Martin Husemann <martin%duskware.de@localhost> writes: > Unfortunately it seems like gpg signed pkgs is no option here, unless someone > can describe a concept where we download the pkgbuild trust anchor key > from the root of the binary pkg repository and "somehow" automatically verify > this key against a master key that got installed with the system (and w/o > administrative overload for whoever has to sign the individual pkgbuilder > keys). The recursive chain of trust in x509 seems to be a good fit here > (even though noone really likes x509). OpenPGP has the same chain concept, with knobs to configure. But, I don't see why one can't: create a TNF-controlled (you with someone as backup) PGP key intended to be used over a long time (at least 5 years), and kept offline, as the TNF release signing CA key put the public part of this key into the distribution, and publish it Keep a file of public keys authorized to sign packages and put it on cdn.netbsd.org. Update it as needed, and get a signature from the CA key Write a script to download the signed keyfile, validate the signature, and put it in a keyring to be used for validating packages That amounts to the same thing as x509, except it's a bit of work, and it might differ in not trusting 100 Root CAs out there. It could probably also be done with config options to trust one valid signature from the CA key, marked trusted, and only one hop.
Attachment:
signature.asc
Description: PGP signature