On 24/12/21 01:30, Jeremy Huntwork wrote:
> On Thu, Dec 23, 2021 at 10:14 AM Jeremy Huntwork <[email protected]> wrote:
> The reason I don't see it as being a problem for me is that my intent
> is to release authoritative packages from one source, a CI/CD pipeline
> that is triggered off of the main repository. Validation and trust of
> humans that are allowed to push to that repository and trigger
> official releases can be handled via other mechanisms. Community
> repositories might have slightly different requirements, but my
> expectation is that every repository used could have one official
> public key.
> I suppose if I did have a reason for supporting multiple keys, those
> would all have to be shipped/installed together and then pacman could
> loop through them until one of them validates the sig. asignify is
> fast enough, though, because of the methods and algorithms it uses
> (blake2), that I don't really see that as an issue either.
I'm not a fan of the idea that if a user has a handful of non-distro
repositories configured, every package signature would need to be checked
against multiple keys until one passed. Is there no way of identifying
the correct signing key from the signature file?
Allan
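Allan's question above is whether a signature can name its own key. The signify and minisign formats answer it by storing a random 8-byte key ID in the public key and copying it into every signature made with that key, so a verifier looks the key up by ID and runs a single verification instead of trying each installed key in turn. The program below is an added example written for this page, not code from pacman or asignify; it models that layout (key ID followed by an Ed25519 signature, leaving out the algorithm tag the real formats also carry) in Go, chosen because its standard library ships Ed25519. The Key and Keyring types, the error names and the sample package contents are inventions for the illustration, and whether asignify's own signature format carries such an ID is not something this thread settles.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// keyIDLen: size of the random key tag that signify/minisign put in both
// the public key and every signature. It is a lookup handle, not a hash.
const keyIDLen = 8

type KeyID [keyIDLen]byte

// Key is a hypothetical signing key pair carrying its ID (example type).
type Key struct {
	ID   KeyID
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// GenerateKey makes a fresh Ed25519 key pair and a random 8-byte ID.
func GenerateKey() (*Key, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	k := &Key{Pub: pub, priv: priv}
	if _, err := rand.Read(k.ID[:]); err != nil {
		return nil, err
	}
	return k, nil
}

// Sign emits keyID || ed25519-signature: the ID is what lets a verifier
// pick the right public key without trial verification.
func (k *Key) Sign(msg []byte) []byte {
	sig := make([]byte, 0, keyIDLen+ed25519.SignatureSize)
	sig = append(sig, k.ID[:]...)
	return append(sig, ed25519.Sign(k.priv, msg)...)
}

// Keyring holds one trusted public key per configured repository.
type Keyring map[KeyID]ed25519.PublicKey

func (r Keyring) Add(k *Key) { r[k.ID] = k.Pub }

var (
	ErrMalformed  = errors.New("signature has the wrong length")
	ErrUnknownKey = errors.New("signature names a key not in the keyring")
	ErrBadSig     = errors.New("signature does not verify under the named key")
)

// Verify reads the ID out of the signature, looks that key up, and does
// exactly one Ed25519 verification however many keys are installed. A
// signature from a key the user never installed is rejected up front.
func (r Keyring) Verify(msg, sig []byte) (KeyID, error) {
	var id KeyID
	if len(sig) != keyIDLen+ed25519.SignatureSize {
		return id, ErrMalformed
	}
	copy(id[:], sig[:keyIDLen])
	pub, ok := r[id]
	if !ok {
		return id, ErrUnknownKey
	}
	if !ed25519.Verify(pub, msg, sig[keyIDLen:]) {
		return id, ErrBadSig
	}
	return id, nil
}

// VerifyByTrial is the loop-until-one-validates approach from the thread,
// kept for comparison. It reports whether any key verified and how many
// Ed25519 verifications it had to run to find out.
func (r Keyring) VerifyByTrial(msg, sig []byte) (ok bool, checks int) {
	if len(sig) != keyIDLen+ed25519.SignatureSize {
		return false, 0
	}
	for _, pub := range r {
		checks++
		if ed25519.Verify(pub, msg, sig[keyIDLen:]) {
			return true, checks
		}
	}
	return false, checks
}

func main() {
	ring := Keyring{}
	var repoKey *Key
	for i := 0; i < 5; i++ { // five configured repositories, one key each
		k, err := GenerateKey()
		if err != nil {
			panic(err)
		}
		ring.Add(k)
		if i == 3 {
			repoKey = k
		}
	}
	pkg := []byte("constructed sample package contents") // constructed input
	sig := repoKey.Sign(pkg)
	id, err := ring.Verify(pkg, sig)
	fmt.Printf("by id:    key %x err=%v (1 verification)\n", id, err)
	ok, n := ring.VerifyByTrial(pkg, sig)
	fmt.Printf("by trial: ok=%v after %d verifications\n", ok, n)
}
```

The ID lookup is the whole point: with the ID in the signature, a keyring with many repository keys costs one verification per package, and a package signed by a key the user never installed fails before any signature math runs. Without it, the trial loop verifies once per installed key and, for an unknown key, has to exhaust all of them before it can say no.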