[arch-haskell] [haskell] & signing

Xyne xyne at archlinux.ca
Sat Oct 12 07:40:05 UTC 2013


Magnus Therning wrote:

> > Are there any plans to start signing [haskell] packages and databases?
> 
> Nothing concrete yet, no.  It's on my list of things to have a closer
> look at though, so any pointers to info would be of interest.

Creating the actual signatures is simple:

Method 1:
1) use makepkg's "sign" option to sign packages as you create them
2) create the database as usual
3) sign the database

Method 2:
1) build the packages as usual
2) batch sign them
3) create the database as usual
4) sign the database

The advantage of method 2 is that you will not be prompted for a passphrase for
every package. There may be a way to avoid that with makepkg, but I haven't
found it yet. I just wrote my own script to prompt me for the password, batch
sign the packages, create the database, and finally sign it.

The only thing that matters is that the detached signature files are in place
before you create the database, so that the database is aware of them.



Getting the necessary level of trust is another matter. For devs and TUs, we
need to get at least 3 of the Arch Linux master key signatures, but that is
only because users are expected to have trusted those keys.

If you do decide to make [haskell] independent and apply for official status as
I suggested in the other thread, then you should easily be able to get the
master key signatures (and you will probably get developer status too).

Otherwise, it is up to users to trust your key, which I think most users of
[haskell] would. I definitely would.



Here's the developer's wiki page about package signing:
https://wiki.archlinux.org/index.php/DeveloperWiki:Signing_Packages

You can ignore the CACert recommendation.
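Method 2 above written out as a POSIX sh script. This is an added example, not Xyne's own script from the post: it assumes KEYID is the fingerprint of the key users are expected to trust (placeholder below), that the built packages sit in one directory, and that gpg-agent caches the passphrase so only the first gpg call prompts. It refuses to run repo-add while any package still lacks its .sig, which is the ordering constraint noted above.

```shell
#!/bin/sh
# Batch-sign built packages, then create and sign the repository database
# (Method 2 above). Assumes gpg-agent caches the passphrase, so only the
# first gpg call prompts. KEYID is a placeholder: set it to the fingerprint
# of the key users are expected to trust.

KEYID="${KEYID:-REPLACE_WITH_YOUR_KEY_FINGERPRINT}"   # placeholder

# Print every package in $1 that has no detached signature beside it.
# repo-add only records signatures that exist when it runs, so this is
# the pre-flight check for "signatures in place before creating the db".
missing_sigs() {
    d=$1
    for pkg in "$d"/*.pkg.tar.*; do
        [ -e "$pkg" ] || continue              # no packages at all
        case $pkg in *.sig) continue ;; esac   # skip the signatures themselves
        [ -e "$pkg.sig" ] || printf '%s\n' "$pkg"
    done
}

# Create a detached signature for each package that still lacks one.
sign_packages() {
    missing_sigs "$1" | while IFS= read -r pkg; do
        gpg --detach-sign --local-user "$KEYID" "$pkg" </dev/null
    done
}

# Create the database from the signed packages, then sign the database.
# --sign makes repo-add sign the .db and .files archives; the package
# signatures are read from the .sig files produced by sign_packages.
build_repo() {
    dir=$1 reponame=$2
    if [ -n "$(missing_sigs "$dir")" ]; then
        echo "unsigned packages present; sign them before creating the database" >&2
        return 1
    fi
    (
        cd "$dir" || exit 1
        set --
        for pkg in ./*.pkg.tar.*; do
            case $pkg in *.sig) continue ;; esac   # never hand a .sig to repo-add
            set -- "$@" "$pkg"
        done
        repo-add --sign --key "$KEYID" "$reponame.db.tar.gz" "$@"
    )
}

# Usage: sign_packages /srv/repo/haskell && build_repo /srv/repo/haskell haskell
```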



