author | Patrick McDermott <pehjota> | 2019-03-23 14:43:35 (EDT) |
---|---|---|
committer | Patrick McDermott <pehjota> | 2019-03-23 14:43:35 (EDT) |
commit | 058a3c551d9b3402bef9ebf89151e20e4897e080 (patch) | |
tree | b290d07e47a297b74057a655074cefb2d08065a3 /dev/archive | |
parent | 9638ba8e51d24b6ddfd609b8b276f7d28f7fc975 (diff) | |
parent | 32199feacf9feecf224a0f2b1489415850e122f2 (diff) |
Merge remote-tracking branch 'origin/master'
Conflicts:
dev/archive/signing.mdwn
Diffstat (limited to 'dev/archive')
-rw-r--r-- | dev/archive/signing.mdwn | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/dev/archive/signing.mdwn b/dev/archive/signing.mdwn index dbd094e..83d98df 100644 --- a/dev/archive/signing.mdwn +++ b/dev/archive/signing.mdwn @@ -14,10 +14,9 @@ Implementation ProteanOS Archive Manager ------------------------- -[[pro-archman|dev/pro-archman]] will gain two new options: one to enable archive -signing and one to specify a signing key. If archive signing is enabled, -pro-archman will run `gpg` to sign, with the specified key, `Packages` feed -index files when generated. +[[pro-archman|dev/pro-archman]] will gain a new option: an archive signing key. +If a key is provided, pro-archman will run `gpg` to sign, with the specified +key, `Packages` feed index files when generated. A `gpg` executable will be an optional dependency, found by the `configure` script at build time. @@ -52,6 +51,15 @@ prokit. prokit should find and use only archive signing keys (by a user ID specified in the profile) that are signed by a non-revoked previous key (or a signed chain of keys with the user ID). +A user already has to import a key into their own keyring to verify their prokit +download. Maybe it's better to just instruct users to also download the archive +signing key(s) into their keyrings. This takes advantage of existing PKI, and +leaves users to make sure their keyring is kept updated with signatures, +revocations, changed expiration dates, and transitions. It also avoids having +released prokit versions "expire" due to included keys expiring. + +Suggestions welcome. + Opkg ---- |
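Review bot: The reworded pro-archman paragraph in the first hunk (`@@ -14,10 +14,9 @@`) does not say what happens when a signing key is provided but no `gpg` executable was found, which the unchanged context line allows by keeping `gpg` an optional dependency located by `configure` at build time. With the separate enable option gone, the key option is the only statement of intent to sign, so the text should state that pro-archman fails in that case rather than generating unsigned `Packages` files. It would also help to say in what form the key is specified, since "an archive signing key" leaves that open.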
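Review bot: The paragraph added in the second hunk (`@@ -52,6 +51,15 @@`) tells users to "also download the archive signing key(s) into their keyrings" without saying how they authenticate those keys. It also does not say whether it replaces the preceding context paragraph, under which prokit uses only keys signed by a non-revoked previous key. Suggest stating the verification path explicitly, and marking which of the two approaches is the current proposal, since "Maybe it's better" and "Suggestions welcome." leave the design undecided in the page itself. Because the text "leaves users to make sure their keyring is kept updated" with revocations and expiration changes, it should also note that a revocation has no effect until the user refreshes their keyring.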