[pacman-dev] [arch-general] Package signing

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Thu May 6 03:18:11 CEST 2010


On Wed, May 5, 2010 at 2:49 PM, Denis A. Altoé Falqueto
<denisfalqueto at gmail.com> wrote:
> On Wed, May 5, 2010 at 2:38 PM, Linas <linas_fi at ymail.com> wrote:
>> I would prefer having the signature along the package. Maybe as a tar
>> extended header.
>> This way you can't lose the detached signature (it also means that you
>> need to download twice as much files).
>
> Hey, that would be cool! We wouldn't need to change the name structure
> of the package and would not lose the signature.

In fact, that is not possible, because the signature is made over a
stream of bytes, independent of the real content. So, the signing of
a .tar.gz is absolutely identical to the signing of a text file or
whatever else. If you sign the .tar file and after that insert the
signature inside the .tar, you'll invalidate the signature, because
the original stream of bytes is not the same anymore. What we could do
in the future is to have a signed package format, with an internal
.tar.xz file (the real package) and the signature tarred together. But
I think this is the least of our worries.

>>> Could the trust database be updated via pacman using post_install on
>>> some pacman-keychain package?
>>>
>>> Allan
>> I don't see how the pacman-keychain database is going to be updated,
>> since we should also allow the user to make manual changes, so simply
>> replacing the file wouldn't work.
>
> There'll be a script for that, so users and the post-install script
> will be able to handle it without getting into the details of keyring
> manipulation. It will be something like:
>
> # pacman-key --import <keyfile>
> # pacman-key --trust <keyid>
>
> post-install would call pacman-key --updatedb and the script would
> delete the old keys and append the new ones, as I wrote in the reply
> to Allan. This must be called as root, but pacman is always called as
> root also, so it is not a problem.
>
> In the last case, the user will have to explicitly inform the trust
> level of the key. We even could automate this, but I don't think it is a
> good idea. The user must have responsibility for his system (Arch Way
> rules). I'll try to commit it to gitorious as soon as I get home, so
> you can have a look and the discussion is brought to a more practical
> level too.

I've not yet committed the script, but I'm sending it here (the
pastebin will expire in 1 month), so we all can play with it and send
suggestions. It is very similar to apt-key, but has some enhancements.
One of them is the command to trust in a key. The fingerprint of the
key will be shown to the user and the key will be edited in gpg (with
the --edit-key command). The user will then confirm if the fingerprint
is correct and type 'trust'. gpg will ask him what the level of trust
is, and the change will be saved in the trust db of pacman.

http://pastebin.com/YxGM1Sxq

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
-------------------------------------------
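The following is an added example illustrating the point about signatures covering an exact byte stream; it is not code from this thread, from the pastebin, or from the pacman project. HMAC-SHA256 with a constructed key stands in for the GPG signature (any signature scheme behaves the same way here), and the member names (`.SIGNATURE`, `pkg.tar`, `pkg.tar.sig`) and helper functions are assumptions. It shows that a signature appended inside the archive it signs can no longer be verified, while wrapping the untouched package and its detached signature in an outer archive verifies fine.

```python
"""Added example (not from the pacman-dev thread): why a signature cannot be
appended inside the archive it signs, and why an outer wrapper works instead.

HMAC-SHA256 with a constructed key stands in for the GPG signing primitive;
the property demonstrated (a signature covers one exact byte stream) is the
same for OpenPGP signatures.
"""
import hashlib
import hmac
import io
import tarfile

# Constructed stand-in key; a real package would carry the packager's GPG
# (asymmetric) signature instead of an HMAC.
SIGNING_KEY = b"pacman-dev-example-key"


def sign(blob: bytes) -> bytes:
    """Produce a signature over the exact bytes of `blob`."""
    return hmac.new(SIGNING_KEY, blob, hashlib.sha256).digest()


def verify(blob: bytes, sig: bytes) -> bool:
    """Constant-time check that `sig` was made over exactly these bytes."""
    return hmac.compare_digest(sign(blob), sig)


def build_tar(members: dict) -> bytes:
    """Build an in-memory uncompressed tar from {name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0  # fixed timestamp keeps the archive byte-reproducible
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def embed_signature_inside(package: bytes) -> bytes:
    """The approach floated in the thread: sign the tar, then add the signature
    as a member (assumed name `.SIGNATURE`) of that same tar."""
    sig = sign(package)
    buf = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(package), mode="r") as src, \
         tarfile.open(fileobj=buf, mode="w") as dst:
        for member in src.getmembers():
            dst.addfile(member, src.extractfile(member))
        info = tarfile.TarInfo(".SIGNATURE")
        info.size = len(sig)
        dst.addfile(info, io.BytesIO(sig))
    return buf.getvalue()


def verify_embedded(modified: bytes) -> bool:
    """Verify the signature stored inside the archive against the archive as it
    now is. This fails: the byte stream that was signed no longer exists once
    the signature member has been appended."""
    with tarfile.open(fileobj=io.BytesIO(modified), mode="r") as tar:
        sig = tar.extractfile(".SIGNATURE").read()
    return verify(modified, sig)


def build_signed_package(inner: bytes) -> bytes:
    """The format the mail sketches for the future: an outer tar holding the
    untouched inner package plus its detached signature (names assumed)."""
    return build_tar({"pkg.tar": inner, "pkg.tar.sig": sign(inner)})


def verify_signed_package(outer: bytes) -> bool:
    """Pull the inner package and its signature out of the wrapper and verify
    the signature over the inner bytes, which were never modified."""
    with tarfile.open(fileobj=io.BytesIO(outer), mode="r") as tar:
        inner = tar.extractfile("pkg.tar").read()
        sig = tar.extractfile("pkg.tar.sig").read()
    return verify(inner, sig)


def demo() -> dict:
    """Run the four scenarios on a constructed package and report the results."""
    package = build_tar({
        ".PKGINFO": b"pkgname = example\n",
        "usr/bin/example": b"#!/bin/sh\necho hi\n",
    })
    detached_sig = sign(package)
    outer = build_signed_package(package)
    # An outer archive whose inner package was altered after signing.
    outer_tampered = build_tar({"pkg.tar": package + b"x",
                                "pkg.tar.sig": detached_sig})
    return {
        "detached_ok": verify(package, detached_sig),
        "embedded_ok": verify_embedded(embed_signature_inside(package)),
        "wrapped_ok": verify_signed_package(outer),
        "wrapped_tampered_ok": verify_signed_package(outer_tampered),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verified' if ok else 'FAILED'}")
```

Only `detached_ok` and `wrapped_ok` verify; the embedded case fails because the archive bytes changed when the signature member was added, and the tampered wrapper fails because the inner bytes changed. Note that even stripping the `.SIGNATURE` member before verifying would require reconstructing the original tar byte-for-byte (member order, header fields, padding), which is exactly the fragility the wrapper format avoids.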