
On Tue, Jul 24, 2012 at 11:19:54PM +0000, Xyne wrote:
Magnus Therning wrote:
On Tue, Jul 24, 2012 at 1:20 PM, Xyne wrote:
Hi Magnus,
It's time to nag you again about package signing. I can give you a script to batch sign packages, run repo-add, then sign the generated repo with a single passphrase prompt. Obviously I don't know how well that fits with your current release method, but it should be possible to set something up that is minimally invasive and I'll gladly help if I can.
Good that you nag!
I'd love to get that script, and possibly hints on key generation/storage/management/etc as well.
I've put together a clean script using various code snippets that I have in my release scripts:
http://xyne.archlinux.ca/scripts/pacman/#repo-add_and_sign
Just ask if anything is unclear or if you think you've found a bug. If you need something customized to your build system, give me some details and I'll work on it. [...] For key generation/etc, I would suggest generating a new key pair dedicated to package signing, but that's just a personal preference. You could just as well use the same key pair that you already use to sign your email. Management is not really any different either: keep the private key secure, have a revocation key ready, etc.
Correct me if I'm wrong in this assumption, but I need to have the following three items available when running the script:

1. The newly-built package.
2. The repo database (x.db.tar.gz) I'm adding the package to.
3. The secret key.

This is a slight problem for me. I build on kiwilight (where I'm not alone in having root access), the database is on xsounds.org (where I don't have root access at all), and to be fully comfortable I'd like to keep the secret key and perform the signing on my own machine :-)

Is there some way to simply extract the actual data that is to be signed (the hashes), and perform the actual signing manually? (I've found a need for this sort of thing with other package managers as well, especially RPM, but never found a way to do that. I would find it unfortunate if the pacman developers have painted themselves into the same corner as the RPM developers.)

/M

--
Magnus Therning                      OpenPGP: 0xAB4DFBA4
email: magnus@therning.org   jabber: magnus@therning.org
twitter: magthe               http://therning.org/magnus

I invented the term Object-Oriented, and I can tell you I did not have C++ in mind. -- Alan Kay
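The manual signing step Magnus asks about, as an added shell example that is not Xyne's script or any pacman tool: pacman and repo-add use detached OpenPGP signatures over the whole file (pkg.tar.xz.sig, db.tar.gz.sig), so the signing can happen on any machine that holds a copy of the files and the key, separate from the build host and the repo host. It assumes gpg is installed and that SIGNKEY (an assumed variable) names the signing key; the directory layout and file names are constructed.

```bash
#!/bin/sh
# Added example: detached-sign packages and a repo database on a machine
# that only has copies of the files plus the secret key, then verify them.
# Assumes gpg; SIGNKEY is an assumed variable (unset = gpg's default key).
set -eu

# Produce pacman's expected detached "<file>.sig" beside one file.
# Skips files whose existing signature still verifies; fails if no file.
sign_detached() {
    f="$1"
    [ -f "$f" ] || return 1
    if [ -f "$f.sig" ] && gpg --verify "$f.sig" "$f" 2>/dev/null; then
        return 0
    fi
    gpg --batch --yes --detach-sign ${SIGNKEY:+--local-user "$SIGNKEY"} \
        --output "$f.sig" "$f"
}

# Verify every .sig in a directory against the file it covers.
# Returns non-zero on the first bad or missing signature (tampered file).
verify_repo_dir() {
    dir="$1"
    for s in "$dir"/*.sig; do
        [ -e "$s" ] || continue
        gpg --verify "$s" "${s%.sig}" 2>/dev/null || return 1
    done
}

# Sign every package and the database copy in a directory, then verify all.
# The .sig files are what gets uploaded next to the files on the repo host.
sign_repo_dir() {
    dir="$1"
    for f in "$dir"/*.pkg.tar.* "$dir"/*.db.tar.gz; do
        case "$f" in *.sig) continue ;; esac
        [ -e "$f" ] || continue
        sign_detached "$f"
    done
    verify_repo_dir "$dir"
}
```

Run as `SIGNKEY=0xAB4DFBA4 sh sign.sh` after adding `sign_repo_dir /path/to/copies`; only the files and their .sig outputs need to move between machines, never the key.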