[pacman-dev] [arch-general] Package signing
aleksis.jauntevs at gmail.com
Sat May 1 19:31:15 CEST 2010
> - detached signature external to the package: the package will stay
> unchanged and there'll be a new file for the signature.
> - detached signature internal to the package: makepkg would generate
> a detached signature, but would tar the package and the signature into
> a new file, so that both are always toghether (Debian and RPM based
> distros do that way). This would have a bigger impact on all developer
> tools and pacman itself.
> - attached signature: the signature would contain the signed file,
> and pgp would be used to extract the signed file. Just like the one
> above, this would require lots of changes on the tools.
We have to choose so we can also effectively support unsigned packages. I
think there is no reason to sign packages built localy using PKGBUILD froum
AUR or elsewhere - the weak point is the build script itself and it is
possible that some users will choose not to verify packages upon installation.
So I think only first two options are viable.
> I believe that this suggestions are feasible and will bring a new
> level of quality to Arch Linux. The gpg branch of pacman git
> repository of Allan is in a good position in relation of what I
> suggested above. One possible problem is that gpgme is not able to
> update a trusdb (or at least i couldn't fine how). Maybe we'll have to
> use some script for that.
> Comments and criticism are very appreciated.
Nice resarch! Generally, this version is ok and I think it solves the package
signing - verification functionality but we should cearfuly study this
Also we cluld try to find a solution for problem when it is possible to
install old version of signed packages from the repo.
I have created git repository from Alan's gpg branch:
More information about the pacman-dev