Hi!
I just released my first AUR package: https://aur.archlinux.org/packages/bookmark-dlp
I want to use PGP signatures to check the integrity with the signed git commits and tags. How do I get my public key to the user?
I figured uploading the public key to the AUR repo and referencing that as a source would work; that way I can also add the b2sum of the key to the PKGBUILD. So the public key gets integrity checked by b2sum, and the other sources (git) get checked by the public key.
Reference:
https://wiki.archlinux.org/title/Makepk … e_checking
https://wiki.archlinux.org/title/PKGBUILD#validpgpkeys
My key is also on https://keys.openpgp.org/ but I'm not sure how I could point the user to the keyserver in the PKGBUILD.
https://wiki.archlinux.org/title/PKGBUILD#Integrity notes that
when upstream makes digital signatures available, the signature files should be added to the source array and the PGP key fingerprint to the validpgpkeys array. This allows authentication of the files at build time.
My question is: How?
If anyone has advice on how or whether to make the package framework dependent (.net) that is welcome as well. I think that would require:
- different publish options, not too inconvenient
- a different .desktop file, as the binary has to be launched as dotnet run /path/to/mybinary - I would like to avoid maintaining 2 .desktop files
Thanks for any advice and help!
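Worked example of the validpgpkeys mechanism the wiki quote above refers to (added here, not the OP's PKGBUILD or anything from the other posters): a PKGBUILD excerpt that verifies a signed git tag, plus a hypothetical sanity-check function. The repository URL, version and fingerprint are placeholders.

```bash
# Added example, not the real bookmark-dlp PKGBUILD. URL, version and
# fingerprint are placeholders; replace them with the maintainer's values.
pkgname=bookmark-dlp
pkgver=1.0.0              # placeholder version
pkgrel=1
arch=('x86_64')

# The ?signed suffix makes makepkg run `git verify-tag` (for #tag=) or
# `git verify-commit` (for #commit=) and accept only a signature made by
# a key listed in validpgpkeys. A VCS checkout has no fixed hash, so the
# checksum is SKIP and the tag signature is what carries the trust.
source=("${pkgname}::git+https://example.invalid/owner/${pkgname}.git#tag=v${pkgver}?signed")
b2sums=('SKIP')

# Full 40-hex-digit fingerprint of the signing key (placeholder). makepkg
# does not fetch keys; the builder imports it first, e.g. with
#   gpg --keyserver hkps://keys.openpgp.org --recv-keys <fingerprint>
# and should confirm the fingerprint through a second channel (the AUR
# page comment Lone_Wolf suggests, the project site) before building.
validpgpkeys=('0000000000000000000000000000000000000000')

# Hypothetical helper (not part of makepkg): refuse the half-done setup
# where a source asks for signature checking but validpgpkeys holds no
# full 40-hex-digit fingerprint. makepkg itself only accepts full
# fingerprints there, so short key IDs are rejected here too.
pgp_config_ok() {
    local s k needs_key=0
    for s in "${source[@]}"; do
        case "$s" in *'?signed'|*.sig|*.asc|*.sign) needs_key=1 ;; esac
    done
    [ "$needs_key" -eq 0 ] && return 0      # nothing signed, nothing to check
    for k in "${validpgpkeys[@]}"; do
        if [ "${#k}" -eq 40 ]; then
            case "$k" in *[!0-9A-Fa-f]*) ;; *) return 0 ;; esac
        fi
    done
    return 1
}
```

Run it with `pgp_config_ok && echo ok`; this answers "how" for the PKGBUILD side only, the question of where the user gets the key from is the one the rest of the thread argues about.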
You don't.
Fact is you don't really add security, as close to no one using the AUR actually verifies that the GPG signatures are from the packager/maintainer. Instead they just blindly trust it and fetch it from a keyserver.
Paru (AUR manager) can auto-fetch needed GPG keys, because people are even too lazy to do that.
Default keyserver IIRC is ubuntu: hkp://keyserver.ubuntu.com
Why I run Arch? To "BTW I run Arch" the guy one grade younger.
And to let my siblings and cousins laugh at Arsch Linux...
I think it would still be better to use pgp than only writing the hashes to check integrity and validate the source. Even when using the keyserver. But what I was looking for was actually to distribute the public key with the PKGBUILD in the same repo, but also include the b2sum of the pubkey - to validate the pgp key integrity. Kind of a mixed solution of both pgp and hashes.
I guess this is just a limitation of the pkgbuild system. Thanks for the answer!
Well it makes even less sense to ship it with the PKGBUILD - after all, the idea of the GPG keys is to prevent a man-in-the-middle attack (somebody just replacing the entire PKGBUILD or its sources, which nobody would do for low value targets like us).
It's really not intended to verify the integrity, the hashes do that job. If you want to have a backup for the hashes you can add a second hash array with a different algorithm.
This is not a limitation of the ABS, it's intended.
Last edited by jl2 (2025-01-28 07:00:35)
Arch Linux packages do ship PGP keys with the files to build repo packages in a special folder.
See https://gitlab.archlinux.org/archlinux/ … kages/mesa for an example.
Keep in mind that this is only secure if you trust the source of those keyfiles.
Personally I would add a note where the key can be found in a pinned comment on the AUR page.
This leaves the decision of verifying & installing the key to the user.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough?
Try clean chroot manager by graysky