[pacman-dev] New patchset for package signing

Ananda Samaddar ananda at samaddar.co.uk
Tue Jul 27 22:11:45 EDT 2010 

On Mon, 26 Jul 2010 17:26:00 -0300
Denis A. Altoé Falqueto <denisfalqueto at gmail.com> wrote:

> So, I changed the code to use gpgme. Here are the patches for your
> evaluation.
> 
> By the way, I'm not {angry,upset,crying} :) I really want to see
> package signing in pacman, but I know that this is a complex issue
> that will need lots of discussion.
> 
> Below, follows a little explanation of the general idea of each patch.
> 
> [PATCH 1/5] pacman-key: keyring management tool
> 
> The script that helps with management for pacman keyring. It uses
> gpg, instead of gpg2 and is heavly inpired on apt-key, from debian.
> It is very straightforward.
> 
> [PATCH 2/5] Signature verification functions
> 
> Two functions: one for signatures in memory and another for
> signatures in files. Signatures of packages are stored in the
> repository and are copied to memory before verification. The
> signatures of database files are stored on files, hence the new
> function.
> 
> [PATCH 3/5] Verify the signatures of databases and packages
> 
> The calls for the signature functions. Verification of database
> updates and package instalations from the repositories.
> 
> I didn't worry about local instalations, but it doesn't mean they are
> not there. If it were verified before (as Dan suggests), they are
> there. :)
> 
> A point raised by Dan was that the reading of the signature from the
> repository was too complex. The reaasoning behind it is that
> signatures grow according to the size of the key used to sign. So, we
> can't be never sure if some buffer size is really enough. Maybe it is
> enough now, but in the future it may be not and we'll have a new bug
> in the bugtracker. My implementation is simple and robust, so it will
> work with any signature size.
> 
> [PATCH 4/5] Parameter to select key to sign
> 
> Just a new parameter to allow the packager to select the key he wants
> to use. if the key is not specified, his default key will be used.
> 
> [PATCH 5/5] Document new options related to package signing
> 
> Just documentation. No imporant comment.
> 
> As always, comments and suggestions are welcome.
> 
> --
> Denis A. Altoé Falqueto
> 

This is really encouraging Denis, could you possibly update your Wiki
article with a status report?

http://wiki.archlinux.org/index.php/Package_Signing_Proposal_for_Pacman

Or maybe someone could summarise what the situation is now so us
impatient folk can surmise how close we are to seeing gpg signing in
Pacman.  Denis have you also considering the hash function that is used
when signing?  It seems that sha256 is considered the best to use at
the moment.  That is until sha-3 is finalised in 2012.

thanks,

Ananda

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: not available
URL: <http://mailman.archlinux.org/pipermail/pacman-dev/attachments/20100728/41cf53d8/attachment.bin>

More information about the pacman-dev mailing list