[arch-haskell] Package Signing

Xyne xyne at archlinux.ca
Sat Oct 12 07:40:19 UTC 2013


Magnus Therning wrote:

> On Tue, Jul 24, 2012 at 1:20 PM, Xyne <xyne at archlinux.ca> wrote:
> > Hi Magnus,
> >
> > It's time to nag you again about package signing. I can give you a script to
> > batch sign packages, run repo-add, then sign the generated repo with a single
> > passphrase prompt. Obviously I don't know how well that fits with your current
> > release method, but it should be possible to set something up that is minimally
> > invasive and I'll gladly help if I can.
> 
> Good that you nag!
> 
> I'd love getting that script, and possibly hints on key
> generation/storage/management/etc as well.


I've put together a clean script using various code snippets that I have in my
release scripts:

http://xyne.archlinux.ca/scripts/pacman/#repo-add_and_sign

Just ask if anything is unclear or if you think you've found a bug. If you need
something customized to your build system, give me some details and I'll work
on it.

I'm going to announce it on the forum too. If there's any interest, I'll
probably package it. If I do, the link will also change, so check the projects
page if the one above dies.


For key generation/etc, I would suggest generating a new key pair dedicated to
package signing, but that's just a personal preference. You could just as well
use the same key pair that you already use to sign your email. Management is not
really any different either: keep the private key secure, have a revocation key
ready, etc.

If you create a new key pair, upload the public one to e.g. pgp.mit.edu and
post the fingerprint in a few different places so users can verify it before
trusting it.

That's all I can think of for now.
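The workflow described in this thread (batch-sign the packages, run repo-add, sign the resulting database, plus the key-handling advice at the end), as an added shell example. This is not the script the mail links to and not Xyne's code; it assumes gpg and repo-add are in PATH, that gpg-agent caches the passphrase so only the first signature prompts, and that the hypothetical variable GPGKEY holds the signing key id. The `-nt` test is supported by bash and dash but is not strictly POSIX.

```shell
#!/bin/sh
# Added example (not the script linked in the mail): batch-sign package files,
# add them to the repository database with repo-add, sign the database, and
# verify every signature afterwards.
# Assumptions: gpg and repo-add are in PATH, gpg-agent caches the passphrase
# (so only the first signature prompts), and GPGKEY holds the signing key id.
set -eu

# Return 0 when $1 needs a (new) detached signature: the .sig file is missing
# or older than the package it is supposed to cover. A missing package never
# needs signing.
needs_sig() {
    pkg=$1
    [ -f "$pkg" ] || return 1
    [ ! -f "$pkg.sig" ] || [ "$pkg" -nt "$pkg.sig" ]
}

# Write a binary detached signature to $1.sig (pacman expects binary, not
# ASCII-armored, signatures). Any stale .sig is removed first.
sign_file() {
    rm -f "$1.sig"
    gpg --batch --yes --local-user "$GPGKEY" --detach-sign --output "$1.sig" "$1"
}

# Check a detached signature; a failure aborts the whole run because of set -e,
# so a broken signature never ends up in the published repo.
verify_file() {
    gpg --batch --verify "$1.sig" "$1" >/dev/null 2>&1
}

# sign_repo <repo.db.tar.gz> <package files...>
# Signs only what needs it, verifies each package, then lets repo-add create
# the database and sign it with the same key (--sign/--key), and verifies that.
sign_repo() {
    db=$1
    shift
    for pkg in "$@"; do
        if needs_sig "$pkg"; then
            sign_file "$pkg"
        fi
    done
    for pkg in "$@"; do
        verify_file "$pkg"
    done
    repo-add --sign --key "$GPGKEY" "$db" "$@"
    verify_file "$db"
}

# Key hygiene from the second half of the mail: keep a revocation certificate
# ready (store it offline), publish the public key, and print the fingerprint
# so it can be posted elsewhere for out-of-band verification.
make_revocation_cert() {
    gpg --output "$1" --gen-revoke "$GPGKEY"
}

publish_key() {
    gpg --keyserver "${KEYSERVER:-pgp.mit.edu}" --send-keys "$GPGKEY"
    gpg --fingerprint "$GPGKEY"
}

# Usage: GPGKEY=<key id> sh sign-repo.sh repo.db.tar.gz *.pkg.tar.xz
[ $# -eq 0 ] || sign_repo "$@"
```

Re-running the script is idempotent: packages whose `.sig` is already current are skipped, so a single new package costs one signature plus the database signature rather than a full re-sign of the repository.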
