You are not logged in.
- Topics: Active | Unanswered
#1 2022-05-10 12:55:09
- eom.dev
- Member
- Registered: 2022-02-11
- Posts: 57
[SOLVED] package signatures in a custom repository
I have downloaded the pkg.tar.gz and pkg.tar.gz.sig for the linux kernel from kernel.org's mirror. I would like to validate this signature and add it to my local repository, but I am not sure I understand the process.
According to reddit, pacman should check the signature if it is there, but the example is using the official repositories rather than a downloaded file. If I run
pacman -Qp package.pkg.tar.gz, and the sig file is present in the same directory, does this hold true?
Once validated and added to the database, what happens to the signature file? I see the command
repo-add -s -k /path/to/keyfile /path/to/custom/db package.pkg.tar.gzwill create a signature for the database, but is the original signature file retained? Am I correct in thinking that my key should be added to the keyring for machines that will pull from this repo, and that those machines will automatically validate the package against the original signature when pulled from this database?
Last edited by eom.dev (2022-05-15 14:48:36)
Offline
#2 2022-05-10 12:58:22
- schard
- Forum Moderator
- From: Hannover
- Registered: 2016-05-06
- Posts: 1,978
- Website
Re: [SOLVED] package signatures in a custom repository
The signature is for the source archive and is for validation during the build process i.e. via makepkg.
This is unrelated to possible signatures you sign onto your (binary) packages and databases in your custom repo.
Never mind, I should have looked more closely at the link you provided.
This is actually a built kernel package with its signature.
You can just throw both of them into your repo an repo-add them.
Note that this will not sign the repo's database per default.
To do this, you'd need your custom key.
Last edited by schard (2022-05-10 13:00:29)
macro_rules! yolo { { $($tokens:tt)* } => { unsafe { $($tokens)* } }; }
Offline
#3 2022-05-10 13:12:06
- a821
- Member
- Registered: 2012-10-31
- Posts: 381
Re: [SOLVED] package signatures in a custom repository
The signature for official packages can be verified with pacman-key, eg:
pacman-key -v package.pkg.tar.zst.sigI don't really understand why you want to add official packages to a custom repo, though. Normally I compile AUR packages in a clean chroot, then sign them with gnupg using with my key and finally run `repo-add` to add them to my repo.
Offline