[pacman-dev] [PATCH 1/3] Revamp signing checks
This ensures we are actually making correct use of the information gpgme is returning to us. Marginal being allowed was obvious before, but Unknown should deal with trust level, and not the presence or lack thereof of a public key to validate the signature with. Return status and validity information in two separate values so check methods and the frontend can use them independently. For now, we treat expired keys as valid, while expired signatures are invalid. Signed-off-by: Dan McGee <dan@archlinux.org> --- lib/libalpm/alpm.h | 22 +++++++-- lib/libalpm/signing.c | 122 +++++++++++++++++++++++++++++++----------------- src/pacman/util.c | 42 ++++++++++++---- 3 files changed, 127 insertions(+), 59 deletions(-) diff --git a/lib/libalpm/alpm.h b/lib/libalpm/alpm.h index d9f3504..a91b00f 100644 --- a/lib/libalpm/alpm.h +++ b/lib/libalpm/alpm.h @@ -104,15 +104,26 @@ typedef enum _alpm_siglevel_t { } alpm_siglevel_t; /** - * PGP signature verification return codes + * PGP signature verification status return codes */ typedef enum _alpm_sigstatus_t { - ALPM_SIGSTATUS_VALID = 0, - ALPM_SIGSTATUS_MARGINAL, - ALPM_SIGSTATUS_UNKNOWN, - ALPM_SIGSTATUS_BAD + ALPM_SIGSTATUS_VALID, + ALPM_SIGSTATUS_KEY_EXPIRED, + ALPM_SIGSTATUS_SIG_EXPIRED, + ALPM_SIGSTATUS_KEY_UNKNOWN, + ALPM_SIGSTATUS_INVALID } alpm_sigstatus_t; +/** + * PGP signature verification status return codes + */ +typedef enum _alpm_sigvalidity_t { + ALPM_SIGVALIDITY_FULL, + ALPM_SIGVALIDITY_MARGINAL, + ALPM_SIGVALIDITY_NEVER, + ALPM_SIGVALIDITY_UNKNOWN +} alpm_sigvalidity_t; + /* * Structures */ @@ -202,6 +213,7 @@ typedef struct _alpm_backup_t { typedef struct _alpm_sigresult_t { int count; alpm_sigstatus_t *status; + alpm_sigvalidity_t *validity; char **uid; } alpm_sigresult_t; diff --git a/lib/libalpm/signing.c b/lib/libalpm/signing.c index 275851c..78e6264 100644 --- a/lib/libalpm/signing.c +++ b/lib/libalpm/signing.c @@ -305,8 +305,9 @@ int _alpm_gpgme_checksig(alpm_handle_t *handle, const char *path, _alpm_log(handle, ALPM_LOG_DEBUG, "%d signatures returned\n", sigcount); result->status = calloc(sigcount, sizeof(alpm_sigstatus_t)); + result->validity = calloc(sigcount, sizeof(alpm_sigvalidity_t)); result->uid = calloc(sigcount, sizeof(char*)); - if(!result->status || !result->uid) { + if(!result->status || !result->validity || !result->uid) { handle->pm_errno = ALPM_ERR_MEMORY; goto error; } @@ -316,6 +317,7 @@ int _alpm_gpgme_checksig(alpm_handle_t *handle, const char *path, gpgsig = gpgsig->next, sigcount++) { alpm_list_t *summary_list, *summary; alpm_sigstatus_t status; + alpm_sigvalidity_t validity; gpgme_key_t key; _alpm_log(handle, ALPM_LOG_DEBUG, "fingerprint: %s\n", gpgsig->fpr); @@ -335,6 +337,8 @@ int _alpm_gpgme_checksig(alpm_handle_t *handle, const char *path, if(gpg_err_code(err) == GPG_ERR_EOF) { _alpm_log(handle, ALPM_LOG_DEBUG, "key lookup failed, unknown key\n"); err = GPG_ERR_NO_ERROR; + STRDUP(result->uid[sigcount], gpgsig->fpr, + handle->pm_errno = ALPM_ERR_MEMORY; goto error); } else { CHECK_ERR(); if(key->uids) { @@ -346,34 +350,52 @@ int _alpm_gpgme_checksig(alpm_handle_t *handle, const char *path, gpgme_key_unref(key); } - if(gpgsig->summary & GPGME_SIGSUM_VALID) { - /* definite