Signing of package repository databases

The package repository databases created by arch-repo-management are currently not signed.

We need to integrate a middleware that allows us to sign repository databases. One derived implementation should do this by using a predefined local setup (configured via the configuration file as a PoC).

This needs to be implemented with extensibility in mind, as we will have a signing enclave in the future, to which we want to hand off the repository databases for a signature.
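A sketch of the extensible design described above, as an added example that is not code from arch-repo-management: callers depend only on a signer interface, and the local PoC backend is selected through configuration. The class names, the `signing`/`backend` configuration keys and the choice of a detached GnuPG signature are assumptions made for illustration.

```python
# Illustrative sketch: all names are hypothetical, not arch-repo-management's API.
import os
import subprocess
from abc import ABC, abstractmethod
from pathlib import Path
from typing import Callable, Dict, Sequence

# A runner executes a command line and raises on failure (injectable for tests).
Runner = Callable[[Sequence[str]], object]


class DatabaseSigner(ABC):
    """Interface the repository code depends on; backends are swappable."""

    @abstractmethod
    def sign(self, database: Path) -> Path:
        """Create a detached signature for `database` and return its path."""


class LocalGpgSigner(DatabaseSigner):
    """PoC backend: signs with a key from a local GnuPG home directory."""

    def __init__(self, key_id: str, gnupg_home: Path,
                 runner: Runner = subprocess.check_call):
        self.key_id, self.gnupg_home, self.runner = key_id, gnupg_home, runner

    def sign(self, database: Path) -> Path:
        if not database.is_file():
            raise FileNotFoundError(database)
        signature = database.with_name(database.name + ".sig")
        tmp = signature.with_name(signature.name + ".tmp")
        self.runner(["gpg", "--batch", "--yes", "--homedir", str(self.gnupg_home),
                     "--local-user", self.key_id, "--output", str(tmp),
                     "--detach-sign", str(database)])
        os.replace(tmp, signature)  # publish the finished signature atomically
        return signature


# Registry keyed by the (assumed) `backend` config value. A future
# enclave-backed signer is registered here without changing any caller.
BACKENDS: Dict[str, Callable[..., DatabaseSigner]] = {"local_gpg": LocalGpgSigner}


def signer_from_config(config: dict, **kwargs) -> DatabaseSigner:
    settings = dict(config["signing"])
    backend = settings.pop("backend")
    if backend not in BACKENDS:
        raise ValueError(f"unknown signing backend: {backend!r}")
    return BACKENDS[backend](**settings, **kwargs)
```

An unknown backend name fails at configuration time rather than leaving a database silently unsigned.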