[pacman-dev] [package signing] repo-add and access to pacman keyring

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Tue Mar 1 10:10:47 EST 2011


On Tue, Mar 1, 2011 at 1:25 AM, Allan McRae <allan at archlinux.org> wrote:
> On 19/02/11 12:02, Denis A. Altoé Falqueto wrote:
>>
>> Hi,
>>
>> Well, it seems I'm busy lately, doesn't it? :)
>>
>> I was implementing the first TODO list for repo-add in (see
>> https://wiki.archlinux.org/index.php/User:Allan/Package_Signing) and
>> stuck in a point where I need some opinions on what to do.
>>
>> repo-add should verify if the signature is valid and if it is from
>> someone from a list of valid keys. I think that list should be
>> pacman's keyring, because it is the keyring the final user will use to
>> verify the signatures, right?
>>
>> So, repo-add needs read access to pacman's keyring, so the keyring
>> would need to be readable for anyone. gpg emits a warning when the
>> keyring dir and files have insecure permissions (any permissions for
>> group owner and other users). In my opinion, this could be ignored,
>> because pacman's keyring doesn't have any private information. Of
>> course, writing permissions should be granted only to root, the owner
>> of the keyring.
>>
>> After all, do you agree with my reasoning? Can we make pacman's
>> keyring readable for anyone?
>>
>
> The more I think about this, I am beginning to lean towards just leaving
> this at the moment.  I think we should wait for some actual usage of the
> signing system before we can decide exactly what to do here.   Once a
> workflow is figured out for when a distribution starts using this signing
> system, we will know when the repo db is being signed (in a central
> location, on the developers computer and then uploaded, etc) and by what key
> (repo master key, developers key) and then we can see where improvements can
> be made.
>
> So lets just skip that TODO item for now.
>
> Allan
>
>

I came to the same conclusion yesterday. Thanks for the reply :)

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------


More information about the pacman-dev mailing list