[pacman-dev] [arch-general] Package signing

Florian Pritz bluewind at server-speed.net
Fri May 7 14:44:47 CEST 2010


On 06.05.2010 22:48, Denis A. Altoé Falqueto wrote:
> To check the validity of the repo.db signature, we can do:
> 
>  1. pacman downloads the repo.db and the signature
>  2. gpg extracts the original hash from the signature
>  3. sha1sum recomputes the hash on the downloaded repo.db
>  4. the recomputed hash and the signed hash are compared
> 
> If the comparison is ok, the repo.db is intact. Otherwise, panic!!

Why can't you just sign the package, and let the rest of the process be
the way it is? I don't understand why you have to sign the DB too.
If the package signature is correct you can safely install it without
worrying whether the DB is the latest or not.

If a developer gets compromised you abandon his old key (post on the
ML, news item, ... and tell users to update pacman-keyring; maybe you
could also use a keyserver here where you just publish a revocation
certificate), re-sign all clean packages and rebuild the rest.

Or am I missing something?

-- 
Florian Pritz -- {flo,bluewind}@server-speed.net
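The verification flow quoted at the top of the message (download artifact and detached signature, recompute the digest, check it against the signed digest) and the reply's point about revoking a compromised developer key can be shown in a few dozen lines. The following is an added example written for this page; it is not pacman's or gpg's code. It stands in Ed25519 for OpenPGP, SHA-256 for sha1sum, and an in-memory `Keyring` type for pacman-keyring; the key ids `alice`, `bob`, `mallory` and the package bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Keyring is a stand-in for pacman-keyring: the trusted developer public keys
// plus the set of key ids that have been revoked after a compromise.
type Keyring struct {
	keys    map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewKeyring() *Keyring {
	return &Keyring{keys: map[string]ed25519.PublicKey{}, revoked: map[string]bool{}}
}

func (k *Keyring) Add(keyID string, pub ed25519.PublicKey) { k.keys[keyID] = pub }

// Revoke marks a key as no longer trusted; anything it signed must be re-signed.
func (k *Keyring) Revoke(keyID string) { k.revoked[keyID] = true }

// Detached is a detached signature: the signing key id and the signature over
// the SHA-256 digest of the artifact (the "signed hash" of steps 2 and 4).
type Detached struct {
	KeyID string
	Sig   []byte
}

// Sign hashes the artifact and signs the digest with the developer's key.
func Sign(priv ed25519.PrivateKey, keyID string, artifact []byte) Detached {
	digest := sha256.Sum256(artifact)
	return Detached{KeyID: keyID, Sig: ed25519.Sign(priv, digest[:])}
}

// Verify recomputes the digest of the downloaded artifact (step 3) and checks
// the detached signature against a trusted, non-revoked key. Any failure rejects.
func (k *Keyring) Verify(artifact []byte, sig Detached) error {
	pub, ok := k.keys[sig.KeyID]
	if !ok {
		return errors.New("signing key not in keyring")
	}
	if k.revoked[sig.KeyID] {
		return errors.New("signing key has been revoked")
	}
	digest := sha256.Sum256(artifact)
	if !ed25519.Verify(pub, digest[:], sig.Sig) {
		return errors.New("signature does not match artifact")
	}
	return nil
}

// Demo runs the cases discussed in the thread and returns the outcome of each.
func Demo() (map[string]error, error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	bobPub, bobPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ring := NewKeyring()
	ring.Add("alice", alicePub) // constructed developer key ids
	ring.Add("bob", bobPub)

	// Constructed stand-in for a package archive fetched from a mirror.
	pkg := []byte("constructed package bytes: foo-1.0-1-x86_64.pkg.tar.xz")
	sigAlice := Sign(alicePriv, "alice", pkg)
	sigBob := Sign(bobPriv, "bob", pkg)

	results := map[string]error{}
	results["intact package"] = ring.Verify(pkg, sigAlice)

	// A modified package: the recomputed digest no longer matches the signed one.
	tampered := append([]byte(nil), pkg...)
	tampered[0] ^= 0x01
	results["tampered package"] = ring.Verify(tampered, sigAlice)

	// A signature that names a key id the keyring has never trusted.
	results["unknown key"] = ring.Verify(pkg, Detached{KeyID: "mallory", Sig: sigAlice.Sig})

	// Bob's key is compromised and revoked: his old signatures stop verifying
	// until the clean packages are re-signed by a still-trusted key.
	ring.Revoke("bob")
	results["revoked key"] = ring.Verify(pkg, sigBob)
	results["re-signed after revocation"] = ring.Verify(pkg, sigAlice)
	return results, nil
}

func main() {
	results, err := Demo()
	if err != nil {
		panic(err)
	}
	for name, e := range results {
		fmt.Printf("%-28s %v\n", name, e)
	}
}
```

Note that the check is entirely per artifact: a correct signature from a trusted key accepts the package on its own, which is the property the reply relies on when asking why the DB would need a signature of its own. What a per-package signature cannot tell the client is whether the DB it was listed in is the current one.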
