[arch-dev-public] Proposed news item: Package verification
bisson at archlinux.org
Sun Apr 29 18:59:31 EDT 2012
How about the following news item?
Title: Having pacman verify packages
Over the past six months, pacman has had package verification features,
although they were turned off while we were still figuring out the
details of our public-key infrastructure. This work has resulted in the
<a href="https://www.archlinux.org/packages/core/any/archlinux-keyring/">archlinux-keyring package</a>
which contains all the data you need to authenticate packages as
made by official Arch packagers (developers and trusted users).
Having pacman verify packages is now as easy as doing:
pacman -Syu archlinux-keyring
pacman-key --populate archlinux
The archlinux-keyring package contains five master keys that are used to
authenticate official Arch packagers, so you do not need to know who
joins or leave the team: you just have to verify those five master keys
once and for all. This last command will prompt you to do so; please do
this cautiously by checking the fingerprints displayed against
<a href="https://www.archlinux.org/master-keys/">those published on our website</a>.
Then, set the following in your pacman.conf:
SigLevel = PackageRequired TrustedOnly
And you should be good to go!
For more details on the development of pacman and archlinux-keyring, see the blog posts of
and <a href="https://pierre-schmitz.com/verify-all-the-packages/">Pierre</a>.
More information about the arch-dev-public