[pacman-dev] Status of package signing work
Allan McRae
allan at archlinux.org
Sun Nov 21 01:51:36 CET 2010
Hi,
I just rebased the gpg work on top of my working branch and pulled in a
couple of patches to do with the pacman-key tool so I thought it would
be a good time to get a summary of where we are on this.
Here is my take on the current status. I would like to keep this list
up-to-date so we can track progress, so feel free to reply adding
anything I have missed.
pacman-key:
- tool to manage pacman keyring
- TODO: man page needs tidying/clarification
makepkg:
- will sign packages and produce detached signature if the "sign"
option is enabled in makepkg.conf
- split packages, PKGDEST etc all handled
- TODO: allow selection of key used for signing (patch:
http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011435.html)
- TODO: documentation (patch:
http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011436.html)
repo-add:
- adds package signature (base64) to repos if available when adding
package
- has option to sign a repo after creation and verify current
signature before making changes
- TODO: check signature used to verify is not only good but is also in
a list of accepted keys (???)
- TODO: allow selection of key used for signing (patch:
http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011435.html)
- TODO: documentation (patch:
http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011436.html)
pacman:
- reads in keys from repo-db and decodes them when needed
- reads in .sig files when beside a package being loaded from the
filesystem
- integrated gpgme into pacman for signature verification
- provide options to control signature verification on a per repo basis
- verifies signatures of packages when installing from repo
- TODO: create directories needed for keyring during "make install"
- TODO: verify signatures for packages installed from filesystem (???)
- TODO: download and verify signatures of dbs (patches:
http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011433.html
http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011434.html)
I think the very last TODO there is the only thing stopping us from
getting some actual testing of this work underway. I think I have my
head around what the two patches are doing now, but I am not sure I like
the "how" of that doing. So I will make an attempt at hacking them as
I see fit in the next few days... Then I will publish a signed repo
with a pacman-git and we can see how this all goes!
Allan
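An added example, not code from this post or from the pacman project: a small POSIX sh helper for the repo-add TODO above, which accepts a detached signature only when gpg reports it good and the signing key's fingerprint is on an allow-list. The function names, the allow-list format (one full fingerprint per line) and the sample gpg status lines are assumptions constructed for the demo.

```shell
#!/bin/sh
# Hypothetical helper (not repo-add's own code): a good signature from *any*
# key in the keyring is not enough; the signing key must also be on an
# allow-list of accepted fingerprints, one per line.

# verify_accepted SIGFILE DATAFILE ALLOWLIST
# Runs gpg and feeds its machine-readable status lines to accept_status.
verify_accepted() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | accept_status "$3"
}

# accept_status ALLOWLIST   (gpg status lines on stdin)
# Prints the accepted fingerprint and returns 0; otherwise returns 1.
accept_status() {
    allow=$1
    good=0
    fpr=""
    while IFS=' ' read -r tag kw rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$kw" in
            GOODSIG) good=1 ;;
            # anything that is not a plain good signature is rejected outright
            BADSIG|ERRSIG|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            # VALIDSIG's first field is the fingerprint of the signing (sub)key;
            # its last field is the primary key fingerprint, not used here
            VALIDSIG) fpr=${rest%% *} ;;
        esac
    done
    [ "$good" -eq 1 ] && [ -n "$fpr" ] || return 1
    # whole-line, fixed-string match so a prefix of a fingerprint cannot pass
    grep -qxF "$fpr" "$allow" || return 1
    printf '%s\n' "$fpr"
}

# Constructed sample: what gpg would emit for a good signature (no real key).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_STATUS="[GNUPG:] GOODSIG 0123456789ABCDEF Test Packager <dev@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2010-11-21 1290300000 0 4 0 1 8 00 $SAMPLE_FPR"

# Demo: accepted with the key on the allow-list, rejected with an empty one.
allowlist=$(mktemp)
printf '%s\n' "$SAMPLE_FPR" > "$allowlist"
printf '%s\n' "$SAMPLE_STATUS" | accept_status "$allowlist"
: > "$allowlist"
printf '%s\n' "$SAMPLE_STATUS" | accept_status "$allowlist" || echo "rejected: key not on allow-list"
rm -f "$allowlist"
```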