Files
Arch-R/scripts
Douglas Teles 7addeb691a pacman: drop per-package signing, sign only the repo db
First repo-dev release uploaded 1000/1078 assets before hitting
GitHub's documented per-release limit of 1000 assets. The cap is
hit because every package shipped a paired .sig, doubling the
count without adding meaningful security.

The trust path now flows entirely through the database:
  - archr-keyring ships the master public key.
  - archr.db.sig proves the db came from the maintainer.
  - The db records the SHA256 of every package; pacman re-hashes
    after download and refuses mismatches.

To compromise a package the attacker would have to publish a
modified db that lists their hash, which requires the signing
subkey. The per-package .sig was redundant against this attack.

This is the same model Arch Linux ARM, EndeavourOS and SteamOS
use in production.

pacman.conf SigLevel flips from "Required DatabaseOptional" to
"PackageOptional DatabaseRequired"; comment expanded so a future
reader sees the why.

gen-pacman-repo drops the `gpg --detach-sign` step inside
build_one_pkg(); repo-add --sign still signs the db at the end.
Asset count shrinks from 1078 to 543 (535 packages + 8 db
artifacts), which fits comfortably in a single GitHub Release.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-23 23:27:27 -03:00
..
2024-07-06 13:09:20 +02:00
2020-02-10 08:53:39 +01:00
2026-03-20 11:36:42 -03:00
2026-03-18 17:32:41 -03:00
2026-03-23 14:19:12 -03:00
2024-07-06 13:09:20 +02:00
2026-03-18 17:32:41 -03:00
2025-02-03 07:04:59 -05:00
2025-02-03 07:04:59 -05:00
2025-07-13 19:02:39 +01:00
2025-02-03 07:04:59 -05:00
2024-07-06 13:09:20 +02:00
2019-07-09 00:05:25 +01:00
2026-03-18 17:32:41 -03:00
2025-07-13 19:02:39 +01:00
2024-07-06 13:09:20 +02:00
2025-05-11 18:04:57 -04:00
2024-07-06 13:09:20 +02:00
2025-02-03 07:04:59 -05:00
2026-03-18 17:32:41 -03:00
2026-03-18 17:32:41 -03:00