[pacman-dev] GPG remote signing

Kerrick Staley mail at kerrickstaley.com
Sun Jun 12 04:23:52 EDT 2011


On Fri, Jun 10, 2011 at 5:45 PM, Dan McGee <dpmcgee at gmail.com> wrote:
> I've done a fair amount of research on what we might be able to do
> with this during the afternoon here. Some observations below. This is
> mainly addressing point four in Thomas' prior email
> (http://mailman.archlinux.org/mailman/private/arch-dev/2011-May/014193.html).
Could you please explain what the situation is? I do not have access
to the arch-dev archives. In particular, what do you mean by "location
A" and "location B"?

You want developers to be able to sign databases without copying them
to their local machines, correct? I vote for (4), then. (1) provides
complete security against an attacker with access to the main server,
but it may be hassling. (2), (3), and (4) ultimately don't provide any
security against an attacker with access to the main server (at least
until the attack is discovered), but with (2) and (3) keys will need
to be revoked after an attack (the developer's and the server's,
respectively), whereas with (4) nothing will have to be done (except
secure the server). Also, an attack against (4) would probably be
harder to mount for the attacker and easier to notice for the
developers.

It seems there will be a locking issue as Denis mentions, but I don't
fully understand the problem, so I can't say.

-Kerrick Staley

By the way, an (overdue) disclaimer: I'm just an idiot with no formal
background in cryptographic systems, so I don't necessarily know what
I'm talking about.
