[arch-haskell] Package Signing

Magnus Therning magnus at therning.org
Sat Oct 12 07:40:21 UTC 2013


On Tue, Jul 24, 2012 at 11:19:54PM +0000, Xyne wrote:
> Magnus Therning wrote:
> 
>> On Tue, Jul 24, 2012 at 1:20 PM, Xyne <xyne at archlinux.ca> wrote:
>>> Hi Magnus,
>>>
>>> It's time to nag you again about package signing. I can give you a script to
>>> batch sign packages, run repo-add, then sign the generated repo with a single
>>> passphrase prompt. Obviously I don't know how well that fits with your current
>>> release method, but it should be possible to set something up that is minimally
>>> invasive and I'll gladly help if I can.
>> 
>> Good that you nag!
>> 
>> I'd love getting that script, and possibly hints on key
>> generation/storage/management/etc as well.
> 
> 
> I've put together a clean script using various code snippets that I have in my
> release scripts:
> 
> http://xyne.archlinux.ca/scripts/pacman/#repo-add_and_sign
> 
> Just ask if anything is unclear or if you think you've found a bug.
> If you need something customized to your build system, give me some
> details and I'll work on it.
[...]
> For key generation/etc, I would suggest generating a new key pair
> dedicated to package signing, but that's just a personal preference.
> You could just as well use the same key pair that you already use to
> sign your email. Management is not really any different either: keep
> the private key secure, have a revocation key ready, etc.

Correct me if I'm wrong in this assumption, but I need to have the
following three items available when running the script:

1. The newly-built package.
2. The repo database (x.db.tar.gz) I'm adding the package to.
3. The secret key.

This is a slight problem for me.  I build on kiwilight (where I'm not
alone in having root access), the database is on xsounds.org (where I
don't have root access at all), and to be fully comfortable I'd like
to keep the secret key and perform the signing on my own machine :-)

Is there some way to simply extract the actual data that is to be
signed (the hashes), and perform the actual signing manually?

(I've found a need for this sort of thing with other package managers
as well, especially RPM, but never found a way to do that.  I would
find it unfortunate if the pacman developers have painted themselves
into the same corner as the RPM developers.)

/M

-- 
Magnus Therning                      OpenPGP: 0xAB4DFBA4 
email: magnus at therning.org   jabber: magnus at therning.org
twitter: magthe               http://therning.org/magnus

I invented the term Object-Oriented, and I can tell you I did not have
C++ in mind.
     -- Alan Kay
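As an added example (not from this thread and not Xyne's repo-add_and_sign script), here is the detached OpenPGP signature step that repo-add and pacman rely on, split across hosts the way the question above describes: the signing host produces `<pkg>.sig`, the repository host only needs the public key to verify. It assumes GnuPG 2.x is on the PATH; the key identity and the package contents are constructed test data kept in a temporary GNUPGHOME so nothing touches a real keyring.

```shell
#!/bin/sh
# Added example: detached signing and verification of a package file with a
# throwaway key. Assumes GnuPG 2.x; the key and package payload are constructed.
set -eu

# Isolated keyring with a passphrase-less test key (never do this for a real
# signing key; here it only avoids a pinentry prompt in a non-interactive run).
make_test_keyring() {
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Package Signing Test <test@example.invalid>' \
        ed25519 sign 0 >/dev/null 2>&1
}

# Signing host: write a binary detached signature next to the package.
# <file>.sig is the name pacman and repo-add look for.
sign_package() {
    gpg --batch --quiet --detach-sign --output "$1.sig" "$1"
}

# Repository host: verify the signature against the package bytes.
# Echoes 0 for a good signature, 1 for anything else (gpg's exit status).
verify_package() {
    if gpg --batch --quiet --verify "$1.sig" "$1" 2>/dev/null; then
        echo 0
    else
        echo 1
    fi
}

demo() {
    make_test_keyring
    work="$(mktemp -d)"
    pkg="$work/example-1.0-1-any.pkg.tar.xz"   # constructed file name
    printf 'constructed package payload\n' > "$pkg"
    sign_package "$pkg"
    good="$(verify_package "$pkg")"
    # Any change to the bytes after signing must invalidate the signature,
    # which is why the signing host needs the whole file, not just a hash.
    printf 'tampered\n' >> "$pkg"
    bad="$(verify_package "$pkg")"
    echo "good=$good tampered=$bad"   # expect good=0 tampered=1
}
```

Run `demo` to see the good and tampered results; the same `sign_package` output can be uploaded alongside the package and checked with `repo-add -v` or by pacman on install.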