[pacman-dev] [arch-general] Package signing

Linas linas_fi at ymail.com
Wed May 5 19:38:59 CEST 2010

Allan McRae wrote:
>> 3. Package signing by developers
>> When a developer builds a new package, makepkg will have the options
>> to sign the package too, with the developer's own key (not the KSK, if
>> the developer owns one). At this point, there are three options (that
>> we should choose now) for the format of the signed/signature pair:
>>   - detached signature external to the package: the package will stay
>> unchanged and there'll be a new file for the signature.
>>   - detached signature internal to the package: makepkg would generate
>> a detached signature, but would tar the package and the signature into
>> a new file, so that both are always together (Debian and RPM based
>> distros do that way). This would have a bigger impact on all developer
>> tools and pacman itself.
>>   - attached signature: the signature would contain the signed file,
>> and pgp would be used to extract the signed file. Just like the one
>> above, this would require lots of changes on the tools.
>> The cheaper approach is obviously the first option. It will not
>> require lots of changes, but there'll be some. Maybe the convenience
>> of the latter two would compensate for the trouble of changing the
>> tools? Comments very much appreciated.
> The first method is what is currently used on the gpg patches that are
> available.  The signature is made in a separate file and then is
> inserted in the repo db when the package is added.

I would prefer having the signature along with the package. Maybe as a tar
extended header.
This way you can't lose the detached signature (it also means that you
need to download twice as many files).

>> 6. Final comments
>> I believe that these suggestions are feasible and will bring a new
>> level of quality to Arch Linux. The gpg branch of pacman git
>> repository of Allan is in a good position in relation to what I
>> suggested above. One possible problem is that gpgme is not able to
>> update a trustdb (or at least I couldn't find how). Maybe we'll have to
>> use some script for that.
> Could the trust database be updated via pacman using post_install on
> some pacman-keychain package?
> Allan
I don't see how the pacman-keychain database is going to be updated,
since we should also allow the user to make manual changes, so simply
replacing the file wouldn't work.

