Skip to content
Snippets Groups Projects

Store PGP keys for source file signatures alongside PKGBUILDs

Merged Store PGP keys for source file signatures alongside PKGBUILDs
(removed):gpg-keys into master
All threads resolved!
Merged Allan McRae requested to merge (removed):gpg-keys into master
All threads resolved!
Compare
and
1 file
+ 69
0
Compare changes
  • Side-by-side
  • Inline
rfcs/0011-store-source-signing-keys.rst 0 → 100644
+ 69
0
================================================
Store PGP keys for source file signatures in SVN
================================================
- Date proposed: 2022-03-20
- RFC MR: https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/11
Summary
-------
Store the PGP signing keys listed in a PKGBUILDs `validpgpkeys` array in the
+1
trunk directory of SVN.
Motivation
----------
The PGP keyserver infrastructure has become increasingly brittle over recent
years. This can make helping with updates or rebuilds of packages difficult
due to lack of access to the valid signing key. Having the signing key exported
along side the PKGBUILD would allow for anybody to import the key into their
keyring and verify the source.
Specification
-------------
All keys used by upstream developers for signing source files will be stored
in the trunk/keys directory in SVN. A naive script for populating this directory
(assuming keys are available in the local keyring) is:
::
cd trunk
source PKGBUILD
mkdir keys
for keyid in ${validpgpkeys[@]}; do
gpg --export $keyid > keys/$keyid.asc
done
Then, any packager working on the package (e.g. for a rebuild) can readily
populate their keyring using:
::
cd trunk
gpg --import keys/*.asc
Drawbacks
---------
Adding the key to the source directory initially requires extra work from
packagers, although reduces work for subsequent packagers. We can automate
this with a simple script added to devtools.
Unresolved Questions
--------------------
- Will dbscripts enforce that signing keys are provided?
- Will the signing keys be copied from the trunk to repo directories?
- offload-build uploads a tarball generated by `makepkg --source` so will not
upload the keys directory. Should this be fixed in makepkg or devtools?
Alternatives Considered
-----------------------
Arch could host their own keyserver, containing all keys needed for verifying
source files used in the distro. It is unclear how such a keyserver would be
populated while avoiding arbitrary uploads from outside.