
Support digital signing and verification of packages

Open jhuntwork opened this issue 8 years ago • 9 comments

The initial libraries to support digital signing are present, but they are not implemented into the build system nor are any packages actually signed yet. Further investigation and testing needs to be done.

jhuntwork avatar Jun 10 '16 19:06 jhuntwork

If it's possible, I would like to suggest OpenBSD's signify for signing purposes. It seems to be a lot simpler than GPG.

subnut avatar Jun 14 '21 03:06 subnut

> If it's possible, I would like to suggest OpenBSD's signify for signing purposes. It seems to be a lot simpler than GPG.

Nice, thanks for the suggestion. I'll take a look!

jhuntwork avatar Jun 14 '21 11:06 jhuntwork

So looking a little closer, gpg is pretty well embedded in the way pacman and its build script makepkg work. I think to get around that would probably require a lot of hacking that I'm not particularly interested in doing at the moment. I'll keep this issue open on the back burner, and possibly if someone looks a little deeper and has a suggestion about implementation, we can reconsider.

jhuntwork avatar Aug 07 '21 13:08 jhuntwork

Surprisingly, it looks like pacman (or maybe it's gpgme) shells out to the gpg binary to do validation of packages. If only the gpg binary is removed from the system, pacman cannot validate signed packages.

I expected that all that functionality would be available in the library and compiled directly into the pacman package. This means that we'd have to support gpg and its dependencies in the base system. Additionally, the pacman-key tool is actually a bash script which also sources and uses makepkg bash 'libraries', which means both another hard dependency on bash in the core system and makepkg's libs, neither of which I was expecting.

I'm going to back out the current changes to pacman (and maybe gnupg et al) and re-open this. This might also mean re-evaluating package managers again, or finishing the mere tool sooner rather than later.

jhuntwork avatar Sep 10 '21 14:09 jhuntwork

This may depend on #381

jhuntwork avatar Sep 19 '21 16:09 jhuntwork

This evening I played around with asignify. I was able to patch pacman to get it to use that for signature verification instead of gpgme. The current patch isn't very clean and I'm still reviewing the lib, but it was at least very promising. The work involved isn't too bad. I'll post here again as I have more updates.

jhuntwork avatar Dec 21 '21 03:12 jhuntwork

Submitted an initial set of patches upstream: https://lists.archlinux.org/pipermail/pacman-dev/2022-January/025439.html

jhuntwork avatar Jan 01 '22 21:01 jhuntwork

That's really interesting, thanks for the patch. I will test it on my side to see if all goes well.

Obarun avatar Feb 28 '22 08:02 Obarun

Nice, I'd love to hear how it goes!

I received some additional feedback from pacman devs about the patch here: https://lists.archlinux.org/pipermail/pacman-dev/2022-January/025496.html

Based on that I was going to look at an alternative patch that uses signify or minisign instead, but haven't had time to dive into it yet. Still, the above patch worked for me, and asignify seems like a fine lib, it just doesn't have wide usage yet.

jhuntwork avatar Feb 28 '22 13:02 jhuntwork
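A worked illustration of the verification path the thread is circling around (the signify-style alternative suggested above, and the earlier observation that pacman's gpg path fails as soon as the gpg binary is absent): this is an added example, not code from merelinux, pacman, asignify, signify or minisign. It embeds a reference-style pure-Python Ed25519 (variable-time, illustration only) so the check runs with no external binary or library at all, and wraps keys and signatures in signify's file layout: an `untrusted comment:` line followed by base64 of `"Ed"` + an 8-byte key number + the 32-byte key or 64-byte signature. The seed, key number and package bytes are constructed for the example; the key-number check mirrors how signify refuses a signature made under a different key before doing any curve arithmetic.

```python
import base64
import hashlib

# --- Minimal Ed25519 (reference-style, slow, not constant-time; for illustration only) ---
Q = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493
D = (-121665 * pow(121666, Q - 2, Q)) % Q
I = pow(2, (Q - 1) // 4, Q)

def _xrecover(y):
    xx = (y * y - 1) * pow(D * y * y + 1, Q - 2, Q)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = (x * I) % Q
    return Q - x if x & 1 else x

BY = (4 * pow(5, Q - 2, Q)) % Q
B = (_xrecover(BY), BY)  # base point

def _add(p, r):
    x1, y1 = p
    x2, y2 = r
    den = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + den, Q - 2, Q)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - den, Q - 2, Q)
    return (x3 % Q, y3 % Q)

def _mul(p, e):  # double-and-add scalar multiplication
    r = (0, 1)
    while e:
        if e & 1:
            r = _add(r, p)
        p = _add(p, p)
        e >>= 1
    return r

def _enc(p):
    return (p[1] | ((p[0] & 1) << 255)).to_bytes(32, "little")

def _dec(s):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = _xrecover(y)
    if (x & 1) != (s[31] >> 7):
        x = Q - x
    if (-x * x + y * y - 1 - D * x * x * y * y) % Q:
        raise ValueError("point not on curve")
    return (x, y)

def _hint(*parts):
    return int.from_bytes(hashlib.sha512(b"".join(parts)).digest(), "little")

def _scalar(seed):  # clamp the first half of SHA-512(seed); second half is the nonce prefix
    h = bytearray(hashlib.sha512(seed).digest())
    h[0] &= 248; h[31] &= 127; h[31] |= 64
    return int.from_bytes(h[:32], "little"), bytes(h[32:])

def ed25519_public(seed):
    return _enc(_mul(B, _scalar(seed)[0]))

def ed25519_sign(seed, pk, msg):
    a, prefix = _scalar(seed)
    r = _hint(prefix, msg) % L
    R = _enc(_mul(B, r))
    s = (r + _hint(R, pk, msg) * a) % L
    return R + s.to_bytes(32, "little")

def ed25519_verify(pk, msg, sig):
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        A, R = _dec(pk), _dec(sig[:32])
    except ValueError:
        return False
    s = int.from_bytes(sig[32:], "little")
    if s >= L:
        return False
    return _mul(B, s) == _add(R, _mul(A, _hint(sig[:32], pk, msg) % L))

# --- signify file layout: "untrusted comment:" line, then base64("Ed" + keynum + body) ---
def signify_file(comment, keynum, body):
    return b"untrusted comment: " + comment + b"\n" + base64.b64encode(b"Ed" + keynum + body) + b"\n"

def parse_signify(blob, body_len):
    lines = blob.split(b"\n")
    if len(lines) < 2 or not lines[0].startswith(b"untrusted comment:"):
        raise ValueError("not a signify file")
    raw = base64.b64decode(lines[1])
    if raw[:2] != b"Ed" or len(raw) != 2 + 8 + body_len:
        raise ValueError("bad algorithm tag or length")
    return raw[2:10], raw[10:]

def verify_package(pubkey_file, sig_file, package_bytes):
    """What a package manager would do: parse both files, match key numbers, then verify."""
    try:
        kn_pk, pk = parse_signify(pubkey_file, 32)
        kn_sig, sig = parse_signify(sig_file, 64)
    except ValueError:
        return False
    if kn_pk != kn_sig:
        return False  # signed under a different key than the one we trust
    return ed25519_verify(pk, package_bytes, sig)

# Constructed demo material (not real keys or packages).
SEED = hashlib.sha256(b"constructed demo seed - not a real key").digest()
KEYNUM = bytes(range(1, 9))
PK = ed25519_public(SEED)
PACKAGE = b"constructed package bytes: demo-pkg-1.0.tar.xz"
PUBKEY_FILE = signify_file(b"demo public key", KEYNUM, PK)
SIG_FILE = signify_file(b"verify with demo.pub", KEYNUM, ed25519_sign(SEED, PK, PACKAGE))

if __name__ == "__main__":
    print("valid:", verify_package(PUBKEY_FILE, SIG_FILE, PACKAGE))
    print("tampered:", verify_package(PUBKEY_FILE, SIG_FILE, PACKAGE + b"x"))
```

The point to take from the structure is that `verify_package` needs only bytes in memory: nothing is forked, no keyring directory is consulted, and a mismatched key number is rejected before any signature math, which is the simplicity the signify/minisign suggestion buys compared with the gpg-binary dependency described earlier in the thread.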

Added in #410

jhuntwork avatar Sep 23 '22 22:09 jhuntwork