[arch-announce] Having pacman verify packages

Arch Linux: Recent news updates: Gaetan Bisson announce at archlinux.org
Mon Jun 4 11:01:02 EDT 2012


Gaetan Bisson wrote:

For the past six months, pacman's package verification features were turned off
by default while we were figuring out the details of our public-key
infrastructure.

They have finally been enabled in pacman-4.0.3-2; when you upgrade, you will be
prompted to run:


    pacman-key --init
    pacman-key --populate archlinux


This sets up a local keyring for pacman, and populates it with the data needed
to authenticate official packages. This includes five master keys used to
authenticate Arch Linux packagers (developers and trusted users), so you do not
need to know who joins or leaves the team: you only have to verify those five
master keys once and for all. The populate command will prompt you to do so;
please do this cautiously by checking the fingerprints displayed against [those
published on our website][1].

Then, merge your `pacman.conf` with `pacman.conf.pacnew`, that is, enable
package verification through the SigLevel option, and you should be good to go.

For details on the development of pacman and archlinux-keyring, see the blog
posts of [Allan][2] and [Pierre][3].

   [1]: https://www.archlinux.org/master-keys/

   [2]: http://allanmcrae.com/2011/12/pacman-package-signing-4-arch-linux/

   [3]: https://pierre-schmitz.com/verify-all-the-packages/

URL: http://www.archlinux.org/news/having-pacman-verify-packages/
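
The following check is an added example, not part of the original announcement or of pacman itself: after merging `pacman.conf` as described above, it reports for each repository whether package signatures are required by the SigLevel option. The sample configuration and the repository names `custom` and `legacy` are constructed; `Include`d files are not followed and `[options]` is assumed to come before the repository sections.

```shell
#!/bin/sh
# audit_siglevel [FILE]: print "<repo> <package-level> <OK|WEAK>" for each
# repository section. Reads standard input when no FILE is given.
audit_siglevel() {
    awk '
    # Apply SigLevel tokens in order; the last Never/Optional/Required wins.
    function apply(level, tokens,    n, i, t, parts) {
        n = split(tokens, parts, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            t = parts[i]
            sub(/^Package/, "", t)   # PackageRequired counts as Required
            if (t == "Never" || t == "Optional" || t == "Required") level = t
        }                            # Database* and Trust* tokens are ignored
        return level
    }
    function report() {
        if (section != "" && section != "options")
            printf "%s %s %s\n", section, level, (level == "Required" ? "OK" : "WEAK")
    }
    BEGIN { global = "unset" }
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
    /^\[.*\]$/ {
        report()
        section = substr($0, 2, length($0) - 2)
        # Repository sections start from the [options] value.
        level = (section == "options") ? "unset" : global
        next
    }
    /^SigLevel[ \t]*=/ {
        sub(/^[^=]*=/, "")
        level = apply(level, $0)
        if (section == "options") global = level
    }
    END { report() }
    ' "$@"
}

# Constructed sample configuration (not a real system file).
sample_conf() {
    printf '%s\n' '[options]' 'SigLevel = Required DatabaseOptional' '' \
        '[core]' 'Include = /etc/pacman.d/mirrorlist' '' \
        '[extra]' 'SigLevel = PackageRequired' '' \
        '[custom]' 'SigLevel = Optional TrustAll' '' \
        '[legacy]' 'SigLevel = Never'
}

sample_conf | audit_siglevel
```

On a real system, run `audit_siglevel /etc/pacman.conf`; a repository reported as `unset` has no SigLevel in either its own section or `[options]`, which this script treats as weak.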

