[pacman-dev] GPG remote signing

Kerrick Staley mail at kerrickstaley.com
Mon Jun 13 17:17:07 EDT 2011


On Mon, Jun 13, 2011 at 10:08 AM, Dan McGee <dpmcgee at gmail.com> wrote:
> Not to bust your enthusiasm, but I had researched all of this and more
> before writing my original email. It even included the final
> suggestion of signing the hash of the file because the two things
> can't be separated (and won't be done anytime soon by the upstream
> devs). I looked at the agent as the best possibility for this very
> reason.
>
> I also want to make clear as it seems you have taken Denis' word as
> the gospel here when he mentioned signing package databases. Not a
> word of what I wrote when starting this thread implied databases, so I
> apologize for that if it did. Those are no issue at all- they are
> small enough that we could easily work out a solution similar to what
> Denis proposed, so we need no remote signing capability at all with
> those. The only thing I was looking for in this thread was a solution
> for packages that are too unwieldy to schlep back and forth for the
> sole reason of signing; things like game data, Sage Mathematics
> packages, OpenOffice, etc. if they were built on a remote machine.
>
> It's also nice to link to the full thread if you're going to
> cross-post one snippet:
> http://lists.gnupg.org/pipermail/gnupg-users/2011-June/042068.html

OK, sorry. I just made a guess as to what you were talking about,
since you never transcribed the original conversation or made clear
what you were referring to. Anyway, I second Denis's suggestion of
always signing the hash rather than the original file. Like I
mentioned, any scheme where the signing is done on the server means
that keys will get compromised if the main server gets hacked.

-Kerrick Staley
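The sign-the-digest workflow discussed above, as an added shell example that is not from this thread or from pacman itself: the build host ships only a SHA-256 digest, the signing host signs that digest with a key that never sees the package, and the client recomputes the digest before checking the detached signature. It assumes gpg and sha256sum are available; the key name, file names and the throwaway keyring are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): sign the digest of a large package
# rather than the package, so only 64 hex characters travel to the host
# holding the private key. Uses a temporary GNUPGHOME and a constructed
# sample "package"; key name and file names are assumptions.
set -eu

# Build host side: hash the package and hand over only the digest.
hash_package() {            # $1 = package path -> prints hex digest
    sha256sum "$1" | cut -d' ' -f1
}

# Signing host side: detached-sign the digest text; the key never touches
# the package bytes, so a compromised build host cannot reach the key.
sign_digest() {             # $1 = digest, $2 = output signature path
    printf '%s\n' "$1" | gpg --batch --yes --detach-sign --armor -o "$2"
}

# Client side: recompute the digest from the downloaded package and verify
# that the detached signature covers exactly that digest.
# Returns 0 on success, non-zero if the digest or signature does not match.
verify_package() {          # $1 = package path, $2 = signature path
    digest=$(hash_package "$1")
    printf '%s\n' "$digest" | gpg --batch --verify "$2" - >/dev/null 2>&1
}

# Self-contained demo: throwaway keyring, constructed 1 MiB package,
# one honest verification and one after tampering with the package.
# Returns 0 only if the intact package verifies and the tampered one fails.
demo_hash_signing() {
    tmp=$(mktemp -d); export GNUPGHOME="$tmp/gnupg"; mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'demo@example.invalid' default default never >/dev/null 2>&1
    pkg="$tmp/game-data-1.0-1.pkg.tar.xz"      # constructed sample package
    head -c 1048576 /dev/urandom > "$pkg"
    sign_digest "$(hash_package "$pkg")" "$tmp/pkg.sig"
    verify_package "$pkg" "$tmp/pkg.sig" && good=0 || good=$?
    printf 'x' >> "$pkg"                       # tamper after signing
    verify_package "$pkg" "$tmp/pkg.sig" && bad=0 || bad=$?
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}
```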


More information about the pacman-dev mailing list