On 31/07/11 11:15, Allan McRae wrote:
I was thinking of how we currently check package validity and had planned to do something like:
1) signature check
2) md5sum check _only_ if no signature to check
with the intention of adding an sha256sum check in the middle in the future (perhaps only if pacman is built using openssl to save us having to provide the routines...).
But as far as I can tell, _alpm_check_pgp_helper does not allow you to distinguish between a successful signature check and the case where no signature is available and signature checking is not required. Is that correct or am I missing something?
It appears that this is an area that needs work anyway...
pacman -Sw libcups
resolving dependencies...

Targets (1): libcups-1.4.7-3

Total Download Size:    0.00 MiB

Proceed with download? [Y/n]
(1/1) checking package integrity                 [######################] 100%
error: failed to commit transaction (invalid or corrupted package (checksum))
libcups-1.4.7-3-i686.pkg.tar.xz is invalid or corrupted
Errors occurred, no packages were upgraded.

This happened with a lot of packages so it definitely was not a checksum error...

[12:11:35] debug: using cachedir: /home/arch/pkgcache/i686/
checking package integrity...
[12:11:35] debug: found cached pkg: /home/arch/pkgcache/i686/libcups-1.4.7-3-i686.pkg.tar.xz
[12:11:35] debug: replacing pkgcache entry with package file for target libcups
[12:11:35] debug: md5sum: 772cf71cb8abb5afce923ae870130a51
[12:11:35] debug: checking md5sum for /home/arch/pkgcache/i686/libcups-1.4.7-3-i686.pkg.tar.xz
[12:11:35] debug: base64_sig: (null)
[12:11:35] debug: checking signatures for /home/arch/pkgcache/i686/libcups-1.4.7-3-i686.pkg.tar.xz
[12:11:35] debug: checking signature for /home/arch/pkgcache/i686/libcups-1.4.7-3-i686.pkg.tar.xz
[12:11:35] debug: 1 signatures returned
[12:11:35] debug: fingerprint: 976AC6FA3B94FA10
[12:11:35] debug: summary: key missing
[12:11:35] debug: status: No public key
[12:11:35] debug: timestamp: 1311845034
[12:11:35] debug: exp_timestamp: 0
[12:11:35] debug: validity: unknown; reason: Success
[12:11:35] debug: key lookup failed, unknown key
[12:11:35] debug: signature is not valid
[12:11:35] debug: returning error 33 from _alpm_sync_commit : invalid or corrupted package (checksum)
error: failed to commit transaction (invalid or corrupted package (checksum))

My cache is essentially a mirror of the repo so has a bunch of signature files in it. So when I "download" a package from the repos and pacman finds its signature in the cache, that gets checked.

So, that was quite unexpected for me (but I suppose it is a good thing?). We just need to fix that error message.

Allan
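An added illustration (not pacman's or Allan's code) of the check order described in the mail, signature first and md5sum only when there is no signature to check, written so that "unknown key" is reported as its own outcome rather than as a checksum error; the enums, function names and the main() case are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed model of what a signature helper could report back, so the caller
 * can tell "verified" apart from "nothing to verify" and "key not in keyring". */
enum sig_state { SIG_NONE, SIG_VALID, SIG_UNKNOWN_KEY, SIG_BAD };
enum sig_level { SIG_OPTIONAL, SIG_REQUIRED };

enum check_result {
    CHECK_OK_SIGNED,       /* signature verified, checksum check skipped */
    CHECK_OK_CHECKSUM,     /* no signature to check, md5sum matched */
    CHECK_ERR_MISSING_SIG, /* policy requires a signature, none found */
    CHECK_ERR_UNKNOWN_KEY, /* signature present but key not in keyring */
    CHECK_ERR_BAD_SIG,     /* signature present and does not verify */
    CHECK_ERR_CHECKSUM     /* no signature, md5sum mismatch */
};

/* Signature first; fall back to md5sum only when there is no signature. */
enum check_result check_package(enum sig_state sig, enum sig_level level, int md5_ok)
{
    switch (sig) {
    case SIG_VALID:       return CHECK_OK_SIGNED;
    case SIG_UNKNOWN_KEY: return CHECK_ERR_UNKNOWN_KEY;
    case SIG_BAD:         return CHECK_ERR_BAD_SIG;
    case SIG_NONE:
        if (level == SIG_REQUIRED) return CHECK_ERR_MISSING_SIG;
        return md5_ok ? CHECK_OK_CHECKSUM : CHECK_ERR_CHECKSUM;
    }
    return CHECK_ERR_BAD_SIG; /* not reachable with a valid sig_state */
}

/* Distinct messages, so a key problem is never shown as a checksum problem. */
const char *check_strerror(enum check_result r)
{
    switch (r) {
    case CHECK_OK_SIGNED:       return "valid signature";
    case CHECK_OK_CHECKSUM:     return "no signature; md5sum matched";
    case CHECK_ERR_MISSING_SIG: return "signature required but missing";
    case CHECK_ERR_UNKNOWN_KEY: return "signature from unknown public key";
    case CHECK_ERR_BAD_SIG:     return "invalid signature";
    case CHECK_ERR_CHECKSUM:    return "invalid or corrupted package (checksum)";
    }
    return "unknown result";
}

int main(void)
{
    /* Constructed case mirroring the log: cached .sig, key missing, md5sum fine */
    enum check_result r = check_package(SIG_UNKNOWN_KEY, SIG_OPTIONAL, 1);
    printf("libcups-1.4.7-3: %s\n", check_strerror(r));
    return 0;
}
```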