[pacman-dev] package signing for pacman

Allan McRae allan at archlinux.org
Mon Jul 25 06:10:49 EDT 2011


On 25/07/11 13:03, Shaun Kluzek wrote:
> Hi, my name is Shaun Kluzek. I have been using Linux now for about a
> decade and have spent the last two years using Arch Linux and previously
> using Gentoo. I studied computer science in Melbourne, Australia at RMIT
> University and program well in C.
> After reading "The real story behind Arch Linux package signing" by Dan
> McGee, I headed over to Allan McRae's TODO list for package signing, and
> spotted the pacman signature verification. Acting upon this, I built the
> gpgme documentation from the texi files and have spent the last two days
> reading and understanding it (GNU don't make this very easy). As a
> result, I have successfully written a small C program that verifies a
> detached ASCII-armored signature with its accompanying file against
> users in your keyring. The code at this stage is test code and very
> messy; however, it loads in a detached sig, say signed.asc, then loads in
> the signed file somefile and then verifies it, giving the validation
> back in a bit vector. The code needs to be rewritten and split into some
> nice functions. I have obtained the pacman source code from git and had a
> brief look through it just prior to writing the libgpgme stuff. Once
> tidied up (into functions and descriptive error output) I don't think it
> would be much problem adding it into pacman. How should I proceed?


My suggestion would be to take a better look at what is currently in the 
pacman source code from git and have a read of the mailing list archives 
to get an idea of what is currently already done.  There has been 
substantial progress on implementing this that you appear to have 
overlooked.

Allan

