[arch-dev-public] Proposed news item: Package verification

Gaetan Bisson bisson at archlinux.org
Mon Apr 30 07:02:24 EDT 2012


[2012-04-30 10:18:36 +1000] Allan McRae:
> On 30/04/12 08:59, Gaetan Bisson wrote:
> > Then, set the following in your pacman.conf:
> > 
> > 	SigLevel = PackageRequired TrustedOnly
> 
> Setting that globally causes failures with "pacman -U" and unsigned
> packages.  So PackageRequired should only be enabled on a per repo basis
> at the moment.

Right.

> We could do a pacman update with an updated pacman.conf for people to
> merge to help this along.

That would be great.

In fact, package verification could even be enabled by default in the
new pacman.conf, archlinux-keyring added as a dependency of pacman, and
the news item summed up into a post-install message. Attached are a
patch to our pacman package and an updated news post doing this.
Comments welcome!

Cheers.

-- 
Gaetan
-------------- next part --------------
Title: Having pacman verify packages

Over the past six months, pacman has had package verification features,
although they were turned off while we were still figuring out the
details of our public-key infrastructure.

They have been enabled in pacman-4.0.3-2; when you upgrade, you will be
prompted to run:

	pacman-key --init
	pacman-key --populate archlinux

This sets up a pacman keyring, and populates it with all the data needed to
authenticate packages as made by official Arch packagers (developers and
trusted users). This consists in particular of five master keys used to
authenticate official Arch packagers, so you do not need to know who joins or
leaves the team: you just have to verify those five master keys once and for
all. This last command will prompt you to do so; please do this cautiously by
checking the fingerprints displayed against
<a href="https://www.archlinux.org/master-keys/">those published on our website</a>.

Then, merge your pacman.conf with pacman.conf.new, that is, enable package
verification through the SigLevel option, and you should be good to go.

For more details on the development of pacman and archlinux-keyring, see the blog posts of
<a href="http://allanmcrae.com/2011/12/pacman-package-signing-4-arch-linux/">Allan</a>
and <a href="https://pierre-schmitz.com/verify-all-the-packages/">Pierre</a>.
-------------- next part --------------
diff -Naur old/pacman.conf new/pacman.conf
--- old/pacman.conf	2012-04-30 12:03:12.870704414 +0200
+++ new/pacman.conf	2012-04-30 12:35:33.646325388 +0200
@@ -42,12 +42,6 @@
 # you to locally sign and trust packager keys using `pacman-key` for them to be
 # considered valid.
 #SigLevel = Optional TrustedOnly
-# If you wish to check signatures but avoid local sign and trust issues, use
-# the following line. This will treat any key imported into pacman's keyring as
-# trusted.
-#SigLevel = Optional TrustAll
-# For now, off by default unless you read the above.
-SigLevel = Never
 
 #
 # REPOSITORIES
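Review bot: With `SigLevel = Never` deleted, the [options] section no longer states any signature policy, so the global level — and, as I read the SigLevel semantics, the database-signature level that the per-repo `PackageRequired` lines do not touch — now depends on pacman's compiled-in default. Uncommenting the line that is already there, `SigLevel = Optional TrustedOnly`, keeps the trust policy visible in the shipped config instead of implicit. A one-line comment such as `# Repository databases are still accepted unsigned; the PackageRequired lines below cover packages only` would tell readers why the repo sections name only the Package part. The same hunk appears in pacman.conf.x86_64 at @@ -42,12 +42,6 @@.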
@@ -77,11 +71,11 @@
 #Include = /etc/pacman.d/mirrorlist
 
 [core]
-#SigLevel = PackageRequired
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [extra]
-#SigLevel = PackageOptional
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 #[community-testing]
@@ -89,7 +83,7 @@
 #Include = /etc/pacman.d/mirrorlist
 
 [community]
-#SigLevel = PackageOptional
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 # An example of a custom package repository.  See the pacman manpage for
diff -Naur old/pacman.conf.x86_64 new/pacman.conf.x86_64
--- old/pacman.conf.x86_64	2012-04-30 12:03:12.870704414 +0200
+++ new/pacman.conf.x86_64	2012-04-30 12:35:22.966314170 +0200
@@ -42,12 +42,6 @@
 # you to locally sign and trust packager keys using `pacman-key` for them to be
 # considered valid.
 #SigLevel = Optional TrustedOnly
-# If you wish to check signatures but avoid local sign and trust issues, use
-# the following line. This will treat any key imported into pacman's keyring as
-# trusted.
-#SigLevel = Optional TrustAll
-# For now, off by default unless you read the above.
-SigLevel = Never
 
 #
 # REPOSITORIES
@@ -77,11 +71,11 @@
 #Include = /etc/pacman.d/mirrorlist
 
 [core]
-#SigLevel = PackageRequired
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [extra]
-#SigLevel = PackageOptional
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 #[community-testing]
@@ -89,7 +83,7 @@
 #Include = /etc/pacman.d/mirrorlist
 
 [community]
-#SigLevel = PackageOptional
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 # If you want to run 32 bit applications on your x86_64 system,
@@ -100,7 +94,7 @@
 #Include = /etc/pacman.d/mirrorlist
 
 #[multilib]
-#SigLevel = PackageOptional
+#SigLevel = PackageRequired
 #Include = /etc/pacman.d/mirrorlist
 
 # An example of a custom package repository.  See the pacman manpage for
diff -Naur old/pacman.install new/pacman.install
--- old/pacman.install	2012-04-30 12:03:12.870704414 +0200
+++ new/pacman.install	2012-04-30 12:36:13.366366907 +0200
@@ -9,7 +9,9 @@
     if [ "$(vercmp $2 3.5.0)" -lt 0 ]; then
         _warnupgrade
     fi
-    _check_pubring
+    if [ ! -f "etc/pacman.d/gnupg/pubring.gpg" ] || [ "$(vercmp $2 4.0.3-2)" -lt 0 ]; then
+        _check_pubring
+    fi
 }
 
 post_install() {
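Review bot: The added condition repeats the unquoted `$2` from the line above it; quoting it, `[ "$(vercmp "$2" 4.0.3-2)" -lt 0 ]`, keeps the scriptlet ShellCheck-clean and costs nothing since the argument is a version string. The literal `4.0.3-2` encodes the release that first pulls in the keyring data, so a short comment — `# remind upgraders from releases before archlinux-keyring became a dependency` — would explain the second branch to the next editor. The function enclosing these lines starts before the hunk.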
@@ -17,9 +19,9 @@
 }
 
 _check_pubring() {
-    if [ ! -f "etc/pacman.d/gnupg/pubring.gpg" ]; then
-        echo " >>> Run \`pacman-key --init\` to set up your pacman keyring."
-    fi
+    echo " >>> Run  \`pacman-key --init; pacman-key --populate archlinux\`"
+    echo " >>> to import the data required by pacman for package verification."
+    echo " >>> See: https://www.archlinux.org/news/having-pacman-verify-packages"
 }
 
 _warnupgrade() {
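Review bot: The new message tells users to run `pacman-key --populate archlinux` but not that this step asks them to trust the master keys, so the fingerprints should be compared against the published list before confirming; the attached news post says exactly this, and the scriptlet is the text most users will actually read. Adding a line such as `echo " >>> When prompted, compare the master-key fingerprints with https://www.archlinux.org/master-keys/"` before the news link would close that gap. As a point of style, `_check_pubring` no longer checks anything now that the file test lives in its caller in the previous hunk, so a name like `_keyring_notice` (updated at the call site) or a one-line comment stating that it only prints would match what it does; the doubled space in `Run  \`pacman-key` also looks accidental.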
diff -Naur old/PKGBUILD new/PKGBUILD
--- old/PKGBUILD	2012-04-30 12:03:12.870704414 +0200
+++ new/PKGBUILD	2012-04-30 12:36:46.533068001 +0200
@@ -5,14 +5,14 @@
 
 pkgname=pacman
 pkgver=4.0.3
-pkgrel=1
+pkgrel=2
 pkgdesc="A library-based package manager with dependency support"
 arch=('i686' 'x86_64')
 url="http://www.archlinux.org/pacman/"
 license=('GPL')
 groups=('base')
 depends=('bash' 'glibc>=2.15' 'libarchive>=3.0.2' 'curl>=7.19.4'
-         'gpgme' 'pacman-mirrorlist')
+         'gpgme' 'pacman-mirrorlist' 'archlinux-keyring')
 makedepends=('asciidoc')
 optdepends=('fakeroot: for makepkg usage as normal user')
 backup=(etc/pacman.conf etc/makepkg.conf)
@@ -24,8 +24,8 @@
         makepkg.conf)
 md5sums=('387965c7125e60e5f0b9ff3b427fe0f9'
          '1a70392526c8768470da678b31905a6e'
-         '4605b3490d4fd1e5c6e20db17da9ded6'
-         'a0edf98ad1845a4c7d902a86638d5d2d'
+         '5c0f4b106a4eba6ded854d545762e9a5'
+         '40479a57e5bd71a6cb7d1ece3af8c61d'
          '589cd34eb9d5b678455e8289394f523e')
 
 build() {
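Review bot: The regenerated hashes still go into `md5sums`, and MD5 is not collision resistant, so they give little assurance for the upstream tarball in the first entry; makepkg also accepts `sha256sums=`, so renaming the array and regenerating the five values with `makepkg -g` would strengthen the check at no cost. This is a pre-existing weakness rather than something the hunk introduces, but the hunk already regenerates the values, which is the natural moment to switch.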

