[pacman-dev] [PATCH] Add per-repo PinnedPubKey option

Travis Burtrum travis.archlinux at burtrum.org
Tue Nov 1 19:25:21 UTC 2016


On 11/01/2016 03:00 PM, Daniel Micay wrote:
> We don't know how mirrors manage their HTTPS keys unless they use HPKP,
> so what good is pinning them manually? It'll eventually fail, and you
> can't know if it's an attack or they replaced the certificate.

Replacing certificates can, but doesn't need to, change the public key,
and with this all you are trusting is the public key.

Yes, pinned public keys could not and should not be distributed with the
mirrorlist unless you can get promises from the individual https mirrors
that they will not rotate their public keys without sufficient notice.

Again this is going to be generally only useful with a single or small
handful of mirrors that you trust specifically.  I wanted this because I
run my own private mirror and connect from untrusted networks sometimes,
some of which will attempt to mitm https connections.
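
The point above, that a certificate can be replaced without changing the public key a pin is checked against, shown as an added example; it is not part of the original message or the patch. It assumes the `openssl` CLI is installed, uses constructed certificates for a hypothetical `mirror.example`, and prints the pin in the `sha256//<base64>` form that curl's `--pinnedpubkey` accepts (that the patch's option takes this form is an assumption).

```shell
#!/bin/sh
# Added example. All keys and certificates are constructed locally;
# "mirror.example" is a hypothetical host name.

# Print the pin for the public key inside a PEM certificate, in the
# "sha256//<base64>" form accepted by curl's --pinnedpubkey.
spki_pin() {
    printf 'sha256//%s\n' "$(openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64 -A)"
}

# Print the SHA-256 fingerprint of the whole certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Create original.pem and renewed.pem (same key) and rekeyed.pem (new key) in $1.
make_demo_certs() {
    for k in key1 key2; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
            -out "$1/$k.pem" 2>/dev/null || return 1
    done
    openssl req -new -x509 -key "$1/key1.pem" -subj /CN=mirror.example \
        -days 30 -out "$1/original.pem" &&
    openssl req -new -x509 -key "$1/key1.pem" -subj /CN=mirror.example \
        -days 90 -out "$1/renewed.pem" &&
    openssl req -new -x509 -key "$1/key2.pem" -subj /CN=mirror.example \
        -days 90 -out "$1/rekeyed.pem"
}

# Succeed only if the certificate in $2 carries the pinned key $1.
pin_matches() {
    [ "$(spki_pin "$2")" = "$1" ]
}

# Pin the original certificate's key, then check all three certificates.
demo() {
    dir=$(mktemp -d) || return 1
    make_demo_certs "$dir" || return 1
    pin=$(spki_pin "$dir/original.pem")
    echo "pinned: $pin"
    for c in original renewed rekeyed; do
        if pin_matches "$pin" "$dir/$c.pem"; then r=accept; else r=reject; fi
        echo "$c: $r ($(cert_fingerprint "$dir/$c.pem"))"
    done
    rm -rf "$dir"
}
demo
```

The renewed certificate has a different fingerprint but is still accepted, while the rekeyed one is rejected, which is the failure case a pinned client cannot distinguish from interception without prior notice of the rotation.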

