[arch-dev-public] arch bootstrapping

Thomas Bächler thomas at archlinux.org
Sun Aug 18 12:16:39 EDT 2013

On 17.08.2013 17:27, Zbigniew Jędrzejewski-Szmek wrote:
> Hi,
> I was trying to get the arch installation example in systemd-spawn
> to work on Fedora. My intent is to package pacman and pacstrap for
> Fedora, to make it easy to play with distributions. Fedora already
> has alien and dpkg/apt-get, so adding pacman seems kind of nice.
> The packaging process is going well, but the installation is not
> as easy, because of gpg key issues. It's possible that I made some
> error, I tried both to add SigLevel=TrustAll in (host's) /etc/pacman.conf,
> and to import gpg keys with 'pacman-key --populate archlinux'.
> The second solution didn't seem to work, and both have downsides:
> - disabling checking is bad because of security issues,
>   and it also seems to mess up the trust database inside the container,
> - importing the trust database in the host (assuming that I'd get it
>   to work), would require either also packaging the keys for Fedora,
>   or telling the user to trust keys blindly and download them from
>   the internet...

pacstrap assumes that you have a working key database on the host (which
is the case for our live CD and bootstrap tarball). To work around that,
you need to

1) set up a keyring in /instroot/etc/pacman.d/gnupg
2) call pacstrap with the -G option

This will set up a keyring in /instroot without the need for one in the

For 1), simply run
 pacman-key --gpgdir /instroot/etc/pacman.d/gnupg --init
 pacman-key --gpgdir /instroot/etc/pacman.d/gnupg --populate archlinux

For that, you must have the keyring available in
/usr/share/pacman/keyrings/. Get the keyring from
https://projects.archlinux.org/archlinux-keyring.git/ - you need the
archlinux.gpg, archlinux-revoked and archlinux-trusted files.

The only thing that is critical for security is the archlinux-trusted
file - the fingerprints in there must match the ones from
https://www.archlinux.org/master-keys/. The rest of the files are just
there for convenience.
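A constructed example (not from Thomas's mail or from the archlinux-keyring project) of the fingerprint check he calls critical, followed by the two-step keyring setup from the mail. It assumes the archlinux-trusted file uses gpg's ownertrust format (one `FINGERPRINT:4:` line per master key, `#` comments allowed) and that the expected fingerprints have been copied by hand from the master-keys page into a local file.

```shell
#!/bin/sh
# Constructed example: verify the fingerprints listed in archlinux-trusted
# against a local copy of the master-key fingerprints before running
# `pacman-key --populate` in /instroot. Assumes archlinux-trusted lines look
# like "FINGERPRINT:4:" (gpg ownertrust format); adjust if that differs.

# Normalize one fingerprint: strip spaces/tabs, uppercase the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Print the fingerprints found in an archlinux-trusted file, one per line,
# skipping blank lines and # comments (the key holders' names in the real file).
trusted_fingerprints() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | cut -d: -f1 |
        while IFS= read -r f; do norm_fpr "$f"; echo; done
}

# check_trusted TRUSTED_FILE EXPECTED_FILE
# EXPECTED_FILE holds the master-key fingerprints copied by hand from
# https://www.archlinux.org/master-keys/, one per line (spaces allowed).
# Returns 0 when every fingerprint in TRUSTED_FILE is a known master key
# and every master key is present; prints each discrepancy otherwise.
check_trusted() {
    trusted=$(trusted_fingerprints "$1" | sort -u)
    expected=$(grep -Ev '^[[:space:]]*(#|$)' "$2" |
        while IFS= read -r f; do norm_fpr "$f"; echo; done | sort -u)
    status=0
    for f in $trusted; do
        printf '%s\n' "$expected" | grep -qxF "$f" ||
            { echo "UNEXPECTED trusted key: $f" >&2; status=1; }
    done
    for f in $expected; do
        printf '%s\n' "$trusted" | grep -qxF "$f" ||
            { echo "MISSING master key: $f" >&2; status=1; }
    done
    return $status
}

# Only after check_trusted succeeds: build the keyring inside the install
# root and bootstrap with -G so pacstrap does not need the host's keyring.
bootstrap_with_keyring() {
    root=$1; shift
    pacman-key --gpgdir "$root/etc/pacman.d/gnupg" --init
    pacman-key --gpgdir "$root/etc/pacman.d/gnupg" --populate archlinux
    pacstrap -G "$root" "$@"
}
```

Run `check_trusted /usr/share/pacman/keyrings/archlinux-trusted master-keys.txt && bootstrap_with_keyring /instroot base` so the keyring is only populated when the trusted set matches what the master-keys page publishes.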

