On Thu, Dec 4, 2008 at 12:44 PM, Gerhard Brauer <gerbra@archlinux.de> wrote:
> Ok, have tested the package signing feature from Dan's pacman git.
> (Thanks Allan for the hint with --disable-doc)
> I test with the abook package from extra.

Woohoo! Thanks for testing, this is much appreciated.
> 1) makepkg
> ==> Finished making: abook 0.5.6-2 i686 (Thu Dec 4 15:52:44 UTC 2008)
> ==> Signing package...
> ==> ERROR: Cannot find the gpg binary! Is gnupg installed?
>
> 2) makepkg
> ==> Finished making: abook 0.5.6-2 i686 (Thu Dec 4 15:55:34 UTC 2008)
> ==> Signing package...
> gpg: directory `/root/.gnupg' created
> gpg: new configuration file `/root/.gnupg/gpg.conf' created
> gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
> gpg: keyring `/root/.gnupg/secring.gpg' created
> gpg: keyring `/root/.gnupg/pubring.gpg' created
> gpg: no default secret key: secret key not available
> gpg: signing failed: secret key not available
> ==> WARNING: Failed to sign package file.
>
> That's right. I still have no gpg key. After setting up all gpg things
> makepkg builds and signs the package.

So it sounds like we have a relatively sane makepkg patch, with most of the failure conditions working OK? This is good, and it means we are mostly done in this department.
> 3) Add a repo: mypkg
> repo-add adds the abook package and also puts the %PGPSIG% field in the desc file.

Sweet. I think we are good here too.
> 4) pacman -S mypkg/abook
> checking package integrity...
> warning: gpg cmdline: gpg --verify --no-default-keyring --keyserver-options no-auto-key-retrieve --keyring /tmp/testing.gpg - /var/cache/pacman/pkg/abook-0.5.6-2-i686.pkg.tar.gz
> error: failed to commit transaction (invalid or corrupted package)
> abook-0.5.6-2-i686.pkg.tar.gz is invalid or corrupted
> Errors occurred, no packages were upgraded.
>
> Ok, I have not imported the public key to root's keyring.
> 5) [root@archtest ~]# LANG=C pacman -S mypkg/abook
> resolving dependencies...
> looking for inter-conflicts...
>
> Targets (1): abook-0.5.6-2
>
> Total Download Size:    0.00 MB
> Total Installed Size:   0.20 MB
>
> Proceed with installation? [Y/n]
> checking package integrity...
> warning: gpg cmdline: gpg --verify --no-default-keyring --keyserver-options no-auto-key-retrieve --keyring /tmp/testing.gpg - /var/cache/pacman/pkg/abook-0.5.6-2-i686.pkg.tar.gz
> (1/1) checking for file conflicts    [#####################] 100%
> (1/1) installing abook               [#####################] 100%
>
> Problem/Question: Where could I define the public keyring location?
> According to commit "Add keyring location as option on libalpm handle"
> there is a libalpm option --keyring. But I have no plan where to define it
> (in pacman.conf I got an error). I copied my keyring temporarily to
> /tmp/testing.gpg, which seems to be the default search path and filename.
> Doing this I could install the above abook from my repo.

You're delving into uncoded territory here, and not completely thought-out territory. This still needs some work.
> 6) [root@archtest ~]# LANG=C pacman -Sy mypkg/abook
> :: Synchronizing package databases...
>  core is up to date
>  extra is up to date
>  community is up to date
>  mypkg is up to date
> warning: abook-0.5.6-2 is up to date -- reinstalling
> resolving dependencies...
> looking for inter-conflicts...
>
> Targets (1): abook-0.5.6-2
>
> Total Download Size:    0.05 MB
> Total Installed Size:   0.20 MB
>
> Proceed with installation? [Y/n]
> :: Retrieving packages from mypkg...
> abook-0.5.6-2-i686    49.6K  20.9M/s 00:00:00 [#####################] 100%
> checking package integrity...
> warning: gpg cmdline: gpg --verify --no-default-keyring --keyserver-options no-auto-key-retrieve --keyring /tmp/testing.gpg - /var/cache/pacman/pkg/abook-0.5.6-2-i686.pkg.tar.gz
> error: failed to commit transaction (invalid or corrupted package)
> abook-0.5.6-2-i686.pkg.tar.gz is invalid or corrupted
> Errors occurred, no packages were upgraded.
>
> Here I have modified the abook-0.5.6-2-i686.pkg.tar.gz package, copied it to
> my repo and did a repo-add, but used the old *.sig signature. This modified
> package does not get installed. Maybe the error/reason could be explained more.

Yeah, once again this is definitely work in progress. There is still a good bit to be done, as the current pacman/libalpm/gpg integration is hairy.
> Summary: I think most of the signing part (makepkg, repo-add) and the
> verifying part (pacman) works so far.

Awesome!

> gpg verification is well integrated into pacman; the "warning: gpg cmdline"
> line I assume is a test/debug thing.
> Next step could be: verifying the database files during pacman -Sy?

There is nothing to verify about the database yet. Eventually we can sign these as well if necessary, but right now the only sigs are on the packages themselves. This is an area that will need work, as it is possible to make completely valid databases with valid packages, but an attacker could purposely hold back package releases to keep vulnerabilities open.
Thanks for your help and feedback.

-Dan
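The sign / repo-add / verify / tamper cycle Gerhard walked through above, as an added example that is not pacman's or makepkg's code: a shell script that creates a throwaway GnuPG home and key, signs a stand-in package file, records the detached signature in a desc entry under %PGPSIG%, verifies it with the same gpg invocation the "warning: gpg cmdline" line shows (signature on stdin, public key in a dedicated keyring standing in for /tmp/testing.gpg), and then shows that a package modified after signing is rejected when the repo still carries the old signature (step 6). Assumptions: gpg 2.x, base64 and awk in PATH; the base64 encoding of the signature in %PGPSIG% is my guess, the thread does not show how repo-add stores it; the key identity, file names and "backdoor" payload are constructed for the demo.

```shell
#!/bin/sh
# Added example, not pacman's or makepkg's code: reproduce the sign / repo-add /
# verify / tamper cycle from the thread with a throwaway GnuPG key and a stand-in
# package file. Assumes gpg 2.x, base64 and awk in PATH (GNU/Linux userland).
# Storing the detached signature base64-encoded under %PGPSIG% is an assumption;
# the thread does not show how repo-add encodes it.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not found in PATH" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"        # never touches the real /root/.gnupg
mkdir -m 700 "$GNUPGHOME"

# 1) Packager side: the signing key Gerhard was missing in his step 2.
#    Identity is made up; %no-protection gives an unprotected key for batch use.
gpg --batch --no-tty --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Test Packager
Name-Email: packager@example.invalid
Expire-Date: 0
%commit
EOF

# 2) makepkg side: "build" a package and emit the detached .sig next to it.
PKG="$WORK/abook-0.5.6-2-i686.pkg.tar.gz"   # stand-in payload, not a real tarball
printf 'genuine package contents\n' > "$PKG"
gpg --batch --no-tty --quiet --yes --detach-sign --output "$PKG.sig" "$PKG"

# 3) repo-add side: a minimal desc entry carrying the signature as %PGPSIG%
#    (base64 of the detached signature, assumed encoding).
DESC="$WORK/desc"
{
  printf '%%FILENAME%%\n%s\n\n' "$(basename "$PKG")"
  printf '%%PGPSIG%%\n%s\n\n' "$(base64 < "$PKG.sig" | tr -d '\n')"
} > "$DESC"

# The verifying host gets only the public key, in a dedicated keyring; this is
# what /tmp/testing.gpg was in the test above.
KEYRING="$WORK/testing.gpg"
gpg --batch --no-tty --quiet --export > "$KEYRING"

# 4) pacman side: pull the signature back out of desc and run the same gpg
#    command line as the "warning: gpg cmdline" line, signature on stdin ("-").
pgpsig_from_desc() {                  # $1 = desc file; prints the %PGPSIG% value
  awk '/^%PGPSIG%$/ { getline; print; exit }' "$1"
}

verify_pkg() {                        # $1 = keyring, $2 = desc, $3 = package file
  pgpsig_from_desc "$2" | base64 -d |
    gpg --batch --no-tty --quiet --verify --no-default-keyring \
        --keyserver-options no-auto-key-retrieve \
        --keyring "$1" - "$3" 2>/dev/null
}

# 5) Gerhard's step 6: package altered after signing while the repo still
#    carries the old signature. The altered file must be rejected.
TAMPERED="$WORK/abook-0.5.6-2-i686.pkg.tar.gz.modified"
printf 'genuine package contents plus a backdoor\n' > "$TAMPERED"   # constructed

run_demo() {                          # returns 0 only if both outcomes are right
  if ! verify_pkg "$KEYRING" "$DESC" "$PKG"; then
    echo "FAIL: genuine package rejected" >&2; return 1
  fi
  if verify_pkg "$KEYRING" "$DESC" "$TAMPERED"; then
    echo "FAIL: modified package accepted with the old signature" >&2; return 1
  fi
  echo "OK: genuine package verified, modified package rejected"
}

run_demo
```

Run it as an ordinary user; GNUPGHOME is overridden, so nothing in ~/.gnupg is read or written. The rejection in step 5 is gpg reporting a BAD signature, which pacman at this stage collapses into "invalid or corrupted package"; drop the `2>/dev/null` in verify_pkg to see the underlying gpg message.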