[arch-general] Updating the archlinux-keyring package
Hi, Recently I had to fix a corrupted pacman db from a 3 month old livecd and realized that this process is not so innocent. Specifically, there is a chance to get a trojaned package on the system simply because the archlinux-keyring package on the iso is outdated. Of course, other similar scenarios are possible, e.g. a fresh install is made from an old livecd, or a server is updated after several months of uptime: new packages are pulled in but signature checks are made using the old keyring currently on the host. So, instead of relying on the discrete updates of archlinux-keyring, wouldn't is make more sense to have a systemd timer/cron job to frequently refresh pacman keyring? Thanks, -- Leonid Isaev GPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
I do agree with that, i switched on a laptop which was off since september 2013 and i had some issue with some key. I had to update key, before having a sucessfull update. 2014-02-13 20:21 GMT+01:00 Leonid Isaev <lisaev@umail.iu.edu>:
Hi,
Recently I had to fix a corrupted pacman db from a 3 month old livecd and realized that this process is not so innocent. Specifically, there is a chance to get a trojaned package on the system simply because the archlinux-keyring package on the iso is outdated. Of course, other similar scenarios are possible, e.g. a fresh install is made from an old livecd, or a server is updated after several months of uptime: new packages are pulled in but signature checks are made using the old keyring currently on the host. So, instead of relying on the discrete updates of archlinux-keyring, wouldn't is make more sense to have a systemd timer/cron job to frequently refresh pacman keyring?
Thanks, -- Leonid Isaev GPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
On 02/14/2014 03:00 AM, Plonky Duby wrote:
I do agree with that, i switched on a laptop which was off since september 2013 and i had some issue with some key.
I had to update key, before having a sucessfull update.
2014-02-13 20:21 GMT+01:00 Leonid Isaev <lisaev@umail.iu.edu>:
Hi,
Recently I had to fix a corrupted pacman db from a 3 month old livecd and realized that this process is not so innocent. Specifically, there is a chance to get a trojaned package on the system simply because the archlinux-keyring package on the iso is outdated. Of course, other similar scenarios are possible, e.g. a fresh install is made from an old livecd, or a server is updated after several months of uptime: new packages are pulled in but signature checks are made using the old keyring currently on the host. So, instead of relying on the discrete updates of archlinux-keyring, wouldn't is make more sense to have a systemd timer/cron job to frequently refresh pacman keyring?
Thanks, -- Leonid Isaev GPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
pacman-key --refresh-keys ??
Am 14.02.2014 12:43, schrieb Don deJuan:
wouldn't is make more sense to have a systemd timer/cron job to frequently refresh pacman keyring?
pacman-key --refresh-keys ??
If you are paranoid enough that a former Arch developer or TU will be able to inject a broken package into a mirror, then it certainly helps you to run 'pacman-key --refresh-keys' regularly. You can also do so on the live CD. This will not automatically add new keys, but certainly remove trust from revoked keys.
On Fri, 14 Feb 2014 03:43:38 -0800 Don deJuan <donjuansjiz@gmail.com> wrote:
On 02/14/2014 03:00 AM, Plonky Duby wrote:
I do agree with that, i switched on a laptop which was off since september 2013 and i had some issue with some key.
I had to update key, before having a sucessfull update.
2014-02-13 20:21 GMT+01:00 Leonid Isaev <lisaev@umail.iu.edu>:
Hi,
Recently I had to fix a corrupted pacman db from a 3 month old livecd and realized that this process is not so innocent. Specifically, there is a chance to get a trojaned package on the system simply because the archlinux-keyring package on the iso is outdated. Of course, other similar scenarios are possible, e.g. a fresh install is made from an old livecd, or a server is updated after several months of uptime: new packages are pulled in but signature checks are made using the old keyring currently on the host. So, instead of relying on the discrete updates of archlinux-keyring, wouldn't is make more sense to have a systemd timer/cron job to frequently refresh pacman keyring?
Thanks, -- Leonid Isaev GPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
pacman-key --refresh-keys ??
Well, I run this on the home server via a systemd timer, so that I don't forget to do it before an update. It is certainly not necessary on a frequently updated machine, but might be a good idea for a livecd before an installation. Cheers, -- Leonid Isaev GPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
Am 2014-02-14 12:00, schrieb Plonky Duby:
I do agree with that, i switched on a laptop which was off since september 2013 and i had some issue with some key.
I had to update key, before having a sucessfull update.
A cronjob does not help you, when you're laptop is off.
2014-02-14 12:45 GMT+01:00 <simon.brand@postadigitale.de>:
Am 2014-02-14 12:00, schrieb Plonky Duby:
I do agree with that, i switched on a laptop which was off since september
2013 and i had some issue with some key.
I had to update key, before having a sucessfull update.
A cronjob does not help you, when you're laptop is off.
I understand your point, i just wanted to illustrate with another practical exemple.
participants (5)
-
Don deJuan
-
Leonid Isaev
-
Plonky Duby
-
simon.brand@postadigitale.de
-
Thomas Bächler