[arch-dev-public] Proposed news item: Package verification

Gaetan Bisson bisson at archlinux.org
Sun Apr 29 18:59:31 EDT 2012


Hi everyone,

How about the following news item?

========

Title: Having pacman verify packages

Over the past six months, pacman has had package verification features,
although they were turned off while we were still figuring out the
details of our public-key infrastructure. This work has resulted in the
<a href="https://www.archlinux.org/packages/core/any/archlinux-keyring/">archlinux-keyring package</a>
which contains all the data you need to authenticate packages as
made by official Arch packagers (developers and trusted users).

Having pacman verify packages is now as easy as doing:

	pacman -Syu archlinux-keyring
	pacman-key --init
	pacman-key --populate archlinux
The archlinux-keyring package contains five master keys that are used to
authenticate official Arch packagers, so you do not need to know who
joins or leaves the team: you just have to verify those five master keys
once and for all. This last command will prompt you to do so; please do
this cautiously by checking the fingerprints displayed against
<a href="https://www.archlinux.org/master-keys/">those published on our website</a>.

Then, set the following in your pacman.conf:

	SigLevel = PackageRequired TrustedOnly

And you should be good to go!

For more details on the development of pacman and archlinux-keyring, see the blog posts of
<a href="http://allanmcrae.com/2011/12/pacman-package-signing-4-arch-linux/">Allan</a>
and <a href="https://pierre-schmitz.com/verify-all-the-packages/">Pierre</a>.

========

Cheers.

-- 
Gaetan
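The two manual checks the news item asks for, comparing the master-key fingerprints pacman-key shows you against the published ones and making sure pacman.conf does not switch verification off, can be scripted so they are repeatable. The following is an added example, not part of Gaetan's proposed text or of pacman itself. It assumes the keyring lives under /etc/pacman.d/gnupg (pacman's default) and reads gpg's machine-readable colon output; the fingerprints, keyring listing and config fragments below are constructed placeholders, not the real Arch master keys.

```shell
#!/bin/sh
# Added example (not from the news item or pacman): verify that the master
# keys in the pacman keyring match a list copied from the master-keys page,
# and that pacman.conf does not disable signature checks.

# Fingerprints as copied from the web page, one per line. CONSTRUCTED
# placeholders; replace with the five published master-key fingerprints.
PUBLISHED_FPRS="0000000000000000000000000000000000000000
1111 1111 1111 1111 1111 1111 1111 1111 1111 1111
2222222222222222222222222222222222222222"

# Constructed stand-in for the output of:
#   gpg --homedir /etc/pacman.d/gnupg --with-colons --fingerprint
# Only the fpr: records matter; the third placeholder key is deliberately absent.
SAMPLE_GPG_OUTPUT="pub:u:2048:1:AAAAAAAAAAAAAAAA:1325000000::::::scESC::::::
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1325000000::HASH::Placeholder Master Key One <one@example.invalid>::::::::::0:
pub:u:2048:1:BBBBBBBBBBBBBBBB:1325000000::::::scESC::::::
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1325000000::HASH::Placeholder Master Key Two <two@example.invalid>::::::::::0:"

# Constructed pacman.conf fragments: the setting from the news item, and a
# weak one that turns verification off entirely.
GOOD_CONF="[options]
SigLevel = PackageRequired TrustedOnly"
WEAK_CONF="[options]
SigLevel = Never"

# check_fingerprints GPG_COLON_OUTPUT EXPECTED_LIST
# Reports every expected fingerprint that has no fpr: record in the keyring
# listing; returns 0 only when all of them are present.
check_fingerprints() {
    gpg_out=$1
    expected=$2
    missing=0
    old_ifs=$IFS
    IFS='
'
    for fpr in $expected; do
        # Normalise what was copied from the page: drop group spacing, upper-case.
        fpr=$(printf '%s' "$fpr" | tr -d ' ' | tr 'a-z' 'A-Z')
        if [ -z "$fpr" ]; then
            continue
        fi
        # gpg colon format: field 1 is "fpr", field 10 holds the fingerprint.
        if ! printf '%s\n' "$gpg_out" | grep -q "^fpr:::::::::${fpr}:"; then
            echo "MISSING from keyring: $fpr" >&2
            missing=$((missing + 1))
        fi
    done
    IFS=$old_ifs
    [ "$missing" -eq 0 ]
}

# check_siglevel PACMAN_CONF_TEXT
# Returns 1 if any active (uncommented) SigLevel line contains "Never",
# which disables signature verification; 0 otherwise.
check_siglevel() {
    conf=$1
    if printf '%s\n' "$conf" \
        | grep -E '^[[:space:]]*SigLevel[[:space:]]*=' \
        | grep -q 'Never'; then
        return 1
    fi
    return 0
}

# Demo on the constructed data. To run against a live keyring, replace
# SAMPLE_GPG_OUTPUT with the gpg command above and GOOD_CONF with
# "$(cat /etc/pacman.conf)".
if check_fingerprints "$SAMPLE_GPG_OUTPUT" "$PUBLISHED_FPRS"; then
    echo "keyring matches the published master keys"
else
    echo "keyring does NOT match the published master keys; investigate before trusting it"
fi
check_siglevel "$GOOD_CONF" && echo "pacman.conf: verification enabled"
check_siglevel "$WEAK_CONF" || echo "pacman.conf (weak sample): SigLevel = Never disables verification"
```

The fingerprint comparison is the step that actually anchors trust: `pacman-key --populate` can only show you what is in the package, so a keyring that was tampered with before it reached you would still look internally consistent. Comparing against the fingerprints published on the website, fetched over HTTPS, is what ties the local keyring to the project.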
