[pacman-dev] makepkg: gpg signature verification?

Florian Pritz bluewind at server-speed.net
Mon Nov 22 16:33:03 CET 2010


I'd like to add $gpgsource (URLs to gpg signatures of the sources) to
PKGBUILDs and when building check the signatures, but I'm not sure what
to do when the check fails.
If the user doesn't have the key in his keyring or doesn't trust it, my
idea would be to display an error message and exit, but that doesn't
seem practical, although I think it's the right way.

I also have no idea how to handle chroots. I really can't expect users
to copy their keyring into the chroot, but I could add an option to
makepkg.conf so you can disable the checking and wrapper scripts could
then do that before chrooting (using a new --verify option maybe).

C&C please.

-- 
Florian Pritz -- {flo,bluewind}@server-speed.net
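
The failure cases raised in the message above (key missing from the keyring, key present but not trusted, signature invalid) can be told apart from gpg's machine-readable status output. This is an added example, not part of the original message and not makepkg code; the function names, verdict strings and error messages are hypothetical, and rejecting marginally trusted keys is an assumed policy.

```shell
#!/bin/bash
# Added example: function names and messages are hypothetical, not makepkg's.

# Reads `gpg --status-fd` lines on stdin and prints one verdict:
#   good | untrusted | missing-key | bad
classify_gpg_status() {
    local prefix tag rest good=0 trusted=0 missing=0 bad=0
    while read -r prefix tag rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$tag" in
            GOODSIG) good=1 ;;
            TRUST_FULLY|TRUST_ULTIMATE) trusted=1 ;;
            NO_PUBKEY) missing=1 ;;
            BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) bad=1 ;;
        esac
    done
    # Fail closed: anything short of an explicit, trusted good signature is an error.
    if [ "$bad" -eq 1 ]; then echo bad
    elif [ "$missing" -eq 1 ]; then echo missing-key
    elif [ "$good" -eq 1 ] && [ "$trusted" -eq 1 ]; then echo good
    elif [ "$good" -eq 1 ]; then echo untrusted   # assumed policy: marginal/undefined trust is rejected
    else echo bad
    fi
}

# verify_source <file> <detached-signature>
# Returns 0 only when the signature is good and made by a trusted key.
verify_source() {
    local verdict
    verdict=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | classify_gpg_status)
    case "$verdict" in
        good)        return 0 ;;
        missing-key) echo "ERROR: signing key for $1 is not in the keyring" >&2 ;;
        untrusted)   echo "ERROR: $1 is signed by a key that is not trusted" >&2 ;;
        *)           echo "ERROR: signature check failed for $1" >&2 ;;
    esac
    return 1
}

# Constructed status lines (not captured gpg output): signing key absent from the keyring.
sample='[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1290439983 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
printf '%s\n' "$sample" | classify_gpg_status
```

Keeping the classifier separate from the gpg call means a wrapper script can apply the same verdict logic inside or outside a chroot, whichever side holds the keyring.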
