Interest in other signature libs/tools?

Allan McRae allan at archlinux.org
Fri Dec 24 04:34:45 UTC 2021


On 24/12/21 01:30, Jeremy Huntwork wrote:
> On Thu, Dec 23, 2021 at 10:14 AM Jeremy Huntwork <jeremy at merelinux.org> wrote:
>> The reason I don't see it as being a problem for me is that my intent
>> is to release authoritative packages from one source, a CI/CD pipeline
>> that is triggered off of the main repository. Validation and trust of
>> humans that are allowed to push to that repository and trigger
>> official releases can be handled via other mechanisms. Community
>> repositories might have slightly different requirements, but my
>> expectation is that every repository used could have one official
>> public key.
> 
> I suppose if I did have a reason for supporting multiple keys, those
> would all have to be shipped/installed together and then pacman could
> loop through them until one of them validates the sig. asignify is
> fast enough though because of its methods and algorithms used (blake2)
> that I don't really see that as an issue either.

I'm not a fan of the idea that if a user has a handful of non-distro 
repositories configured, every package signature would need to be checked 
against multiple keys until one passed.  Is there no way of identifying 
the correct signing key from the signature file?

Allan
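An added example (not code from this thread, pacman or asignify) of the distinction the question turns on: a constructed detached-signature record that carries a fingerprint of the signing key, so the verifier selects one key from its keyring instead of looping through every configured key. Ed25519 and SHA-256 from Go's standard library are assumptions standing in for whatever a real format would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// keyID: short fingerprint of a public key. Assumption: SHA-256 stands in for
// blake2 (named in the thread) only because it is in Go's standard library.
func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return fmt.Sprintf("%x", sum[:8])
}

// Signature is a constructed detached-signature record: the raw Ed25519
// signature plus the fingerprint of the key that produced it.
type Signature struct {
	KeyID string
	Sig   []byte
}
func Sign(priv ed25519.PrivateKey, pkg []byte) Signature {
	return Signature{KeyID: keyID(priv.Public().(ed25519.PublicKey)), Sig: ed25519.Sign(priv, pkg)}
}

// Keyring: one trusted public key per configured repository, by fingerprint.
type Keyring map[string]ed25519.PublicKey
func (k Keyring) Add(pub ed25519.PublicKey) { k[keyID(pub)] = pub }

// VerifyByID picks the key named in the record: one lookup and one signature
// check however many repositories are configured; unknown fingerprints fail early.
func VerifyByID(k Keyring, pkg []byte, s Signature) error {
	pub, ok := k[s.KeyID]
	if !ok {
		return fmt.Errorf("unknown signing key %s", s.KeyID)
	}
	if !ed25519.Verify(pub, pkg, s.Sig) {
		return fmt.Errorf("bad signature from key %s", s.KeyID)
	}
	return nil
}

// VerifyByTrial is the loop the thread objects to: no identifier, so every configured key is tried.
func VerifyByTrial(k Keyring, pkg []byte, sig []byte) (string, int, error) {
	tried := 0
	for id, pub := range k {
		tried++
		if ed25519.Verify(pub, pkg, sig) {
			return id, tried, nil
		}
	}
	return "", tried, fmt.Errorf("no configured key verifies this signature")
}
```

With the fingerprint in the record, a signature from a key the user never imported is rejected before any signature check runs; without it, the trial loop performs one verification per configured key before it can say the same.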
