mirror of
https://github.com/archr-linux/Arch-R.git
synced 2026-07-12 18:19:42 -07:00
pacman: drop per-package signing, sign only the repo db
First repo-dev release uploaded 1000/1078 assets before hitting
GitHub's documented per-release limit of 1000 assets. The cap is
hit because every package shipped a paired .sig, doubling the
count without adding meaningful security.
The trust path now flows entirely through the database:
- archr-keyring ships the master public key.
- archr.db.sig proves the db came from the maintainer.
- The db records the SHA256 of every package; pacman re-hashes
after download and refuses mismatches.
To compromise a package the attacker would have to publish a
modified db that lists their hash, which requires the signing
subkey. The per-package .sig was redundant against this attack.
This is the same model Arch Linux ARM, EndeavourOS and SteamOS
use in production.
pacman.conf SigLevel flips from "Required DatabaseOptional" to
"PackageOptional DatabaseRequired"; comment expanded so a future
reader sees the why.
gen-pacman-repo drops the `gpg --detach-sign` step inside
build_one_pkg(); repo-add --sign still signs the db at the end.
Asset count shrinks from 1078 to 543 (535 packages + 8 db
artifacts), which fits comfortably in a single GitHub Release.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
@@ -17,10 +17,16 @@ HookDir = /etc/pacman.d/hooks/
|
||||
HoldPkg = pacman glibc bash linux archr-keyring
|
||||
Architecture = aarch64
|
||||
|
||||
# Signature checking. Required is the target once archr-keyring ships
|
||||
# the production master key; DatabaseOptional during bootstrap because
|
||||
# the .db files in the first releases may not be signed yet.
|
||||
SigLevel = Required DatabaseOptional
|
||||
# Signature checking. The archr repo signs the database (.db) with the
|
||||
# production master subkey; individual packages are unsigned because
|
||||
# GitHub Releases caps a single release at 1000 assets and the per-pkg
|
||||
# .sig files double the count past that limit. The trust path is:
|
||||
# 1. archr-keyring ships the master public key.
|
||||
# 2. archr.db.sig proves the db came from us.
|
||||
# 3. The db lists SHA256 of every package; pacman re-hashes after
|
||||
# download and refuses mismatches.
|
||||
# This is the same model Arch Linux ARM, EndeavourOS and SteamOS use.
|
||||
SigLevel = PackageOptional DatabaseRequired
|
||||
LocalFileSigLevel = Optional
|
||||
|
||||
CheckSpace
|
||||
|
||||
Reference in New Issue
Block a user