On 22/11/10 11:59, Denis A. Altoé Falqueto wrote:

On Sat, Nov 20, 2010 at 10:51 PM, Allan McRae wrote:

...

pacman: - TODO: create directories needed for keyring during "make install"

That is in the PKGBUILD for pacman, isn't?

I think the default directories should be created by "make install" rather that in a PKGBUILD.

...

- TODO: verify signatures for packages installed from filesystem (???)

I'll check if it is being done, but if I'm not mistaken, it is currently implemented.

I probably did something wrong... but when I created a random ".sig" file of the right length beside a package and installed it with "pacman -U", it was clear that the signature file was being read in but it did not fail due to the bad signature. Mind you, I have absolutely no gpg keyring stuff set up for testing yet. Allan

pacman -Syy :: Synchronizing package databases...

pacman -Sy :: Synchronizing package databases...

pacman -Syy :: Synchronizing package databases...

So... a real work usage test of package signing is under way on my laptop! I built a pacman-git package from my "gpg" branch (http://projects.archlinux.org/users/allan/pacman.git/log/?h=gpg). Note that branch is on top of my working branch which contains a change to the local db format so be warned if you go to test it... Here is my experience so far (long version): 1) Adding my signature to the pacman keyring with pacman-key worked. I'm not entirely up on gpg signing, but I had to set the trust level of my key to "ultimate" for things I signed to validate. "full" trust was not enough. Is this usual? 2) Building a package and signing it went flawlessly 3) Adding the package and signature to the repo worked, but a symlink to the signature needs to be created at repo.db.sig now that pacman looks for repo.db when downloading a db. Not surprising given the patch for repo-add is about 30 months old! 4) Updating a repo and validating its signature went fine although it does give a lot of output which needs removed. Also, the name displayed while downloading the sig file needs adjusted. pacman 1.0K 318.7K/s 00:00:00 [######################] 100% pacman 0.3K 10.5M/s 00:00:00 [######################] 100% summary=3 fpr=1A03113E773AA2652D2FA5DCE9241FABC8A82D92 status=0 timestamp=1290423916 wrong_key_usage=0 pka_trust=0 chain_model=0 validity=4 validity_reason=0 key=1 hash=2 kernel64 1.5K 43.4M/s 00:00:00 [######################] 100% That second "pacman" download is actually the sig file for the pacman repo... I then tried setting "VerifySig = Optional" creating a new db without a signature and running a -Sy: pacman 1.0K 376.6K/s 00:00:00 [######################] 100% error: failed retrieving file 'pacman.db.sig' from disk : No such file or directory summary=4 fpr=E9241FABC8A82D92 status=117440520 timestamp=0 wrong_key_usage=0 pka_trust=0 chain_model=0 validity=0 validity_reason=0 key=0 hash=0 error: File /var/lib/pacman/sync/pacman.db has an invalid signature. error: failed to update pacman (invalid PGP signature) Huh... OK, it fails downloading the signature and then attempts to use the old signature file... Lets remove the old signature file and try again: pacman 1.0K 378.6K/s 00:00:00 [######################] 100% error: failed retrieving file 'pacman.db.sig' from disk : No such file or directory Better, but it is not really an error given the signature verification is optional. 5) Installing packages from a repo and verifying their signature works. Again there is a lot of "debug" output but that will be fixed with the changes needed above. 6) Installing packages with signatures from the local filesystem does not really work... The function that reads in the signature file assumes a certain size for the file (72 bytes) and that did not match my signature file size. I have pinged Dan to see if he can remember where that assumption came from but given that code is over two years old... tl:dr (short version): package/db signing somewhat works, but needs _substantial_ polish. I'm going to start with a bit more of a rebase of what is on the gpg branch. E.g. the commits to makepkg/repo-add were initially made 30 months ago and so a bunch of extra correction fixes have been made to keep up with current development. Merging these should hopefully make the patch series less all over the place... Then I think we should just work through each part polishing the implementation. I think an obvious first step is the issues with the download and verification of database signatures I pointed out above. Allan