On 03.11.2013 02:32, Allan McRae wrote:
> On 03/11/13 11:19, Allan McRae wrote:
>> Add function to sign repo database. Enabling signing requires setting
>> SIGN_DB to true and adding the key ID to DB_KEY. The DB_KEY is restricted
>> from signing package files.
>>
>> Signed-off-by: Allan McRae <[email protected]>
>> ---
>
> GPG does not have a concept of some keys being valid for some tasks.
> So pacman can not have this concept without implementing a complete hack
> or requiring two separate keyrings (one for databases and one for
> packages). Both of these are not going to happen, so we need to deal
> with restricting key usage in dbscripts.
>
> The idea here is that someone creates a repo signing key and all master
> keys sign it. Then a subkey is created and put on nymeria. If we have
> issues, the subkey is revoked and a new subkey is created.
>
> Note that the patch assumes the db key will be added to nymeria's pacman
> keyring which is located in the default location.
>
> Allan
I don't see how this could work. If you sign a package using that key,
pacman will happily accept it as valid. So if nymeria gets compromised,
the attacker obtains a valid packager key. Imho implementing db sigs this
way is less secure than not implementing it at all.

Greetings,

Pierre

-- 
Pierre Schmitz, https://pierre-schmitz.com
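The two points argued in this exchange can be checked directly with a throwaway GnuPG home. The script below is an added example written for this page; it is not code from dbscripts, pacman, or either poster. It assumes gpg 2.1 or later in PATH (for --quick-generate-key and --pinentry-mode loopback) and uses constructed stand-ins for the repo db key, a database file and a package archive. It first shows that a signature from the "database-only" key verifies just as well on a package file (Pierre's objection: gpg has no notion of what a key may sign), and then that the only built-in restriction available is the one Allan mentions, keeping the key out of the keyring consulted for package verification.

```shell
#!/bin/sh
# Added example, not from the thread or from pacman/dbscripts.
# Requires gpg >= 2.1. Everything happens in a temporary GNUPGHOME.
set -u

# Prints one summary line:
#   db-sig:<ok|rejected> pkg-sig:<ok|rejected> packager-keyring:<accepted|rejected>
# or "gpg-missing" / "keygen-failed" when the demo cannot run on this host.
sign_and_verify_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg-missing"; return 0; }

    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    # Constructed stand-in for the repo db signing (sub)key that would sit on nymeria.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Repo DB key (example) <db@example.invalid>' default default never \
        >/dev/null 2>&1 || { rm -rf "$work"; echo "keygen-failed"; return 0; }

    # Constructed files standing in for a repo database and a package archive.
    printf 'constructed repo database\n' > "$work/core.db"
    printf 'constructed package archive\n' > "$work/foo-1.0-1-x86_64.pkg.tar.xz"

    # Sign both with the same key; gpg does not care what the file is.
    gpg --batch --quiet --detach-sign --output "$work/core.db.sig" "$work/core.db"
    gpg --batch --quiet --detach-sign --output "$work/foo.sig" \
        "$work/foo-1.0-1-x86_64.pkg.tar.xz"

    # Point 1: verification only asks "good signature from a key in the keyring?".
    # A key accepted for databases is therefore accepted for packages too.
    db=rejected
    pkg=rejected
    gpg --batch --quiet --verify "$work/core.db.sig" "$work/core.db" \
        >/dev/null 2>&1 && db=ok
    gpg --batch --quiet --verify "$work/foo.sig" "$work/foo-1.0-1-x86_64.pkg.tar.xz" \
        >/dev/null 2>&1 && pkg=ok

    # Point 2: the only way gpg itself can restrict the key is a separate keyring
    # for package verification that does not contain it (constructed here as an
    # empty OpenPGP keyring file). The same package signature is then rejected.
    : > "$work/packagers.gpg"
    pkgring=accepted
    gpg --batch --quiet --no-default-keyring --keyring "$work/packagers.gpg" \
        --verify "$work/foo.sig" "$work/foo-1.0-1-x86_64.pkg.tar.xz" \
        >/dev/null 2>&1 || pkgring=rejected

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "db-sig:$db pkg-sig:$pkg packager-keyring:$pkgring"
}

sign_and_verify_demo
```

Run as-is; the expected line is `db-sig:ok pkg-sig:ok packager-keyring:rejected`. The first two fields are the problem with a single shared keyring, the third is what the two-keyring setup would buy, at the cost Allan describes of pacman having to know which keyring applies to which kind of file.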
