[pacman-dev] makepkg: gpg signature verification?
Allan McRae
allan at archlinux.org
Tue Nov 23 01:46:44 CET 2010
On 23/11/10 01:33, Florian Pritz wrote:
> I'd like to add $gpgsource (urls to gpg signatures of the sources) to
> PKGBUILDs and when building check the signatures, but I'm not sure what
> to do when the check fails.
> If the user doesn't have the key in his keyring or doesn't trust it my
> idea would be to display an error message and exit, but that doesn't
> seem practical although I think it's the right way.
>
> I also have no idea how to handle chroots. I really can't expect users
> to copy their keyring into the chroot, but I could add an option to
> makepkg.conf so you can disable the checking and wrapper scripts could
> then do that before chrooting (using a new --verify option maybe).
>
The total discussion on this topic so far is in:
https://bugs.archlinux.org/task/20448
As you can see, we barely got past the idea of checking the
signatures... I would abort if the check fails completely, but just
issue a warning if the failure is only due to no trust in the key being
used to sign (i.e. signature is correct).
I would not consider chroots yet. The same issue will occur with
package signing where people will not have their keys to sign packages
when building in chroots. These are the sort of things chroot building
wrapper scripts have to figure out.
Allan
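
The policy described in the reply above (abort on a failed check, warn when the signature is correct but the key is not trusted), sketched as an added example that is not part of the original message or of makepkg. The function names, return codes and sample status lines are assumptions; a missing public key is treated as a failed check because the signature cannot be verified at all.

```shell
# Constructed samples of `gpg --status-fd 1 --verify` output (key id and name are made up).
SAMPLE_TRUSTED='[GNUPG:] GOODSIG 0123456789ABCDEF Example Upstream <dev@example.org>
[GNUPG:] TRUST_FULLY 0 pgp'
SAMPLE_UNTRUSTED='[GNUPG:] GOODSIG 0123456789ABCDEF Example Upstream <dev@example.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_BAD='[GNUPG:] BADSIG 0123456789ABCDEF Example Upstream <dev@example.org>'
SAMPLE_NOKEY='[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1290473204 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'

# classify_gpg_status STATUS_TEXT (hypothetical helper)
# Returns 0 = good signature from a trusted key, 1 = good signature but key
# not fully trusted (warn only), 2 = check failed or nothing verified (abort).
classify_gpg_status() {
    cgs_good=0
    cgs_trusted=0
    while IFS= read -r cgs_line; do
        case $cgs_line in
            # Any hard failure wins, even if another signature was good.
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 2 ;;
            "[GNUPG:] EXPSIG "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                return 2 ;;
            "[GNUPG:] GOODSIG "*)
                cgs_good=1 ;;
            # TRUST_UNDEFINED, TRUST_NEVER and TRUST_MARGINAL stay "untrusted".
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*)
                cgs_trusted=1 ;;
        esac
    done <<EOF
$1
EOF
    [ "$cgs_good" -eq 1 ] || return 2   # no GOODSIG line: nothing was verified
    [ "$cgs_trusted" -eq 1 ] && return 0
    return 1
}

# verify_source SIGFILE SOURCEFILE (hypothetical wrapper around gpg)
verify_source() {
    vs_out=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    vs_rc=0
    classify_gpg_status "$vs_out" || vs_rc=$?
    case $vs_rc in
        0) return 0 ;;
        1) echo "WARNING: signature is correct but the key is not trusted" >&2
           return 0 ;;
        *) echo "ERROR: signature verification failed, aborting" >&2
           return 1 ;;
    esac
}
```

Parsing the machine-readable status lines rather than gpg's exit code is what lets the two cases be told apart: a correct signature from an untrusted key and a bad signature are reported differently there.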