[pacman-dev] Status of package signing work

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Mon Nov 22 02:59:07 CET 2010


On Sat, Nov 20, 2010 at 10:51 PM, Allan McRae <allan at archlinux.org> wrote:
> pacman-key:
>  - tool to manage pacman keyring
>  - TODO: man page needs tidying/clarification

I'll try to work on that, but everyone is very welcome to help.

> repo-add:
>  - adds package signature (base64) to repos if available when adding package
>  - has option to sign a repo after creation and verify current signature
> before making changes
>  - TODO: check signature used to verify is not only good but is also in a
> list of accepted keys (???)

Good point, I'll try to do that too.

>  - TODO: allow selection of key used for signing (patch:
> http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011435.html)
>  - TODO: documentation (patch:
> http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011436.html)
>
> pacman:
>  - reads in keys from repo-db and decodes them when needed
>  - reads in .sig files when beside a package being loaded from the
> filesystem
>  - integrated gpgme into pacman for signature verification
>  - provide options to control signature verification on a per repo basis
>  - verifies signatures of packages when installing from repo
>  - TODO: create directories needed for keyring during "make install"

That is in the PKGBUILD for pacman, isn't it?

>  - TODO: verify signatures for packages installed from filesystem (???)

I'll check if it is being done, but if I'm not mistaken, it is
currently implemented.

>  - TODO: download and verify signatures of dbs (patches:
> http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011433.html
> http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011434.html)
>
> I think the very last TODO there is the only thing stopping us from getting
> some actual testing of this work underway.  I think I have my head around
> what the two patches are doing now, but I am not sure I like the "how" of
> that doing.  So I will make an attempt into hacking them as I see fit in the
> next few days...  Then I will publish a signed repo with a pacman-git and we
> can see how this all goes!

Please don't hesitate to ask if you have any questions about the
implementation details. Or if you want to delegate the real work, you
can ask me to change specific details. Just say what to do and I can
help.

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------
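The "not only good but also in a list of accepted keys" TODO above is the part of the design that is easy to get wrong: a signature that verifies under some key in the keyring proves only that whoever holds that key signed the file, not that the repo owner meant to trust that key. The following is an added example (not pacman's or repo-add's code) that models the flow the thread describes: repo-add stores a base64 detached signature beside the package entry in the db, and the client decodes it, verifies it against the keyring, and then separately checks that the signing key is on an accepted list. It substitutes Go's stdlib ed25519 for GPG/gpgme so it runs offline; `DBSignature`, `Keyring`, `VerifyPackage`, the eight-byte "key ID" derived from a SHA-256 of the public key (a stand-in for a GPG fingerprint) and the package bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// ConstructedPackage stands in for the bytes of a package file (constructed sample,
// not a real .pkg.tar.xz).
const ConstructedPackage = "pacman-3.4.1-1-x86_64.pkg.tar.xz: constructed sample bytes"

// DBSignature is what repo-add would write beside a package entry in the repo db:
// the detached signature, base64 encoded, plus the ID of the key that produced it.
// A GPG signature packet carries its issuer key ID; ed25519 signatures are bare,
// so this example stores the ID explicitly.
type DBSignature struct {
	KeyID string
	Sig   string // base64 of the raw signature
}

// Keyring maps a key ID to its public key, like the pacman-key keyring.
type Keyring map[string]ed25519.PublicKey

// Signer bundles a key pair with its ID (packager side).
type Signer struct {
	ID   string
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

// KeyID derives a short hex identifier from the public key (stand-in for a fingerprint).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// NewSigner generates a fresh key pair.
func NewSigner() (Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Signer{}, err
	}
	return Signer{ID: KeyID(pub), Pub: pub, Priv: priv}, nil
}

// SignPackage produces the db entry repo-add would store for pkg.
func SignPackage(s Signer, pkg []byte) DBSignature {
	raw := ed25519.Sign(s.Priv, pkg)
	return DBSignature{KeyID: s.ID, Sig: base64.StdEncoding.EncodeToString(raw)}
}

var (
	ErrUnknownKey   = errors.New("signing key is not in the keyring")
	ErrBadSignature = errors.New("signature does not verify")
	ErrNotAccepted  = errors.New("signature is good, but the key is not on the accepted list")
)

// VerifyPackage is the client side: decode the base64 signature, look the key up in
// the keyring, verify, and then require the key to be explicitly accepted.
func VerifyPackage(pkg []byte, entry DBSignature, ring Keyring, accepted map[string]bool) error {
	raw, err := base64.StdEncoding.DecodeString(entry.Sig)
	if err != nil {
		return fmt.Errorf("decoding signature: %w", err)
	}
	pub, ok := ring[entry.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, pkg, raw) {
		return ErrBadSignature
	}
	// The extra check from the TODO: being in the keyring is not the same as being trusted.
	if !accepted[entry.KeyID] {
		return ErrNotAccepted
	}
	return nil
}

func main() {
	packager, _ := NewSigner()
	stranger, _ := NewSigner() // in the keyring (e.g. imported by accident) but never accepted
	ring := Keyring{packager.ID: packager.Pub, stranger.ID: stranger.Pub}
	accepted := map[string]bool{packager.ID: true}
	pkg := []byte(ConstructedPackage)

	fmt.Println("accepted key:    ", VerifyPackage(pkg, SignPackage(packager, pkg), ring, accepted))
	fmt.Println("keyring-only key:", VerifyPackage(pkg, SignPackage(stranger, pkg), ring, accepted))
	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 1
	fmt.Println("tampered package:", VerifyPackage(tampered, SignPackage(packager, pkg), ring, accepted))
}
```

The order of the checks matters for the error a user sees but not for safety: as long as both the cryptographic verification and the accepted-list membership must pass before the package is used, a good signature from a key that merely sits in the keyring is still rejected.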


More information about the pacman-dev mailing list