On Sun, 30 Nov 2008 01:20:13 +0100, Gerhard Brauer <gerhard.brauer@xxxxxx> wrote:

> On Sat, 29 Nov 2008 17:24:19 -0600, "Aaron Griffin" <aaronmgriffin@xxxxxxxxx> wrote:
> >
> > All we'd need is to patch repo-add to include signature data in the
> > DB. To do this properly, signatures should be uploaded with the
> > package itself, from the packager's machine... hmmm
>
> In the starting mail on arch-dev-public Pierre attached a quick patch
> and download script that I have tested with my own repo. This works
> in such a way that a database file modified in any way does not get
> installed as new data during -Syu when the signature could not be
> verified. No new database -> no new packages.

I think I misunderstood Aaron's part. He mentioned that repo-add should also add the "signature data" to the DB. Maybe we don't need special data to verify a package against a valid signature.

We could sign a package inline, which means the tar.gz is enveloped by a signature (default --sign option). After/during verifying, the tar.gz could be separated from the signature with --output. The disadvantage of this method is maybe that the package archive could not be used directly without verifying it.

On the other side, we sign with --detach-sign, which provides a .sig file related to the signed pkg.tar.gz. Upload (and pacman download) then must handle two files.

Database signature entries: Maybe we could use existing fields to get the proper key id from the public keyring to verify. Email or packager data. But this could only be done when a package is always and only signed by its maintainer - and AFAIK we have situations where one developer builds packages for another. So you're right: the key id or fingerprint of the actual developer/packager/signer must be stored in the database file to get the proper key id.

Regards
Gerhard
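As an added example (not code from this thread, nor from pacman or repo-add), the --detach-sign workflow discussed above run end to end in a throwaway keyring: a constructed key signs a constructed package, verification yields the signer's fingerprint, that fingerprint is recorded next to the package name in a constructed db file as the mail proposes, and a modified package is shown to fail verification. It assumes GnuPG 2.x is installed; the key, package and db file are all constructed here.

```shell
# Added example (not code from the thread or from pacman/repo-add); assumes GnuPG 2.x.
# Detached-signs a constructed package, verifies it, records the signer fingerprint
# in a constructed db line (as the mail proposes), and shows a tampered package failing.
set -eu

# Unprotected demo key in a throwaway keyring, never the user's own.
make_demo_key() {
    gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Demo Packager
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF
}

# --detach-sign, as discussed in the mail: writes pkg.tar.gz.sig, archive untouched.
sign_package() {  # $1 = package path
    gpg --batch --yes --quiet --detach-sign --output "$1.sig" "$1" 2>/dev/null
}

# Verify and print the signer's fingerprint (field 3 of the VALIDSIG status line);
# prints nothing and returns 1 when the signature does not verify.
signer_fingerprint() {  # $1 = package path, $2 = signature path
    fpr=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
          | awk '/^\[GNUPG:\] VALIDSIG/ { print $3 }')
    [ -n "$fpr" ] || return 1
    printf '%s\n' "$fpr"
}

run_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "skipped: gpg not installed"; return 0; }
    work=$(mktemp -d); GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    make_demo_key
    pkg="$work/demo-1.0-1.pkg.tar.gz"            # constructed stand-in package
    printf 'constructed package payload\n' > "$pkg"   # contents do not matter for signing
    sign_package "$pkg"
    fpr=$(signer_fingerprint "$pkg" "$pkg.sig")
    printf '%s %s\n' "$(basename "$pkg")" "$fpr" > "$work/demo.db"   # db entry: name + signer
    printf 'x' >> "$pkg"                          # simulate a modified package
    if signer_fingerprint "$pkg" "$pkg.sig" >/dev/null; then result="tamper-missed"
    else result="verified-and-tamper-detected"; fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$result"
}
run_demo
```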