FS#66125 - Recognize signed commits and show signature information in AUR web interface
Attached to Project:
AUR web interface
Opened by Anderson Medeiros Gomes (amg1127) - Sunday, 05 April 2020, 08:54 GMT
Details
Provided that I trust Arch Linux developers and Trusted Users, I am confident that package files retrieved and installed by Pacman are trusted because package signatures are verified automatically using a keyring located in the /etc/pacman.d/gnupg folder and populated by the "archlinux-keyring" package. On the other hand, packages retrieved from AUR are user-submitted content and, therefore, I should manually check them for malicious code every time I am willing to install or upgrade packages from there on my system.
Because verifying PKGBUILD files manually is a time-consuming operation, I would like to have the possibility of trusting AUR packages selectively by trusting maintainers' GPG keys in my build environment. I am planning to do the following steps:

* Have a dedicated local user, a GPG keyring and a keypair to locally sign packages built by "makepkg".
* Import trusted AUR package maintainer keys into that keyring and sign them locally.
* Manually check signatures of AUR repositories being downloaded (cloned) by running "git verify-commit" or "git log --show-signature".
* Enable automatic signature checks of AUR repositories being updated (pulled) by setting "gpg.minTrustLevel=fully" and "merge.verifySignatures=true" in repository configs (git config --local).

I believe that AUR's underlying Git infrastructure already accepts signed commits from package maintainers. So, I am writing to propose the following features:

* AUR web interface should recognize packages published via signed Git commits and show signature information in information pages, such as key fingerprint and issuer's name.
* AUR submission guidelines should suggest that publishers sign their commits before pushing changes.
* AUR wiki page should provide instructions on how to verify Git signatures after downloading (cloning) a package.
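As an added example (not part of the original request), the following POSIX shell function applies the "good signature from a key trusted at least fully" rule that the plan above relies on (the policy behind gpg.minTrustLevel=fully) to the raw gpg status lines that "git verify-commit --raw" writes to stderr, so the same check can be scripted around a manual clone. The key ids, fingerprint and status lines below are constructed samples, not real keys.

```shell
#!/bin/sh
# sig_trusted: read gpg status lines ("[GNUPG:] ...") on stdin and accept only
# a good, valid signature whose key has trust FULLY or ULTIMATE in the local
# keyring. This mirrors git's gpg.minTrustLevel=fully rule, which also reads
# the TRUST_* status line. Prints "trusted <fingerprint>" (exit 0) or
# "rejected: <reason>" (exit 1).
#
# Real usage on a cloned AUR repository (GNUPGHOME pointing at the dedicated
# keyring into which the maintainer keys were imported and locally signed):
#   git verify-commit --raw HEAD 2>&1 | sig_trusted
sig_trusted() {
    awk '
        $1 != "[GNUPG:]" { next }                      # ignore non-status noise
        $2 == "GOODSIG"  { good = 1 }                  # signature verified
        $2 == "VALIDSIG" { fpr = $3 }                  # full key fingerprint
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = $2 }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trust = $2 }
        $2 == "TRUST_UNDEFINED" || $2 == "TRUST_NEVER" ||
        $2 == "TRUST_MARGINAL" { lowtrust = $2 }
        END {
            if (bad != "")          { print "rejected: " bad; exit 1 }
            if (!good || fpr == "") { print "rejected: no valid signature"; exit 1 }
            if (trust == "") {
                print "rejected: trust level " (lowtrust == "" ? "unknown" : lowtrust) " below fully"
                exit 1
            }
            print "trusted " fpr
        }'
}

# Constructed sample status output, in the shape gpg emits with --status-fd.
# 1) key imported and locally signed (lsign) -> TRUST_FULLY -> accepted
SAMPLE_TRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG C6D7E8F90A1B2C3D Constructed Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D 2020-04-05 1586076840 0 4 0 1 8 00 0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D
[GNUPG:] TRUST_FULLY 0 pgp'
# 2) key imported but never lsigned -> good signature, TRUST_UNDEFINED -> rejected
SAMPLE_UNTRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG C6D7E8F90A1B2C3D Constructed Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D 2020-04-05 1586076840 0 4 0 1 8 00 0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# 3) signing key not in the keyring at all -> ERRSIG -> rejected
SAMPLE_UNKNOWN='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG C6D7E8F90A1B2C3D 1 8 00 1586076840 9 -
[GNUPG:] NO_PUBKEY C6D7E8F90A1B2C3D'

# Demonstration on the constructed samples (each prints its verdict):
for sample in "$SAMPLE_TRUSTED" "$SAMPLE_UNTRUSTED" "$SAMPLE_UNKNOWN"; do
    printf '%s\n' "$sample" | sig_trusted || :
done
```

Marginal, undefined and missing trust levels are all rejected on purpose: a signature from a key that merely sits in the keyring proves nothing until the key has been locally signed.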