On 17.08.2013 17:27, Zbigniew Jędrzejewski-Szmek wrote:
Hi,
I was trying to get the arch installation example in systemd-spawn to work on Fedora. My intent is to package pacman and pacstrap for Fedora, to make it easy to play with distributions. Fedora already has alien and dpkg/apt-get, so adding pacman seems kind of nice.
The packaging process is going well, but the installation is not as easy, because of gpg key issues. It's possible that I made some error, I tried both to add SigLevel=TrustAll in (host's) /etc/pacman.conf, and to import gpg keys with 'pacman-key --populate archlinux'. The second solution didn't seem to work, and both have downsides:
- disabling checking is bad because of security issues, and it also seems to mess up the trust database inside the container,
- importing the trust database in the host (assuming that I'd get it to work), would require either also packaging the keys for Fedora, or telling the user to trust keys blindly and download them from the internet...
pacstrap assumes that you have a working key database on the host (which is the case for our live CD and bootstrap tarball). To work around that, you need to

1) set up a keyring in /instroot/etc/pacman.d/gnupg
2) call pacstrap with the -G option

This will set up a keyring in /instroot without the need for one in the host.

For 1), simply run

  pacman-key --gpgdir /instroot/etc/pacman.d/gnupg --init
  pacman-key --gpgdir /instroot/etc/pacman.d/gnupg --populate archlinux

For that, you must have the keyring available in /usr/share/pacman/keyrings/. Get the keyring from https://projects.archlinux.org/archlinux-keyring.git/ - you need the archlinux.gpg, archlinux-revoked and archlinux-trusted files.

The only thing that is critical for security is the archlinux-trusted file - the fingerprints in there must match the ones from https://www.archlinux.org/master-keys/. The rest of the files are just there for convenience.
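
Added example, not part of the original mails: one way to script the fingerprint comparison described in the reply before running --populate. It assumes archlinux-trusted holds gpg ownertrust lines of the form "<40-hex fingerprint>:4:" and that the master-key fingerprints were copied by hand into a file, one per line; the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Assumption: archlinux-trusted contains gpg ownertrust
# lines, "<40-hex fingerprint>:4:", and nothing else of interest.

# Reduce input to a sorted, unique list of upper-case 40-hex fingerprints.
# Spaces are stripped so fingerprints pasted in grouped form still match.
normalise() {
    tr -d ' \t\r' | tr 'a-f' 'A-F' | grep -E '^[0-9A-F]{40}$' | sort -u
}

# check_trusted TRUSTED_FILE EXPECTED_FILE
#   TRUSTED_FILE:  archlinux-trusted from the keyring checkout
#   EXPECTED_FILE: fingerprints copied by hand from the master-keys page
# Returns 0 only when both files name exactly the same set of keys,
# 1 on any difference, 2 when an input yields no fingerprints at all.
check_trusted() {
    tmp=$(mktemp -d) || return 2
    cut -d: -f1 "$1" | normalise > "$tmp/trusted"
    normalise < "$2" > "$tmp/expected"
    rc=0
    if [ ! -s "$tmp/trusted" ] || [ ! -s "$tmp/expected" ]; then
        echo "no fingerprints found in one of the inputs" >&2
        rc=2
    else
        # Keys the keyring would trust that the reference list lacks.
        extra=$(comm -23 "$tmp/trusted" "$tmp/expected")
        # Reference keys that the trust file does not contain.
        missing=$(comm -13 "$tmp/trusted" "$tmp/expected")
        [ -z "$extra" ] || { echo "UNEXPECTED trusted key(s):"; echo "$extra"; rc=1; }
        [ -z "$missing" ] || { echo "missing master key(s):"; echo "$missing"; rc=1; }
    fi
    rm -rf "$tmp"
    return $rc
}
```

Call it as `check_trusted /usr/share/pacman/keyrings/archlinux-trusted master-keys.txt` (the second file name is a placeholder) and only continue with pacman-key --populate when it returns 0.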