Re: Package signing




On 28.04.2010 19:18, Denis A. Altoé Falqueto wrote:
> I'm thinking about a two-way signing process. The dev signs the
> package and sends it to the server. The server would have a script or a
> cron job to verify if the signature is valid and is from someone
> trusted [1]. If so, the original signature is discarded and a new one
> is made, with an official Arch key.

If you do it that way you wouldn't have to sign the uploaded packages.

I'd publish a list of developers' keys and the user has to add and trust
(in GPG terms) those keys. If he trusts them, pacman installs packages
signed by those keys or keys that can be trusted because they have been
signed by them (GPG's web of trust). Otherwise, if the (untrusted) sig
can be verified, pacman could ask, and if the sig is broken it could abort.

If you do it that way you can also add URLs to binary packages to the
AUR and let pacman download them if you trust the sig.

C&C welcome.

-- 
Florian Pritz -- {flo,bluewind}@server-speed.net

Attachment: signature.asc
Description: OpenPGP digital signature
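
The install policy proposed in the message above, sketched as an added example that is not part of the original message and is not pacman or GnuPG code. It assumes a simplified trust model in which one certification from a directly trusted key is enough and trust is not extended further; the key ids, `SigCheck` and `decide` are hypothetical names.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    INSTALL = "install"
    ASK = "ask user"
    ABORT = "abort"


@dataclass(frozen=True)
class SigCheck:
    """Outcome of checking a package signature (constructed model)."""
    signer: str   # key id the signature claims to come from
    intact: bool  # False if the signature does not match the package


def key_is_trusted(key, trusted, certifications):
    """Trusted if the user trusts the key directly, or if at least one
    directly trusted key has certified (signed) it."""
    if key in trusted:
        return True
    return any(c in trusted for c in certifications.get(key, ()))


def decide(check, trusted, certifications):
    # A broken signature aborts first, whoever the claimed signer is;
    # otherwise a tampered package naming a trusted key would slip through.
    if not check.intact:
        return Decision.ABORT
    if key_is_trusted(check.signer, trusted, certifications):
        return Decision.INSTALL
    # Signature verifies, but the key is outside the user's trust set.
    return Decision.ASK


# Constructed sample data; all key ids are made up.
TRUSTED = {"DEV-A", "DEV-B"}
CERTIFICATIONS = {                 # key -> keys that have signed it
    "PACKAGER-C": {"DEV-A"},
    "STRANGER-D": {"STRANGER-E"},
    "PACKAGER-F": {"PACKAGER-C"},  # signed only by an indirectly trusted key
}

if __name__ == "__main__":
    for signer, intact in [("DEV-A", True), ("PACKAGER-C", True),
                           ("PACKAGER-F", True), ("STRANGER-D", True),
                           ("DEV-A", False)]:
        result = decide(SigCheck(signer, intact), TRUSTED, CERTIFICATIONS)
        print(f"{signer:11} intact={intact!s:5} -> {result.value}")
```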

