[arch-dev-public] Proposed news item: Package verification

Gaetan Bisson bisson at archlinux.org
Thu May 31 09:07:34 EDT 2012


[2012-05-02 23:38:22 +0200] Gaetan Bisson:
> However, the install message is drowned in the flood of packages, so most
> users will likely struggle when they run pacman next.

All in all, that seems like a minor con, especially since, on top of the
install message, we'll have a news post about this. It is far outweighed
by the pro of bringing users' setups in line with ours.

Attached are an updated proposed news post and pacman-4.0.3-2 release.
Please do have a look and let me know if you disagree with anything. I
would like to push this to [testing] in a couple of days or so.

Cheers.

-- 
Gaetan
-------------- next part --------------
Title: Having pacman verify packages

Over the past six months, pacman has had package verification features,
although they were turned off while we were still figuring out the
details of our public-key infrastructure.

They have been enabled in pacman-4.0.3-2; when you upgrade, you will be
prompted to run:

	pacman-key --init
	pacman-key --populate archlinux

This sets up a local keyring for pacman and populates it with the data needed
to authenticate official packages. This includes five master keys, which are used
to certify the keys of official Arch Linux packagers (developers and trusted users),
so you do not need to track who joins or leaves the team: you only have to verify
those five master keys, once. The populate command will prompt you to do so;
please do this carefully by checking the fingerprints displayed against
<a href="https://www.archlinux.org/master-keys/">those published on our website</a>,
and do not confirm a key whose fingerprint does not match. Note that this upgrade
is itself installed while signature checking is still disabled (the old default was
SigLevel = Never), so comparing these five fingerprints is what anchors the trust of
every package verified from then on.

Then, merge your pacman.conf with the pacman.conf.pacnew that the upgrade leaves
next to it: it removes the old "SigLevel = Never" line and sets SigLevel = PackageRequired
for the official repositories, which enables package verification. Once that is done,
you should be good to go.

For details on the development of pacman and archlinux-keyring, see the blog posts of
<a href="http://allanmcrae.com/2011/12/pacman-package-signing-4-arch-linux/">Allan</a>
and <a href="https://pierre-schmitz.com/verify-all-the-packages/">Pierre</a>.
-------------- next part --------------
diff -Naur old/pacman.conf new/pacman.conf
--- old/pacman.conf	2012-05-31 22:15:59.600458792 +1000
+++ new/pacman.conf	2012-05-31 22:35:29.778949346 +1000
@@ -36,18 +36,13 @@
 CheckSpace
 #VerbosePkgLists
 
-# PGP signature checking
-# NOTE: None of this will work without running `pacman-key --init` first.
-# The compiled in default is equivalent to the following line. This requires
-# you to locally sign and trust packager keys using `pacman-key` for them to be
-# considered valid.
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
 #SigLevel = Optional TrustedOnly
-# If you wish to check signatures but avoid local sign and trust issues, use
-# the following line. This will treat any key imported into pacman's keyring as
-# trusted.
-#SigLevel = Optional TrustAll
-# For now, off by default unless you read the above.
-SigLevel = Never
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
 
 #
 # REPOSITORIES
@@ -77,11 +72,11 @@
 #Include = /etc/pacman.d/mirrorlist
 
 [core]
-#SigLevel = PackageRequired
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [extra]
-#SigLevel = PackageOptional
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 #[community-testing]
@@ -89,7 +84,7 @@
 #Include = /etc/pacman.d/mirrorlist
 
 [community]
-#SigLevel = PackageOptional
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 # An example of a custom package repository.  See the pacman manpage for
diff -Naur old/pacman.conf.x86_64 new/pacman.conf.x86_64
--- old/pacman.conf.x86_64	2012-05-31 22:15:59.600458792 +1000
+++ new/pacman.conf.x86_64	2012-05-31 22:38:21.699215405 +1000
@@ -36,18 +36,13 @@
 CheckSpace
 #VerbosePkgLists
 
-# PGP signature checking
-# NOTE: None of this will work without running `pacman-key --init` first.
-# The compiled in default is equivalent to the following line. This requires
-# you to locally sign and trust packager keys using `pacman-key` for them to be
-# considered valid.
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
 #SigLevel = Optional TrustedOnly
-# If you wish to check signatures but avoid local sign and trust issues, use
-# the following line. This will treat any key imported into pacman's keyring as
-# trusted.
-#SigLevel = Optional TrustAll
-# For now, off by default unless you read the above.
-SigLevel = Never
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.
 
 #
 # REPOSITORIES
@@ -77,11 +72,11 @@
 #Include = /etc/pacman.d/mirrorlist
 
 [core]
-#SigLevel = PackageRequired
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 [extra]
-#SigLevel = PackageOptional
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 #[community-testing]
@@ -89,7 +84,7 @@
 #Include = /etc/pacman.d/mirrorlist
 
 [community]
-#SigLevel = PackageOptional
+SigLevel = PackageRequired
 Include = /etc/pacman.d/mirrorlist
 
 # If you want to run 32 bit applications on your x86_64 system,
@@ -100,7 +95,7 @@
 #Include = /etc/pacman.d/mirrorlist
 
 #[multilib]
-#SigLevel = PackageOptional
+#SigLevel = PackageRequired
 #Include = /etc/pacman.d/mirrorlist
 
 # An example of a custom package repository.  See the pacman manpage for
diff -Naur old/pacman.install new/pacman.install
--- old/pacman.install	2012-05-31 22:15:59.600458792 +1000
+++ new/pacman.install	2012-04-30 20:36:13.366366907 +1000
@@ -9,7 +9,9 @@
     if [ "$(vercmp $2 3.5.0)" -lt 0 ]; then
         _warnupgrade
     fi
-    _check_pubring
+    if [ ! -f "etc/pacman.d/gnupg/pubring.gpg" ] || [ "$(vercmp $2 4.0.3-2)" -lt 0 ]; then
+        _check_pubring
+    fi
 }
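Review bot: `$2` is expanded unquoted inside `$(vercmp $2 4.0.3-2)` on the new condition; it is the previously installed version and should never contain spaces, but quoting it as `[ "$(vercmp "$2" 4.0.3-2)" -lt 0 ]` matches the quoting style of the `-f` test on the same line and survives an empty argument. With this change the pubring existence check has moved out of `_check_pubring` into the caller, so a short comment here would keep the intent readable, e.g. `# Prompt for keyring setup if there is no keyring yet, or when upgrading from a pacman that shipped SigLevel = Never`. The `+++ new/pacman.install` timestamp (2012-04-30) is a month older than the other new files (2012-05-31), so it is worth confirming this is the intended revision of the script. post_upgrade begins before this hunk.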
 
 post_install() {
@@ -17,9 +19,9 @@
 }
 
 _check_pubring() {
-    if [ ! -f "etc/pacman.d/gnupg/pubring.gpg" ]; then
-        echo " >>> Run \`pacman-key --init\` to set up your pacman keyring."
-    fi
+    echo " >>> Run  \`pacman-key --init; pacman-key --populate archlinux\`"
+    echo " >>> to import the data required by pacman for package verification."
+    echo " >>> See: https://www.archlinux.org/news/having-pacman-verify-packages"
 }
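Review bot: After this change `_check_pubring` checks nothing and unconditionally prints instructions, so its name no longer describes what it does; either rename it (for instance `_warn_keyring`, updating the single caller in post_upgrade) or add a comment above it such as `# Print keyring setup instructions; the caller decides whether they are needed.` The first message also has a doubled space in `" >>> Run  \`pacman-key --init; ...`; `" >>> Run \`pacman-key --init; pacman-key --populate archlinux\`"` reads better. Since these strings are fixed literals, `echo` is fine here and no change to `printf` is needed.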
 
 _warnupgrade() {
diff -Naur old/PKGBUILD new/PKGBUILD
--- old/PKGBUILD	2012-05-31 22:15:59.600458792 +1000
+++ new/PKGBUILD	2012-05-31 22:41:54.882878202 +1000
@@ -5,14 +5,14 @@
 
 pkgname=pacman
 pkgver=4.0.3
-pkgrel=1
+pkgrel=2
 pkgdesc="A library-based package manager with dependency support"
 arch=('i686' 'x86_64')
 url="http://www.archlinux.org/pacman/"
 license=('GPL')
 groups=('base')
 depends=('bash' 'glibc>=2.15' 'libarchive>=3.0.2' 'curl>=7.19.4'
-         'gpgme' 'pacman-mirrorlist')
+         'gpgme' 'pacman-mirrorlist' 'archlinux-keyring')
 makedepends=('asciidoc')
 optdepends=('fakeroot: for makepkg usage as normal user')
 backup=(etc/pacman.conf etc/makepkg.conf)
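Review bot: Making archlinux-keyring a hard dependency of pacman is what guarantees `pacman-key --populate archlinux` has key data to read, but if archlinux-keyring's own install script calls pacman-key (I cannot see that package here), the two packages now depend on each other and the install order within a single transaction matters; worth confirming a fresh install and the upgrade path both work. The dependency is unversioned: if populate relies on a keyring layout first shipped in a particular archlinux-keyring release, pin it, e.g. `'archlinux-keyring>=<first-usable-version>'`. The pkgrel bump itself is fine.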
@@ -24,8 +24,8 @@
         makepkg.conf)
 md5sums=('387965c7125e60e5f0b9ff3b427fe0f9'
          '1a70392526c8768470da678b31905a6e'
-         '4605b3490d4fd1e5c6e20db17da9ded6'
-         'a0edf98ad1845a4c7d902a86638d5d2d'
+         '99734ea46795f466d41c503e9e23b6d4'
+         '556d49489e82b5750cf026d3b18c8f4f'
          '589cd34eb9d5b678455e8289394f523e')
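Review bot: The regenerated checksums are MD5; in a PKGBUILD they are only an integrity check over the locally shipped pacman.conf files and the upstream tarball, so this is not a verification gap by itself, but for the release that switches on signature checking it would be consistent to use `sha256sums=(...)` instead, provided the makepkg in use supports it. Note that the array name and every entry, including the unchanged tarball hash, must change together, so this is a separate follow-up rather than an edit to this hunk.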
 
 build() {

