
#1 2022-05-10 12:55:09

eom.dev
Member
Registered: 2022-02-11
Posts: 25

[SOLVED] package signatures in a custom repository

I have downloaded the pkg.tar.gz and pkg.tar.gz.sig for the linux kernel from kernel.org's mirror.  I would like to validate this signature and add it to my local repository, but I am not sure I understand the process.

According to reddit, pacman should check the signature if it is there, but the example is using the official repositories rather than a downloaded file.  If I run

pacman -Qp package.pkg.tar.gz

and the sig file is present in the same directory, does this hold true?

Once validated and added to the database, what happens to the signature file?  I see the command

repo-add -s -k /path/to/keyfile /path/to/custom/db package.pkg.tar.gz

will create a signature for the database, but is the original signature file retained?  Am I correct in thinking that my key should be added to the keyring for machines that will pull from this repo, and that those machines will automatically validate the package against the original signature when pulled from this database?

Last edited by eom.dev (2022-05-15 14:48:36)


#2 2022-05-10 12:58:22

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 1,356

Re: [SOLVED] package signatures in a custom repository

The signature is for the source archive and is for validation during the build process i.e. via makepkg.
This is unrelated to possible signatures you sign onto your (binary) packages and databases in your custom repo.

Never mind, I should have looked more closely at the link you provided.
This is actually a built kernel package with its signature.
You can just throw both of them into your repo and repo-add them.
Note that this will not sign the repo's database by default.
To do this, you'd need your custom key.

Last edited by schard (2022-05-10 13:00:29)


Solidarity with Ukraine


#3 2022-05-10 13:12:06

a821
Member
Registered: 2012-10-31
Posts: 315

Re: [SOLVED] package signatures in a custom repository

The signature for official packages can be verified with pacman-key, eg:

pacman-key -v package.pkg.tar.zst.sig

I don't really understand why you want to add official packages to a custom repo, though. Normally I compile AUR packages in a clean chroot, then sign them with gnupg using my key and finally run `repo-add` to add them to my repo.

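An added example, not code from the thread, that strings together the steps the replies above describe: verifying a downloaded package's detached signature with pacman-key before it enters the repo, signing your own builds with gpg, adding them with a signed database via repo-add -s -k, and what the client side needs. The repo directory, repo name, key id and the helper function names are placeholders I chose, not values from the thread.

```shell
#!/bin/sh
# Added example: custom pacman repository signing workflow (placeholders, not the thread's own values).
set -eu

REPO_DIR="${REPO_DIR:-/srv/pkgrepo/custom}"   # assumed: where packages and the db live
REPO_NAME="${REPO_NAME:-custom}"              # assumed: [custom] section name in pacman.conf
KEY_ID="${KEY_ID:-REPLACE_WITH_YOUR_KEY_ID}"  # assumed: your signing key's id

# Return 0 if the package and its detached signature (<pkg>.sig) are both present.
has_detached_sig() {
    pkg="$1"
    [ -f "$pkg" ] && [ -f "$pkg.sig" ]
}

# Verify an upstream-signed download before adding it to the repo.
# pacman-key -v checks the .sig against the pacman keyring, so the upstream
# key must already be imported and locally signed (pacman-key --lsign-key).
verify_upstream_sig() {
    pkg="$1"
    has_detached_sig "$pkg" || { echo "missing $pkg or $pkg.sig" >&2; return 1; }
    pacman-key -v "$pkg.sig"
}

# Sign a package you built yourself; this creates <pkg>.sig next to it.
sign_own_package() {
    gpg --detach-sign --local-user "$KEY_ID" "$1"
}

# Add packages to the database and sign the database itself (-s with key -k).
# The per-package .sig files stay next to the packages so clients can verify them.
add_to_repo() {
    repo-add -s -k "$KEY_ID" "$REPO_DIR/$REPO_NAME.db.tar.gz" "$@"
}

# Client side: import and locally sign the repo key, then require signatures
# for both packages and the database in pacman.conf.
client_setup_snippet() {
    cat <<EOF
# once per client:
#   pacman-key --recv-keys $KEY_ID    (or: pacman-key --add /path/to/pubkey.asc)
#   pacman-key --lsign-key $KEY_ID
# /etc/pacman.conf:
[$REPO_NAME]
SigLevel = Required DatabaseRequired
Server = file://$REPO_DIR
EOF
}
```

Run verify_upstream_sig on the downloaded kernel package first, then add_to_repo; for packages you build, sign_own_package before add_to_repo.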
