[arch-projects] [dbscripts][PATCH] Prepare to sign repo databases

Allan McRae allan at archlinux.org
Sun Nov 3 05:03:41 EST 2013

On 03/11/13 18:50, Pierre Schmitz wrote:
> Am 03.11.2013 02:32, schrieb Allan McRae:
>> On 03/11/13 11:19, Allan McRae wrote:
>>> Add function to sign repo database.  Enabling signing requires setting
>>> SIGN_DB to true and adding the key ID to DB_KEY. The DB_KEY is restricted
>>> from signing package files.
>>> Signed-off-by: Allan McRae <allan at archlinux.org>
>>> ---
>> GPG does not have a concept of some keys being valid for some tasks.
>> So pacman can not have this concept without implementing a complete hack
>> or requiring two separate keyrings (one for databases and one for
>> packages).  Both of these are not going to happen, so we need to deal
>> with restricting key usage in dbscripts.
>> The idea here is that someone creates a repo signing key and all master
>> keys sign it.  Then a subkey is created and put on nymeria.  If we have
>> issues, the subkey is revoked and a new subkey is created.
>> Note that the patch assumes the db key will be added to nymeria's pacman
>> keyring which is located in the default location.
>> Allan
> I don't see how this could work. If you sign a package using that key
> pacman will happily accept it as valid. So if nymeria gets compromised
> the attacker obtains a valid packager key. Imho implementing db sigs
> this way is less secure than not implementing it at all.

If an attacker obtains any of our packagers keys then they can sign a
package.  So by your logic we should not be signing packages.

Also, this is the way every other distro signs their databases and
packages.  And they all use gpgv to verify packages which has no idea
about a web of trust.  This seems like something we should be able to

Finally, I think signing databases is far more important than signing
packages.  The most practical attack on Arch is to become a mirror and
hold back package updates with known vulnerabilities.  Then you even
know the IP addresses of people who have the vulnerable package.  DB
signing stops this as the entire database needs held back and people
will notice the lack of updates.


More information about the arch-projects mailing list