You are not logged in.
- Topics: Active | Unanswered
#1 2020-05-08 20:18:45
- phonky
- Member
- Registered: 2008-12-19
- Posts: 69
Best practice for offering a new signed AUR package
I have been using `arch` and `manjaro` for many years now.
Funny enough I never created any package myself.
I just started a new job, and I have been tasked to create a download page with signed binaries of our software.
Only .deb and .rpm are required, but I will take this opportunity to create my first AUR package.
However, after some search, I am still not clear about best practices for such use cases.
Usually, our competitors have a download page, there is a .deb and .rpm file for download,
occasionally there are instructions on how to install from a ubuntu repo.
Our CEO insists in releasing signed binaries only and signing the binaries himself.
In such a use case, would it be acceptable to offer the signed `pkg.tar.xz` for download on our webpage?
Or is it still better to submit a package to the AUR?
I have found this https://wiki.archlinux.org/index.php/De … ge_signing for signing a package, so I would know where to look about how to do that.
What I did not understand on that page there is if the signed package would be automatically verified by the installation process or it would have to be done by user intervention.
Apologies if this is obvious and I was just not able to find/understand it.
Offline
#2 2020-05-08 21:35:13
- eschwartz
- Fellow
- Registered: 2014-08-08
- Posts: 4,097
Re: Best practice for offering a new signed AUR package
You can offer a *.pkg.tar.xz for download and, if it has a .sig PGP signature right next to it, you can install it with pacman -U https://example.com/foo.pkg.tar.xz
Signature checks do require that the prospective user downloads/imports the PGP public key using `pacman-key` and then --lsign-key to trust it.
Another option is using repo-add to create a <reponame>.db and serve the directory with the db and the (signed) package together. You could then list it on https://wiki.archlinux.org/index.php/Un … positories and in the download instructions.
One example of a proprietary software bundle doing this is sublime-text -- you can see their repo on that page. They have a very beautiful description of their integration with linux distributions, here: https://www.sublimetext.com/docs/3/linu … ories.html
...
Is the software open source? Arch policy is that AUR packages should build from source when possible, but you can pin a comment pointing to the official repo with the CEO's signed binaries.
Last edited by eschwartz (2020-05-08 21:35:45)
Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
Offline
#3 2020-05-08 22:07:38
- phonky
- Member
- Registered: 2008-12-19
- Posts: 69
Re: Best practice for offering a new signed AUR package
Awesome answer, thank you so much!
Yes, all our code is open source
Offline