[csw-maintainers] GPG package verification

Philip Brown phil at bolthole.com
Fri Dec 4 20:38:33 CET 2009


On Fri, Dec 4, 2009 at 3:40 AM, Maciej (Matchek) Blizinski
<maciej at opencsw.org> wrote:
> When pkg-get or pkgutil verify the gpg signature of a catalog file,
> what is it that it's specifically checking for?  My guess is that it
> checks for any good signature from any trusted key from root's
> keyring.
>

True.

> Debian uses a separate keyring for package verification.  Perhaps we
> should have something similar?


err, debian uses gpg completely differently.
it has a keyring, because it has each maintainer INDIVIDUALLY sign
their packages.
Which means you then need a whole keyring/web of trust/blahblah to
verify ALL the maintainers.

whereas we, at the moment, only sign the catalog, which has hashes of
all the packages it knows about.
This provides about the same level of non-tamperability, with much
less hassle to the maintainers individuallly.
(but more hassle for ME as the release manager ;-)


Now, that being said,we COULD theoretically have pkgutil and pkg-get
explicitly check for a particular signature, instead of just "any
signature" I suppose.


More information about the maintainers mailing list