Pacman package signing
From ArchWiki
This page will act as a brain dump and collaborative design document for implementation of package signing in pacman.
Aim
Implement package signing in pacman.
Why sign packages?
Because it reduces the risk of installing malicious or tampered packages that could endanger the system and its data.
How signing is implemented in other distributions
Frugalware
Frugalware uses a fork of pacman which implements package signing (verify)
Gnuffy
The Arch-based distro Gnuffy uses signed packages with its custom package manager Spaceman, which is modeled on pacman.
Debian
Gentoo
Redhat/Fedora
Suse
Slackware
Ubuntu
Ideas
SSL key chain
GPG
Separate file
Every packager signs the pkg.tar.gz file with their own GPG key. Each Arch installation needs an initial database (keyring) holding the packagers' GPG keys. Pacman downloads the pkg.tar.gz and checks its signature against that keyring.
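The scheme described above, as an added example that is not part of this wiki page or of pacman's own code: a POSIX shell script that models the three steps (packager signs, client holds a keyring, client verifies) with GnuPG, and also shows that a package modified after signing is rejected. A private GnuPG home directory stands in for the client's keyring; the key's user id, the package name and its contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the wiki or from pacman): model of the "separate file"
# signing scheme. GNUPGHOME stands in for the keyring a client would be pointed
# at; the user id and package name below are constructed for this demo.
set -eu

export GNUPGHOME="${TMPDIR:-/tmp}/pacman-signing-demo.$$"

# Create the keyring (a fresh GnuPG home) with one throw-away packager key.
setup_keyring() {
    mkdir -p "$GNUPGHOME"
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Demo Packager <packager@example.invalid>" \
        default default never
}

# Packager side: write a detached signature next to the package file ($1.sig).
sign_package() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$1.sig" "$1"
}

# Client side: verify $1.sig against $1 using only keys in the keyring.
# Exit status is 0 only for a good signature made by a key in the keyring.
verify_package() {
    gpg --batch --quiet --verify "$1.sig" "$1" 2>/dev/null
}

# Stop the agent started for this home directory and delete the keyring.
teardown_keyring() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

demo() {
    setup_keyring
    pkg="$GNUPGHOME/demo-1.0-1-any.pkg.tar.gz"
    printf 'constructed package payload\n' > "$pkg"
    sign_package "$pkg"
    verify_package "$pkg" || { echo "BUG: valid package rejected"; return 1; }
    echo "signature OK"
    # Tamper with the package after signing: verification must now fail.
    printf 'injected bytes\n' >> "$pkg"
    if verify_package "$pkg"; then echo "BUG: tampered package accepted"; return 1; fi
    echo "tampered package rejected"
    teardown_keyring
}

demo
```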
Implementation details
Pros
Cons
Links
Git branches
Bug reports
Blogs
Mailing list discussions and patches
- Add Keyring option in alpm/pacman
- Package signing again
- PATCH (newgpg) Let pacman specify GnuPG's home directory.
- Dan's pacman tree build&test
- GPG work
- GPG signature option in makepkg patch
- GPG signature support for makepkg
- GPG signature option in makepkg, adapted to Dan McGee's suggestions patch
- GPG verification patch
- GPGSIG in repo-add patch
- Signing by default
- Package Database signing
- Pointless to use non-md5 for makepkg INTEGRITY_CHECK
- Can we trust our mirrors
- Multiple/Shared Architectures