
#26 2014-12-09 03:03:34

Registered: 2010-11-02
Posts: 63

Re: Are AUR packages signed? How do I check the signature if they are?

progandy wrote:

A PKGBUILD signature is not part of the established procedure, but can be easily added. There is no catch-22. You don't need a crypto-hash for the signature, SKIP is perfectly fine for that. You don't have to verify the integrity of the signature, that happens automatically during the PKGBUILD verification. You could also manually add the signature file with e.g. bsdtar just before you upload the archive (mkaurball does something similar for .AURINFO).
A signature for the whole archive is also possible, but you'll have to use a separate distribution channel (e.g. your own website, GitHub, ...) to provide it to the users.

A while ago I was experimenting with signing an AUR upload. It is actually possible to append a signature of a tar file to the end of the tar file (keeping the old EOF block intact as a marker), although I guess it is a bit of a hack. This way the signature is embedded in the file and there is no separate distribution channel. Some code, with a bit of explanation at the top: < … akeaur#L16>.
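
The layout described in the post above, sketched as an added example (not the poster's linked script, and not part of the original thread): a trailer is appended after the tar end-of-archive marker, the archive still extracts normally, and a verifier recovers the exact byte range the signature has to cover. It assumes an uncompressed ustar archive; `build_tar`, `split_trailer`, `demo` and the `SIG` placeholder are hypothetical names, and `SIG` is constructed text standing in for a real detached signature.

```python
import io
import tarfile

BLOCK = 512  # tar block size; the end-of-archive marker is two all-zero blocks

def build_tar(files):
    """Return an uncompressed ustar archive holding {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def split_trailer(blob):
    """Split blob into (tar_bytes, trailer) at the end-of-archive marker."""
    zero = bytes(BLOCK)
    off = 0
    # Walk member headers until the first all-zero block.
    while blob[off:off + BLOCK] != zero:
        header = blob[off:off + BLOCK]
        if len(header) < BLOCK:
            raise ValueError("no end-of-archive marker found")
        size = int(header[124:136].rstrip(b"\0 ") or b"0", 8)  # octal size field
        off += BLOCK + -(-size // BLOCK) * BLOCK  # header plus padded data
    if blob[off + BLOCK:off + 2 * BLOCK] != zero:
        raise ValueError("incomplete end-of-archive marker")
    off += 2 * BLOCK
    # Writers pad the final record with more zero blocks; they belong to the tar.
    while blob[off:off + BLOCK] == zero:
        off += BLOCK
    return blob[:off], blob[off:]

# Constructed placeholder, standing in for an ASCII-armored detached signature.
SIG = (b"-----BEGIN PGP SIGNATURE-----\n(constructed placeholder)\n"
       b"-----END PGP SIGNATURE-----\n")

def demo():
    tar_bytes = build_tar({"pkg/PKGBUILD": b"pkgname=example\n"})
    signed = tar_bytes + SIG  # trailer sits after the intact marker
    with tarfile.open(fileobj=io.BytesIO(signed), mode="r:") as tf:
        names = tf.getnames()  # reader stops at the marker, trailer is ignored
    payload, trailer = split_trailer(signed)
    return names, payload == tar_bytes, trailer == SIG

if __name__ == "__main__":
    print(demo())
```

The first element returned by `split_trailer` is the only data the signature vouches for. Because tar readers stop at the marker, nothing after it is visible to extraction, so any bytes past the marker that are not the expected signature should be treated as unverified.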

