[pacman-dev] [arch-general] Package signing

Linas linas_fi at ymail.com
Wed May 5 19:38:59 CEST 2010


Allan McRae wrote:
>> 3. Package signing by developers
>>
>> When a developer builds a new package, makepkg will have the options
>> to sign the package too, with the developer's own key (not the KSK, if
>> the developer owns one). At this point, there are three options (that
>> we should choose now) for the format of the signed/signature pair:
>>
>>   - detached signature external to the package: the package will stay
>> unchanged and there'll be a new file for the signature.
>>   - detached signature internal to the package: makepkg would generate
>> a detached signature, but would tar the package and the signature into
>> a new file, so that both are always together (Debian and RPM based
>> distros do that way). This would have a bigger impact on all developer
>> tools and pacman itself.
>>   - attached signature: the signature would contain the signed file,
>> and pgp would be used to extract the signed file. Just like the one
>> above, this would require lots of changes on the tools.
>>
>> The cheaper approach is obviously the first option. It will not
>> require lots of changes, but there'll be some. Maybe the convenience
>> of the latter two would compensate for the trouble of changing the
>> tools? Comments very much appreciated.
>
> The first method is what is currently used on the gpg patches that are
> available.  The signature is made in a separate file and then is
> inserted in the repo db when the package is added.

I would prefer having the signature along the package. Maybe as a tar
extended header.
This way you can't lose the detached signature (it also means that you
need to download twice as many files).



>> 6. Final comments
>>
>> I believe that these suggestions are feasible and will bring a new
>> level of quality to Arch Linux. The gpg branch of pacman git
>> repository of Allan is in a good position in relation of what I
>> suggested above. One possible problem is that gpgme is not able to
>> update a trustdb (or at least I couldn't find how). Maybe we'll have to
>> use some script for that.
>
> Could the trust database be updated via pacman using post_install on
> some pacman-keychain package?
>
> Allan
I don't see how the pacman-keychain database is going to be updated,
since we should also allow the user to make manual changes so simply
replacing the file wouldn't work.

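The three signature layouts from point 3 of the proposal, plus the "signature in a tar extended header" variant suggested in this reply, can be compared side by side. The following is an added example written for this thread; it is not code from pacman, makepkg or Allan's gpg branch. It uses Python's tarfile module and an HMAC-SHA256 stand-in for the PGP detached signature so that it runs offline with the standard library only; the key, the sample package contents and the pax keyword name `ARCH.signature` are all constructed assumptions. The point it makes for the pax-header layout is a design detail the thread does not spell out: the signature cannot cover the archive bytes that carry the signature itself, so it has to be computed over a canonical digest of the members instead of over the raw `.pkg.tar` file.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed stand-in for the developer's signing key. The proposal uses a
# PGP key and GnuPG; HMAC-SHA256 is used here only so the example runs offline
# with the standard library. The layouts below do not depend on the primitive.
DEV_KEY = b"constructed-developer-key-not-a-real-secret"
SIG_HEADER = "ARCH.signature"  # hypothetical pax keyword, an assumption


def sign(data: bytes) -> str:
    """Stand-in for 'gpg --detach-sign': returns a hex signature string."""
    return hmac.new(DEV_KEY, data, hashlib.sha256).hexdigest()


def verify(data: bytes, sig: str) -> bool:
    """Stand-in for 'gpg --verify'; constant-time comparison."""
    return hmac.compare_digest(sign(data), sig)


def canonical_digest(files: dict) -> bytes:
    """Digest over the package members (name, size, content) in sorted order.
    In the pax-header layout this is what gets signed, because the signature
    cannot cover the archive bytes that carry the signature itself."""
    h = hashlib.sha256()
    for name in sorted(files):
        data = files[name]
        h.update(name.encode() + b"\0" + str(len(data)).encode() + b"\0" + data + b"\0")
    return h.digest()


def build_tar(files: dict, pax_headers: dict = None) -> bytes:
    """Write an uncompressed tar in memory, optionally with pax global headers."""
    kwargs = {"format": tarfile.PAX_FORMAT, "pax_headers": pax_headers} if pax_headers else {}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", **kwargs) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def read_tar(blob: bytes):
    """Return ({member name: content}, {pax global headers})."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
        files = {m.name: tar.extractfile(m).read() for m in tar.getmembers() if m.isfile()}
        return files, dict(tar.pax_headers)


# Layout 1: detached signature in a separate file next to the package.
def verify_external(pkg: bytes, sig=None) -> bool:
    if sig is None:  # the .sig was never fetched or got lost: fail closed
        return False
    return verify(pkg, sig)


# Layout 2: detached signature, but package and signature tarred together.
def wrap_internal(pkg: bytes) -> bytes:
    return build_tar({"pkg.tar": pkg, "pkg.tar.sig": sign(pkg).encode()})


def verify_internal(wrapper: bytes) -> bool:
    files, _ = read_tar(wrapper)
    if "pkg.tar" not in files or "pkg.tar.sig" not in files:
        return False
    return verify(files["pkg.tar"], files["pkg.tar.sig"].decode())


# Layout 3: signature carried in a pax global header of the package tar itself.
def build_pax_signed(files: dict) -> bytes:
    return build_tar(files, pax_headers={SIG_HEADER: sign(canonical_digest(files))})


def verify_pax_signed(pkg: bytes) -> bool:
    files, headers = read_tar(pkg)
    sig = headers.get(SIG_HEADER)
    if sig is None:  # unsigned, or header stripped in transit: fail closed
        return False
    return verify(canonical_digest(files), sig)


# Constructed sample package contents.
SAMPLE = {
    ".PKGINFO": b"pkgname = hello\npkgver = 1.0-1\n",
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
}


def tamper(blob: bytes) -> bytes:
    """Same-length edit of a member's content, so the tar stays well-formed."""
    return blob.replace(b"echo hello", b"echo HELLO")


def demo() -> dict:
    """Exercise all three layouts, including lost-signature and tampering cases."""
    pkg = build_tar(SAMPLE)
    wrapped = wrap_internal(pkg)
    pax_pkg = build_pax_signed(SAMPLE)
    return {
        "external_ok": verify_external(pkg, sign(pkg)),
        "external_missing_sig": verify_external(pkg),
        "internal_ok": verify_internal(wrapped),
        "internal_tampered": verify_internal(tamper(wrapped)),
        "pax_ok": verify_pax_signed(pax_pkg),
        "pax_tampered": verify_pax_signed(tamper(pax_pkg)),
        "pax_missing_sig": verify_pax_signed(pkg),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} {'verified' if ok else 'REJECTED'}")
```

Whichever layout is chosen, the verifier has to treat "no signature present" the same as "bad signature"; the external layout is the one where that case arises by accident (a mirror that syncs the package but not the `.sig`), which is the loss this reply is concerned about.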

