[aur-general] Support for remote sums in PKGBUILDs

Ido Rosen ido at kernel.org
Mon Oct 21 22:57:28 EDT 2013


This idea is a little bit more impractical, but: Handoff could be done
cryptographically as well - a signed PKGBUILD could carry a source file
that has a transfer-of-maintainership signature (e.g. a clearsigned message
with the date and name of the package/base) by the old key signing the new
key's key fingerprint + packagename + date, to allow people to transfer
maintainership to a new key without raising the alarm, if desired.


On Mon, Oct 21, 2013 at 10:53 PM, Ido Rosen <ido at kernel.org> wrote:

> (Just an additional implementation detail, but this would mean the
> verified keyID/fingerprint on the PKGBUILD that generated the pkg gets
> included in the pkg somehow, not that the pkg needs to be signed by the
> same key as the PKGBUILD was.)
>
>
> On Mon, Oct 21, 2013 at 10:44 PM, Ido Rosen <ido at kernel.org> wrote:
>
>> It'd be nice to have as an option - especially since the key fingerprint
>> is easy to look up on the AUR website.  Then tools like yaourt or makepkg
>> can alert you when the keyID of the sig, for example, differs from the one
>> that signed the currently installed version during an upgrade, as a means
>> of allowing for integrity continuity.  (There are other things that could
>> be done with this feature, but this is a useful one from a MITM standpoint,
>> so at least you know the new PKGBUILD is from the same author as the old
>> PKGBUILD your pkg was generated from, for example.)
>>
>>
>> On Mon, Oct 21, 2013 at 10:40 PM, Doug Newgard <scimmia22 at outlook.com> wrote:
>>
>>> ----------------------------------------
>>> > Date: Mon, 21 Oct 2013 22:19:32 -0400
>>> > From: ido at kernel.org
>>> > To: aur-general at archlinux.org
>>> > Subject: Re: [aur-general] Support for remote sums in PKGBUILDs
>>> >
>>> > - Do PKGBUILDs support signing the PKGBUILD and verifying that
>>> > signature? (This seems like a good feature for yaourt or possibly
>>> > makepkg if it isn't one already.)
>>> > It seems like if you want safety from MITM attacks, PGP sigs are the
>>> > way to go, either sign the PKGBUILD and put the checksum in there, or
>>> > include the signature of the source file in the tarball/pkg. (This is
>>> > already provided for binary pkgs, but not source ones, correct? Seems
>>> > easy enough to add a PKGBUILD signature and teach makepkg to use it.)
>>> >
>>> >
>>> >
>>> > On Mon, Oct 21, 2013 at 10:13 PM, Doug Newgard <scimmia22 at outlook.com> wrote:
>>> >
>>> >> ----------------------------------------
>>> >>> From: adys.wh at gmail.com
>>> >>> Date: Tue, 22 Oct 2013 01:56:16 +0100
>>> >>> To: aur-general at archlinux.org
>>> >>> Subject: [aur-general] Support for remote sums in PKGBUILDs
>>> >>>
>>> >>> Breaking away from an IRC convo from this morning; has support for
>>> >>> remote sums been considered for pacman?
>>> >>> It's currently possible to do this for .sig files (through the source
>>> >>> array), but not available for simple sha/md5 hashes. This would let
>>> >>> packagers do something like:
>>> >>> source=("http://example.com/downloads/$pkgname-$pkgver.tar.xz")
>>> >>> sha1sums=("http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1")
>>> >>>
>>> >>> (Of course, only for servers that generate a programmatically
>>> >>> discoverable hash of some sort; but it's not actually uncommon)
>>> >>>
>>> >>> J. Leclanche
>>> >>
>>> >> Couldn't you just do:
>>> >> sha1sums=("$(curl http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1)")
>>> >>
>>> >> It kind of defeats the purpose, though. If the server is hacked or
>>> >> someone does a MitM, they can easily replace the checksum file as well.
>>> >>
>>>
>>> Let's be realistic here, you're not going to get all of the PKGBUILDs in
>>> the AUR signed with PGP.
>>
>>
>>
>

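As an added illustration (not part of this thread, and not code from makepkg, yaourt or the AUR): the "integrity continuity" check and the signed hand-off record discussed above, written in Python. It assumes the PKGBUILD is clearsigned and verified with `gpg --status-fd 1 --verify`, whose machine-readable status lines are parsed for the VALIDSIG fingerprint; that the fingerprint which signed the installed version was recorded at install time (here a plain dict); and a hypothetical hand-off record format, `transfer <pkgbase> <new-fingerprint> <YYYY-MM-DD>`, signed by the old key. The fingerprints and status lines in the sample are constructed.

```python
"""Key-continuity check for a clearsigned PKGBUILD (added example)."""
import re
from datetime import date

# Status keywords that mean "do not trust this signature at all".
REJECT = {"BADSIG", "ERRSIG", "NODATA", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_gpg_status(status):
    """Extract the primary-key fingerprint from `gpg --status-fd` output.

    A VALIDSIG line carries the signing-key fingerprint as its first field
    and the primary-key fingerprint as its last; continuity is tracked on
    the primary key so routine signing-subkey rotation does not alarm.
    Returns None when any signature is bad, expired, revoked or missing.
    """
    fpr = None
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            return None
        if fields[1] == "VALIDSIG":
            fpr = fields[11] if len(fields) >= 12 else fields[2]
    return fpr


# Hypothetical hand-off record format (an assumption, not an AUR/makepkg one):
#   transfer <pkgbase> <new primary-key fingerprint> <YYYY-MM-DD>
HANDOFF_RE = re.compile(r"^transfer (\S+) ([0-9A-F]{40}) (\d{4}-\d{2}-\d{2})$")


def handoff_valid(message, signer_fpr, pkgbase, old_fpr, new_fpr):
    """Accept a hand-off only if the OLD key signed it and it names exactly
    this pkgbase and the NEW key, so neither the new key alone nor a record
    issued for another package can be replayed."""
    if signer_fpr is None or signer_fpr != old_fpr:
        return False
    m = HANDOFF_RE.match(message.strip())
    if not m:
        return False
    rec_pkg, rec_new, rec_date = m.groups()
    try:
        date.fromisoformat(rec_date)  # record must carry a well-formed date
    except ValueError:
        return False
    return rec_pkg == pkgbase and rec_new == new_fpr


def check_continuity(pkgbase, new_fpr, installed_db, handoff=None):
    """Return (ok, reason). installed_db maps pkgbase -> fingerprint recorded
    when the installed version was built; handoff is an optional
    (message_text, signer_fingerprint) pair."""
    if new_fpr is None:
        return False, "PKGBUILD signature missing or invalid"
    old_fpr = installed_db.get(pkgbase)
    if old_fpr is None:
        return True, "first install: recording signer (trust on first use)"
    if old_fpr == new_fpr:
        return True, "same key as the installed version"
    if handoff and handoff_valid(handoff[0], handoff[1], pkgbase, old_fpr, new_fpr):
        return True, "maintainership transferred by a record signed with the old key"
    return False, "signing key changed without a hand-off record"


# Constructed sample data: fingerprints and gpg status lines are made up.
OLD_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
NEW_FPR = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"


def _status(fpr):
    # Constructed imitation of a successful `gpg --status-fd 1 --verify` run.
    return (
        "[GNUPG:] NEWSIG\n"
        f"[GNUPG:] GOODSIG {fpr[-16:]} Example Maintainer <maintainer@example.org>\n"
        f"[GNUPG:] VALIDSIG {fpr} 2013-10-22 1382400000 0 4 0 22 8 01 {fpr}\n"
        "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
    )


STATUS_BAD = ("[GNUPG:] NEWSIG\n"
              "[GNUPG:] BADSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>\n")
HANDOFF_MSG = f"transfer foo {NEW_FPR} 2013-10-21"


def demo():
    """Run the situations the thread discusses; returns {name: (ok, reason)}."""
    installed = {"foo": OLD_FPR}
    new_fpr = parse_gpg_status(_status(NEW_FPR))
    old_signed = parse_gpg_status(_status(OLD_FPR))
    return {
        "same_key": check_continuity("foo", old_signed, installed),
        "first_install": check_continuity("bar", new_fpr, installed),
        "key_changed": check_continuity("foo", new_fpr, installed),
        "key_changed_with_handoff": check_continuity(
            "foo", new_fpr, installed, (HANDOFF_MSG, old_signed)),
        "forged_handoff": check_continuity("foo", new_fpr, installed, (HANDOFF_MSG, new_fpr)),
        "bad_signature": check_continuity("foo", parse_gpg_status(STATUS_BAD), installed),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:26} {'OK   ' if ok else 'ALERT'} {reason}")
```

The hand-off record is bound to the package name and to the new key's fingerprint and must be signed by the key already on record, so a new key appearing on its own, as Doug's MitM objection anticipates, still raises the alert; only the previous maintainer can silence it.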
