[pacman-dev] GPG remote signing

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Mon Jun 13 12:41:20 EDT 2011 

On Mon, Jun 13, 2011 at 12:08 PM, Dan McGee <dpmcgee at gmail.com> wrote:
> I also want to make clear as it seems you have taken Denis' word as
> the gospel here when he mentioned signing package databases. Not a
> word of what I wrote when starting this thread implied databases, so I
> apologize for that if it did. Those are no issue at all- they are
> small enough that we could easily work out a solution similar to what
> Denis proposed, so we need no remote singing capability at all with
> those. The only thing I was looking for in this thread was a solution
> for packages that are too unweildy to schlep back and forth for the
> sole reason of signing; things like game data, Sage Mathematics
> packages, OpenOffice, etc. if they were built on a remote machine.

I really messed up the subject of my previous email.  Whenever we
discussed about remote signing, it was in the context of database
signing, so I've took that for granted. I was even intrigued by the
fact that you were writing about that in pacman-dev, instead in
arch-general, so I really messed up big time. Sorry for that.

I'm a little afraid to suggest this, but here we go. Maybe a simpler
approach would be to sign only hashes. That way, pacman would always
calculate the hash (it already does that for file corruption
verification) and see if the signature validates the calculated hash.
Makepkg could be updated to calculate a hash and sign it.

Pro: unified handling of files and signatures.

Con 1: a more convoluted solution, needing some considerable
reimplementations and testing.

Con 2: it would make harder using gpg directly, as one need to
calculate the hash with the correct algorithm before verifing the
signature. But this would happen if your original 3) or 4) option is
used.

But, in the end, it would make easier signing big packages that are
built remotely... I'm not very comfortable with my suggestion but I'm
doing anyway for the sake of discussion.

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------

More information about the pacman-dev mailing list