
If a package is signed, only its maintainers are permitted to sign it. To add a maintainer, the uploader lists the new username in a file, signs that file, and uploads it. (Is there a better way to achieve the same thing?) The server checks the signature, parses the file, and adds the listed usernames to the package's maintainer group.
Since the file must be signed locally (the private key should never leave the maintainer's machine), there should be a convenience tool for selecting the usernames and producing the signed file.
This is too complicated and has some drawbacks. I'm currently working on the following instead.

For uploads:

1. It should be possible to upload a signature together with a package. The server must check that the signature verifies under the key registered for the uploader's account.
2. To add a new maintainer, the initial uploader must sign the new maintainer's public key. (This certification is checked by cabal-install, not by the server.)

For cabal-install:

1. If a package that was signed previously is now unsigned, a warning must be raised.
2. If a package is signed but was not signed previously, cabal-install must verify the signature and add the public key to its cache (trust on first use).
3. If a package was previously signed with one key and is now signed with a different key, cabal-install must check whether the new key is signed by the previously known key for this package, and only then verify the package signature with the new key. If the new key is not certified that way, a warning must be raised.
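The upload rule and the three cabal-install rules above, as an added example that is not part of this post and not code from cabal-install: a Python model of the client's key cache. The signature scheme is my own toy textbook RSA over a SHA-256 digest (no padding, small keys, seeded PRNG), which is not secure and only stands in for whatever real scheme would be used; the names check_package, certify and the status strings are assumptions, as is treating a failed verification as a rejection rather than a warning. The certification check goes beyond the text by accepting a chain of handovers (old key certifies next key, which certifies the next) rather than a single hop.

```python
# Toy model of the client-side trust rules. The signature scheme is textbook RSA
# over a SHA-256 digest (no padding, seeded PRNG): NOT secure, a stand-in only.
import hashlib
import random

def _probable_prime(n, rng, rounds=16):
    if n % 2 == 0 or n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(cand, rng):
            return cand

def keygen(rng, bits=256):
    """Return (public, private) = ((n, e), (n, d)). Real keys need a CSPRNG."""
    e = 65537
    while True:
        p, q = _random_prime(bits, rng), _random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # 256 bits, always < n

def sign(private, data):
    return pow(_h(data), private[1], private[0])

def verify(public, data, signature):
    return pow(signature, public[1], public[0]) == _h(data)

def _key_bytes(public):
    return f"{public[0]}:{public[1]}".encode()  # canonical encoding of a public key

def certify(old_private, new_public):
    """The initial uploader signs the new maintainer's public key."""
    return sign(old_private, _key_bytes(new_public))

def _chain_ok(trusted, target, certs):
    """Walk certs = [(certified_public, sig_by_previous_key), ...] from the trusted
    key to the target. The text describes one hop; a chain is the generalisation."""
    current = trusted
    for cert_public, cert_sig in certs:
        if not verify(current, _key_bytes(cert_public), cert_sig):
            return False
        current = cert_public
        if current == target:
            return True
    return current == target

def check_package(cache, name, tarball, signature=None, signer=None, certs=()):
    """cache: package name -> last trusted public key; updated only after a good verification."""
    known = cache.get(name)
    if signature is None:  # rule 1: an unsigned release is suspicious only after a signed one
        return "WARN: previously signed, now unsigned" if known else "OK: unsigned, no prior key"
    if known is not None and signer != known and not _chain_ok(known, signer, certs):
        return "WARN: signed by a key not certified by the known key"  # rule 3, failure branch
    if not verify(signer, tarball, signature):
        return "REJECT: bad signature"  # assumption: a failed verification is fatal, not a warning
    cache[name] = signer  # rule 2 (trust on first use) or rule 3 (certified handover)
    if known is None:
        return "OK: first use, key cached"
    return "OK: verified" if signer == known else "OK: rotated to certified key"

def demo(seed=1):
    """Constructed scenario: Alice signs; a tampered tarball, an uncertified key and
    an unsigned release are flagged; then Alice hands the package over to Bob."""
    rng = random.Random(seed)
    (alice_pub, alice_priv), (bob_pub, bob_priv), (mal_pub, mal_priv) = (keygen(rng) for _ in range(3))
    v1, v2 = b"foo-1.0 (constructed)", b"foo-2.0 (constructed)"
    cache = {}
    steps = [
        ("foo", v1, sign(alice_priv, v1), alice_pub, ()),
        ("foo", v1 + b"!", sign(alice_priv, v1), alice_pub, ()),
        ("foo", v1, sign(mal_priv, v1), mal_pub, ()),
        ("foo", b"foo-1.1 (constructed)", None, None, ()),
        ("foo", v2, sign(bob_priv, v2), bob_pub, [(bob_pub, certify(alice_priv, bob_pub))]),
        ("foo", v2, sign(bob_priv, v2), bob_pub, ()),
    ]
    statuses = [check_package(cache, *step) for step in steps]
    # upload rule: the server accepts a signature only under the uploading account's key
    server = (verify(alice_pub, v1, sign(alice_priv, v1)), verify(alice_pub, v1, sign(bob_priv, v1)))
    return statuses, server
```

The cache is deliberately updated only after the package signature verifies, so a certified handover that arrives with a bad package signature does not displace the old key; and the uncertified-key case leaves the cache untouched, so the next correctly certified release still chains from the key the client already trusts.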