Package signing




Hello, 

The idea is to implement package signing for Arch similar to rpm GPG package 
signing. Short description follows.

Use case for developers:
1. Dev builds the package with e.g. a "-sign" switch.
2. Dev enters passphrase.
3. makepkg builds the package and creates detached signature (now we 
have 2 files *.tar.xz and *.sig).
4. The two files together are distributed to the repos as a package with 
signature.

Package installation:
Pacman additionally downloads the signature file and verifies 
the package. 

Problems: 
1. Where to store the package signature file? 
It is more convenient and logical to keep the package as a single file. RPM 
packages use a binary format and the signatures are stored inside.
2. GPG key sharing. 
RPM-based distros like Fedora and RHL use a single key for signing all their 
stable packages, but I think their build system is centralised. Is it safe to 
share one key among all package developers?
3..

Implementation:
1. Add package verification support in libalpm (using gpgme or the gpg executable 
as rpm does).
2. Add package signing in makepkg script
3. Patch pacman, add an option to turn package signing on or off.
4. Add support for signed package distribution if needed (see Problems #1)
5. Include Arch public pgp key in /etc/pacman.d/..(??)

Discussion about this and also about other ways for package signing (md5, ...) is 
welcome! 

-- 
Alekss
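The developer and installation flows sketched in the post (build, detached signature beside the package, verification on install), as an added shell example that is not code from the original post or from pacman/makepkg. It assumes GnuPG 2.x (gpg, gpgconf) on PATH, generates a throwaway keyring instead of using any real packager key, and stands in for makepkg output with a constructed tarball. The installation-side check pins the expected key fingerprint, because gpg --verify alone exits 0 for a good signature from any key in the keyring:

```shell
#!/bin/sh
# Added example (not from the original post or from pacman/makepkg):
# detached GPG signing of a built package, and verification that checks
# for a signature from one expected key rather than from "any valid key".
# Assumes: gpg (GnuPG 2.x) on PATH; a throwaway keyring is generated here.

set -eu

# Create a throwaway GnuPG home with a single signing key. Sets GNUPGHOME
# and SIGNING_KEY_FPR for the caller; the fingerprint is what the installer
# side pins to (the analogue of the Arch public key shipped under /etc/pacman.d/).
setup_signing_env() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # Unattended key generation. The key is unprotected only because this
    # is a throwaway demo keyring; a real packager key carries a passphrase.
    cat >"$GNUPGHOME/params" <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Packager
Name-Email: packager@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --batch --no-tty --quiet --gen-key "$GNUPGHOME/params" 2>/dev/null
    SIGNING_KEY_FPR=$(gpg --batch --no-tty --with-colons --list-secret-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }')
}

# Developer step 3: the built package plus a detached signature,
# giving <pkg> and <pkg>.sig side by side.
sign_pkg() {
    pkg=$1
    gpg --batch --no-tty --yes --detach-sign --output "$pkg.sig" "$pkg" 2>/dev/null
}

# Installation-side check. gpg --verify returns 0 for a good signature from
# ANY key in the keyring, so the machine-readable status output is parsed for
# a VALIDSIG line carrying the fingerprint the installer is configured to trust.
verify_pkg() {
    pkg=$1
    expected_fpr=$2
    status=$(gpg --batch --no-tty --status-fd 1 --verify "$pkg.sig" "$pkg" 2>/dev/null) || return 1
    case "$status" in
        *"[GNUPG:] VALIDSIG $expected_fpr "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed stand-in for makepkg output: a tarball of one file. The
# compression used is irrelevant to the signature, which covers the bytes as-is.
make_sample_pkg() {
    dir=$(mktemp -d)
    echo "hello from the package" >"$dir/payload"
    tar -C "$dir" -cf - payload | gzip >"$dir/demo-1.0-1-any.pkg.tar.gz"
    echo "$dir/demo-1.0-1-any.pkg.tar.gz"
}

# Stop the agent gpg started for the throwaway keyring and remove it.
teardown_signing_env() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

demo() {
    setup_signing_env
    pkg=$(make_sample_pkg)
    sign_pkg "$pkg"
    if verify_pkg "$pkg" "$SIGNING_KEY_FPR"; then
        echo "good signature from $SIGNING_KEY_FPR"
    fi
    # Tamper with the package after signing: verification must now fail.
    printf 'x' >>"$pkg"
    if ! verify_pkg "$pkg" "$SIGNING_KEY_FPR"; then
        echo "tampered package rejected"
    fi
    teardown_signing_env
}

if command -v gpg >/dev/null 2>&1; then
    demo
fi
```

Pinning the fingerprint is what turns "a valid OpenPGP signature exists" into "this package was signed by the key the distribution publishes"; it is also the point where problem #2 in the post bites, since every developer whose key the installer pins can produce a package that passes this check.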

