[pacman-dev] [package signing] repo-add and access to pacman keyring

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Fri Feb 18 21:02:10 EST 2011


Well, it seems I'm busy lately, doesn't it? :)

I was implementing the first TODO list for repo-add in (see
https://wiki.archlinux.org/index.php/User:Allan/Package_Signing) and
stuck in a point where I need some opinions on what to do.

repo-add should verify if the signature is valid and if it is from
someone from a list of valid keys. I think that list should be
pacman's keyring, because it is the keyring the final user will use to
verify the signatures, right?

So, repo-add needs read access to pacman's keyring, so the keyring
would need to be readable for anyone. gpg emits a warning when the
keyring dir and files have insecure permissions (any permissions for
group owner and other users). In my opinion, this could be ignored,
because pacman's keyring doesn't have any private information. Of
course, writing permissions should be granted only to root, the owner
of the keyring.

After all, do you agree with my reasoning? Can we make pacman's
keyring readable for anyone?


A: Because it obfuscates the reading.
Q: Why is top posting so bad?

Denis A. Altoe Falqueto
Linux user #524555

More information about the pacman-dev mailing list