good signature */ - _alpm_log(handle, ALPM_LOG_DEBUG, "result: valid signature\n"); - status = ALPM_SIGSTATUS_VALID; - } else if(gpgsig->summary & GPGME_SIGSUM_GREEN) { - /* good signature */ - _alpm_log(handle, ALPM_LOG_DEBUG, "result: green signature\n"); - status = ALPM_SIGSTATUS_VALID; - } else if(gpgsig->summary & GPGME_SIGSUM_RED) { - /* definite bad signature, error */ - _alpm_log(handle, ALPM_LOG_DEBUG, "result: red signature\n"); - status = ALPM_SIGSTATUS_BAD; - } else if(gpgsig->summary & GPGME_SIGSUM_KEY_MISSING) { - _alpm_log(handle, ALPM_LOG_DEBUG, "result: signature from unknown key\n"); - status = ALPM_SIGSTATUS_UNKNOWN; - } else if(gpgsig->summary & GPGME_SIGSUM_KEY_EXPIRED) { - _alpm_log(handle, ALPM_LOG_DEBUG, "result: key expired\n"); - status = ALPM_SIGSTATUS_BAD; - } else if(gpgsig->summary & GPGME_SIGSUM_SIG_EXPIRED) { - _alpm_log(handle, ALPM_LOG_DEBUG, "result: signature expired\n"); - status = ALPM_SIGSTATUS_BAD; + switch(gpg_err_code(gpgsig->status)) { + /* good cases */ + case GPG_ERR_NO_ERROR: + status = ALPM_SIGSTATUS_VALID; + break; + case GPG_ERR_KEY_EXPIRED: + status = ALPM_SIGSTATUS_KEY_EXPIRED; + break; + /* bad cases */ + case GPG_ERR_SIG_EXPIRED: + status = ALPM_SIGSTATUS_SIG_EXPIRED; + break; + case GPG_ERR_NO_PUBKEY: + status = ALPM_SIGSTATUS_KEY_UNKNOWN; + break; + case GPG_ERR_BAD_SIGNATURE: + default: + status = ALPM_SIGSTATUS_INVALID; + break; + } + + if(status == ALPM_SIGSTATUS_VALID + || status == ALPM_SIGSTATUS_KEY_EXPIRED) { + switch(gpgsig->validity) { + case GPGME_VALIDITY_ULTIMATE: + case GPGME_VALIDITY_FULL: + validity = ALPM_SIGVALIDITY_FULL; + break; + case GPGME_VALIDITY_MARGINAL: + validity = ALPM_SIGVALIDITY_MARGINAL; + break; + case GPGME_VALIDITY_NEVER: + validity = ALPM_SIGVALIDITY_NEVER; + break; + case GPGME_VALIDITY_UNKNOWN: + case GPGME_VALIDITY_UNDEFINED: + default: + validity = ALPM_SIGVALIDITY_UNKNOWN; + break; + } } else { - /* we'll capture everything else here */ - _alpm_log(handle, ALPM_LOG_DEBUG, "result: invalid signature\n"); - status = ALPM_SIGSTATUS_BAD; + validity = ALPM_SIGVALIDITY_NEVER; } result->status[sigcount] = status; + result->validity[sigcount] = validity; } ret = 0; @@ -429,31 +451,45 @@ int _alpm_check_pgp_helper(alpm_handle_t *handle, const char *path, /* ret will already be -1 */ } else { int num; - for(num = 0; num < result.count; num++) { - /* fallthrough in this case block is on purpose. if one allows unknown - * signatures, then a marginal signature should be allowed as well, and - * if neither of these are allowed we fall all the way through to bad. */ + for(num = 0; !ret && num < result.count; num++) { switch(result.status[num]) { case ALPM_SIGSTATUS_VALID: + case ALPM_SIGSTATUS_KEY_EXPIRED: _alpm_log(handle, ALPM_LOG_DEBUG, "signature is valid\n"); - break; - case ALPM_SIGSTATUS_MARGINAL: - if(marginal) { - _alpm_log(handle, ALPM_LOG_DEBUG, "allowing marginal signature\n"); - break; - } - case ALPM_SIGSTATUS_UNKNOWN: - if(unknown) { - _alpm_log(handle, ALPM_LOG_DEBUG, "allowing unknown signature\n"); - break; + switch(result.validity[num]) { + case ALPM_SIGVALIDITY_FULL: + _alpm_log(handle, ALPM_LOG_DEBUG, "signature is fully trusted\n"); + break; + case ALPM_SIGVALIDITY_MARGINAL: + _alpm_log(handle, ALPM_LOG_DEBUG, "signature is marginal trust\n"); + if(!marginal) { + ret = -1; + } + break; + case ALPM_SIGVALIDITY_UNKNOWN: + _alpm_log(handle, ALPM_LOG_DEBUG, "signature is unknown trust\n"); + if(!unknown) { + ret = -1; + } + break; + case ALPM_SIGVALIDITY_NEVER: + _alpm_log(handle, ALPM_LOG_DEBUG, "signature should never be trusted\n"); + ret = -1; + break; } - case ALPM_SIGSTATUS_BAD: - default: - _alpm_log(handle, ALPM_LOG_DEBUG, "signature is invalid\n"); - handle->pm_errno = invalid_err; + break; + case ALPM_SIGSTATUS_SIG_EXPIRED: + case ALPM_SIGSTATUS_KEY_UNKNOWN: + case ALPM_SIGSTATUS_INVALID: + _alpm_log(handle, ALPM_LOG_DEBUG, "signature is not valid\n"); ret = -1; + break; } } + + if(ret) { + handle->pm_errno = invalid_err; + } } alpm_sigresult_cleanup(&result); diff --git a/src/pacman/util.c b/src/pacman/util.c index 7065abd..8765da7 100644 --- a/src/pacman/util.c +++ b/src/pacman/util.c @@ -678,7 +678,7 @@ void signature_display(const char *title, alpm_sigresult_t *result) int i; for(i = 0; i < result->count; i++) { char sigline[PATH_MAX]; - const char *validity, *name; + const char *status, *validity, *name; /* Don't re-indent the first result */ if(i != 0) { int j; @@ -688,22 +688,42 @@ void signature_display(const char *title, alpm_sigresult_t *result) } switch(result->status[i]) { case ALPM_SIGSTATUS_VALID: - validity = _("Valid signature"); + status = _("Valid"); break; - case ALPM_SIGSTATUS_MARGINAL: - validity = _("Marginal signature"); + case ALPM_SIGSTATUS_KEY_EXPIRED: + status = _("Key expired"); break; - case ALPM_SIGSTATUS_UNKNOWN: - validity = _("Unknown signature"); + case ALPM_SIGSTATUS_SIG_EXPIRED: + status = _("Expired"); break; - case ALPM_SIGSTATUS_BAD: - validity = _("Invalid signature"); + case ALPM_SIGSTATUS_INVALID: + status = _("Invalid"); break; + case ALPM_SIGSTATUS_KEY_UNKNOWN: + status = _("Key unknown"); + break; + default: + status = _("Signature error"); + break; + } + switch(result->validity[i]) { + case ALPM_SIGVALIDITY_FULL: + validity = _("fully trusted"); + break; + case ALPM_SIGVALIDITY_MARGINAL: + validity = _("marginal trusted"); + break; + case ALPM_SIGVALIDITY_NEVER: + validity = _("never trusted"); + break; + case ALPM_SIGVALIDITY_UNKNOWN: default: - validity = _("Signature error"); + validity = _("unknown trust"); + break; } - name = result->uid[i] ? result->uid[i] : _("<Key Unknown>"); - snprintf(sigline, PATH_MAX, _("%s from \"%s\""), validity, name); + name = result->uid[i] ? result->uid[i] : _("{Key Unknown}"); + snprintf(sigline, PATH_MAX, _("%s, %s from \"%s\""), + status, validity, name); indentprint(sigline, len); printf("\n"); } -- 1.7.6
Add code to conf.c that parses the new SigLevel directive. An overwhelming number of options are presented, but most users will still be fine with the Never/Optional/Required trio. More advanced users can combine these or any of the other options on a 'SigLevel = ' line, which is parsed in a left-to-right fashion and flags turned on and off accordingly. For example, all three of these will net the same config: SigLevel = Required PackageOptional SigLevel = Optional DatabaseRequired SigLevel = DatabaseRequired PackageOptional Additionally, database-specific lines assume you wish to start with any global