Sign medium impact artifacts

Currently, Arch Linux does not provide digital signatures for repository sync databases (also known as repository metadata). Providing them would improve supply chain security for all users of the distribution. Signing the repository sync databases is considered a medium impact action, as users would initially need to opt in actively to verify them.

Automatic signing of repository sync databases may involve creating a dedicated user on the central package repository server, decoupling the package maintainer’s login user from the user with access to the Signstar SSH credentials. Here again, the host should guard the SSH key used for connecting to the Signstar host with the host’s integrated or discrete TPM 2.0. In addition to user separation, refactoring and re-architecting parts of the dbscripts project are likely necessary. The logins of all package maintainers and administrators must be logged, so that in case of malicious activity every signature request can be pinpointed to the responsible individual and cross-referenced with the dedicated logs of the Signstar host.

Once signing of repository sync databases is automated and works reliably, the distribution-wide default should be changed so that end-user systems require valid signatures for them.
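The opt-in and later default change described above map onto pacman’s SigLevel setting in /etc/pacman.conf. The fragment below is an added illustration, not configuration shipped by the signstar or dbscripts projects; it assumes the stock pacman.conf layout, in which `DatabaseOptional` only verifies a sync database signature when one happens to be present, while `DatabaseRequired` refuses a database without a valid signature.

```ini
# /etc/pacman.conf (added example; [options] and repository names are the stock layout)

[options]
# Weak setting: packages must be signed, but sync databases are verified
# only if a .sig file exists next to them. An attacker who can strip the
# signature from the database is not detected.
SigLevel = Required DatabaseOptional

# Hardened setting (opt-in today, intended distribution default once
# database signing is automated): both packages and sync databases must
# carry a valid signature from a key in pacman's trusted keyring.
# Uncomment this line and comment out the one above to opt in.
#SigLevel = Required DatabaseRequired

# Per-repository override: a single repository can be switched to
# mandatory database verification without changing the global default.
[core]
SigLevel = Required DatabaseRequired
Include = /etc/pacman.d/mirrorlist
```

After changing SigLevel, a `pacman -Syy` refreshes the databases under the new policy; with `DatabaseRequired`, a mirror that serves an unsigned or tampered sync database is rejected at that step rather than trusted silently.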

Reference: archlinux/signstar%"Sign medium impact artifacts"