Hi,

I maintain the AUR package for wget2 [0] (which has `validpgpkeys`
populated) and have recently been contacted by a user who has trouble
with GPG signature verification when building the package in a Docker
container (using aurutils apparently). Their first suggestion was for me
to drop the validpgpkeys section to make it easier for them to build the
package. This is not something I'm willing to implement as that means
downgrading security for other users of the package. makepkg provides an
escape hatch for users who don't care about signature verification via
the `--skippgpcheck` flag.

Their second suggestion was for me to add the GPG public keys directly
to AUR package. My first thought was that this is also not a good idea,
but I'm not sure I can come up with convincing arguments. My reason
against it is that the PGP key allows for a user of my PKGBUILD to
verify that I only include sources which have been signed by the
maintainer of the software. As packager, I can control the source and
hashes for a package, so if I want to use a malicious source, I can just
update the hash to match, but I can't easily change the upstream signing
key. However, if the user relies on the key included with the package,
then I could use my own malicious key, so the user should compare the
key with upstream sources anyway.

On the other hand retrieving keys from the keyservers can be a
crapshoot. I certainly have been bitten by that brittle infrastructure
in the past, and having a copy of the key can alleviate that. That also
seems to be the reason why Arch proper has started including copies of GPG
keys with their packages (see for example glibc [1]). This has been
codified in RFC0011 [2] and is managed via the `export-pkgbuild-keys`
script included in devtools. There doesn't seem to be any discussion of
downsides of this approach in the RFC and accompanying Merge Request.
Users who wish to make sure that the GPG keys used are the ones
published by upstream can always ignore the included key files and grab
the keys directly from the keyservers.

Do you think including GPG keys with AUR packages to make it easier for
some users is a good idea? Or should they just use `--skippgpcheck`? Are
there any glaring issues I'm missing here? Do you know of AUR packages
that include the GPG keys for source verification similar to what Arch
packages do?

[0]: https://aur.archlinux.org/packages/wget2
[1]: https://gitlab.archlinux.org/archlinux/packaging/packages/glibc/-/tree/2.39-1/keys/pgp
[2]: https://rfc.archlinux.page/0011-store-source-signing-keys/

Cheers, Wilhelm.
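A check for the "compare the key with upstream" step above, as an added example that is not part of this post or of makepkg: it reads an ASCII-armored key file such as those shipped under keys/pgp/, computes the primary key's fingerprint with a minimal RFC 4880 parser (so no gpg is needed) and compares it against a fingerprint list obtained independently. The validpgpkeys parsing and the sample key are constructed assumptions.

```python
# Added example (not from the post): check that a key file shipped with a PKGBUILD has a
# fingerprint the user trusts; the trusted list should come from an independent source.
import base64, hashlib, re

def dearmor(text):
    """Strip ASCII armor (header lines, blank line, CRC '=xxxx' line) to raw packets."""
    body = text.strip().splitlines()[1:-1]          # drop BEGIN/END lines
    if "" in body:                                   # armor headers end at a blank line
        body = body[body.index("") + 1:]
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def packets(data):
    """Yield (tag, body) for each packet; old- and new-format headers, no partial lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                               # new-format packet header
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192: length = first
            elif first < 224: length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255: length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else: raise ValueError("partial body lengths not supported")
        else:                                        # old-format packet header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3: raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[i:i + (1 << ltype)], "big"); i += 1 << ltype
        yield tag, data[i:i + length]; i += length

def primary_fingerprint(armored):
    """RFC 4880 12.2: SHA-1 over 0x99, 2-byte length and the v4 public-key packet body."""
    for tag, body in packets(dearmor(armored)):
        if tag == 6 and body[0] == 4:                # tag 6 = primary public key (14 = subkey)
            return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
    raise ValueError("no v4 public-key packet found")

def validpgpkeys(pkgbuild):
    """Fingerprints in a PKGBUILD's validpgpkeys=(...) array (assumed simple, unquoted or quoted)."""
    m = re.search(r"validpgpkeys=\(([^)]*)\)", pkgbuild)
    return {f.strip("'\"").upper() for f in m.group(1).split()} if m else set()

def shipped_key_is_trusted(armored, trusted):
    """True only if the shipped key's primary fingerprint is in the independently obtained list."""
    return primary_fingerprint(armored) in trusted

def constructed_sample_key():
    """Constructed test data, NOT a real key: v4 RSA public-key packet with tiny placeholder MPIs."""
    def mpi(x): return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + (1700000000).to_bytes(4, "big") + b"\x01" + mpi(0x9234) + mpi(65537)
    packet = bytes([0x98, len(body)]) + body         # old-format header: tag 6, one-byte length
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(packet).decode()
            + "\n=c0de\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Feed it the fingerprint published by upstream rather than the one from the same PKGBUILD, otherwise the check only proves the packager's key matches the packager's list.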
