[pacman-dev] package signing for pacman
Shaun Kluzek
g0del at bigpond.com
Sun Jul 24 23:03:29 EDT 2011

Hi, my name is Shaun Kluzek. I have been using Linux now for about a
decade and have spent the last two years using Arch Linux and previously
using Gentoo. I studied computer science in Melbourne, Australia at RMIT
University and program well in C.

After reading "The real story behind Arch Linux package signing" by Dan
McGee, I headed over to Allan McRae's TODO list for package signing, and
spotted the pacman signature verification. Acting upon this, I built the
gpgme documentation from the texi files and have spent the last two days
reading and understanding it (GNU don't make this very easy). As a
result, I have successfully written a small C program that verifies a
detached ASCII-armored signature with its accompanying file against
users in your keyring. The code at this stage is test code and very
messy; however, it loads in a detached sig, say signed.asc, then loads in
the signed file somefile and then verifies it, giving the validation
back in a bit vector. The code needs to be rewritten and split into some
nice functions. I have obtained the pacman source code from git and had a
brief look through it just prior to writing the libgpgme stuff. Once
tidied up (into functions and descriptive error output) I don't think it
would be much problem adding it into pacman. How should I proceed?

Shaun Kluzek
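
Added example, not part of the original post and not the author's test program: one way a caller could turn the validation bit vector described above into a fail-closed accept/reject decision. It assumes the bit vector is gpgme's signature summary (`gpgme_sigsum_t`); the bit values are copied from `gpgme.h` so the block builds without gpgme, and the verdict enum and function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Bit values mirror gpgme_sigsum_t in gpgme.h (assumed to be the post's
 * "bit vector"); redefined here so the example builds without gpgme. */
enum {
    SUM_VALID = 0x0001, SUM_GREEN = 0x0002, SUM_RED = 0x0004,
    SUM_KEY_REVOKED = 0x0010, SUM_KEY_EXPIRED = 0x0020,
    SUM_SIG_EXPIRED = 0x0040, SUM_KEY_MISSING = 0x0080,
    SUM_SYS_ERROR = 0x0800
};

/* Hypothetical verdicts for a package manager; not pacman's own enum. */
typedef enum { PKG_ACCEPT, PKG_UNSIGNED, PKG_UNKNOWN_KEY, PKG_STALE_KEY,
               PKG_UNTRUSTED, PKG_BAD_SIG, PKG_ERROR } pkg_verdict;

/* Classify one summary, testing every failure bit before the VALID bit. */
static pkg_verdict classify_summary(unsigned int s)
{
    if (s & SUM_SYS_ERROR)   return PKG_ERROR;
    if (s & SUM_RED)         return PKG_BAD_SIG;
    if (s & SUM_KEY_MISSING) return PKG_UNKNOWN_KEY;
    if (s & (SUM_KEY_REVOKED | SUM_KEY_EXPIRED | SUM_SIG_EXPIRED))
        return PKG_STALE_KEY;
    /* No failure bit but no VALID bit either (a summary of 0): the
     * signature is not confirmed valid, so fail closed. */
    return (s & SUM_VALID) ? PKG_ACCEPT : PKG_UNTRUSTED;
}

/* Zero signatures is a rejection, and the first signature that is not
 * acceptable decides the verdict for the whole file. */
pkg_verdict verify_policy(const unsigned int *summaries, size_t n)
{
    if (summaries == NULL || n == 0) return PKG_UNSIGNED;
    for (size_t i = 0; i < n; i++) {
        pkg_verdict v = classify_summary(summaries[i]);
        if (v != PKG_ACCEPT) return v;
    }
    return PKG_ACCEPT;
}

int main(void)
{
    /* Constructed summaries, not output captured from gpgme. */
    unsigned int good[]  = { SUM_VALID | SUM_GREEN };
    unsigned int mixed[] = { SUM_VALID | SUM_GREEN, SUM_RED };
    printf("%d %d\n", verify_policy(good, 1), verify_policy(mixed, 2));
    return 0;
}
```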