[pacman-dev] [arch-general] Package signing

[Denis A. Altoé Falqueto]

On Wed, May 5, 2010 at 2:38 PM, Linas <linas_fi at ymail.com> wrote:
> Allan McRae wrote:
>> The first method is what is currently used on the gpg patches that are
>> available.  The signature is made in a separate file and then is
>> inserted in the repo db when the package is added.
>
> I would prefer having the signature along the package. Maybe as a tar
> extended header.
> This way you can't lose the detached signature (it also means that you
> need to download twice as much files).

Hey, that would be cool! We wouldn't need to change the name structure
of the package and would not lose the signature.

>> Could the trust database be updated via pacman using post_install on
>> some pacman-keychain package?
>>
>> Allan
> I don't see how is the pacman-keychain database going to be updated,
> since we should also allow the user to make manual changes so simply
> replacing the file wouldn't work.

There'll be a script for that, so users and the post-install script
will be able to handle it without getting into the details of keyring
manipulation. It will be something like:

# pacman-key --import <keyfile>
# pacman-key --trust <keyid>

post-install would call pacman-key --updatedb and the script would
delete the old keys and append the new ones, as I wrote in the reply
to Allan. This must be called as root, but pacman is always called as
root also, so it is not a problem.

In the last case, the user will have to explicitly inform the trust
level of the key. We even could automate this, but I don't think is a
good idea. The user must have responsibility for his system (Arch Way
rules). I'll try to commit it to gitorious as soon as I get home, so
you can have a look and the discussion is brought to a more practical
level too.

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------