Interest in other signature libs/tools?

Allan McRae allan at archlinux.org
Thu Dec 23 14:53:24 UTC 2021


On 23/12/21 00:18, Jeremy Huntwork wrote:
> Hello,
> 
> I've been using pacman for a little while in Mere Linux
> (https://github.com/jhuntwork/merelinux). In trying to keep things
> simple, I sidestepped support for digital signatures for a while, but
> I'm now at a point where I'd like to include it. However, I'd prefer
> not to use gpgme and friends. I'd rather use a more modern and simpler
> library. I've been looking at things like minisign and signify.
> Recently I found https://github.com/vstakhov/asignify which snapped
> into pacman pretty easily and is pretty much exactly what I'm looking
> for.
> 
> At the moment I only have a pretty hacky patch to make it work, so
> nothing that is ready to share here. But I wanted to gauge if there is
> any interest in supporting different libraries/tools, or if I would
> need to maintain my own patch downstream.
> 
> Thanks much for your good work and any feedback you may have.

Going into this blind having not looked at the other signing 
libraries...  but if there are substantial benefits to moving to another 
library, we would likely consider it.  Assuming there is rough feature 
parity.

A skim of asignify indicates you would need to trust every key that 
signs a package, and not use a web-of-trust approach?  In fact, I don't 
see a way to assign trust to specific keys.  I could be wrong here.

Allan
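The trust model Allan is describing is a flat list of trusted public keys, keyed by a short key id, with nothing like GnuPG's web of trust to fall back on. The following Go program is an added illustration of that model and is not code from pacman, asignify, signify or minisign. The wire layout (2-byte algorithm tag, 8-byte key id, 64-byte Ed25519 signature, base64-encoded) is loosely modelled on the signify/minisign format; deriving the key id from the public key, the seed-based test keys and the package payload are all constructed for the example, and the real tools use a random key id stored with the key pair.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
)

// Layout loosely modelled on signify/minisign (an assumption for this example):
// base64( 2-byte algorithm tag || 8-byte key id || 64-byte Ed25519 signature ).
const algTag = "Ed"

// keyID is an 8-byte identifier. The real tools use a random id baked into
// the key pair; here it is derived from the public key so the example is
// deterministic (constructed for this example).
type keyID [8]byte

// trustStore is the whole trust model: a key is either trusted or unknown.
// There is no marginal trust and no web of trust to fall back on.
type trustStore map[keyID]ed25519.PublicKey

var (
	errMalformed    = errors.New("malformed signature")
	errUntrustedKey = errors.New("signing key is not in the trust store")
	errBadSig       = errors.New("signature does not verify")
)

// keyFromSeed builds a deterministic test key (constructed; never do this
// for real keys).
func keyFromSeed(seed byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
}

func pubOf(priv ed25519.PrivateKey) ed25519.PublicKey {
	return priv.Public().(ed25519.PublicKey)
}

func idOf(pub ed25519.PublicKey) keyID {
	var id keyID
	copy(id[:], pub[:8])
	return id
}

func newTrustStore(pubs ...ed25519.PublicKey) trustStore {
	ts := make(trustStore, len(pubs))
	for _, p := range pubs {
		ts[idOf(p)] = p
	}
	return ts
}

// sign produces the detached signature a package builder would ship next to
// the package file.
func sign(priv ed25519.PrivateKey, pkg []byte) string {
	id := idOf(pubOf(priv))
	raw := make([]byte, 0, 2+8+ed25519.SignatureSize)
	raw = append(raw, algTag...)
	raw = append(raw, id[:]...)
	raw = append(raw, ed25519.Sign(priv, pkg)...)
	return base64.StdEncoding.EncodeToString(raw)
}

// verify is what the package manager would run at install time. The key id
// is only a lookup hint: an unknown id is rejected outright, and a known id
// is still checked cryptographically against the stored public key.
func verify(ts trustStore, pkg []byte, sigB64 string) (keyID, error) {
	raw, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(raw) != 2+8+ed25519.SignatureSize || string(raw[:2]) != algTag {
		return keyID{}, errMalformed
	}
	var id keyID
	copy(id[:], raw[2:10])
	pub, ok := ts[id]
	if !ok {
		return id, errUntrustedKey
	}
	if !ed25519.Verify(pub, pkg, raw[10:]) {
		return id, errBadSig
	}
	return id, nil
}

func main() {
	maintainer, stranger := keyFromSeed(1), keyFromSeed(2)
	ts := newTrustStore(pubOf(maintainer))        // only the maintainer is trusted
	pkg := []byte("constructed package payload") // stands in for a package archive

	for _, c := range []struct {
		name string
		pkg  []byte
		sig  string
	}{
		{"trusted signer", pkg, sign(maintainer, pkg)},
		{"unknown signer", pkg, sign(stranger, pkg)},
		{"tampered package", []byte("modified payload"), sign(maintainer, pkg)},
	} {
		id, err := verify(ts, c.pkg, c.sig)
		fmt.Printf("%-17s key %x -> %v\n", c.name, id, err)
	}
}
```

The practical consequence for a distribution is visible in `newTrustStore`: every key that may sign a package has to be installed on the client up front, and key rotation or adding a new packager means shipping an updated trust store, since there is no signature chain by which an already-trusted key can vouch for a new one.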


More information about the pacman-dev mailing list