[pacman-dev] Status of package signing work
Hi,

I just rebased the gpg work on top of my working branch and pulled in a couple of patches to do with the pacman-key tool so I thought it would be a good time to get a summary of where we are on this.

Here is my take on the current status. I would like to keep this list up-to-date so we can track progress, so feel free to reply adding anything I have missed.

pacman-key:
- tool to manage pacman keyring
- TODO: man page needs tidying/clarification

makepkg:
- will sign packages and produce detached signature if the "sign" option is enabled in makepkg.conf
- split packages, PKGDEST etc all handled
- TODO: allow selection of key used for signing (patch: http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011435.html)
- TODO: documentation (patch: http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011436.html)

repo-add:
- adds package signature (base64) to repos if available when adding package
- has option to sign a repo after creation and verify current signature before making changes
- TODO: check signature used to verify is not only good but is also in a list of accepted keys (???)
- TODO: allow selection of key used for signing (patch: http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011435.html)
- TODO: documentation (patch: http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011436.html)

pacman:
- reads in keys from repo-db and decodes them when needed
- reads in .sig files when beside a package being loaded from the filesystem
- integrated gpgme into pacman for signature verification
- provide options to control signature verification on a per repo basis
- verifies signatures of packages when installing from repo
- TODO: create directories needed for keyring during "make install"
- TODO: verify signatures for packages installed from filesystem (???)
- TODO: download and verify signatures of dbs (patches: http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011433.html http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011434.html)

I think the very last TODO there is the only thing stopping us from getting some actual testing of this work underway. I think I have my head around what the two patches are doing now, but I am not sure I like the "how" of that doing. So I will make an attempt into hacking them as I see fit in the next few days... Then I will publish a signed repo with a pacman-git and we can see how this all goes!

Allan
On Sat, Nov 20, 2010 at 10:51 PM, Allan McRae <allan@archlinux.org> wrote:
> pacman-key:
> - tool to manage pacman keyring
> - TODO: man page needs tidying/clarification
I'll try to work on that, but everyone is very welcome to help.
> repo-add:
> - adds package signature (base64) to repos if available when adding package
> - has option to sign a repo after creation and verify current signature before making changes
> - TODO: check signature used to verify is not only good but is also in a list of accepted keys (???)
Good point, I'll try to do that too.
> - TODO: allow selection of key used for signing (patch: http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011435.html)
> - TODO: documentation (patch: http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011436.html)
> pacman:
> - reads in keys from repo-db and decodes them when needed
> - reads in .sig files when beside a package being loaded from the filesystem
> - integrated gpgme into pacman for signature verification
> - provide options to control signature verification on a per repo basis
> - verifies signatures of packages when installing from repo
> - TODO: create directories needed for keyring during "make install"
That is in the PKGBUILD for pacman, isn't it?
> - TODO: verify signatures for packages installed from filesystem (???)
I'll check if it is being done, but if I'm not mistaken, it is currently implemented.
> - TODO: download and verify signatures of dbs (patches: http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011433.html http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011434.html)
>
> I think the very last TODO there is the only thing stopping us from getting some actual testing of this work underway. I think I have my head around what the two patches are doing now, but I am not sure I like the "how" of that doing. So I will make an attempt into hacking them as I see fit in the next few days... Then I will publish a signed repo with a pacman-git and we can see how this all goes!
Please, don't hesitate to ask if you have any questions about the implementation details. Or if you want to delegate the real work, you can ask me to change specific details. Just say what to do and I can help.

--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?
-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------
On 22/11/10 11:59, Denis A. Altoé Falqueto wrote:
> On Sat, Nov 20, 2010 at 10:51 PM, Allan McRae<allan@archlinux.org> wrote:
>> pacman:
>> - TODO: create directories needed for keyring during "make install"
>
> That is in the PKGBUILD for pacman, isn't it?
I think the default directories should be created by "make install" rather than in a PKGBUILD.
>> - TODO: verify signatures for packages installed from filesystem (???)
>
> I'll check if it is being done, but if I'm not mistaken, it is currently implemented.
I probably did something wrong... but when I created a random ".sig" file of the right length beside a package and installed it with "pacman -U", it was clear that the signature file was being read in but it did not fail due to the bad signature. Mind you, I have absolutely no gpg keyring stuff set up for testing yet.

Allan
On 22/11/10 11:59, Denis A. Altoé Falqueto wrote:
> On Sat, Nov 20, 2010 at 10:51 PM, Allan McRae<allan@archlinux.org> wrote:
>> - TODO: download and verify signatures of dbs (patches: http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011433.html http://mailman.archlinux.org/pipermail/pacman-dev/2010-July/011434.html)
>>
>> I think the very last TODO there is the only thing stopping us from getting some actual testing of this work underway. I think I have my head around what the two patches are doing now, but I am not sure I like the "how" of that doing. So I will make an attempt into hacking them as I see fit in the next few days... Then I will publish a signed repo with a pacman-git and we can see how this all goes!
>
> Please, don't hesitate to ask if you have any questions about the implementation details. Or if you want to delegate the real work, you can ask me to change specific details. Just say what to do and I can help.
I was going to get you to do some adjustments, but while reviewing those two patches I decided that it should be done in a slightly different way... and then I prototyped that way for you to adjust your patches to follow... and then I just finished the patches! So I am not ignoring your patches, but just thought that their goal should be achieved in a different way. I will send my two patches to this list following this email. I think they completely cover the first patch linked above but the second patch looks like it had an unrelated change included in it that I have not looked at (reading in PGPSIG without requiring a size?). That should be resubmitted as a separate patch with a commit message explaining it.

Allan
So... a real world usage test of package signing is under way on my laptop! I built a pacman-git package from my "gpg" branch (http://projects.archlinux.org/users/allan/pacman.git/log/?h=gpg). Note that branch is on top of my working branch which contains a change to the local db format so be warned if you go to test it...

Here is my experience so far (long version):

1) Adding my signature to the pacman keyring with pacman-key worked. I'm not entirely up on gpg signing, but I had to set the trust level of my key to "ultimate" for things I signed to validate. "full" trust was not enough. Is this usual?

2) Building a package and signing it went flawlessly.

3) Adding the package and signature to the repo worked, but a symlink to the signature needs to be created at repo.db.sig now that pacman looks for repo.db when downloading a db. Not surprising given the patch for repo-add is about 30 months old!

4) Updating a repo and validating its signature went fine although it does give a lot of output which needs to be removed. Also, the name displayed while downloading the sig file needs to be adjusted.

pacman -Syy
:: Synchronizing package databases...
pacman 1.0K 318.7K/s 00:00:00 [######################] 100%
pacman 0.3K 10.5M/s 00:00:00 [######################] 100%
summary=3 fpr=1A03113E773AA2652D2FA5DCE9241FABC8A82D92 status=0 timestamp=1290423916 wrong_key_usage=0 pka_trust=0 chain_model=0 validity=4 validity_reason=0 key=1 hash=2
kernel64 1.5K 43.4M/s 00:00:00 [######################] 100%

That second "pacman" download is actually the sig file for the pacman repo...

I then tried setting "VerifySig = Optional", creating a new db without a signature and running a -Sy:

pacman -Sy
:: Synchronizing package databases...
pacman 1.0K 376.6K/s 00:00:00 [######################] 100%
error: failed retrieving file 'pacman.db.sig' from disk : No such file or directory
summary=4 fpr=E9241FABC8A82D92 status=117440520 timestamp=0 wrong_key_usage=0 pka_trust=0 chain_model=0 validity=0 validity_reason=0 key=0 hash=0
error: File /var/lib/pacman/sync/pacman.db has an invalid signature.
error: failed to update pacman (invalid PGP signature)

Huh... OK, it fails downloading the signature and then attempts to use the old signature file... Let's remove the old signature file and try again:

pacman -Syy
:: Synchronizing package databases...
pacman 1.0K 378.6K/s 00:00:00 [######################] 100%
error: failed retrieving file 'pacman.db.sig' from disk : No such file or directory

Better, but it is not really an error given the signature verification is optional.

5) Installing packages from a repo and verifying their signature works. Again there is a lot of "debug" output but that will be fixed with the changes needed above.

6) Installing packages with signatures from the local filesystem does not really work... The function that reads in the signature file assumes a certain size for the file (72 bytes) and that did not match my signature file size. I have pinged Dan to see if he can remember where that assumption came from but given that code is over two years old...

tl;dr (short version): package/db signing somewhat works, but needs _substantial_ polish.

I'm going to start with a bit more of a rebase of what is on the gpg branch. E.g. the commits to makepkg/repo-add were initially made 30 months ago and so a bunch of extra correction fixes have been made to keep up with current development. Merging these should hopefully make the patch series less all over the place... Then I think we should just work through each part polishing the implementation. I think an obvious first step is the issues with the download and verification of database signatures I pointed out above.

Allan
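An added example (not pacman's code and not any patch from this thread) that models the checks the status list and the test report above call for: read a .sig whole rather than assuming 72 bytes, never fall back to a stale cached .sig when the fresh download fails, treat a missing signature as acceptable only under VerifySig = Optional, and require that a "good" signature also comes from an accepted key. The verify callable, the accepted fingerprint and the cache path are assumptions standing in for gpgme and the pacman keyring.

```python
import base64
import os

# Constructed placeholder fingerprint; a real deployment loads accepted keys from the keyring.
ACCEPTED_FPRS = {"0123456789ABCDEF0123456789ABCDEF01234567"}


def read_sig_file(path):
    """Read a detached signature whole; its length depends on key type and size."""
    with open(path, "rb") as f:
        return f.read()


def sig_to_db_field(sig):
    """repo-add stores the signature base64-encoded in the db (the PGPSIG entry)."""
    return base64.b64encode(sig).decode("ascii")


def db_field_to_sig(field):
    """Inverse of sig_to_db_field: recover raw signature bytes from the db entry."""
    return base64.b64decode(field)


def sync_db_sig(download, cache_path):
    """Fetch a fresh .sig via download() (returns bytes or None on failure).
    On failure, discard any stale cached copy and return None instead of
    silently verifying the new db against the previous signature."""
    data = download()
    if data is None:
        if os.path.exists(cache_path):
            os.remove(cache_path)
        return None
    with open(cache_path, "wb") as f:
        f.write(data)
    return data


def check_signature(policy, sig, verify, accepted=ACCEPTED_FPRS):
    """Apply a VerifySig policy (Never / Optional / Always) to a fetched signature.
    verify(sig) is an assumed stand-in for gpgme and returns (is_good, signer_fpr).
    Returns (decision, reason) where decision is "ok" or "reject"."""
    if policy == "Never":
        return "ok", "verification disabled"
    if sig is None:
        if policy == "Optional":
            return "ok", "no signature available, accepted under Optional"
        return "reject", "signature required but missing"
    good, fpr = verify(sig)
    if not good:
        return "reject", "bad signature"
    if fpr not in accepted:
        return "reject", "good signature from unaccepted key " + fpr
    return "ok", "good signature from accepted key " + fpr
```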
On 21/11/10 10:51, Allan McRae wrote:
> Hi,
>
> I just rebased the gpg work on top of my working branch and pulled in a couple of patches to do with the pacman-key tool so I thought it would be a good time to get a summary of where we are on this.
>
> Here is my take on the current status. I would like to keep this list up-to-date so we can track progress, so feel free to reply adding anything I have missed.

<snip>

FYI: I have wikified the TODO list here: https://wiki.archlinux.org/index.php/User:Allan/Package_Signing

Allan