default that has been set. For example, if any of the above lines were in the [options] section, something such as: SigLevel = PackageRequired PackageAllowMarginal Would continue to enforce required database signatures. Inspiration-by: Kerrick Staley <mail@kerrickstaley.com> Signed-off-by: Dan McGee <dan@archlinux.org> --- src/pacman/conf.c | 126 +++++++++++++++++++++++++++++++++++++++------------ test/pacman/util.py | 2 +- 2 files changed, 98 insertions(+), 30 deletions(-) diff --git a/src/pacman/conf.c b/src/pacman/conf.c index fac6da3..a4de431 100644 --- a/src/pacman/conf.c +++ b/src/pacman/conf.c @@ -222,21 +222,93 @@ int config_set_arch(const char *arch) return 0; } -static alpm_siglevel_t option_verifysig(const char *value) +/** + * Parse a signature verification level line. + * @param values the list of parsed option values + * @return 0 on success, 1 on any parsing error + */ +static int process_siglevel(alpm_list_t *values, alpm_siglevel_t startval, + alpm_siglevel_t *storage) { - alpm_siglevel_t level; - if(strcmp(value, "Always") == 0) { - level = ALPM_SIG_PACKAGE | ALPM_SIG_DATABASE; - } else if(strcmp(value, "Optional") == 0) { - level = ALPM_SIG_PACKAGE | ALPM_SIG_PACKAGE_OPTIONAL | - ALPM_SIG_DATABASE | ALPM_SIG_DATABASE_OPTIONAL; - } else if(strcmp(value, "Never") == 0) { - level = 0; - } else { - return -1; + alpm_siglevel_t level = startval; + alpm_list_t *i; + int ret = 0; + + /* Collapse the option names into a single bitmasked value */ + for(i = values; i; i = alpm_list_next(i)) { + const char *original = i->data, *value; + int package = 0, database = 0; + + if (strncmp(original, "Package", strlen("Package")) == 0) { + /* only packages are affected, don't flip flags for databases */ + value = original + strlen("Package"); + package = 1; + } else if (strncmp(original, "Database", strlen("Database")) == 0) { + /* only databases are affected, don't flip flags for packages */ + value = original + strlen("Database"); + database = 1; + } else { + /* no prefix, so anything found will affect both packages and dbs */ + value = original; + package = database = 1; + } + + /* now parse out and store actual flag if it is valid */ + if(strcmp(value, "Never") == 0) { + if(package) { + level &= ~ALPM_SIG_PACKAGE; + } + if(database) { + level &= ~ALPM_SIG_DATABASE; + } + } else if(strcmp(value, "Optional") == 0) { + if(package) { + level |= ALPM_SIG_PACKAGE; + level |= ALPM_SIG_PACKAGE_OPTIONAL; + } + if(database) { + level |= ALPM_SIG_DATABASE; + level |= ALPM_SIG_DATABASE_OPTIONAL; + } + } else if(strcmp(value, "Required") == 0) { + if(package) { + level |= ALPM_SIG_PACKAGE; + level &= ~ALPM_SIG_PACKAGE_OPTIONAL; + } + if(database) { + level |= ALPM_SIG_DATABASE; + level &= ~ALPM_SIG_DATABASE_OPTIONAL; + } + } else if(strcmp(value, "TrustedOnly") == 0) { + if(package) { + level &= ~ALPM_SIG_PACKAGE_MARGINAL_OK; + level &= ~ALPM_SIG_PACKAGE_UNKNOWN_OK; + } + if(database) { + level &= ~ALPM_SIG_DATABASE_MARGINAL_OK; + level &= ~ALPM_SIG_DATABASE_UNKNOWN_OK; + } + } else if(strcmp(value, "TrustAll") == 0) { + if(package) { + level |= ALPM_SIG_PACKAGE_MARGINAL_OK; + level |= ALPM_SIG_PACKAGE_UNKNOWN_OK; + } + if(database) { + level |= ALPM_SIG_DATABASE_MARGINAL_OK; + level |= ALPM_SIG_DATABASE_UNKNOWN_OK; + } + } else { + pm_printf(ALPM_LOG_ERROR, _("invalid value for 'SigLevel' : '%s'\n"), + original); + ret = 1; + } + level &= ~ALPM_SIG_USE_DEFAULT; } - pm_printf(ALPM_LOG_DEBUG, "config: VerifySig = %s (%d)\n", value, level); - return level; + + if(!ret) { + *storage = level; + } + return ret; } static int process_cleanmethods(alpm_list_t *values) { @@ -359,16 +431,14 @@ static int _parse_options(const char *key, char *value, return 1; } FREELIST(methods); - } else if(strcmp(key, "VerifySig") == 0) { - alpm_siglevel_t level = option_verifysig(value); - if(level != -1) { - config->siglevel = level; - } else { - pm_printf(ALPM_LOG_ERROR, - _("config file %s, line %d: directive '%s' has invalid value '%s'\n"), - file, linenum, key, value); + } else if(strcmp(key, "SigLevel") == 0) { + alpm_list_t *values = NULL; + setrepeatingoption(value, "SigLevel", &values); + if(process_siglevel(values, ALPM_SIG_USE_DEFAULT, &(config->siglevel))) { + FREELIST(values); return 1; } + FREELIST(values); } else { pm_printf(ALPM_LOG_WARNING, _("config file %s, line %d: directive '%s' in section '%s' not recognized.\n"), @@ -726,17 +796,15 @@ static int _parseconfig(const char *file, struct section_t *section, goto cleanup; } section->servers = alpm_list_add(section->servers, strdup(value)); - } else if(strcmp(key, "VerifySig") == 0) { - alpm_siglevel_t level = option_verifysig(value); - if(level != -1) { - section->siglevel = level; - } else { - pm_printf(ALPM_LOG_ERROR, - _("config file %s, line %d: directive '%s' has invalid value '%s'\n"), - file, linenum, key, value); + } else if(strcmp(key, "SigLevel") == 0) { + alpm_list_t *values = NULL; + setrepeatingoption(value, "SigLevel", &values); + if(process_siglevel(values, config->siglevel, &(section->siglevel))) { + FREELIST(values); ret = 1; goto cleanup; } + FREELIST(values); } else { pm_printf(ALPM_LOG_WARNING, _("config file %s, line %d: directive '%s' in section '%s' not recognized.\n"), diff --git a/test/pacman/util.py b/test/pacman/util.py index dbe416f..60dea9e 100644 --- a/test/pacman/util.py +++ b/test/pacman/util.py @@ -118,7 +118,7 @@ def mkcfgfile(filename, root, option, db): if key != "local": value = db[key] data.append("[%s]\n" \ - "VerifySig = %s\n" \ + "SigLevel = %s\n" \ "Server = file://%s" \ % (value.treename, value.getverify(), \ os.path.join(root, SYNCREPO, value.treename))) -- 1.7.6
On 29/07/11 10:04, Dan McGee wrote:
Add code to conf.c that parses the new SigLevel directive. An overwhelming number of options are presented, but most users will still be fine with the Never/Optional/Required trio. More advanced users can combine these or any of the other options on a 'SigLevel = ' line, which is parsed in a left-to-right fashion and flags turned on and off accordingly. For example, all three of these will net the same config:
SigLevel = Required PackageOptional SigLevel = Optional DatabaseRequired SigLevel = DatabaseRequired PackageOptional
Additionally, database-specific lines assume you wish to start with any global default that has been set. For example, if any of the above lines were in the [options] section, something such as:
SigLevel = PackageRequired PackageAllowMarginal
Would continue to enforce required database signatures.
