> - detached signature external to the package: the package will stay
>   unchanged and there'll be a new file for the signature.
> - detached signature internal to the package: makepkg would generate
>   a detached signature, but would tar the package and the signature into
>   a new file, so that both are always together (Debian and RPM based
>   distros do it that way). This would have a bigger impact on all developer
>   tools and pacman itself.
> - attached signature: the signature would contain the signed file,
>   and pgp would be used to extract the signed file. Just like the one
>   above, this would require lots of changes to the tools.
We have to choose so we can also effectively support unsigned packages. I think there is no reason to sign packages built locally using a PKGBUILD from the AUR or elsewhere - the weak point is the build script itself, and it is possible that some users will choose not to verify packages upon installation. So I think only the first two options are viable.

> I believe that these suggestions are feasible and will bring a new
> level of quality to Arch Linux. The gpg branch of pacman git
> repository of Allan is in a good position in relation to what I
> suggested above. One possible problem is that gpgme is not able to
> update a trustdb (or at least I couldn't find how). Maybe we'll have to
> use some script for that.
> -----
>
> Comments and criticism are very appreciated.

Nice research! Generally, this version is OK and I think it solves the package signing/verification functionality, but we should carefully study this further. Also we could try to find a solution for the problem where it is possible to install an old version of a signed package from the repo.

I have created a git repository from Allan's gpg branch: http://gitorious.org/pacman-pkgsig

-- 
Alekss
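The three layouts from the quoted list, exercised with plain gpg, as an added example that is not part of the thread and not makepkg or pacman code. It assumes gpg, tar, cmp and mktemp are on the PATH; the throwaway key, the package contents, the file names (`hello-1.0-1-any.pkg.tar`, `.sig`, `.signed`, `.gpg`) and the "required"/"optional" policy switch are all constructed for the demo. It also shows what the reply's unsigned-package case looks like at verification time: only the detached-external layout lets a tool decide per policy whether a package with no signature is acceptable, since the other two cannot exist without one.

```shell
#!/bin/sh
# Added example, not makepkg/pacman code: the three signature layouts from the
# quoted list, exercised with plain gpg in a throwaway GNUPGHOME. Key, package
# contents and file names are all constructed for the demo.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"

# Throwaway signing key, generated non-interactively (%no-protection means no
# passphrase, so no pinentry is ever needed).
gpg --batch --quiet --gen-key >/dev/null 2>&1 <<'EOF'
Key-Type: RSA
Key-Length: 2048
Name-Real: pkgsig example
Name-Email: pkgsig@example.invalid
Expire-Date: 0
%no-protection
%commit
EOF

# A constructed stand-in for a makepkg output file.
PKG="$WORK/hello-1.0-1-any.pkg.tar"
mkdir -p "$WORK/root/usr/bin"
printf '#!/bin/sh\necho hello\n' > "$WORK/root/usr/bin/hello"
tar -cf "$PKG" -C "$WORK/root" usr

# Layout 1: detached signature external to the package (two files on disk).
sign_external() { gpg --batch --yes --detach-sign --output "$1.sig" "$1"; }
# $2 is the local policy: "required" rejects an unsigned package, "optional"
# accepts one that has no .sig (the unsigned-package case from the reply).
verify_external() {
  if [ ! -f "$1.sig" ]; then
    [ "$2" = optional ] && return 0
    return 1
  fi
  gpg --batch --verify "$1.sig" "$1" >/dev/null 2>&1
}

# Layout 2: detached signature internal to the package: sign, then tar the
# package and its .sig into one file so they always travel together.
sign_internal() {
  d=$(mktemp -d); n=$(basename "$1"); cp "$1" "$d/$n"
  gpg --batch --yes --detach-sign --output "$d/$n.sig" "$d/$n"
  tar -cf "$1.signed" -C "$d" "$n" "$n.sig"
}
verify_internal() {
  d=$(mktemp -d); n=$(basename "$1")
  tar -xf "$1.signed" -C "$d"
  gpg --batch --verify "$d/$n.sig" "$d/$n" >/dev/null 2>&1
}

# Layout 3: attached signature: the package is wrapped inside an OpenPGP
# message, so every consumer has to ask gpg to verify and unwrap it first.
sign_attached() { gpg --batch --yes --sign --output "$1.gpg" "$1"; }
# Writes the unwrapped package to $2; succeeds only on a GOODSIG status line.
verify_attached() {
  gpg --batch --yes --status-fd 1 --output "$2" --decrypt "$1.gpg" 2>/dev/null \
    | grep -q '^\[GNUPG:\] GOODSIG '
}

# Append one byte so verification of a modified package fails.
tamper() { printf 'x' >> "$1"; }

demo() {
  sign_external "$PKG"; verify_external "$PKG" required && echo "external: ok"
  sign_internal "$PKG"; verify_internal "$PKG" && echo "internal: ok"
  sign_attached "$PKG"
  verify_attached "$PKG" "$WORK/unwrapped.tar" \
    && cmp -s "$PKG" "$WORK/unwrapped.tar" && echo "attached: ok, payload identical"
  cp "$PKG" "$WORK/bad.tar"; sign_external "$WORK/bad.tar"; tamper "$WORK/bad.tar"
  verify_external "$WORK/bad.tar" required || echo "tampered: rejected"
  cp "$PKG" "$WORK/local.tar"   # no signature at all, as for a local AUR build
  verify_external "$WORK/local.tar" optional && echo "unsigned: accepted under optional policy"
  verify_external "$WORK/local.tar" required || echo "unsigned: rejected under required policy"
}
demo
```

Note that `gpg --verify` exits 0 for a good signature from any key in the keyring, even one with no trust assigned; deciding which keys a package installer should accept is exactly the trustdb question raised in the quoted message, and is not answered by the signature check alone.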
