[pacman-dev] [PATCH] Add per-repo PinnedPubKey option

Travis Burtrum travis.archlinux at burtrum.org
Tue Nov 1 13:44:03 UTC 2016

On 10/31/2016 05:24 PM, Daniel Micay wrote:
> Perhaps Pacman should just learn to respect HPKP? It's actually
> supported by wget now, take a look at ~/.wget-hsts. Pacman could have a
> similar file in the sync database directory. Then it just kicks in after
> the first connection and as long as Pacman keeps accessing that mirror
> it will keep updating the date. It could work quite well since we don't
> support not upgrading for long periods of time.

Those are 2 different things though, wget supports HSTS, not HPKP,
though pinning public keys is part of HPKP.  I plan eventually to write
HPKP support for curl/wget, but that's a pretty ambitious project I
don't have time for right now.

However, with as often as pacman pushes the mirrorlist, it could include
just a hard-coded set of hashes for TLS servers.  Or a simple script
generates and installs them for those who care.

More information about the pacman-dev mailing list