Inspiration-by: Kerrick Staley<mail@kerrickstaley.com> Signed-off-by: Dan McGee<dan@archlinux.org> ---
Signed-off-by: Allan Tested using this in my pacman.conf: [allanbrokeit] Server = file:///home/allan/web/allanbrokeit/i686/ #Server = http://allanmcrae.com/allanbrokeit/i686/ SigLevel = Required [kernel64] Server = file:///home/arch/kernel64/2.6.39/ SigLevel = DatabaseRequired and everything seems to succeed/fail as expected. Allan
This adds docs for SigLevel, which can exist in both [options] and [repository] sections. It also does a bit of reworking of the structure of this manpage and adds a labeled list under the repo sections where we didn't have one before. Signed-off-by: Dan McGee <dan@archlinux.org> --- doc/pacman.conf.5.txt | 90 ++++++++++++++++++++++++++++++++++++++++++++---- 1 files changed, 82 insertions(+), 8 deletions(-) diff --git a/doc/pacman.conf.5.txt b/doc/pacman.conf.5.txt index 08fd0e1..cc8c1e4 100644 --- a/doc/pacman.conf.5.txt +++ b/doc/pacman.conf.5.txt @@ -156,6 +156,10 @@ Options packages are only cleaned if not installed locally and not present in any known sync database. +*SigLevel =* ...:: + Set the default signature verification level. For more information, see + <<SC,Package and Database Signature Checking>> below. + *UseSyslog*:: Log action messages through syslog(). This will insert log entries into +{localstatedir}/log/messages+ or equivalent. @@ -193,27 +197,97 @@ contain a file that lists the servers for that repository. -------- [core] -# use this repository first -Server = ftp://ftp.archlinux.org/core/os/arch +# use this server first +Server = ftp://ftp.archlinux.org/$repo/os/$arch # next use servers as defined in the mirrorlist below Include = {sysconfdir}/pacman.d/mirrorlist -------- +The order of repositories in the configuration files matters; repositories +listed first will take precedence over those listed later in the file when +packages in two repositories have identical names, regardless of version +number. + +*Include =* path:: + Include another config file. This file can include repositories or + general configuration options. Wildcards in the specified paths will get + expanded based on linkman:glob[7] rules. + +*Server =* url:: + A full URL to a location where the database, packages, and signatures (if + available) for this repository can be found. ++ During parsing, pacman will define the `$repo` variable to the name of the current section. This is often utilized in files specified using the 'Include' directive so all repositories can use the same mirrorfile. pacman also defines the `$arch` variable to the value of `Architecture`, so the same mirrorfile can even be used for different architectures. +*SigLevel =* ...:: + Set the default signature verification level. For more information, see + <<SC,Package and Database Signature Checking>> below. + +Package and Database Signature Checking +--------------------------------------- +The 'SigLevel' directive is valid in both the `[options]` and repository +sections. If used in `[options]`, it sets a default value for any repository +that does not provide the setting. + +If set to *Never*, no signature checking will take place. +If set to *Optional* , signatures will be checked when present, but unsigned +databases and packages will also be accepted. +If set to *Required*, signatures will be required on all packages and +databases. + +Alternatively, you can get more fine-grained control by combining some of +the options and prefixes described below. All options passed on a single +line are processed in left-to-right fashion, where later options override +and/or supplement earlier ones. + +The options are split into two main groups, described below. Terms used such as +``marginally trusted'' are terms used by GnuPG, for more information please +consult linkman:gpg[1]. + +When to Check:: + These options control if and when signature checks should take place. + + *Never*;; + All signature checking is suppressed, even if signatures are present. + + *Optional* (default);; + Signatures are checked if present; absence of a signature is not an + error. An invalid signature is a fatal error, as is a signature from a + key not in the keyring. + + *Required*;; + Signatures are required; absence of a signature or an invalid signature + is a fatal error, as is a signature from a key not in the keyring. + +What is Allowed:: + These options control what signatures are viewed as permissible. Note that + neither of these options allows acceptance of invalid or expired + signatures, or those from revoked keys. + + *TrustedOnly* (default);; + If a signature is checked, it must be in the keyring and fully trusted; + marginal trust does not meet this criteria. + + *TrustAll*;; + If a signature is checked, it must be in the keyring, but is not + required to be assigned a trust level (e.g., unknown or marginal + trust). + +Options in both groups can additionally be prefixed with either *Package* or +*Database*, which will cause it to only take effect on the specified object +type. For example, `PackageTrustAll` would allow marginal and unknown trust +level signatures for packages. + +The built-in default is the following: + -------- -Server = ftp://ftp.archlinux.org/$repo/os/$arch +SigLevel = Optional TrustedOnly -------- -The order of repositories in the configuration files matters; repositories -listed first will take precedence over those listed later in the file when -packages in two repositories have identical names, regardless of version -number. - Using Your Own Repository ------------------------- If you have numerous custom packages of your own, it is often easier to generate -- 1.7.6
On 29/07/11 10:04, Dan McGee wrote:
This adds docs for SigLevel, which can exist in both [options] and [repository] sections. It also does a bit of reworking of the structure of this manpage and adds a labeled list under the repo sections where we didn't have one before.
