On Sun, Aug 20, 2023 at 03:31:41PM +1000, Allan McRae wrote:
> The answer is a solid maybe... Even leaning towards yes here!  Questions to
> answer first:
> 
> 1) would we allow mixed signature verification.  e.g. some repos use GPG and
> others use openssh?  Or some repos using both?

I think pacman should have the capability to check repos using both; I
don't see how else we could support a distribution migrating from one
signature scheme to another (re-signing all packages at once seems
impractical).
I think the decision of which scheme to allow should be left to
configuration, either as a global setting in pacman.conf or as a per
repo one.

> 
> 2) What do we need to add to package entries in repos so that pacman knows
> the signature file to download.

I would not differentiate signature files depending on the scheme used,
and just reuse the same structure (a .sig file).
I see two possible ways if we do that:
- detect the scheme used then verify signature (probably better error
  messages)
- try to verify the signature with all allowed schemes (simpler)

> Our current assumptions are very GPG based...

Do you mean just the filename of the signature or also other things?

> 3) What will be our criteria for including additional signature verification
> methods?  openssh seems a good option for me, but we have had people request
> one of the other new signing variants.

I would say the criteria should be that a new method brings something
more or better compared to those already existing in pacman. That's a
bit vague though; it would probably be on a case-by-case basis.

You're talking of minisign and signify, I suppose?

-- 
Max Gautier
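The "detect the scheme used, then verify" option discussed in the reply above, as an added illustration that is not pacman's code and was not posted by either author: a Python sketch that classifies a detached .sig by its leading bytes (SSH armor carrying the SSHSIG preamble, OpenPGP armor, or a binary OpenPGP signature packet), then builds the matching verifier command and refuses schemes a repo's configuration does not allow, so the user gets a precise error instead of a generic failure. The allowed_signers path, signer principal and namespace are assumed placeholder config values.

```python
import base64
from typing import Optional

# Constructed sample .sig contents, just enough header to classify (not real signatures).
SSH_SIG_SAMPLE = (b"-----BEGIN SSH SIGNATURE-----\n"
                  + base64.b64encode(b"SSHSIG" + b"\x00" * 16)
                  + b"\n-----END SSH SIGNATURE-----\n")
PGP_BINARY_SAMPLE = b"\x89\x01\x33\x04\x00\x01\x08\x00"   # old-format packet header, tag 2
PGP_ARMOR_SAMPLE = b"-----BEGIN PGP SIGNATURE-----\n\nabcd\n-----END PGP SIGNATURE-----\n"
GARBAGE_SAMPLE = b"not a signature at all"


def _openpgp_tag(first: int) -> Optional[int]:
    """Packet tag from the first byte of a binary OpenPGP packet (RFC 4880 4.2), or None."""
    if not first & 0x80:            # bit 7 is set on every packet header
        return None
    if first & 0x40:                # new-format header: tag in the low 6 bits
        return first & 0x3F
    return (first >> 2) & 0x0F      # old-format header: tag in bits 5..2


def detect_scheme(sig: bytes) -> str:
    """Classify a detached .sig blob as 'openssh', 'gpg' or 'unknown' from its leading bytes."""
    if sig.startswith(b"-----BEGIN SSH SIGNATURE-----"):
        body = sig.split(b"\n", 1)[1].split(b"-----END", 1)[0]
        try:
            blob = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:          # binascii.Error is a ValueError
            return "unknown"
        return "openssh" if blob.startswith(b"SSHSIG") else "unknown"  # SSHSIG magic preamble
    if sig.startswith(b"-----BEGIN PGP SIGNATURE-----"):
        return "gpg"
    if sig and _openpgp_tag(sig[0]) == 2:                               # tag 2 = signature packet
        return "gpg"
    return "unknown"


def verify_command(sig: bytes, pkg_path: str, sig_path: str, allowed: tuple,
                   allowed_signers: str = "/etc/pacman.d/allowed_signers",   # hypothetical path
                   signer: str = "repo@example", namespace: str = "pacman"): # hypothetical values
    """Return (argv, stdin_path) for the verifier matching the .sig, honouring allowed schemes.

    ssh-keygen -Y verify reads the signed data on stdin, hence the separate stdin_path.
    """
    scheme = detect_scheme(sig)
    if scheme == "unknown":
        raise ValueError(f"{sig_path}: unrecognised signature format")
    if scheme not in allowed:
        raise ValueError(f"{sig_path}: {scheme} signature, but this repo allows only {allowed}")
    if scheme == "gpg":
        return ["gpg", "--verify", sig_path, pkg_path], None
    return (["ssh-keygen", "-Y", "verify", "-f", allowed_signers, "-I", signer,
             "-n", namespace, "-s", sig_path], pkg_path)
```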
