
Evaluate Git/PGP integration for signing and signature checking

For checking signatures against a list of allowed PGP key IDs (e.g. from pacman-key) and the local signing of repository sync databases, we need integration with tooling that can deal with PGP.

When looking at other avenues for signature validation in git repositories (e.g. #151), one could also look at OpenSSH-based signature integration. This is not something that pacman can handle for repository sync databases though, so it falls flat for the use-case of repository sync database signing (#32).

Requirements

| repod mode | git | smartcard (db signing) | git tag validation | WOT integration (git tag/db validation) |
|------------|-----|------------------------|--------------------|-----------------------------------------|
| user       | Yes | Yes                    | Yes                | Yes [2]                                 |
| system     | Yes | Yes [1]                | Yes                | Yes [2]                                 |

[1] If we want to allow a dedicated machine to be able to sign sync databases itself, it would probably be good to also have smartcard support here.

[2] Depending on support in keyringctl (see keyringctl#3), we can also evaluate the use of a flat file here (i.e. a keyring file with all "allowed keys") instead of hooking into an existing web-of-trust.

PGP providers

gpgme

  • pypi.org package is extremely out-of-date (last release 2018, 12(!) releases behind current gpgme)
  • package does not build in a venv (the sdist is so outdated and uses such ancient build integration that only system integration can be used until upstream fixes this)
  • patches have been provided to upstream for fixing sdist tarball generation and PEP517 based builds (so far no response)

sequoia

johnnycanencrypt

  • provides sdist tarballs and wheels on pypi.org
  • written in rust, based on sequoia
  • basic, does not integrate with keyring, requires a local "keystore" directory
  • seems to have smartcard integration
  • does not yet use sequoia's internal keystore implementation/specification

python-gnupg

pgpy

Git providers

dulwich

  • somehow integrates with gpg for signatures (unclear if they ever test this, given that everything is terribly out-of-date and broken)

pygit2

  • pygit2 exposes the signature strings, so PGP integration is left open and can be implemented whichever way
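As an added illustration of the two requirements above (splitting a signed tag object into payload and signature, and checking a verified signature against a list of allowed key IDs such as the ones pacman-key holds), here is example code that is not part of repod or pygit2. It assumes the raw tag bytes come from the git provider (e.g. pygit2's `Object.read_raw()`) and that the gpg status lines come from `gpg --status-fd 1 --verify`; the tag, fingerprints and status output below are constructed samples.

```python
from __future__ import annotations
import re

# Constructed sample of a raw signed git tag object (not from any real repository).
RAW_TAG = (
    b"object 0123456789abcdef0123456789abcdef01234567\ntype commit\ntag v0.1.0\n"
    b"tagger Example Tagger <tagger@example.org> 1700000000 +0000\n\n"
    b"repod release v0.1.0\n-----BEGIN PGP SIGNATURE-----\n\n"
    b"iQEzBAABCAAd(constructed, not a real signature)\n-----END PGP SIGNATURE-----\n"
)

# Constructed primary-key fingerprint (not a real key); the signing subkey differs.
PRIMARY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed sample of `gpg --status-fd 1 --verify <sig> <payload>` output.
GPG_STATUS = (
    "[GNUPG:] GOODSIG FEDCBA9876543210 Example Tagger <tagger@example.org>\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2023-11-14 "
    f"1700000000 0 4 0 1 8 00 {PRIMARY_FPR}\n"
    "[GNUPG:] TRUST_FULLY 0 pgp\n"
)

def split_tag(raw: bytes) -> tuple[bytes, bytes]:
    # git signs everything before the armor header, so the payload handed to
    # `gpg --verify <sig> <payload>` is exactly the bytes preceding it.
    idx = raw.find(b"-----BEGIN PGP SIGNATURE-----")
    if idx < 0:
        raise ValueError("tag object carries no PGP signature")
    return raw[:idx], raw[idx:]

def verified_primary_fingerprint(status: str) -> str | None:
    # VALIDSIG alone is not enough: gpg emits it for expired/revoked keys too
    # (paired with EXPKEYSIG/REVKEYSIG), so GOODSIG is required as well.
    lines = status.splitlines()
    if not any(l.startswith("[GNUPG:] GOODSIG ") for l in lines):
        return None
    for l in lines:
        if l.startswith("[GNUPG:] VALIDSIG "):
            return l.split()[-1].upper()  # last field: primary key fingerprint
    return None

def is_allowed(status: str, allowed: set[str]) -> bool:
    # Allowlist entries may be full fingerprints or 16-hex long key IDs (e.g.
    # from pacman-key); 8-hex short IDs are rejected since collisions are cheap.
    fpr = verified_primary_fingerprint(status)
    if fpr is None:
        return False
    entries = {re.sub(r"\s+", "", e).upper() for e in allowed}
    return any(len(e) in (16, 40) and fpr.endswith(e) for e in entries)
```

The allowlist is matched against the primary key that gpg reports, so a tag signed by a subkey of an allowed key is accepted while an unrelated key with a similar short ID is not.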

gitpython

  • long track record of botched releases (confidence in upstream is also low, given that the project seems to be in maintenance-only mode in favour of developing gitoxide)
  • relies on system git and gnupg executables
Edited by David Runge