0011 Store PGP keys for source file signatures alongside the PKGBUILD

Store PGP keys for source file signatures alongside the PKGBUILD #

Summary #

Store the PGP signing keys listed in a PKGBUILD's validpgpkeys array alongside the PKGBUILD in our VCS.

Motivation #

The PGP keyserver infrastructure has become increasingly brittle over recent years. This can make helping with updates or rebuilds of packages difficult due to lack of access to the valid signing key. Having the signing key exported alongside the PKGBUILD would allow for anybody to import the key into their keyring and verify the source.

Specification #

All keys used by upstream developers for signing source files will be stored in alongside the PKGBUILD in the VCS. A naive script for populating this directory (assuming keys are available in the local keyring) in our current SVN infrastructure is:

cd trunk
source PKGBUILD
mkdir keys
for keyid in ${validpgpkeys[@]}; do
    gpg --export $keyid > keys/$keyid.asc
done

Then, any packager working on the package (e.g. for a rebuild) can readily populate their keyring using:

cd trunk
gpg --import keys/*.asc

Drawbacks #

Adding the key to the source directory initially requires extra work from packagers, although reduces work for subsequent packagers. We can automate this with a simple script added to devtools.

Unresolved Questions #

  • Will dbscripts enforce that signing keys are provided?
  • Will the signing keys be copied from the trunk to repo directories? This becomes a non-issue with proposed future git layout where tags are used for release management.
  • offload-build uploads a tarball generated by makepkg --source so will not upload the keys directory. Should this be fixed in makepkg or devtools?
  • infrastructure to periodically validate keys to catch revoked and expired keys could be added in the future. This is outside the scope of this RFC.

Alternatives Considered #

Arch could host their own keyserver, containing all keys needed for verifying source files used in the distro. It is unclear how such a keyserver would be populated while avoiding arbitrary uploads from outside.

November 6, 2024