DeveloperWiki:Signing Packages

From ArchWiki
Revision as of 19:46, 2 June 2011 by KerrickStaley (Talk | contribs) (If you have questions about the changes please contact me before reverting: mail @NOSPAM

Warning: This is just a draft and work in progress. Don't even read it.

List of Packager Keys

After you finished not reading this, please go to DeveloperWiki:Signing_Packages/Packager_Keys.

Choose a UID

  • Use your real name. It has to be exactly the name that appears on official documents such as your passport or driver's license. Have a look at
  • Use a valid e-mail address. This means no obfuscation.
  • The e-mail address should be reliable (so don't use the one you got from your ISP or a random free mail address).
  • If in doubt you should prefer using your address
  • The comment for your UID should be either "Arch Linux Developer" or "Arch Linux Trusted User".
  • A UID looks like this: Pierre Schmitz (Arch Linux Developer) <>
  • Even if you have an existing key, create a new one. You can sign the new key with your old one, which makes it valid wherever your existing key is already valid, so the trust you have built up carries over.
  • Use this key only for signing packages and other official Arch business, so that a compromise of a personal key does not affect the packaging key and vice versa.

Create a key pair

  1. install gnupg
  2. gpg --gen-key
    1. the default options (an RSA signing key with an RSA encryption subkey, 2048 bits) are fine; this key is used for signing, not for encryption
    2. do not set it to expire
  3. Also create a revocation certificate for later use
    1. gpg -o ~/.gnupg/ --gen-revoke
    2. Make sure to create a backup of this file and remove it from your system afterwards: anyone who gets hold of it can revoke your key, but without it you cannot revoke the key yourself if the private key is lost or compromised
  4. Back up your private key (and keep the backup offline, it is as sensitive as the key itself): gpg --export-secret-keys >

Get your key signed by CAcert

  1. Get the CAcert key and import it:
    1. wget
    2. gpg --import cacert.asc
  2. Trust this key (5 is "ultimate" trust; in GnuPG's trust model that makes every key CAcert has signed fully valid on this machine, which is the intended effect here, so only assign it to keys whose signing policy you accept):
    1. gpg --edit-key
    2. >trust
    3. >5
  3. Export your key:
    1. gpg --export --armor >
    2. Paste the content of that file into the form on the CAcert website to get your signed public key.
  4. Save the signed key from the CAcert website and import it
    1. gpg --import <filename>
  5. You might want to send your new signed key to a keyserver
    1. Check your key ID with gpg -k
    2. gpg --send-keys 9741E8AC
    3. You could also export it again for uploading it to e.g. your webspace: gpg --export --armor >
  6. Create a backup of your keys and make sure not to forget the passphrase! Without the passphrase the backup of the private key is useless.

Sign your packages

  1. Install devtools 0.9.22 or later
  2. add SIGNPKG=y to your ~/.makepkg.conf
  3. If you want to sign with a specific key, also add GPGKEY=<id>
  4. commitpkg and its aliases like extrapkg or testingpkg will now sign your packages and upload each package together with its detached signature.

Verify a signed package (just for testing)

  1. Install and trust the CAcert key (same caveat as above: 5 is ultimate trust)
    1. wget
    2. gpg --import cacert.asc
    3. gpg --edit-key
    4. >trust
    5. >5
  2. Search and import the packager's key
    1. gpg --search-keys 9741E8AC
  3. Verify the package
    1. gpg --verify devtools-*.pkg.tar.xz.sig
    2. The .sig file is a detached signature: gpg looks for the data file of the same name without the .sig suffix in the same directory, so keep both together. A "Good signature" line means the package matches the signature; a warning that the key is not certified with a trusted signature means the trust path (the CAcert signature plus your trust setting) is missing, not that the package is bad.
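The create, sign and verify steps from the three sections above, run end to end in two throw-away GnuPG homes (a packager side and a user side), as an added example; this is not code from the page or from devtools. It assumes GnuPG 2.1 or later (for %no-protection and the auto-started agent); the name, e-mail address and package contents are made up. Instead of the interactive trust prompt it sets ownertrust with --import-ownertrust, and it shows what that trust setting changes in gpg's verdict and what a tampered package looks like.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page or devtools: the page's
# create / sign / verify steps run end to end in throw-away GnuPG homes so
# nothing touches your real keyring. Assumes GnuPG 2.1 or later
# (%no-protection, auto-started agent). Name, address and package contents
# are made up.
set -eu

PACKAGER_HOME=; VERIFIER_HOME=; WORK=
cleanup() {
    for h in "$PACKAGER_HOME" "$VERIFIER_HOME"; do
        [ -n "$h" ] || continue
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
        rm -rf "$h"
    done
    [ -z "$WORK" ] || rm -rf "$WORK"
}
trap cleanup EXIT

# A fresh keyring directory; gpg picks it up from GNUPGHOME.
new_home() {
    d=$(mktemp -d)
    chmod 700 "$d"
    printf '%s\n' "$d"
}

# Packager side: non-expiring 2048-bit RSA key with the page's UID convention.
# Prints the long (16 hex digit) key ID.
gen_key() {
    gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Example Packager
Name-Comment: Arch Linux Developer
Name-Email: packager@example.org
Expire-Date: 0
%commit
EOF
    gpg --batch --with-colons --list-keys packager@example.org |
        awk -F: '$1 == "pub" { print $5; exit }'
}

# Detached binary signature beside the package, as commitpkg does:
# foo.pkg.tar.xz -> foo.pkg.tar.xz.sig
sign_pkg() {  # $1 = key ID, $2 = package file
    gpg --batch --yes --detach-sign --local-user "$1" "$2"
}

# Verify signature $1 over data $2. Prints "good:<TRUST_...>" and returns 0
# when the signature is valid; prints "bad" and returns 1 otherwise. The
# TRUST_ line is gpg's verdict on the key, separate from the signature itself.
verify_pkg() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) ||
        { echo bad; return 1; }
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' ||
        { echo bad; return 1; }
    trust=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] TRUST_/ { print $2; exit }')
    echo "good:${trust:-TRUST_UNKNOWN}"
}

# --- packager machine ---
PACKAGER_HOME=$(new_home); export GNUPGHOME="$PACKAGER_HOME"
KEYID=$(gen_key)
WORK=$(mktemp -d)
PKG="$WORK/devtools-0.9.22-1-any.pkg.tar.xz"   # constructed stand-in, not a real archive
printf 'constructed package contents\n' > "$PKG"
sign_pkg "$KEYID" "$PKG"                        # writes $PKG.sig
gpg --batch --armor --export "$KEYID" > "$WORK/packager.asc"   # the public key you would publish

# --- user machine: only the public key, the package and the .sig travel ---
VERIFIER_HOME=$(new_home); export GNUPGHOME="$VERIFIER_HOME"
gpg --batch --quiet --import "$WORK/packager.asc"
FIRST=$(verify_pkg "$PKG.sig" "$PKG")   # good:TRUST_UNDEFINED: valid signature, key not yet trusted

# What the page's "trust" / "5" does, non-interactively: 6 is "ultimate" in
# the ownertrust file format. Ultimate trust makes this key and every key it
# has signed valid on this machine.
FPR=$(gpg --batch --with-colons --fingerprint "$KEYID" | awk -F: '$1 == "fpr" { print $10; exit }')
printf '%s:6:\n' "$FPR" | gpg --batch --quiet --import-ownertrust
gpg --batch --quiet --check-trustdb
SECOND=$(verify_pkg "$PKG.sig" "$PKG")  # good:TRUST_ULTIMATE

# One appended byte is enough for the signature check to fail.
cp "$PKG" "$PKG.tampered"; printf 'x' >> "$PKG.tampered"
THIRD=$(verify_pkg "$PKG.sig" "$PKG.tampered" || true)   # bad

printf 'key %s\nuntrusted: %s\ntrusted:   %s\ntampered:  %s\n' "$KEYID" "$FIRST" "$SECOND" "$THIRD"
```

The two-keyring split is the point: the user side never sees the private key, only the armored public key and the .sig, and the difference between the first and second verdict is exactly what the page's trust step buys you, since the signature itself is already good before any trust is assigned.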

Open questions

  • How do we handle keys that expire? "Don't use expiring keys" is probably best, but this is open for debate.
  • Will we re-sign packages of a developer who has left the team?
  • How do we verify the identity of developers who have no CAcert assurers near their location?