Signed-off-by: Dan McGee<dan@archlinux.org> --- doc/pacman.conf.5.txt | 90 ++++++++++++++++++++++++++++++++++++++++++++---- 1 files changed, 82 insertions(+), 8 deletions(-)
diff --git a/doc/pacman.conf.5.txt b/doc/pacman.conf.5.txt index 08fd0e1..cc8c1e4 100644 --- a/doc/pacman.conf.5.txt +++ b/doc/pacman.conf.5.txt @@ -156,6 +156,10 @@ Options packages are only cleaned if not installed locally and not present in any known sync database.
+*SigLevel =* ...:: + Set the default signature verification level. For more information, see + <<SC,Package and Database Signature Checking>> below. + *UseSyslog*:: Log action messages through syslog(). This will insert log entries into +{localstatedir}/log/messages+ or equivalent. @@ -193,27 +197,97 @@ contain a file that lists the servers for that repository.
-------- [core] -# use this repository first -Server = ftp://ftp.archlinux.org/core/os/arch +# use this server first +Server = ftp://ftp.archlinux.org/$repo/os/$arch # next use servers as defined in the mirrorlist below Include = {sysconfdir}/pacman.d/mirrorlist --------
+The order of repositories in the configuration files matters; repositories +listed first will take precedence over those listed later in the file when +packages in two repositories have identical names, regardless of version +number. + +*Include =* path:: + Include another config file. This file can include repositories or + general configuration options. Wildcards in the specified paths will get + expanded based on linkman:glob[7] rules. + +*Server =* url:: + A full URL to a location where the database, packages, and signatures (if + available) for this repository can be found. ++ During parsing, pacman will define the `$repo` variable to the name of the current section. This is often utilized in files specified using the 'Include' directive so all repositories can use the same mirrorfile. pacman also defines the `$arch` variable to the value of `Architecture`, so the same mirrorfile can even be used for different architectures.
+*SigLevel =* ...:: + Set the default signature verification level. For more information, see + <<SC,Package and Database Signature Checking>> below. + +Package and Database Signature Checking +--------------------------------------- +The 'SigLevel' directive is valid in both the `[options]` and repository +sections. If used in `[options]`, it sets a default value for any repository +that does not provide the setting. + +If set to *Never*, no signature checking will take place. +If set to *Optional* , signatures will be checked when present, but unsigned +databases and packages will also be accepted. +If set to *Required*, signatures will be required on all packages and +databases.
My only comment here is that the above could go more paragraph style as it seems repetitive given it is in bullet point style just below.
+Alternatively, you can get more fine-grained control by combining some of +the options and prefixes described below. All options passed on a single +line are processed in left-to-right fashion, where later options override +and/or supplement earlier ones. + +The options are split into two main groups, described below. Terms used such as +``marginally trusted'' are terms used by GnuPG, for more information please +consult linkman:gpg[1]. + +When to Check:: + These options control if and when signature checks should take place. + + *Never*;; + All signature checking is suppressed, even if signatures are present. + + *Optional* (default);; + Signatures are checked if present; absence of a signature is not an + error. An invalid signature is a fatal error, as is a signature from a + key not in the keyring. + + *Required*;; + Signatures are required; absence of a signature or an invalid signature + is a fatal error, as is a signature from a key not in the keyring. + +What is Allowed:: + These options control what signatures are viewed as permissible. Note that + neither of these options allows acceptance of invalid or expired + signatures, or those from revoked keys. + + *TrustedOnly* (default);; + If a signature is checked, it must be in the keyring and fully trusted; + marginal trust does not meet this criteria. + + *TrustAll*;; + If a signature is checked, it must be in the keyring, but is not + required to be assigned a trust level (e.g., unknown or marginal + trust). + +Options in both groups can additionally be prefixed with either *Package* or +*Database*, which will cause it to only take effect on the specified object +type. For example, `PackageTrustAll` would allow marginal and unknown trust +level signatures for packages. + +The built-in default is the following: + -------- -Server = ftp://ftp.archlinux.org/$repo/os/$arch +SigLevel = Optional TrustedOnly --------
-The order of repositories in the configuration files matters; repositories -listed first will take precedence over those listed later in the file when -packages in two repositories have identical names, regardless of version -number. - Using Your Own Repository ------------------------- If you have numerous custom packages of your own, it is often easier to generate
participants (2)
-
Allan McRae
-
Dan McGee