
#1 2019-10-25 16:52:54

Moe_Narrow
Member
Registered: 2018-01-08
Posts: 6

best practices for signature checking in PKGBUILDs

I've implemented signature checking in some PKGBUILDs.

Usually by including a link to my key on github* in the source array, the checksum for my key in the sha256sums array, and then including the following in prepare or build:

	# import the key downloaded via the source array into the user's keyring
	gpg --import key
	# verify the detached signature of the PKGBUILD itself (one directory up from $srcdir)
	gpg --verify ../PKGBUILD.sig ../PKGBUILD

I haven't seen many examples of signature checking in PKGBUILDs. This method seems to work well, but I wanted to ask the opinion of others.

My real question: when is it preferable to not have signature checking, or when do you feel it is unnecessary or likely to cause issues?

* I have an aversion to using the keyserver because of an unfortunate experience I had with a poisoned key.


"Proactively seek to give of yourself and to bring only benefit to your peers and community."


#2 2019-10-25 17:22:55

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,466

Re: best practices for signature checking in PKGBUILDs

Hopefully you're not doing this in the AUR. Importing a key into people's keyring automatically is not going to go well.


#3 2019-10-26 16:37:06

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: best practices for signature checking in PKGBUILDs

man PKGBUILD, look for validpgpkeys.

For an example see https://aur.archlinux.org/cgit/aur.git/ … -video-sis


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)


#4 2019-10-27 00:22:50

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,466

Re: best practices for signature checking in PKGBUILDs

Lone_Wolf wrote:

man PKGBUILD, look for validpgpkeys.

For an example see https://aur.archlinux.org/cgit/aur.git/ … -video-sis

That doesn't help when he's trying to sign the PKGBUILD itself.


#5 2019-10-28 12:42:39

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: best practices for signature checking in PKGBUILDs

Using validpgpkeys & users manually importing his key would allow OP to remove gpg --import key from the PKGBUILD.
I doubt OP was aware of validpgpkeys and felt it was worth mentioning.

Moe_Narrow wrote:

My real question; when is it preferable to not have signature checking, or when do you feel it is unnecessary or likely to cause issues?

In my opinion it's a question of where someone puts their trust.
With an unsigned PKGBUILD from AUR users have to rely on the AUR maintainer and the AUR infrastructure maintainers.

With a signed PKGBUILD those still matter, but there are other factors: a place (hosting) where the signature is located, and the maintainers of the hosting infrastructure.

How can AUR users verify the signature does belong to the AUR package maintainer?
AUR is not linked to other infrastructures, so looks to me like they have to trust the aur package maintainer for that.

Users also need to trust the hosting maintainers.

Personally I don't see a benefit of this.


However, there seem to be plans to integrate forum, AUR, archweb etc. and allow users to use one login / username for all of them.
Maybe a personal signature could be added.

That signature would be part of the archlinux web-of-trust and might be usable as an additional layer of defense against tampering with PKGBUILDs.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)
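The validpgpkeys approach that posts #3 and #5 refer to, shown as an added example (not code from this thread or from any real package): a PKGBUILD fragment whose source array fetches a tarball together with its detached .sig, lets makepkg verify it, and restricts acceptable signing keys through validpgpkeys instead of importing anything into the user's keyring. The package name, URL, checksum and fingerprint are placeholders. The fingerprint_allowed function is an illustrative model of the allowlist rule, not makepkg's own code. As Scimmia notes in #4, this verifies the downloaded sources, not the PKGBUILD file itself.

```bash
# PKGBUILD fragment (added example; names, URL, hash and fingerprint are placeholders).
# makepkg verifies every source file that has a matching ".sig" (or ".asc") entry and,
# when validpgpkeys is non-empty, accepts only signatures made by the listed keys.
pkgname=example-pkg
pkgver=1.0.0
pkgrel=1
arch=('any')
url="https://example.invalid/${pkgname}"        # placeholder upstream
license=('MIT')
# The brace expansion yields both the tarball and its detached signature.
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz"{,.sig})
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'  # placeholder tarball hash
            'SKIP')                                                            # the .sig itself is not hashed
# Full 40-hex-digit fingerprint of the upstream signing key (placeholder). Users
# import that key themselves; the PKGBUILD never touches their keyring.
validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567')

# Illustrative model of the validpgpkeys rule (not makepkg's implementation):
# a signing key is acceptable only when its full fingerprint is in the allowlist.
# Spaces and lower-case hex in the candidate are tolerated; short key IDs are not,
# because 32-bit key IDs can be collided and make a poor allowlist entry.
# Returns 0 when allowed, 1 otherwise.
fingerprint_allowed() {
    local fpr
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    case "$fpr" in
        ''|*[!0-9A-F]*) return 1 ;;   # empty or non-hex input
    esac
    [ "${#fpr}" -eq 40 ] || return 1  # only full fingerprints, never key IDs
    local k
    for k in "${validpgpkeys[@]}"; do
        [ "$k" = "$fpr" ] && return 0
    done
    return 1
}

package() {
    install -Dm644 "${srcdir}/${pkgname}-${pkgver}/README" \
        "${pkgdir}/usr/share/doc/${pkgname}/README"
}
```

A user who trusts the upstream key imports it once (for example from a signed file they obtained out of band, which also sidesteps the keyserver concern raised in the first post); after that, makepkg refuses a tarball whose signature was not made by a listed fingerprint, and no key material is written to anyone's keyring by the build itself.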

