path: root/dev/archive/signing.mdwn
author Patrick McDermott <pehjota> 2019-03-23 14:43:35 (EDT)
committer Patrick McDermott <pehjota> 2019-03-23 14:43:35 (EDT)
commit 058a3c551d9b3402bef9ebf89151e20e4897e080
tree b290d07e47a297b74057a655074cefb2d08065a3 /dev/archive/signing.mdwn
parent 9638ba8e51d24b6ddfd609b8b276f7d28f7fc975
parent 32199feacf9feecf224a0f2b1489415850e122f2
Merge remote-tracking branch 'origin/master'
Conflicts: dev/archive/signing.mdwn
Diffstat (limited to 'dev/archive/signing.mdwn')
1 files changed, 12 insertions, 4 deletions
diff --git a/dev/archive/signing.mdwn b/dev/archive/signing.mdwn
index dbd094e..83d98df 100644
--- a/dev/archive/signing.mdwn
+++ b/dev/archive/signing.mdwn
@@ -14,10 +14,9 @@ Implementation
ProteanOS Archive Manager
-[[pro-archman|dev/pro-archman]] will gain two new options: one to enable archive
-signing and one to specify a signing key. If archive signing is enabled,
-pro-archman will run `gpg` to sign, with the specified key, `Packages` feed
-index files when generated.
+[[pro-archman|dev/pro-archman]] will gain a new option: an archive signing key.
+If a key is provided, pro-archman will run `gpg` to sign, with the specified
+key, `Packages` feed index files when generated.
A `gpg` executable will be an optional dependency, found by the `configure`
script at build time.
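Review bot: The added sentence "If a key is provided, pro-archman will run `gpg` to sign" does not cover the case in the unchanged lines just below it, where `gpg` is an optional dependency found by `configure` at build time. With the separate enable option gone, providing a key is the only switch for signing, so the text should say that a key given to a build without `gpg` is a fatal error rather than a silent fallback to unsigned `Packages` files. It would also help to state in what form the key is specified (for example a full fingerprint rather than a short key ID or user ID), since the new wording only says "an archive signing key".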
@@ -52,6 +51,15 @@ prokit. prokit should find and use only archive signing keys (by a user ID
specified in the profile) that are signed by a non-revoked previous key (or a
signed chain of keys with the user ID).
+A user already has to import a key into their own keyring to verify their prokit
+download. Maybe it's better to just instruct users to also download the archive
+signing key(s) into their keyrings. This takes advantage of existing PKI, and
+leaves users to make sure their keyring is kept updated with signatures,
+revocations, changed expiration dates, and transitions. It also avoids having
+released prokit versions "expire" due to included keys expiring.
+Suggestions welcome.
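Review bot: The added paragraph beginning "A user already has to import a key" leaves open how prokit decides which keys in the user's keyring may sign the archive. The context lines above limit prokit to keys with the user ID from the profile that are signed by a non-revoked previous key; if users import keys themselves, say whether that check still applies or whether any key in the keyring would be accepted for `Packages` verification. The paragraph also hands revocations to the user ("leaves users to make sure their keyring is kept updated"), so a stale keyring would keep accepting a revoked key; document the refresh step users are expected to run and how they should authenticate the archive key on first import. Finally, "Maybe it's better" and "Suggestions welcome." read as an open question in a design page; mark the paragraph as an open question or move it to discussion until a decision is made.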