[pacman-dev] [ Package Signing ] Your signature please
allan at archlinux.org
Sat Feb 19 09:09:35 EST 2011
On 19/02/11 19:25, Pierre Schmitz wrote:
> On Sat, 19 Feb 2011 17:35:21 +1000, Allan McRae wrote:
>> I will repeat myself again... Patches for pacman do bugger all for
>> getting signatures into Arch Linux repos. Patches for the Arch Linux
>> devtools/db-scripts packages are needed.
> To be honest, I don't think it's worth to work on patches for devtools
> dbscripts right now. I'd prefer to be pointed at some documents which
> describe exactly the wrokflow to sign a package with makepkg, upload it,
> add it to a db, update, replace and delete it.
> Once there is a version of pacman which supports signed packages I can
> start implementing these ideas.
All there is from a pacman point of view is this:
1) makepkg signs the package with the packagers key and creates a
2) repo-add adds that key to the repo db
3) pacman has a local keyring to verify the package signatures against.
An addition is repo-add will verify its current signature and resign the
database after adding the package(s).
So for a start, we could have the commitpkg just uploading signature
files alongside packages. It could also be temporarily responsible for
signing the package until makepkg with signing support gets released, or
perhaps better that could be done by makechrootpkg...
> And last but not least we need to think about key management which is
> less technical but very important.
I think that is fairly separate to the pacman implementation. Getting
some sort of ultimate trust key (or equivalent) into the pacman keyring
is the most difficult part. Then a distro can provide a pacman-keyring
package signed by that key which will provide the developer keys. The
pacman-key tool (a useful wrapper to gpg) is then used to import those
keys into the pacman keyring. How the keys are signed in order to for a
useful web of trust is up to the distro.
More information about the pacman-dev