Hi,

Probably you have noticed that in some random cases syncpkgd fails to build a package if the FrugalBuild has a signatures() array [and not a sha1sums() one]. This is because currently we do not store the public key of upstream, we just download it when necessary.
While this seemed to be a nice solution, it turns out that it has two major problems:

1) We just check if the package has been signed; in case an attacker signs the source we accept it as well without any warning.

2) Real offline builds are not possible, since we need access to the keyserver at build time.

A solution would be to store upstream's key, and I don't think that is too hard:

1) Get the key id:

   $ gpg --verify pacman-tools-0.7.2.tar.gz.asc pacman-tools-0.7.2.tar.gz
   gpg: Signature made Sun May 14 02:38:36 2006 CEST using DSA key ID 20F55619
   gpg: Can't check signature: public key not found

2) Download the key:

   $ gpg --recv-keys 20F55619
   gpg: requesting key 20F55619 from hkp server subkeys.pgp.net
   gpg: key 20F55619: public key "Frugalware Linux Archives Verification Key <[email protected]>" imported
   gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
   gpg: depth: 0  valid:   3  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 3u
   gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
   gpg: next trustdb check due at 2037-11-01
   gpg: Total number processed: 1
   gpg:               imported: 1

3) Export the key to $pkgname.key:

   $ gpg --export -a 20F55619 > pacman-tools.key

4) Add it to git:

   $ git add pacman-tools.key

   (next to the FrugalBuild and the pacman-tools.install file, if there is any).

Now makepkg can do this:

   # import the key shipped next to the FrugalBuild, if there is one
   if [ -f $pkgname.key ]; then
       gpg --import $pkgname.key
   fi
   gpg --verify pacman-tools-0.7.2.tar.gz.asc pacman-tools-0.7.2.tar.gz

What do you think about this?
_______________________________________________ Frugalware-devel mailing list [email protected] http://frugalware.org/mailman/listinfo/frugalware-devel
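An added example, not the post's snippet and not Frugalware's makepkg code, that takes the proposal one step further: the key file shipped next to the FrugalBuild is imported into a throw-away keyring (so nothing from the builder's ~/.gnupg or a keyserver can satisfy the check, and the build stays offline), and the signature is accepted only if gpg's VALIDSIG status line names the pinned fingerprint. The post's first problem is exactly that "signed" is not the same as "signed by upstream"; comparing the fingerprint is what closes that gap. The function names (verify_pinned, demo), the pkg.key file, the expected-fingerprint value and the tarball contents are all assumptions constructed for the example. It assumes gpg 2.1 or newer (for --quick-generate-key and --pinentry-mode) and a POSIX sh with mktemp(1).

```shell
#!/bin/sh
# Added example, not Frugalware's makepkg code. Assumes gpg 2.1+ and a POSIX
# sh with mktemp(1). All names, keys and file contents below are constructed.

# verify_pinned TARBALL SIGFILE KEYFILE EXPECTED_FPR
# Succeeds only if SIGFILE is a good detached signature over TARBALL made by
# a key from KEYFILE whose signing-key or primary-key fingerprint equals
# EXPECTED_FPR. KEYFILE is imported into a temporary GNUPGHOME so that the
# builder's own keyring and any keyserver play no part in the decision.
verify_pinned() {
    tarball=$1 sig=$2 keyfile=$3 want=$4
    tmphome=$(mktemp -d) || return 1
    chmod 700 "$tmphome"
    rc=1
    if gpg --homedir "$tmphome" --batch --quiet --import "$keyfile" 2>/dev/null; then
        # --status-fd 1 emits machine-readable lines; a VALIDSIG line carries the
        # signing key's fingerprint in field 3 and the primary key's in the last.
        status=$(gpg --homedir "$tmphome" --batch --status-fd 1 \
                     --verify "$sig" "$tarball" 2>/dev/null) || true
        signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
        primary=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
        if [ -n "$signer" ] && { [ "$signer" = "$want" ] || [ "$primary" = "$want" ]; }; then
            rc=0
        fi
    fi
    rm -rf "$tmphome"
    return $rc
}

# demo: constructed fixture. An "upstream" key and an "attacker" key each sign
# the same fake tarball; BOTH public keys are written into pkg.key (as if an
# attacker's key had crept into the shipped key file), and only upstream's
# fingerprint is pinned. The upstream signature must pass, the attacker's must
# fail even though it is a perfectly valid OpenPGP signature by a known key.
demo() {
    work=$(mktemp -d) || return 1
    printf 'constructed tarball contents\n' > "$work/pkg-1.0.tar.gz"
    for who in upstream attacker; do
        mkdir -m 700 "$work/$who"
        gpg --homedir "$work/$who" --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$who <$who@example.invalid>" default default never \
            2>/dev/null || { rm -rf "$work"; return 1; }
        gpg --homedir "$work/$who" --batch --quiet --pinentry-mode loopback --passphrase '' \
            --armor --output "$work/$who.asc" --detach-sign "$work/pkg-1.0.tar.gz" \
            2>/dev/null || { rm -rf "$work"; return 1; }
        # the file that would be committed next to the FrugalBuild
        gpg --homedir "$work/$who" --batch --armor --export >> "$work/pkg.key"
    done
    # the value a packager would record alongside the key file (first fpr line
    # of the colon listing is the primary key's fingerprint)
    fpr=$(gpg --homedir "$work/upstream" --batch --with-colons --fingerprint |
          awk -F: '$1 == "fpr" { print $10; exit }')
    good=0 bad=0
    verify_pinned "$work/pkg-1.0.tar.gz" "$work/upstream.asc" "$work/pkg.key" "$fpr" && good=1
    verify_pinned "$work/pkg-1.0.tar.gz" "$work/attacker.asc" "$work/pkg.key" "$fpr" && bad=1
    rm -rf "$work"
    [ "$good" = 1 ] && [ "$bad" = 0 ]
}

# Run the demo when gpg is available; prints "pinned verification: ok" on success.
command -v gpg >/dev/null 2>&1 && demo && echo "pinned verification: ok"
```

In a real build script the expected fingerprint would be a variable in the FrugalBuild next to signatures(), and the key file is the $pkgname.key proposed above; with both committed, no --recv-keys is needed at build time, and an imported-but-unexpected key (the post's "attacker signs the source" case) is rejected rather than silently accepted.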
