On 29/06/2026 17:25, Sean E. Russell wrote:
Hi,
Hey!
I maintain a handfull of packages in AUR -- most of which I'm also the upstream author of -- and with all the recent hubub have been thinking about improving the trustability of those packages. I hadn't before really looked into signing since that seems mostly the domain of the core repositories and specifically signed _built_ packages (ignoring `-bin` packages in AUR for the moment).
AUR contains PKGBUILDs, not packages, so you could sign your commits, and users could verify those with e.g., git verify-commit. But the same is true for a malicious actor.
It occurs to me that my signature is going to have the most value to diligent checkers if it's signed by one of the trusted keys in `archlinux-keyring`, which of course leads me to wonder: is there a documented process for non-core contributors to get their keys signed? Arch Linux key signing parties, or something?
I think this is a bad idea.
There's a lot of discussion going on about a longer-term response to the supply chain attacks, and I'm sure a lot more less-visible discussion among the core team. In the meantime, I'd like to improve the trustability of the packages I maintain. I don't want to lose the enormous value AUR provides small (less popular) software developers and, ultimately, Arch users.
Bad actors can also use cryptography to sign their malicious payloads. You are trying to solve a trust issue with cryptography alone, and that will not work.
I think the best you can do is build a good reputation around your public key, your commits in AUR, get other developers that you meet in person to sign your public key (and publish those signatures), etc., etc.
But again, this is also something that a malicious actor can do. And a really patient one can do this for years, building trust until the right moment.
Probably more people will have more (and better) arguments that me, but digital signatures alone cannot solve the problem you mention here.
-- Iyán Méndez Veiga GPG Key: 204C 461F BA8C 81D1 0327 E647 422E 3694 311E 5AC1
OpenPGP_signature.asc
Description: OpenPGP digital signature
