Files
Arch-R/scripts/repo
Douglas Teles 7addeb691a pacman: drop per-package signing, sign only the repo db
First repo-dev release uploaded 1000/1078 assets before hitting
GitHub's documented per-release limit of 1000 assets. The cap is
hit because every package shipped a paired .sig, doubling the
count without adding meaningful security.

The trust path now flows entirely through the database:
  - archr-keyring ships the master public key.
  - archr.db.sig proves the db came from the maintainer.
  - The db records the SHA256 of every package; pacman re-hashes
    after download and refuses mismatches.

To compromise a package the attacker would have to publish a
modified db that lists their hash, which requires the signing
subkey. The per-package .sig was redundant against this attack.

This is the same model Arch Linux ARM, EndeavourOS and SteamOS
use in production.

pacman.conf SigLevel flips from "Required DatabaseOptional" to
"PackageOptional DatabaseRequired"; comment expanded so a future
reader sees the why.

gen-pacman-repo drops the `gpg --detach-sign` step inside
build_one_pkg(); repo-add --sign still signs the db at the end.
Asset count shrinks from 1078 to 543 (535 packages + 8 db
artifacts), which fits comfortably in a single GitHub Release.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-23 23:27:27 -03:00
..

scripts/repo

Tooling for the GitHub-Releases-as-pacman-mirror workflow described in docs/release-policy.md. The end result is a tag like repo-stable on archr-linux/archr-repo with the assembled .pkg.tar.zst files and signed metadata.

gen-pacman-repo

Reads the finished build tree (build.*-RK3326/install_pkg/<pkg>/) that make docker-RK3326 leaves behind, packs each <pkg> directory into a <pkg>-<version>-1-aarch64.pkg.tar.zst, generates the .PKGINFO sidecar that pacman needs, and runs repo-add to build archr.db and archr.files.

Run after a successful build:

BUILD_DIR=build.ArchR-RK3326.aarch64-2026.06-devel \
OUT_DIR=/tmp/repo-out \
CHANNEL=dev \
SIGNER=                                          \
    scripts/repo/gen-pacman-repo

Then upload:

gh release create repo-dev                                \
    --repo archr-linux/archr-repo                         \
    --title "ArchR repo dev $(date +%Y%m%d)"              \
    /tmp/repo-out/*

GPG signing

For production releases, set SIGNER=<fingerprint> and have the agent (or a YubiKey-backed agent) ready. repo-add --sign will sign the .db as it walks the package list, and each .pkg.tar.zst gets a .sig as well.

The master key whose public half is bundled into the archr-keyring package must include <fingerprint> either directly or as a signed subkey, otherwise pacman-key --populate archr on the client will not extend trust to packages signed by it.

Channels and tag mapping

archr-update rewrites /etc/pacman.d/mirrorlist based on system.cfg "updates.branch":

Channel value Mirror tag on archr-linux/archr-repo
stable (default) repo-stable
next repo-next
dev repo-dev

The promotion workflow (dev -> next -> stable) is documented in docs/release-policy.md.