[pacman-dev] [ Package Signing ] Your signature please

Allan McRae allan at archlinux.org
Sun Feb 20 07:02:16 EST 2011


On 20/02/11 21:47, Daniel Mendler wrote:
> Hi Allan
>
>> As far as I am concerned, the major points on the TODO list that need
>> patches are the first five for pacman:
>>
>> TODO: fix (and refactor) reading signatures for packages installed with -U
>> TODO: have a way to force a signature check with -U (i.e. abort if no
>> signature is found)
>> TODO: only replace old database when signature is valid
>> TODO: output when downloading signature file - name when downloaded
>> TODO: output when downloading signature file - "error" when not available
>
> I have a patch for the third point. Can you please clarify the last two
> points? Do you think the output is too verbose (two download progress
> bars with the same name etc, and two error messages in case of error)?
>

Some examples of what those last two points cover:

1)
VerifySig = Always, valid signature:
:: Synchronizing package databases...
  pacman                    1.0K  381.6K/s 00:00:00 [######################] 100%
  pacman                    0.3K   14.4M/s 00:00:00 [######################] 100%
  kernel64                  1.5K   42.2M/s 00:00:00 [######################] 100%

Two download bars with the same name - the second should be something 
like pacman.sig

2)
VerifySig = Always, no signature available:
:: Synchronizing package databases...
  pacman                    1.0K  317.1K/s 00:00:00 [######################] 100%
error: failed retrieving file 'pacman.db.sig' from disk : No such file or directory
error: Failed to download signature for db: No such file or directory
error: failed to update pacman (invalid PGP signature)
  kernel64                  1.5K   55.1M/s 00:00:00 [######################] 100%

The error messages need to be reduced to a possibly single, clear message

3)
VerifySig = Optional, no signature available:
:: Synchronizing package databases...
  pacman                    1.0K  363.2K/s 00:00:00 [######################] 100%
error: failed retrieving file 'pacman.db.sig' from disk : No such file or directory
  kernel64                  1.5K   30.5M/s 00:00:00 [######################] 100%

That is not an actual error as signature checking is optional
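
The three cases above, together with the TODO item "only replace old database when signature is valid", written as a single decision function. This is an added example, not part of the original message and not pacman or libalpm code; every identifier, the "not available" message wording, and the choice to reject a present but invalid signature even when checking is optional are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* All names here are hypothetical; this is not pacman or libalpm code. */
enum verify_level { VERIFY_OPTIONAL, VERIFY_ALWAYS };
enum sig_state { SIG_MISSING, SIG_VALID, SIG_INVALID };

struct sync_result {
    int replace_db;    /* 1: the new database may replace the old one */
    int is_error;      /* 1: message is an error shown to the user */
    char message[192]; /* at most one message per database */
};

/* Name shown for the signature download, distinct from the database itself. */
int sig_label(const char *repo, char *out, size_t n)
{
    int len = snprintf(out, n, "%s.db.sig", repo);
    return (len > 0 && (size_t)len < n) ? 0 : -1;
}

struct sync_result decide_sync(const char *repo, enum verify_level level,
                               enum sig_state sig)
{
    struct sync_result r = { 0, 0, "" };
    char label[64];

    if (sig_label(repo, label, sizeof label) != 0) {
        r.is_error = 1;
        snprintf(r.message, sizeof r.message, "error: repository name too long");
    } else if (sig == SIG_VALID) {
        r.replace_db = 1;
    } else if (sig == SIG_INVALID) {
        /* Assumption: a present but bad signature is fatal at both levels. */
        r.is_error = 1;
        snprintf(r.message, sizeof r.message,
                 "error: failed to update %s (invalid PGP signature)", repo);
    } else if (level == VERIFY_ALWAYS) {
        /* Case 2: one message instead of three. */
        r.is_error = 1;
        snprintf(r.message, sizeof r.message,
                 "error: failed to update %s (signature '%s' not available)",
                 repo, label);
    } else {
        /* Case 3: a missing signature is not an error when optional. */
        r.replace_db = 1;
    }
    return r;
}
```

The old database is kept whenever `replace_db` is 0, so a missing signature under Always or an invalid one under either level leaves the previously verified copy in place.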



