[arch-general] How to download .sigs into CacheDir with pacman

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Thu Mar 22 13:28:43 EDT 2012


On Thu, Mar 22, 2012 at 2:05 PM, Dennis 'Gyroplast' Herbrich
<dennis at archlinux.org> wrote:
> Greetings everyone!
>
> I am constructing a local, common repository of packages aggregated from
> core, extra and community, named 'default' for discussion's sake. This
> local repository shall be a "frozen" state of a (virtual) machine's
> package installation, to ensure a common package status across all
> machines which are using this local repository to upgrade. The idea behind
> this is to setup an internally tested "baseline" or "stable release"
> repository for certain clients.
>
> Basically, I want to shove 'pacman -Q' output into my magic bash script on
> my personal testing machine where all necessary updates are installed, and
> have a shiny repository ready for use fall out at the end. This is working
> nicely already, except for one thing that bothers me greatly:
>
> I haven't found a way to reliably download the official package signature
> files along with the packages themselves through creative use of pacman. I
> do not REALLY want to fetch the .sig files in another step from the mirror
> I am using, as that'd require me to construct package FILE names myself
> instead of just throwing pacman a "core/filesystem=2012.2-2" and let
> pacman figure out my architecture and download location. I DO want to have
> package signing available for my local copy, though.
>
> Is there a way to grab the .sig files along with the package files with
> pacman, and place them somewhere neat as the CacheDir, for instance?

That's an interesting situation. If I understood you correctly, you
have something like:

repository box:
Downloads some updates that you'll test and approve. After that,
you'll publish a new version of your repository database.

other boxes:
Updates from your private repository. Do they update only from your
repository or can they eventually get updates from Arch? I presume
they update only from your repository.

What you maybe don't know is that pacman doesn't use those .sig files to
really check the packages. The signatures come with each repository
database, in the metadata for each signed package. So, you shouldn't
really have to download them again; you already got them with Arch's
database repositories, in your repository box.

I would do the following:

1. Create a gpg key on the repository box
2. Sign the database you create with repo-add (you can choose the key to use)
3. On the other boxes, use pacman-key to import and trust your
repository public key
4. Update your other boxes
5. Be happy :)

For future updates of your repository, you'll have to re-sign it. What
you really get is a two level trust system. Your repository box trusts
Arch's keys and your other boxes trust your repository key.

Hope that helps.

-- 
A: Because it obfuscates the reading.
Q: Why is top posting so bad?
For more information, please read: http://idallen.com/topposting.html

-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------
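The five steps above as a script, added here as an example and not part of the thread or of pacman's own tooling; it also wraps the 'pacman -Q' to 'pacman -Sw' step from the original question. It assumes a repository directory /srv/repo/default served to the clients, a placeholder key id, and packages ending in .pkg.tar.xz.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: REPO_DIR is served over HTTP
# to the clients, KEY_ID is the key from step 1, packages end in .pkg.tar.xz.
set -eu

REPO_NAME=default
REPO_DIR=/srv/repo/default
CACHE_DIR=/var/cache/pacman/pkg
KEY_ID='repo-signing@example.invalid'   # placeholder, set to your key id

# Turn 'pacman -Q' lines ("filesystem 2012.2-2") into -S targets of the
# form "filesystem=2012.2-2", so pacman resolves arch and file name itself.
to_targets() {
    awk 'NF == 2 { print $1 "=" $2 }'
}

# Step 1 (repository box, once): the key that will sign the database.
create_key() {
    gpg --gen-key                           # interactive; note the key id
    gpg --armor --export "$KEY_ID" > "$REPO_DIR/$REPO_NAME.pub"
}

# Step 2 (repository box, every release): download the tested package set
# into CacheDir, copy it into the repo and (re)build a signed database.
build_repo() {
    mkdir -p "$REPO_DIR"
    pacman -Q | to_targets | xargs pacman -Sw --noconfirm
    pacman -Q | while read -r name ver; do
        cp "$CACHE_DIR/$name-$ver-"*.pkg.tar.xz "$REPO_DIR/"
    done
    repo-add --sign --key "$KEY_ID" \
        "$REPO_DIR/$REPO_NAME.db.tar.gz" "$REPO_DIR"/*.pkg.tar.xz
}

# Step 3 (each client): trust the repository key, then add to pacman.conf:
#   [default]
#   SigLevel = Required
#   Server = http://repobox/default
trust_repo_key() {
    pacman-key --add "$1"                   # path to the exported .pub file
    pacman-key --lsign-key "$KEY_ID"
}

# Step 4 (each client): pacman -Syu now verifies the database with your
# key, while the repository box verified the packages with Arch's keys.
case "${1:-}" in
    key)   create_key ;;
    build) build_repo ;;
    trust) trust_repo_key "${2:?path to .pub file}" ;;
esac
```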

