On 2026-06-29 08:25:48 (-0700), Sean E. Russell wrote:
> Hi,
> 
> I maintain a handfull of packages in AUR -- most of which I'm also the 
> upstream
> author of -- and with all the recent hubub have been thinking about improving
> the trustability of those packages. I hadn't before really looked into signing
> since that seems mostly the domain of the core repositories and specifically
> signed _built_ packages (ignoring `-bin` packages in AUR for the moment).
> 
> It occurs to me that my signature is going to have the most value to diligent
> checkers if it's signed by one of the trusted keys in `archlinux-keyring`, 
> which
> of course leads me to wonder: is there a documented process for non-core
> contributors to get their keys signed? Arch Linux key signing parties, or
> something?
> 
> There's a lot of discussion going on about a longer-term response to the 
> supply
> chain attacks, and I'm sure a lot more less-visible discussion among the core
> team. In the meantime, I'd like to improve the trustability of the packages I
> maintain. I don't want to lose the enormous value AUR provides small (less
> popular) software developers and, ultimately, Arch users.
> 
> --- SER   
> Sean E. Russell (https://ser1.net)   
> OpMsg: https://ser1.net/.well-known/opmsg.txt    
> GPG key: https://ser1.net/.well-known/pgp.asc    
> Minisign: https://ser1.net/.well-known/minisign.pub   
> Age: age195vpft7nzsy83medxagqqsge0lrcuf9txe3z2znlu2wsk69cdu4sx8nfvp

Hi Sean,

it is useful and valuable to have OpenPGP signatures for the payloads (e.g. your
git tags or tarballs) from which you are building a package with a PKGBUILD.
However, it is a separate concern to have OpenPGP signatures for the packages
that you provide in a custom/unofficial package repository for users of Arch
Linux (even though you specifically may be using the same OpenPGP private key).

This is a complex topic, also for us and the upstreams we are dealing with as
a distribution.
A while back, we attempted to summarize our best practices and requirements
in [RFC0046].

With pacman we are tied to gnupg and a single, system-wide keyring in the custom
GnuPG format.
With it, we are not able to distinguish what artifact type (e.g. package files,
installation media, repository metadata) a signature created by an OpenPGP
private key should be used for and in what context (e.g. core repository, extra
repository, custom repository) it is supposed to be valid in.

In the context of the work on [alpm] we have also worked on [voa], which is a
generic approach to bringing more context into the verification of artifacts
using digital signatures.
We have also written a [blogpost] about it, that illustrates the use for e.g.
custom package repositories.

Now, this is not going to directly help you with your question, however, it
demonstrates a way forward to a future in which we will hopefully become more
flexible with regards to the cryptographic technology in use and have more
fine-grained control over which type of artifact is supposed to be validated
with signatures created by specific cryptographic entities.

In case you do try it out, I'd be happy to receive your feedback :)

To summarize: It would not make sense to use the distribution keyring in its
current form for what you are describing.

Best,
David

[RFC0046]: https://rfc.archlinux.page/0046-upstream-package-sources/
[alpm]: https://alpm.archlinux.page
[voa]: https://voa.archlinux.page
[blogpost]: 
https://devblog.archlinux.page/2026/verify-arch-linux-artifacts-using-voa-openpgp/

-- 
https://sleepmap.de

Attachment: signature.asc
Description: PGP signature

Reply via email to