[pacman-dev] [arch-general] Package signing

Allan McRae allan at archlinux.org
Thu May 6 01:11:20 CEST 2010

On 06/05/10 03:33, Denis A. Altoé Falqueto wrote:
> On Wed, May 5, 2010 at 3:51 AM, Allan McRae<allan at archlinux.org>  wrote:
>>> 5.2 devtools
>>> I don't know them, so I can't comment. But the upload and repo.db
>>> generation will be affected, for sure.
>> repo-add is also mostly good to go (there are some TODOs left, e.g. aborting
>> when the signature verification of the repo fails before adding the
>> package).
>> There needs to be discussion about signing the repo database itself and how
>> that is handled.  Does the last person to add a package sign the lot?  That
>> might be reasonable given the package signatures have been verified in some
>> sort of chain to the initial signing.  But it does mean that developers are
>> signing the entire db when they are only responsible for a small part.  I
>> guess that would also require private keys be available on the server
>> creating the repo dbs....   That needs thought.  How do other distros handle
>> that?
> Yes, this is a little troublesome right now. I don't know the workflow
> of the package upload and repo.db creation, but I presume that
> there is a script to do it, right? Does repo-add run locally or
> remotely? I believe that it is run remotely. In that case, is there
> any synchronization scheme? Because we can have race conditions if two
> developers are calling it at the same time.
> I was thinking about generating the sha1 hash of the repo.db on the
> server and to sign locally just the hash, so the exchange of data
> between the server and the local machine is minimized. A digital
> signature is basically just that anyway. We could have a script to
> help the process, together with synchronization of the repo.db, to
> avoid race conditions. But that depends on the workflow of the
> uploading process. Could you explain it to me?

This is the current Arch package upload procedure.  Of course, it is not 
set in stone and if it requires changes for signing then that is fine.

1) packages are built locally, committed to SVN and uploaded to a 
staging directory on the main server.
2) on the main server, the dev runs a script that adds the packages in 
the dev staging area to the repos and updates the repo database.  This 
script does some sort of locking to prevent race conditions.
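The "hash on the server, sign the hash locally" idea from Denis's message, worked through end to end as an added example that is not code from this thread or from pacman/devtools. It assumes the openssl command-line tool; the key pair, the file names and the contents of the stand-in core.db are all constructed for the demo. Note what the client side does: it recomputes the digest from the database it actually downloaded rather than trusting any digest shipped alongside it, which is the only way a signature over a hash protects the file.

```shell
#!/bin/sh
# Added example, not code from the pacman-dev thread: a hash-on-server,
# sign-locally flow for a repo database, built on the openssl CLI.
# All paths and the repo.db contents are constructed for the demo.
set -e

demo=$(mktemp -d)
printf 'constructed stand-in for core.db contents\n' > "$demo/core.db"

# Developer's signing key pair (constructed for the demo; a real key would
# never sit on the repo server, which is the point of signing locally).
gen_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null
    openssl pkey -in "$1" -pubout -out "$2" 2>/dev/null
}

# Server side: only the digest of the database leaves the server.
server_digest() {
    openssl dgst -sha256 -binary "$1" > "$2"
}

# Developer side: sign the received digest with the private key.
# "-pkeyopt digest:sha256" tells openssl the input is already a SHA-256
# digest, so it wraps it in the PKCS#1 DigestInfo a normal signature uses.
sign_digest() {
    openssl pkeyutl -sign -inkey "$1" -in "$2" -out "$3" \
        -pkeyopt digest:sha256
}

# Client side: recompute the digest from the database actually downloaded
# and check the detached signature against the developer's public key.
# Returns 0 on a valid signature, non-zero otherwise.
verify_db() {
    openssl dgst -sha256 -binary "$1" |
        openssl pkeyutl -verify -pubin -inkey "$2" -sigfile "$3" \
            -pkeyopt digest:sha256 >/dev/null 2>&1
}

gen_keypair "$demo/dev.key" "$demo/dev.pub"
server_digest "$demo/core.db" "$demo/core.db.sha256"
sign_digest "$demo/dev.key" "$demo/core.db.sha256" "$demo/core.db.sig"

if verify_db "$demo/core.db" "$demo/dev.pub" "$demo/core.db.sig"; then
    echo "core.db: signature OK"
fi

# Any change to the database after signing must fail verification.
cp "$demo/core.db" "$demo/core.db.modified"
printf 'one extra byte\n' >> "$demo/core.db.modified"
if ! verify_db "$demo/core.db.modified" "$demo/dev.pub" "$demo/core.db.sig"; then
    echo "core.db.modified: signature rejected"
fi
```

Only 32 bytes cross from the server to the developer's machine, and the private key never leaves it; the cost is that the signer is vouching for whatever digest the server reported, so the server-side step and the locking around it still need to be trusted, which is exactly the open question in the thread.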

