[pacman-dev] GPG remote signing

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Fri Jun 10 21:20:45 EDT 2011

On Fri, Jun 10, 2011 at 7:45 PM, Dan McGee <dpmcgee at gmail.com> wrote:
> Thoughts? Other ideas? Things I'm forgetting? I'll withhold my
> preference of option for now to prevent biasing any comments; the
> above should not be seen as order of preference.

I've had the following idea since when I started to help, but never
really tested it. I did it now and it worked. What do you think?

High lever explanation:

1. grab a remote lock by creating a lock directory
2. if previous command succeeded
    2.1. locally, scp the repository db file from the remote machine
to the local one
    2.2. sign the file locally
    2.3. send the signature back to remote
    2.4. release the lock

Test implementation:


host="some remote host"
lock="name of lock directory"
filetosign="full path of remote file to sign"

ssh "$host" "mkdir $lock" || res=$?
if [[ -z $res ]] ; then
    scp "$host":"$filetosign" "${localfile}"
    gpg --detach-sign "${localfile}"
    scp "${localfile}".sig "${host}":"${filetosign}".sig
    ssh "${host}" "rmdir ${lock}"

I've tested it here and it signed a file from my own machine through
ssh. It had lots of password typing, but that's because I don't use
public key authentication (I don't even start ssh automatically :))

A: Because it obfuscates the reading.
Q: Why is top posting so bad?

Denis A. Altoe Falqueto
Linux user #524555

More information about the pacman-dev mailing list