On Mon, Jun 2, 2008 at 6:46 PM, Geoffroy Carrier <[EMAIL PROTECTED]> wrote: > Excerpts from Geoffroy Carrier's message of Tue Jun 03 01:25:31 +0200 2008: >> Keyring in pacman.conf, --keyring in pacman, >> support for this option in libalpm and pacman. > > Now that I have a keyring, I'd like to start using it :) > > Three options here: > - Include tons of code from gpg in pacman :) > Of course not the good move... > - Use gpgme > This library will rely on gnupg. Not the good move IMHO. > - use popen/fork and exec* > That's basically git's behaviour. > We might wanna know gnupg's path somehow ;) > Do we want to rely on the shell or use another XferCommand-like to > get it? I'd rather use the first solution. > Anyway, it's pretty easy to check the signature then: Just send the > binary key to gpg --keyring $keyringfile --no-default-keyring \ > --verify - $pkgfilename > and except it to return 0. > > We have to think about the default interaction. > It would be easy to sign all packages as the first step, so excepting > signed packages for the first pacman release including GPG support seems > fair to me. I think asking confirmation from the user in case packages > are not signed, like apt tools do. > > BTW, thanks toofishes for base64's support. Please contact me on XMPP > so that we can share stuff between our repos. My "not-so-experimental, > at least things compile" branch is available on > http://github.com/gcarrier/pacman/commits/pacgpg > but I might not update it on a regular basis.
FYI for you (Geoffroy) and everyone- I just pushed my gpg branch to toofishes.net, so it is now available there for fetching. This is a combination of Geoffroy and I's patches to try to get GPG support into our tools (makepkg, repo-add, and eventually libalpm/pacman). Please let me know if you see any issues with this branch. -Dan _______________________________________________ pacman-dev mailing list [email protected] http://archlinux.org/mailman/listinfo/pacman-dev
