[arch-general] Is it secure to just sign repository databases?

Eli Schwartz eschwartz at archlinux.org
Mon Jun 17 17:08:20 UTC 2019

On 6/17/19 12:38 PM, Manuel Reimer wrote:
> On 17.06.19 18:18, Eli Schwartz via arch-general wrote:
>> That being said, it's possible to configure sudo to run makechrootpkg,
>> but only makechrootpkg, as root. Or run SUDO_USER=... SUDO_UID=...
>> makechrootpkg.
> I've tried several times to just launch makechrootpkg with root
> privileges directly. As makechrootpkg drops to an unprivileged user
> inside the chroot, this should be perfectly safe.
> But I always ran into errors saying that makepkg is not allowed to be
> run as root.
> Does your SUDO_USER=... SUDO_UID=... command line allow directly
> launching as root without needing sudo at all? This is what I would need
> to make my autobuild work.

makechrootpkg uses the SUDO_USER/SUDO_UID variables to check which user
it should use when dropping privileges while running makepkg
--verifysource. By setting the variables, you thereby pretend to
makechrootpkg that it has been run via sudo.

Not doing *anything* to check which user to drop privileges to is the
reason why running makechrootpkg as root is usually not going to work.

>> Yes -- do all signing locally, after the package leaves the build VM. If
>> something goes wrong on the VM, you can remove the relevant packages
>> without, say, revoking your key, so the security issue is less drastic.
> This would also be a possible way. Sign packages where the signature is
> outdated, delete signatures that don't belong to packages, and finally
> repo-add everything after deleting the db file.
> Is there a better tool than repo-add/repo-remove? I've been searching for
> some "repo-update" tool for quite a while now. A smart tool which
> doesn't recreate stuff and just updates a DB file would be pretty handy.

repo-add generally works pretty well; it doesn't recreate stuff anyway
-- it unpacks the DB, adds the files you've specified to the DB, and
then repacks the DB. If you're looking for something which scans a
directory to find files which need to be updated, you can try "repose",
but its behavior conflicts with repo-add's, so you cannot mix and match
repo-add and repose.

Eli Schwartz
Bug Wrangler and Trusted User
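As an added example (not code from this thread, and not part of pacman or
devtools), here is the workflow the two messages above converge on, written
as a small POSIX sh script: sign packages on the local host after they leave
the build VM, drop orphaned signatures, and rebuild the repository DB with
repo-add. The file layout, the helper names, the optional GPGKEY variable and
the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from pacman/devtools: a small
# "repo-update" that follows the workflow discussed above. Signing happens
# on the local host only; the build VM never sees the key.
#   1. sign every package whose .sig is missing or older than the package
#   2. delete .sig files whose package no longer exists
#   3. drop the old DB and rebuild it with repo-add
# Hypothetical assumptions: packages match *.pkg.tar.*, detached signatures
# are <pkg>.sig, gpg and repo-add are on PATH, GPGKEY (optional) selects the
# signing key, and DRY_RUN=1 prints the commands instead of running them.
set -eu

# Succeed if package $1 needs (re)signing: no .sig, or .sig older than it.
needs_signature() {
    [ -f "$1.sig" ] || return 0
    [ "$1" -nt "$1.sig" ]
}

# Succeed if signature $1 has no matching package (an orphan).
is_orphan_sig() {
    [ ! -f "${1%.sig}" ]
}

# Print one plan line per file in directory $1:
#   SIGN <pkg>   KEEP <pkg>   DELETE <orphan sig>
plan_dir() {
    for f in "$1"/*.pkg.tar.*; do
        [ -e "$f" ] || continue
        case $f in *.sig) continue ;; esac
        if needs_signature "$f"; then echo "SIGN $f"; else echo "KEEP $f"; fi
    done
    for s in "$1"/*.pkg.tar.*.sig; do
        [ -e "$s" ] || continue
        if is_orphan_sig "$s"; then echo "DELETE $s"; fi
    done
}

# Run a command, or only echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Detached binary signature next to the package, as makepkg --sign produces.
sign_pkg() {
    if [ -n "${GPGKEY:-}" ]; then
        run gpg --detach-sign --no-armor --yes --local-user "$GPGKEY" "$1"
    else
        run gpg --detach-sign --no-armor --yes "$1"
    fi
}

# Apply the plan to directory $1 and rebuild the DB named $2 (e.g. "myrepo").
update_repo() {
    dir=$1 repo=$2
    plan_dir "$dir" | while read -r action file; do
        case $action in
            SIGN)   sign_pkg "$file" ;;
            DELETE) run rm -f "$file" ;;
        esac
    done
    # Start from an empty DB so entries for removed packages disappear too.
    run rm -f "$dir/$repo.db" "$dir/$repo.db.tar.gz" \
              "$dir/$repo.files" "$dir/$repo.files.tar.gz"
    set --
    for f in "$dir"/*.pkg.tar.*; do
        case $f in *.sig) ;; *) if [ -e "$f" ]; then set -- "$@" "$f"; fi ;; esac
    done
    # --sign also signs the DB itself; pacman verifies it according to SigLevel.
    run repo-add --sign "$dir/$repo.db.tar.gz" "$@"
}

if [ $# -eq 2 ]; then update_repo "$1" "$2"; fi
```

Run it as `DRY_RUN=1 ./repo-update.sh /srv/repo myrepo` first to see the plan.
The split matters for the reason the message above gives: the signing key
exists only on the host running this script, so a compromised build VM can at
worst hand you bad unsigned packages that you delete, never signed ones, and
the key itself never needs revoking. For the DB signature produced by
`repo-add --sign` to be checked by clients, the key has to be trusted in
pacman's keyring and SigLevel must require or allow database signatures.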
