On Thu, 4 Dec 2008 21:12:07 -0600, "Dan McGee" <dpmcgee@gmail.com> wrote:
> On Thu, Dec 4, 2008 at 12:44 PM, Gerhard Brauer <gerbra@archlinux.de> wrote:
>> Summary: I think most of the signing part (makepkg, repo-add) and the verifying part (pacman) works so far. Awesome! gpg verifying is well integrated in pacman; the "warning: gpg cmdline" line I assume is a test/debug thing.
>> Next step could be: verifying the database files during pacman -Sy?
> There is nothing to verify about the database yet. Eventually we can sign these as well if necessary, but right now the only sigs are on the packages themselves.

I think signing the database files on gerolde is as important as signing the packages, because pacman will not have a default setting like "check **all** packages for signatures (local or foreign repos)". So the %PGPSIG% field in the database is the only indicator for pacman of whether a package is signed or not. So we must secure the database files against manipulations like removing or modifying this field.
> This is an area that will need work, as it is possible to make completely valid databases with valid packages, but an attacker could purposely hold back package releases to keep vulnerabilities open.

That's also a good point. Some propositions on this were to get the database files only from ftp.archlinux.org. But these are also only mirrors, and this thought is also not doable because of the different sync levels of our mirrors. One short idea: Pierre and myself still do mirror checking on their sync states. Those checks could maybe be enhanced to check whether the databases are at a quite current level, or their integrity... Hmmmm
> Thanks for your help and feedback.

No thanks needed. For myself, I WANT this feature. Some thoughts about more general things which may need a little time to discuss (I don't want answers; these are only things I ask myself):

a) From official repos (core, extra, ...) pacman should not be allowed to install unsigned packages. But pacman should still honor own local or foreign repos which may be unsigned.

b) To solve this (and the point: where is the keyring?) maybe we could check a new entry in pacman.conf for the repos:

[core]
Keyring = /etc/pacman.d/archlinux.gpg
Include = /etc/pacman.d/mirrorlist

So pacman could decide: do I have to check this repo for signed packages, and where can the needed public keyring be found? So also local or foreign repos could use the signing feature.

c) Should we add an option to makepkg to let the developer/packager choose which secret key from his keyring should be used for signing? Maybe he won't use his default key and has an extra archlinux key generated.

d) Currently we work on the libalpm integration. But what when users must or will use wget/curl via XferCommand? Sure, we could provide skeleton example scripts on how to integrate gpg in this. But we put this work more in users' hands. Or maybe our stance is: pacman and its secure framework is *only* given if you use the libalpm way?

e) What about our other devel tools (for ex. makechrootpkg)? Is signing also integrated in these tools?

This weekend I will put the "signing pacman" on my machine to test it with my complete own repo, not only on a single package.
> -Dan

Regards,
Gerhard
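As an added illustration of points a) and b) above and of the %PGPSIG% concern earlier in the thread (example code written for this page, not code from pacman or from either author): a per-repository signature policy applied to entries in pacman's %KEY%/value "desc" layout. The REPO_POLICY table is a hypothetical stand-in for the proposed "Keyring =" entry, the sample entry is constructed, and the signature value is a placeholder; actually verifying a present signature against the keyring is left to gpg.

```python
import re

# Constructed sample: one package entry ("desc" file) of a pacman sync database
# in pacman's %KEY% / value layout; the %PGPSIG% value is a placeholder.
SIGNED_DESC = """%FILENAME%
foo-1.0-1-x86_64.pkg.tar.gz

%NAME%
foo

%PGPSIG%
PLACEHOLDER_BASE64_DETACHED_SIGNATURE
"""

# Hypothetical per-repo policy modelled on the "Keyring =" idea from the thread:
# official repos name a keyring and require signatures, a local repo does not.
REPO_POLICY = {
    "core": {"keyring": "/etc/pacman.d/archlinux.gpg", "require_sig": True},
    "mylocal": {"keyring": None, "require_sig": False},
}

def parse_desc(text):
    """Parse a desc file: a %KEY% line, its value lines, then a blank line."""
    fields, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            key = None
        elif len(line) > 2 and line.startswith("%") and line.endswith("%"):
            key = line[1:-1]
            fields[key] = []
        elif key is not None:
            fields[key].append(line)
    return fields

def strip_signature(text):
    """Drop the %PGPSIG% block, as a tamperer with an unsigned database could."""
    return re.sub(r"%PGPSIG%\n(?:[^\n]+\n)*\n?", "", text)

def check_entry(repo, desc_text):
    """Decide what the client should do with one entry under the repo's policy."""
    policy = REPO_POLICY[repo]
    sig = parse_desc(desc_text).get("PGPSIG")
    if not sig:
        # A missing field must be a hard failure where signing is required,
        # otherwise stripping %PGPSIG% silently downgrades the package.
        return "reject" if policy["require_sig"] else "allow-unsigned"
    if policy["keyring"] is None:
        return "no-keyring"  # signed, but nothing configured to check it against
    return "verify:" + policy["keyring"]  # still to be verified with gpg
```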