Author Topic: makepkg - PKGBUILD - signature files  (Read 556 times)


Offline torvic9

  • Sr. Member
  • ****
  • Posts: 253
  • Hello world!
  • Branch: stable
  • Skill: Intermediate
makepkg - PKGBUILD - signature files
« on: 22. February 2016, 22:44:02 »
Discovered something new today, most packagers surely know about this already, but I think it can be useful for packaging noobs like me:

makepkg supports GPG signatures in the PKGBUILD, i.e. it can not only check checksums but also signatures of downloaded source files.
Just add the link to the .sign file in the source function.
Here's an excerpt of my kernel PKGBUILD:
Code:
source=("https://www.kernel.org/pub/linux/kernel/v4.x/linux-${_basekernel}.tar.xz"
        "https://www.kernel.org/pub/linux/kernel/v4.x/linux-${_basekernel}.tar.sign"
        "http://www.kernel.org/pub/linux/kernel/v4.x/patch-${pkgver}.xz"
        "http://www.kernel.org/pub/linux/kernel/v4.x/patch-${pkgver}.sign"
...

You need to have the public keys of the source package's author in your keyring and have them signed with your key.
i3: i7-5820K | 32 GB | GeForce GTX 960, nvidia | linux44-custom
KDE: i7-920 | 12 GB | GeForce GTS 450, nouveau | linux44
Gnome: Thinkpad X200s | linux41
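As an added illustration (editor's example, not code from the post or from makepkg itself) of what happens with that .sign entry: makepkg runs gpg in --status-fd mode on the downloaded file and then decides whether the signing key is acceptable. Since makepkg 4.2 a PKGBUILD can pin the acceptable key fingerprints in a validpgpkeys array instead of relying on the key being signed in the local keyring; the rule below is my reading of that behaviour, the package "foo", the example.org URLs and every fingerprint are placeholders, and the gpg status lines are constructed rather than captured from a real run:

```shell
#!/bin/sh
# Added example (not makepkg's own code): applies roughly the acceptance rule
# makepkg uses after running `gpg --status-fd 1 --verify FILE.sign FILE`.
# Package, URLs and fingerprints are placeholders, not real keys.
#
# In the PKGBUILD itself (bash) the matching entries would be:
#   source=("https://example.org/foo-1.0.tar.xz"
#           "https://example.org/foo-1.0.tar.sign")
#   sha256sums=('<digest of the tarball>'
#               'SKIP')                  # the .sign file itself gets SKIP
#   validpgpkeys=('ABCDEF0123456789ABCDEF0123456789ABCDEF01')

# Space-separated list standing in for the validpgpkeys array (placeholder).
validpgpkeys='ABCDEF0123456789ABCDEF0123456789ABCDEF01'

# in_validpgpkeys FPR -> 0 if FPR is listed
in_validpgpkeys() {
    for k in $validpgpkeys; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# pgp_status_ok STATUS_TEXT -> 0 when the signature is good and the key is
# acceptable: listed in validpgpkeys (signing key or its primary key), or, if
# validpgpkeys is empty, fully/ultimately trusted in the local keyring.
pgp_status_ok() {
    status=$1
    # Any of these lines means a bad signature or a key we do not have at all.
    if printf '%s\n' "$status" | grep -qE '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY) '; then
        return 1
    fi
    validsig=$(printf '%s\n' "$status" | grep '^\[GNUPG:\] VALIDSIG ' | head -n 1)
    [ -n "$validsig" ] || return 1                # no VALIDSIG line at all
    # VALIDSIG fields: [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <rsv>
    #                  <pkalgo> <hashalgo> <class> <primary-key-fpr>
    set -- $validsig
    fpr=$3
    primary=${12}
    if [ -n "$validpgpkeys" ]; then
        in_validpgpkeys "$fpr" || in_validpgpkeys "$primary"
    else
        printf '%s\n' "$status" | grep -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE) '
    fi
}

# verify_source_sig FILE SIGFILE -> run gpg the way makepkg does, then decide.
verify_source_sig() {
    st=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null || true)
    pgp_status_ok "$st"
}

# Constructed gpg status output (not captured from a real run).
# Subkey 1111... signed; its primary key ABCDEF...01 is in validpgpkeys, so
# this passes even though the key is not trusted in the local keyring.
good_status='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2016-02-22 1456178400 0 4 0 1 10 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Tampered tarball: the signature no longer matches.
bad_status='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Maintainer <maint@example.org>'

# Valid signature from a key nobody vouched for: neither listed nor trusted.
unknown_status='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222222222222222 Someone Else <x@example.net>
[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2016-02-22 1456178400 0 4 0 1 10 00 2222222222222222222222222222222222222222
[GNUPG:] TRUST_UNDEFINED 0 pgp'

for name in good bad unknown; do
    eval "st=\$${name}_status"
    if pgp_status_ok "$st"; then echo "$name: accepted"; else echo "$name: rejected"; fi
done
```

The point of the validpgpkeys branch is that the decision is made by the PKGBUILD author, who names the exact keys upstream publishes with, rather than by whether the user has locally signed some key; a valid signature from a key that is neither listed nor trusted is rejected, as the third sample shows. The checker is kept POSIX so it also runs under plain sh, while a real PKGBUILD uses bash arrays as shown in the comment.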

Offline oberon

  • Core Team
  • *****
  • Posts: 3858
  • I'm nice. Be new!
  • Branch: unstable
  • Desktop: i3, Deepin, Cinnamon
  • GPU Card: Intel ValleyView Gen7
  • GPU driver: Intel
  • Kernel: 4.1 / 4.4
  • Skill: Intermediate
Re: makepkg - PKGBUILD - signature files
« Reply #1 on: 23. February 2016, 00:29:24 »
To be honest I am not so happy with these signatures that you get in the AUR sometimes. How am I to decide if a key is trustworthy for me to sign when I know nothing about its origin? And then once it's authorized on my system it will be accepted as safe also in the future...
It is a completely different thing with the packagers' keys in the arch and manjaro keyrings, because a keyring establishes trust inside a closed and growing group. Like I don't know person X, but my friends A, B and C trust her, so it feels already a lot safe to trust person X ...
The packagers' keys need to be counter-signed by all other packagers in order to be accepted by all users' pacmen ;)
manjaro is addictive ::)
* manjaro-i3  * manjaro-cinnamon  * manjaro-deepin

Offline torvic9

  • Sr. Member
  • ****
  • Posts: 253
  • Hello world!
  • Branch: stable
  • Skill: Intermediate
Re: makepkg - PKGBUILD - signature files
« Reply #2 on: 23. February 2016, 10:30:19 »
True, but I think the kernel devs' signatures (Torvalds, Kroah-Hartman) can be trusted in the case of the kernel packages.
AUR, of course, not so much. That's why I only use packages from AUR if there's no alternative in the official repos.
i3: i7-5820K | 32 GB | GeForce GTX 960, nvidia | linux44-custom
KDE: i7-920 | 12 GB | GeForce GTS 450, nouveau | linux44
Gnome: Thinkpad X200s | linux41