[pacman-dev] [ Package Signing ] Your signature please
Allan McRae
allan at archlinux.org
Sat Feb 19 09:09:35 EST 2011
On 19/02/11 19:25, Pierre Schmitz wrote:
> On Sat, 19 Feb 2011 17:35:21 +1000, Allan McRae wrote:
>> I will repeat myself again... Patches for pacman do bugger all for
>> getting signatures into Arch Linux repos. Patches for the Arch Linux
>> devtools/db-scripts packages are needed.
>
> To be honest, I don't think it's worth working on patches for devtools
> dbscripts right now. I'd prefer to be pointed at some documents which
> describe exactly the workflow to sign a package with makepkg, upload it,
> add it to a db, update, replace and delete it.
>
> Once there is a version of pacman which supports signed packages I can
> start implementing these ideas.

All there is from a pacman point of view is this:

1) makepkg signs the package with the packager's key and creates a
   detached signature
2) repo-add adds that key to the repo db
3) pacman has a local keyring to verify the package signatures against.

An addition is that repo-add will verify its current signature and re-sign
the database after adding the package(s).

So for a start, we could have the commitpkg just uploading signature
files alongside packages. It could also be temporarily responsible for
signing the package until makepkg with signing support gets released, or
perhaps better that could be done by makechrootpkg...

> And last but not least we need to think about key management which is
> less technical but very important.

I think that is fairly separate to the pacman implementation. Getting
some sort of ultimate trust key (or equivalent) into the pacman keyring
is the most difficult part. Then a distro can provide a pacman-keyring
package signed by that key which will provide the developer keys. The
pacman-key tool (a useful wrapper to gpg) is then used to import those
keys into the pacman keyring. How the keys are signed in order to form a
useful web of trust is up to the distro.

Allan
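
The detached-signature and local-keyring steps from the message above, as a runnable sketch added here (not part of the original message and not pacman's or makepkg's code): plain gpg stands in for both tools, and the key identity, file names and the two GnuPG home directories are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added illustration. Key identity, file names and directories are constructed.

new_workspace() {
    WORK=$(mktemp -d)
    PACKAGER_HOME="$WORK/packager"     # stand-in for the packager's GnuPG home
    KEYRING_HOME="$WORK/keyring"       # stand-in for pacman's local keyring
    PKG="$WORK/example-1.0-1.pkg.tar"  # constructed stand-in for a built package
    mkdir -m 700 "$PACKAGER_HOME" "$KEYRING_HOME"
    printf 'constructed package payload\n' > "$PKG"
    # Passphrase-less throwaway key so the demo runs unattended.
    gpg --homedir "$PACKAGER_HOME" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        'Example Packager <packager@example.invalid>' default default never 2>/dev/null
}

# Step 1: sign the package with the packager's key, producing a detached signature.
sign_package() {
    gpg --homedir "$PACKAGER_HOME" --batch --yes --quiet \
        --output "$PKG.sig" --detach-sign "$PKG"
}

# Key distribution: the packager's public key enters the verifying keyring.
import_packager_key() {
    gpg --homedir "$PACKAGER_HOME" --batch --export |
        gpg --homedir "$KEYRING_HOME" --batch --quiet --import 2>/dev/null
}

# Step 3: verify the package using only the keys in the local keyring.
verify_package() {
    gpg --homedir "$KEYRING_HOME" --batch --verify "$PKG.sig" "$PKG" 2>/dev/null
}

outcome() { if verify_package; then echo accepted; else echo rejected; fi; }

demo() {
    new_workspace && sign_package || { echo "setup failed"; return 1; }
    echo "key not in keyring: $(outcome)"
    import_packager_key
    echo "key imported:       $(outcome)"
    printf 'tampered\n' >> "$PKG"      # modify the package after it was signed
    echo "package modified:   $(outcome)"
    gpgconf --homedir "$PACKAGER_HOME" --kill all 2>/dev/null
    gpgconf --homedir "$KEYRING_HOME" --kill all 2>/dev/null
    rm -rf "$WORK"
}

demo
```

gpg --verify exits 0 for any good signature made by a key present in the keyring, whatever trust is assigned to it, so deciding which keys enter the keyring is where the trust decision is made.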