On 04/03/12 06:54, Pierre Schmitz wrote:
Hi,
I have pushed an archlinux-keyring package into [testing] so we have something real to talk about. I revised some of my initial ideas. The package is compatible with pacman-key --populate; it seems gpg will also just accept a keyring that is just a bunch of keys put into one file.
The remaining issue is the install script of the actual package. Atm I run "pacman-key --init" on install and "--populate" on upgrade. Is there a scenario where running init might not be a good idea? It won't increase security to let users do this manually; even worse: people might just not do it then. So I am going with a "works out-of-the-box" experience here.
There have been so many issues with people not generating enough entropy to generate the initial key with "pacman-key --init" that I am not so sure that this is a good idea. Note that the revoke file is optional, so you do not need to provide an empty one.
There are at least two problems with using pacman-key: It is extremely verbose and it requires the keyring to be signed which will lead to a bootstrapping problem. I started a thread about this on pacman-dev; so if you have ideas why this signature check might not be useless let me know there.
I will discuss pacman-key in the other thread. But we still have a bootstrap issue here... What key is the package signed by? Users will need to verify that key. I think this is the only case where a package should be signed by one (or more) of the master keys. I am finding it difficult to see how turning on signing in a current system can be done both automatically and securely (with a new install, setting up the keyring can be automatically done during install under the assumption that the user verified the install media...). Telling users to install a package that sets up their keyring without verifying the signature of the package first seems like a failure at step one. We could just create a news entry/wiki page with instructions on setting up the keyring. Something like:

pacman-key --init
wget $(pacman -Sp archlinux-keyring){,.sig}
pacman-key --recv-keys <keys>   (key IDs need to be widely published)
pacman-key --verify archlinux-keyring-2012*-1-any.pkg.tar.xz.sig
pacman -U archlinux-keyring-2012*-1-any.pkg.tar.xz

Allan
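The manual bootstrap Allan sketches above, written out as a fail-closed script (an added example, not code from either poster or from the pacman project). It assumes the master-key fingerprints are obtained out of band (news post, wiki) and passed in as full 40-digit fingerprints; the fingerprint values in the test are constructed placeholders. The key step is that each master key is received by fingerprint and locally signed before `pacman-key --verify` runs, because gpg (and so `pacman-key --verify`) reports a good signature even from an untrusted key, so the fingerprint check, not `--verify`, is what establishes trust.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed version of the manual
# keyring bootstrap. Every step aborts the script on failure, so pacman -U
# is never reached unless the signature verified against a key whose
# fingerprint the user supplied.
set -eu

# A full 40-hex-digit OpenPGP v4 fingerprint. Short 8/16-digit key IDs are
# rejected: they can collide and do not identify a key unambiguously.
valid_fingerprint() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# File name a package download URL points at (what pacman -U will be given).
pkg_basename() {
    printf '%s\n' "${1##*/}"
}

bootstrap_keyring() {
    # $@ = master-key fingerprints published out of band (assumed input)
    for fp in "$@"; do
        valid_fingerprint "$fp" || {
            echo "refusing short or invalid key id: $fp" >&2
            return 1
        }
    done
    pacman-key --init
    url=$(pacman -Sp archlinux-keyring)
    pkg=$(pkg_basename "$url")
    wget "$url" "$url.sig"
    # Receive each master key by full fingerprint and locally sign it;
    # this, not --verify, is where trust in the signing key comes from.
    for fp in "$@"; do
        pacman-key --recv-keys "$fp"
        pacman-key --lsign-key "$fp"
    done
    pacman-key --verify "$pkg.sig"
    pacman -U "$pkg"
}
```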