#1 2025-09-21 18:29:47

jkhmtx
Member
Registered: 2025-09-20
Posts: 1

SSH signing (instead of gpg) for package verification?

Hopefully a simple enough question: Can I sign commits/tags with my SSH key, and use the public key in lieu of a fingerprint for commit/tag signature verification?

I've read the PKGBUILD/makepkg reference back-to-front several times by now, and scoured the internet with no luck, so I hope you can forgive the straightforward ask.

I am aware of `validpgpkeys`, and see no other reference to an SSH equivalent. I guess I'm hoping to hear I missed something, there's an undocumented API, a workaround/consideration for package integrity that will allow me to eschew an additional GPG key in my keyring, or news about this as a pending feature request.

Thank you!

#2 2025-09-21 19:21:02

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 14,280

Re: SSH signing (instead of gpg) for package verification?

Currently PGP keys are the only supported keys for pacman/makepkg (as far as I know).

There is this upstream issue: https://gitlab.archlinux.org/pacman/pacman/-/issues/67 .
You probably have to wait for a pacman dev to come along to learn how close this is.
(some of them do use the forum).


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough?
Try clean chroot manager by graysky

#3 2025-09-21 22:08:47

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,575

Re: SSH signing (instead of gpg) for package verification?

Lone_Wolf wrote:

You probably have to wait for a pacman dev to come along to learn how close this is.

No-one is working on it.

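To make concrete what the `validpgpkeys` mechanism from #1 actually gates on, here is an added illustration (not makepkg's own code) of the fingerprint check: after gpg verifies a signed tag, its `--status-fd` stream carries a `VALIDSIG` line with the signing key's fingerprint, and a package build passes only if that fingerprint is in the allowlist. The status output and every fingerprint below are constructed placeholders, and `check_validpgpkeys` is a name chosen for this example.

```python
import re

# Constructed sample of `gpg --status-fd 1 --verify` output, the kind of stream
# that is parsed after git verifies a `?signed` tag. Fingerprints are made up.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2025-09-21 1758472187 0 4 0 1 8 01 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# gpg statuses that must fail verification no matter what the allowlist says.
FATAL_STATUSES = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
HEX40 = re.compile(r"^[0-9A-Fa-f]{40}$")


def normalize(fpr):
    """validpgpkeys entries are bare hex; tolerate spaces and lowercase."""
    return fpr.replace(" ", "").upper()


def check_validpgpkeys(status_text, validpgpkeys):
    """Return (ok, reason). ok is True only when gpg reported a valid
    signature AND the signing key (or, as this example also allows, its
    primary key) is listed in validpgpkeys. An empty list is rejected here;
    that is this example's policy, not a statement about makepkg."""
    allowed = {normalize(k) for k in validpgpkeys if HEX40.match(normalize(k))}
    if not allowed:
        return False, "validpgpkeys is empty or malformed"
    signer_fprs = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FATAL_STATUSES:
            return False, fields[1]
        if fields[1] == "VALIDSIG" and len(fields) >= 3 and HEX40.match(fields[2]):
            signer_fprs = {fields[2].upper()}
            # Field 11, when present, is the primary-key fingerprint gpg
            # appends for signatures made by a subkey.
            if len(fields) >= 12 and HEX40.match(fields[11]):
                signer_fprs.add(fields[11].upper())
    if signer_fprs is None:
        return False, "no VALIDSIG"
    matched = sorted(signer_fprs & allowed)
    if matched:
        return True, matched[0]
    return False, "fingerprint not in validpgpkeys"
```

An SSH public key never appears in this stream; SSH signatures are checked by a different tool (`ssh-keygen -Y verify` against an allowed-signers file), which is why a fingerprint allowlist has no drop-in SSH equivalent.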
