[pacman-dev] [arch-general] Package signing
Aleksis Jauntēvs
aleksis.jauntevs at gmail.com
Sat May 1 19:31:15 CEST 2010
> - detached signature external to the package: the package will stay
> unchanged and there'll be a new file for the signature.
> - detached signature internal to the package: makepkg would generate
> a detached signature, but would tar the package and the signature into
> a new file, so that both are always together (Debian- and RPM-based
> distros do it that way). This would have a bigger impact on all developer
> tools and pacman itself.
> - attached signature: the signature would contain the signed file,
> and pgp would be used to extract the signed file. Just like the one
> above, this would require lots of changes on the tools.
We have to choose so we can also effectively support unsigned packages. I
think there is no reason to sign packages built locally using a PKGBUILD from
AUR or elsewhere - the weak point is the build script itself, and it is
possible that some users will choose not to verify packages upon installation.
So I think only the first two options are viable.
>
> I believe that these suggestions are feasible and will bring a new
> level of quality to Arch Linux. The gpg branch of Allan's pacman git
> repository is in a good position in relation to what I
> suggested above. One possible problem is that gpgme is not able to
> update a trustdb (or at least I couldn't find how). Maybe we'll have to
> use some script for that.
> -----
>
> Comments and criticism are very appreciated.
Nice research! Generally, this version is OK and I think it solves the package
signing/verification functionality, but we should carefully study this
further.
Also, we could try to find a solution for the problem where it is possible to
install an old version of a signed package from the repo.
I have created a git repository from Allan's gpg branch:
http://gitorious.org/pacman-pkgsig
--
Alekss
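As an added illustration, not code from this thread, from pacman, or from Allan's gpg branch, the following Go program models the "detached signature external to the package" layout discussed above together with the rollback problem raised in the reply (an old, still validly signed package being installed from the repo). Ed25519 from Go's standard library stands in for the OpenPGP signature that makepkg and gpg would actually produce; the Manifest type, the monotonically increasing version counter, the name/version header that the signature covers, and the sample packages in Scenario are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strconv"
)

// Errors a package verifier returns; the caller must treat both as fatal.
var (
	ErrBadSignature = errors.New("signature does not match package contents")
	ErrRollback     = errors.New("signed package is older than the installed version")
)

// Manifest is what the detached signature commits to (assumed model, not pacman's).
// Version is assumed to be a monotonically increasing counter; covering it is what
// lets a verifier refuse a package that is validly signed but stale.
type Manifest struct {
	Name    string
	Version int
	Payload []byte // the package archive bytes, left untouched by signing
}

// signedBytes binds name and version to the payload. Signing the payload alone
// would let anyone relabel an old archive as a newer version and reuse its signature.
func signedBytes(m Manifest) []byte {
	header := []byte(m.Name + "\x00" + strconv.Itoa(m.Version) + "\x00")
	return append(header, m.Payload...)
}

// DetachedSign is the "detached signature external to the package" layout: the
// package file stays unchanged and the signature is a separate blob beside it.
// Ed25519 stands in here for the OpenPGP signature gpg would produce.
func DetachedSign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, signedBytes(m))
}

// Verify checks the signature first, then refuses a rollback. A valid signature
// only proves the repository once built this package, not that it is current,
// so the installed version must be consulted as well.
func Verify(pub ed25519.PublicKey, m Manifest, sig []byte, installedVersion int) error {
	if !ed25519.Verify(pub, signedBytes(m), sig) {
		return ErrBadSignature
	}
	if m.Version < installedVersion {
		return ErrRollback
	}
	return nil
}

// Outcome records the result of each case Scenario exercises.
type Outcome struct {
	FreshAccepted, RollbackRefused, TamperRefused, RelabelRefused bool
}

// Scenario runs the cases a verifier must get right and returns the outcome of
// each so they can be checked without reading stdout.
func Scenario() (Outcome, error) {
	var o Outcome
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	// Constructed sample packages; real ones would be makepkg output.
	v1 := Manifest{Name: "pacman", Version: 1, Payload: []byte("constructed archive, build 1")}
	v2 := Manifest{Name: "pacman", Version: 2, Payload: []byte("constructed archive, build 2")}
	sig1, sig2 := DetachedSign(priv, v1), DetachedSign(priv, v2)

	// A host on v1 is offered the freshly signed v2: accepted.
	o.FreshAccepted = Verify(pub, v2, sig2, 1) == nil
	// A host on v2 is served v1 again (say, from a stale or hostile mirror).
	// The signature is still valid, so only the version comparison catches it.
	o.RollbackRefused = errors.Is(Verify(pub, v1, sig1, 2), ErrRollback)
	// The archive is altered after signing: refused before the version is looked at.
	tampered := v2
	tampered.Payload = []byte("constructed archive, tampered")
	o.TamperRefused = errors.Is(Verify(pub, tampered, sig2, 1), ErrBadSignature)
	// The old archive is relabelled as version 3 and shipped with v1's signature:
	// refused because the signature covers the version, not just the payload.
	relabelled := Manifest{Name: "pacman", Version: 3, Payload: v1.Payload}
	o.RelabelRefused = errors.Is(Verify(pub, relabelled, sig1, 2), ErrBadSignature)
	return o, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The point the relabel and rollback cases make is that a per-package detached signature, in either of the two layouts the reply considers viable, says nothing about freshness on its own: the verifier has to compare something the signature covers (here a version counter, assumed for the example) against local state, or the repository metadata listing current versions has to be signed as well.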