[arch-haskell] Package Signing

Mon Jul 30 08:35:57 CEST 2012

On 2012-07-29 18:48 +0200
Magnus Therning wrote:

>Correct me if I'm wrong in this assumption, but I need to have the
>following three items available when running the script:
>
>1. The newly-built package.
>2. The repo database (x.db.tar.gz) I'm adding the package to.
>3. The secret key.

1 & 3, yes.

If you have all of the packages then the full database will be recreated so you
don't actually need 2, but if it's present then it will be updated with the
selected packages.

>This is a slight problem for me.  I build on kiwilight (where I'm not
>alone in having root access), the database is on xsounds.org (where I
>don't have root access at all), and to be fully comfortable I'd like
>to keep the secret key and perform the signing on my own machine :-)
>
>Is there some way to simply extract the actual data that is to be
>signed (the hashes), and perform the actual signing manually?

I'm not sure, but I think gpg needs the full file to generate the signature.
There might be some way to dig the hashing algorithm out of the source code and
then create your own remote signing function with it, but that would require
knowledge of gpg internals.

One solution might be to build the packages on kiwilight, then mount the
directory of built packages with sshfs.  You could then run the signing script
locally. I don't know much bandwith that will use, but I think it's worth
trying. In the worst case scenario, it will be equivalent to downloading the
packages. Whether or not that's a problem depends on your connection.

If I understand the problem correctly, you do not generate the database
yourself. That should not be a problem for package signatures, as repo-add will
include them in the database as long as the signature files are present when it
adds the packages. If you can't remote-mount xsounds with sshfs and sign the
database there, just download it and sign it locally then upload the database
signature file.

If that is not possible for whatever reason, just having package signatures is
better than nothing. However, given what you've said about not being the only
one to have access to these repos, I think package signing in this case is very
important.

I would also like to know who does have access to these files. On kiwilight
I believe that it is only Kaiting, who is a TU. Who has access on xsounds?

Could you simply make kiwilight the main host and have xsounds mirror it? The
process would then be the following:
1) ssh into kiwilight, build, and move to haskell/$arch if necessary
2) mount haskell/$arch via ssh and run the signing script locally

You would then have a fully signed repo in haskell/$arch that can be mirrored
by xsounds.