Re: [arch-general] Is it secure to just sign repository databases?

On 6/17/19 12:38 PM, Manuel Reimer wrote: > On 17.06.19 18:18, Eli Schwartz via arch-general wrote: >> That being said, it's possible to configure sudo to run makechrootpkg, >> but only makechrootpkg, as root. Or run SUDO_USER=... SUDO_UID=... >> makechrootpkg. > > I've tried several times to

Re: [arch-general] Is it secure to just sign repository databases?

On 17.06.19 18:18, Eli Schwartz via arch-general wrote: That being said, it's possible to configure sudo to run makechrootpkg, but only makechrootpkg, as root. Or run SUDO_USER=... SUDO_UID=... makechrootpkg. I've tried several times to just launch makechrootpkg with root privileges directly.

Re: [arch-general] Is it secure to just sign repository databases?

On 6/17/19 11:11 AM, Manuel Reimer wrote: > On 16.06.19 17:57, Eli Schwartz via arch-general wrote: >> As a matter of fact, if you use clean chroot builds >> then you possibly don't want to copy your private key to the chroot, and >> anyway there have IIRC been bugs with signing in a chroot, so

Re: [arch-general] Is it secure to just sign repository databases?

On 16.06.19 17:57, Eli Schwartz via arch-general wrote: As a matter of fact, if you use clean chroot builds then you possibly don't want to copy your private key to the chroot, and anyway there have IIRC been bugs with signing in a chroot, so the devtools scripts do not do signing in the chroot

Re: [arch-general] Is it secure to just sign repository databases?

On June 16, 2019 5:57:34 PM GMT+02:00, Eli Schwartz via arch-general wrote: >That being said, if you have signed the repository db then as you >mentioned the sha256 checksums for the package file are securely >signed, >so you are guaranteed that use of pacman -S pkgname will securely >verify

Re: [arch-general] Is it secure to just sign repository databases?

On 6/16/19 10:44 AM, brent s. wrote: > On 6/16/19 5:03 AM, Manuel Reimer wrote: >> Hello, >> >> I run a repository locally that I would like to share to the public. >> >> The build is mostly automated. That's why I don't want to sign each >> individual package. The private key is not stored on the

Re: [arch-general] Is it secure to just sign repository databases?

On 6/16/19 5:03 AM, Manuel Reimer wrote: > Hello, > > I run a repository locally that I would like to share to the public. > > The build is mostly automated. That's why I don't want to sign each > individual package. The private key is not stored on the build machine > and I want to sign the

[arch-general] Is it secure to just sign repository databases?

Hello, I run a repository locally that I would like to share to the public. The build is mostly automated. That's why I don't want to sign each individual package. The private key is not stored on the build machine and I want to sign the resulting stuff externally. The easiest way would be