On 19/02/11 19:25, Pierre Schmitz wrote:
On Sat, 19 Feb 2011 17:35:21 +1000, Allan McRae wrote:
I will repeat myself again... Patches for pacman do bugger all for
getting signatures into Arch Linux repos. Patches for the Arch Linux
devtools/db-scripts packages are needed.
To be honest, I don't think it's worth to work on patches for devtools
dbscripts right now. I'd prefer to be pointed at some documents which
describe exactly the wrokflow to sign a package with makepkg, upload it,
add it to a db, update, replace and delete it.
>
Once there is a version of pacman which supports signed packages I can
start implementing these ideas.
All there is from a pacman point of view is this:
1) makepkg signs the package with the packagers key and creates a
detached signature
2) repo-add adds that key to the repo db
3) pacman has a local keyring to verify the package signatures against.
An addition is repo-add will verify its current signature and resign the
database after adding the package(s).
So for a start, we could have the commitpkg just uploading signature
files alongside packages. It could also be temporarily responsible for
signing the package until makepkg with signing support gets released, or
perhaps better that could be done by makechrootpkg...
And last but not least we need to think about key management which is
less technical but very important.
I think that is fairly separate to the pacman implementation. Getting
some sort of ultimate trust key (or equivalent) into the pacman keyring
is the most difficult part. Then a distro can provide a pacman-keyring
package signed by that key which will provide the developer keys. The
pacman-key tool (a useful wrapper to gpg) is then used to import those
keys into the pacman keyring. How the keys are signed in order to for a
useful web of trust is up to the distro.
Allan
