On Tue, Aug 25, 2009 at 6:24 AM, Dan McGee <[email protected]> wrote:
> On Mon, Aug 24, 2009 at 6:19 PM, Dan McGee<[email protected]> wrote:
>> On Mon, Aug 24, 2009 at 5:28 PM, Xavier<[email protected]> wrote:
>>> On Tue, Aug 25, 2009 at 12:19 AM, Allan McRae<[email protected]> wrote:
>>>> Xavier wrote:
>>>>>
>>>>> Just to let you know that I resurrected the gpg branch there :
>>>>> http://code.toofishes.net/cgit/xavier/pacman.git/log/?h=gpg
>>>>>
>>>>> I took Dan's newgpg branch (with a few changes) :
>>>>> http://code.toofishes.net/cgit/dan/pacman.git/commit/?h=newgpg
>>>>> then merged the pending patches we had :
>>>>> http://archlinux.org/pipermail/pacman-dev/2008-December/007808.html
>>>>> http://archlinux.org/pipermail/pacman-dev/2008-December/007836.html
>>>>> http://archlinux.org/pipermail/pacman-dev/2008-December/007837.html
>>>>> and rebased it all on master.
>>>>>
>>>>> Actually I don't see what else needs to be done on the implementation
>>>>> side, it looks almost complete to me.
>>>>>
>>>>> Now the big remaining problem is everything related to key
>>>>> administration still needs to be figured out, and this is critical in
>>>>> terms of security.
>>>>> But it might not need additional tool support.
>>>>>
>>>>
>>>> So... how about we set up a small signed package repo somewhere and just
>>>> see how this all goes? We are not going to know all the issues until we
>>>> actually use it.
>>>>
>>>
>>> That's probably a good idea.
>>> I wish some people who actually knew how to use gnupg a bit could help
>>> though :)
>>
>> I did a whole lot of looking and working on this today while sitting
>> in the jury waiting room (and woo, I got picked to be on a jury, meh).
>> I've actually worked my way back through the original patches and am
>> about halfway through what Xavier has on his branch, and I've actually
>> added another 3 or 4 patches to the mix. I'll try to push the
>> "results" somewhere public tonight. I do feel the momentum on this
>> whole thing actually moving in the right direction, however, so that
>> is awesome.
>>
>> Hopefully I will be able to continue the patch processing and tidying
>> and keep looking at this throughout the week.
>
> Remember only half of the patches are there:
> http://code.toofishes.net/cgit/dan/pacman.git/log/?h=gpg

Soooooo...I finally started looking at this again more tonight. I have
my GPG base rebased, and I see Xavier did the same today as well.

My goal for tonight was to get a better idea of where to head with the
libalpm/pacman side of things, as I am not near as happy with that as
the tooling side of things. So I did some research, and this is our
"competition":
http://bazaar.launchpad.net/~ubuntu-core-dev/apt/ubuntu/annotate/head%3A/methods/gpgv.cc

And the code that calls that executable:
http://bazaar.launchpad.net/~ubuntu-core-dev/apt/ubuntu/annotate/head%3A/apt-pkg/indexcopy.cc

Quick notes:
* They don't use gpgme or any other wrapper; they call gpgv directly
* There is quite a bit of code here, but not an overwhelming amount;
  some might be reusable
* I don't believe they do signed packages, just signed repositories
* There is one trusted keyring involved

So some of the next steps:
* Get consensus on whether the script side of the signing stuff is in a
  good enough state. This is basically the first 5 patches on my 'gpg'
  branch. Does anyone want to raise any objections, suggestions, or
  have comments?
* Figure out where we want to move with pacman/libalpm support. I am
  feeling less inclined to use gpgme, but I don't really know what the
  right answer is yet. I'm hoping things from the above code will help.
* Actually implement the signature checking code.
* Refine the signature checking code.
* Get a test repo set up with signed packages and databases, most
  likely with something like pacman-git so we can all test it.

-Dan
