I like the idea of GPG signed repositories, but they are just about useless if they are signing MD5s. MD5 is very insecure, but good for normal file integrity checking. Can Pacman use SHA-256 or similar? Another thing to watch out for is malicious publication of old repositories with old and vulnerable packages that have the force option set. I've thought briefly on how to circumvent this, but not enough to have a method I would propose.

Thanks,
Teran

On Mon, Dec 8, 2008 at 12:34, Dan McGee <dpmcgee@gmail.com> wrote:
On Mon, Dec 8, 2008 at 4:55 AM, Gerhard Brauer <gerbra@archlinux.de> wrote:
On Sun, 7 Dec 2008 15:18:32 -0600, "Dan McGee" <dpmcgee@gmail.com> wrote:
I did quite a bit more work with GPG today. I wrapped my head around GPGME, which presents a nice C interface to the GPG stuff so we are now a lot closer to a working implementation: http://code.toofishes.net/gitweb.cgi?p=pacman.git;a=shortlog;h=refs/heads/ne...
From the script side of things, I didn't change much. The libalpm code has changed considerably, and there is still a lot of room for improvement. Let me know if you guys have questions.
With heads/newgpg pacman doesn't check or find the .sig files. If starting with --debug I got these debug messages:
debug: md5(/var/cache/pacman/pkg/abook-0.5.6-3-i686.pkg.tar.gz) =79777684f62164934a1264df66b8fdc6
debug: returning error 35 from gpgme_init : signature directory not configured correctly
debug: installing packages
debug: found cached pkg: /var/cache/pacman/pkg/abook-0.5.6-3-i686.pkg.tar.gz
debug: loading target '/var/cache/pacman/pkg/abook-0.5.6-3-i686.pkg.tar.gz'
debug: no package signature file found
Where or what do I have to configure as the "gpgme_init : signature directory"? My public key is in /root/.gnupg/pubring.gpg. I tried it also with /tmp/testing.gpg but got the same error. As far as I could read the code, this may belong to commit: http://code.toofishes.net/gitweb.cgi?p=pacman.git;a=commit;h=1a286336147c7d3... I see a program gpgme-config, but don't see what I could do with it ;-)
Help ;-)
I didn't promise this worked out of the box; I just meant that it was a better start than the other code. You're either going to have to know C and understand what is going on (and fix it), or wait for it to be in a better state of completion.
-Dan

_______________________________________________
pacman-dev mailing list
pacman-dev@archlinux.org
http://archlinux.org/mailman/listinfo/pacman-dev
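As an added illustration of the two concerns Teran raises above (a signature over a weak digest, and replay of an older signed repository), here is a small verifier written for this page; it is not code from pacman or libalpm. It checks a signed manifest whose entries carry SHA-256 digests and rejects any signed manifest older than the last one it accepted. The manifest layout, the `serial` field and the HMAC stand-in for the GPG signature are assumptions; GPGME-based signature verification would replace the HMAC step.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed stand-in for the repository signing key. A real repository would use
# an asymmetric GPG key; HMAC is used here only so the example runs offline.
REPO_KEY = b"constructed-repo-signing-key"


def sign_manifest(manifest: dict, key: bytes = REPO_KEY) -> bytes:
    """Sign the canonical JSON encoding of the whole manifest (stand-in for GPG)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest()


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_package(manifest: dict, signature: bytes, pkg_name: str, pkg_bytes: bytes,
                   last_seen_serial: int, key: bytes = REPO_KEY) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects bad signatures, stale manifests and digest mismatches."""
    # 1. The signature must cover the whole manifest, not a per-package MD5.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature invalid"
    # 2. Freshness: a validly signed but older manifest (the "old repository" replay)
    #    is rejected because its serial is below the last one this client accepted.
    if manifest["serial"] < last_seen_serial:
        return False, "manifest serial %d older than last seen %d" % (
            manifest["serial"], last_seen_serial)
    # 3. The package bytes must match the SHA-256 listed in the signed manifest.
    entry = manifest["packages"].get(pkg_name)
    if entry is None:
        return False, "package not in manifest"
    if not hmac.compare_digest(entry["sha256"], sha256_of(pkg_bytes)):
        return False, "sha256 mismatch"
    return True, "ok"


def build_sample():
    """Constructed sample data: a current manifest and an older one listing a stale build."""
    good = b"constructed abook-0.5.6-3 package bytes"
    current = {"serial": 20081208, "packages": {"abook": {"sha256": sha256_of(good)}}}
    stale = b"constructed abook-0.5.6-2 package bytes"  # the older, superseded build
    old = {"serial": 20081101, "packages": {"abook": {"sha256": sha256_of(stale)}}}
    return current, sign_manifest(current), good, old, sign_manifest(old), stale
```

The serial check is what makes a re-published old repository fail even though its signature is genuine; without it, step 1 alone would accept it.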