[arch-dev-public] Keyring package for real

Allan McRae allan at archlinux.org
Sat Mar 3 23:38:47 EST 2012


On 04/03/12 06:54, Pierre Schmitz wrote:
> Hi,
> 
> I have pushed an archlinux-keyring package into [testing] so we have
> something real to talk about. I revised some of my initial ideas. The
> package is compatible with pacman-key --populate; it seems gpg will also
> just accept a keyring that is just a bunch of keys put into one file.
> 
> The remaining issue is the install script of the actual package. Atm I
> run "pacman-key --init" on install and "--populate" on upgrade. Is there
> a scenario where running init might not be a good idea? It won't increase
> security to let users do this manually; even worse: people might just
> not do it then. So I am going with a "works out-of-the-box" experience
> here.

There have been so many issues with people not generating enough entropy
to generate the initial key with "pacman-key --init" that I am not so
sure that this is a good idea.

Note that the revoke file is optional so you do not need to provide an
empty one.

> There are at least two problems with using pacman-key: It is extremely
> verbose and it requires the keyring to be signed which will lead to a
> bootstrapping problem. I started a thread about this on pacman-dev; so
> if you have ideas why this signature check might not be useless let me
> know there.

I will discuss pacman-key in the other thread.  But we still have a
bootstrap issue here...  What key is the package signed by?  Users
will need to verify that key.  I think this is the only case where a
package should be signed by one (or more) of the master keys.

I am finding it difficult to see how turning on signing in a current
system can be done both automatically and securely (with a new install,
setting up the keyring can be automatically done during install under
the assumption that the user verified the install media...). Telling
users to install a package that sets up their keyring without verifying
the signature of the package first seems like a failure at step one.

We could just create a news entry/wiki page with instructions on setting
up the keyring.  Something like:

pacman-key --init
wget $(pacman -Sp archlinux-keyring){,.sig}
pacman-key --recv-keys <keys>    (key IDs need to be widely published)
pacman-key --verify archlinux-keyring-2012*-1-any.pkg.tar.xz.sig
pacman -U archlinux-keyring-2012*-1-any.pkg.tar.xz

Allan
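The five-command bootstrap above, scripted as an added example (this is not code from the mail, from pacman-key, or from the archlinux-keyring package). It adds the check the command list leaves implicit: a signature that merely verifies is not enough, it has to be a valid signature made by one of the published master keys, and that is matched on the full fingerprint rather than the key ID passed to "--recv-keys", because a keyserver can return a different key for a short ID. Assumptions not stated on the page: the MASTER_FPRS values are placeholders to be replaced with the fingerprints published out of band, pacman-key keeps its keyring in /etc/pacman.d/gnupg, and gpg 2.x with "--status-fd 1" is used for machine-readable verification output. The sample gpg status lines used for the offline demonstration are constructed, not captured.

```shell
#!/bin/sh
# Added example, not code from the original mail or from Arch's own tooling.
# Scripts Allan's manual keyring bootstrap and adds an explicit check that
# the archlinux-keyring signature is VALID and made by a master key, matched
# on the full 40-hex-digit fingerprint.
#
# Assumptions (not from the page):
#   MASTER_FPRS  - placeholders; paste the fingerprints published out of band
#   PACMAN_GNUPG - pacman-key's keyring directory
#   gpg 2.x, "--status-fd 1" for machine-readable verify output

MASTER_FPRS="0000000000000000000000000000000000000001
0000000000000000000000000000000000000002"
PACMAN_GNUPG=/etc/pacman.d/gnupg

# fprs_of: stdin is "gpg --with-colons --fingerprint" output; print the full
# fingerprint (field 10) of every "fpr" record, primary keys and subkeys alike.
fprs_of() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# is_master FPR: true iff FPR is one of the published master fingerprints.
is_master() {
    printf '%s\n' "$MASTER_FPRS" | grep -qix "$1"
}

# valid_sig_fpr: stdin is gpg status-fd output; print the fingerprint from
# the VALIDSIG line, nothing if the signature did not verify (BADSIG, NO_PUBKEY).
valid_sig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3 }'
}

# check_signer: stdin is gpg status-fd output; succeed only when the signature
# verified AND the signing key is a master key. A valid signature by any other
# key already in the keyring must fail here.
check_signer() {
    fpr=$(valid_sig_fpr)
    [ -n "$fpr" ] && is_master "$fpr"
}

# key_imported FPR: true iff a key with exactly this fingerprint is now in the
# pacman keyring, i.e. the keyserver returned the key that was asked for.
key_imported() {
    gpg --homedir "$PACMAN_GNUPG" --with-colons --fingerprint "$1" 2>/dev/null \
        | fprs_of | grep -qix "$1"
}

# bootstrap: the procedure itself; needs root on an Arch system.
bootstrap() {
    pacman-key --init || return 1
    url=$(pacman -Sp archlinux-keyring) || return 1
    pkg=${url##*/}
    wget "$url" "$url.sig" || return 1
    for f in $MASTER_FPRS; do
        # fetch by full fingerprint, then confirm what actually landed
        pacman-key --recv-keys "$f" || return 1
        key_imported "$f" || { echo "keyserver did not return $f" >&2; return 1; }
    done
    gpg --homedir "$PACMAN_GNUPG" --status-fd 1 --verify "$pkg.sig" "$pkg" 2>/dev/null \
        | check_signer || { echo "$pkg: no valid signature by a master key" >&2; return 1; }
    pacman -U "$pkg"
}

if [ "${1:-}" = run ]; then
    bootstrap
else
    # Offline demonstration on constructed gpg status output (not real data).
    sample='[GNUPG:] GOODSIG 0000000000000001 Placeholder Master Key
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2012-03-04 1330900000 0 4 0 1 10 00 0000000000000000000000000000000000000001'
    if printf '%s\n' "$sample" | check_signer; then
        echo "constructed sample: valid signature by a master key"
    fi
    echo "run as '$0 run' (as root, on Arch) to perform the bootstrap"
fi
```

Without an argument the script only exercises the parsing functions on the constructed sample; "run" performs the real bootstrap. The deliberate ordering is: receive keys, confirm fingerprints, verify the package signature against that set, and only then pacman -U, so a package signed by any key other than a master key never reaches the install step.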

