Feb 9, 2024 12:25:02 Wilhelm Schuster <[email protected]>:
> Hi,
Hi,
> I maintain the AUR package for wget2 [0] (which has `validgpgkeys()`
> populated) and have recently been contacted by a user that has trouble
> with GPG signature verification when building the package in a Docker
> container (using aurutils apparently).
I also use aurutils although I don't use a container, that seems like a waste
of time to me as you can easily set aurutils to build in a clean chroot every
time. I haven't explored the whole breadth of possibilities with aurutils yet
as my migration to it is relatively recent, but from what I've seen, most of it
is essentially some scripts/commands that work using devtools
and/or make{,chroot}pkg as a backend. It should be possible to switch off
pgp verification in it, or even get it to pull pgp keys from somewhere else. I
am unsure how, however.
> Their first suggestion was for me
> to drop the validpgpkeys section to make it easier for them to build the
> package. This is not something I'm willing to implement as that means
> downgrading security for other users of the package.
>
> Their second suggestion was for me to add the GPG public keys directly
> to AUR package. My first thought was that this is also not a good idea,
I personally agree with your point of view on both suggestions. AUR packages
that are signed are very rare, but when that happens they should be kept
signed, as it proves the source isn't tampered with.
> Do you think including GPG keys with AUR packages to make it easier for
> some users is a good idea? Or should they just use `--skippgpcheck`? Are
> there any glaring issues I'm missing here? Do you know of AUR packages
> that include the GPG keys for source verification similar to what Arch
> packages do?
In order: no, ideally not but if they wish to skip it it's their problem, see
below, not that I can remember currently.
What you're missing is that they're using aurutils, an AUR helper. Such tools
are officially unsupported. The only thing that matters for AUR packages is
that in a clean chroot running makepkg lets you build the entire thing, even if
you have to manually add the pgp keys to the pacman gpg keyring in the chroot
before building. In other words, if they encounter an issue with aurutils not
building packages due to pgp keys, they should probably bring that issue up
with the aurutils developers rather than asking individual AUR maintainers to
compromise the security of their PKGBUILDs for their helper to work.
--
Kusoneko
GPG: https://kusoneko.moe/gpg.txt
https://kusoneko.moe
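What the validpgpkeys array actually buys, shown as an added example that is not code from this thread or from makepkg: a small shell model of the fingerprint allow-list check, replayed over constructed `gpg --status-fd 1 --verify` output so it runs without gpg, a keyring or the network. The fingerprints, key IDs and status lines are all constructed; the only real thing is the VALIDSIG field layout (field 3 is the signing key, field 12 the primary key), which is what the check keys on.

```bash
#!/bin/sh
# Added example, not makepkg's own code. Models the check makepkg applies when a
# PKGBUILD sets validpgpkeys: a signature is accepted only if gpg reports
# VALIDSIG *and* the signing or primary key fingerprint is on the allow list.
# Everything below is POSIX sh so it runs under dash or bash.

# Hypothetical allow list, as a PKGBUILD's validpgpkeys array would hold it
# (constructed fingerprint, not a real key). Space-separated for plain sh.
VALIDPGPKEYS='1111222233334444555566667777888899990000'

# signature_fingerprints STATUS_TEXT
# Prints "<signing-key-fpr> <primary-key-fpr>" from the VALIDSIG line, or
# nothing when gpg reported no valid signature (BADSIG, NO_PUBKEY, ...).
# VALIDSIG layout: [GNUPG:] VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsv>
#                  <pkalg> <hashalg> <class> <primary-fpr>
signature_fingerprints() {
  printf '%s\n' "$1" | grep -m1 '^\[GNUPG:\] VALIDSIG ' | awk '{ print $3, $12 }'
}

# verify_source STATUS_TEXT ALLOWED_FPR...
# Returns 0 only for a VALIDSIG whose signing or primary fingerprint is in the
# allow list. With an empty list this model rejects outright; makepkg instead
# falls back to the keyring's trust settings, i.e. per-machine state a fresh
# container does not have, which is why the user in the thread hit trouble.
verify_source() {
  local status fprs signing primary k
  status=$1; shift
  fprs=$(signature_fingerprints "$status")
  [ -n "$fprs" ] || return 1
  signing=${fprs%% *}
  primary=${fprs##* }
  [ $# -gt 0 ] || return 1
  for k in "$@"; do
    [ "$k" = "$signing" ] && return 0
    [ "$k" = "$primary" ] && return 0
  done
  return 1
}

# Constructed gpg status output: good signature from the allow-listed key.
STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7777888899990000 Example Upstream
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2024-02-01 1706745600 0 4 0 22 10 00 1111222233334444555566667777888899990000'

# Constructed: a perfectly valid signature, but from a key not on the list.
# This is the case validpgpkeys exists to reject: "some key signed it" is not
# the same as "upstream signed it".
STATUS_WRONG_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAABBBBCCCCDDDD Someone Else
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2024-02-01 1706745600 0 4 0 22 10 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333'

# Constructed: the right key, but the signature does not match the tarball.
STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 7777888899990000 Example Upstream'

# report NAME STATUS_TEXT : prints "NAME: accepted" or "NAME: rejected".
report() {
  if verify_source "$2" $VALIDPGPKEYS; then
    printf '%s: accepted\n' "$1"
  else
    printf '%s: rejected\n' "$1"
  fi
}

report good "$STATUS_GOOD"
report wrong-key "$STATUS_WRONG_KEY"
report bad-signature "$STATUS_BAD"
```

The allow-listed case is the only one accepted; the other two are rejected for different reasons (wrong key versus bad signature). The practical consequence for the thread's user is that the fix is local to the build environment, not to the PKGBUILD: import the upstream fingerprint into the keyring the chroot uses, and the check passes without anyone weakening it for everybody else.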