[arch-general] Is it secure to just sign repository databases?

Levente Polyak anthraxx at archlinux.org
Sun Jun 16 17:12:42 UTC 2019

On June 16, 2019 5:57:34 PM GMT+02:00, Eli Schwartz via arch-general <arch-general at archlinux.org> wrote:
>That being said, if you have signed the repository db then as you
>mentioned the sha256 checksums for the package file are securely
>so you are guaranteed that use of pacman -S pkgname will securely
>that it is installing the package the repo-add user expected to provide
>when running repo-add.
>What is your threat model? These things will not be protected against:
>- people installing the package file directly, as such:
>  pacman -U https://example.com/foopkg-1-1-x86_64.pkg.tar.xz
>- An attacker with local filesystem access on the signing/hosting
>  can retroactively replace *all* packages built at any date, and trick
>  you into signing a new repo DB referencing them.
>- In shared packaging situations, like when a team of dozens of people
>  all upload packages, you want to be able to verify who signed each
>  package, as opposed to only verifying that the last person to update
> the repository asserted that all other packages are good and backed by
>  his/her good name -- this does not concern you.

An important side note: This will only really help
if users of the repo have set the repository SigLevel
to Required (which is not the default).
When using the default of Optional a MitM
attacker can just drop signatures for that database,
which obviously is much much much easier to
achieve for non https mirrors.


More information about the arch-general mailing list