[pacman-dev] Dan's pacman tree build&test

Dan McGee dpmcgee at gmail.com
Thu Dec 4 22:12:07 EST 2008


On Thu, Dec 4, 2008 at 12:44 PM, Gerhard Brauer <gerbra at archlinux.de> wrote:
> Ok, I have tested the package signing feature from Dan's pacman git.
> (Thanks Allan for the hint with --disable-doc)
>
> I test with the abook package from extra.

Woohoo! Thanks for testing, this is much appreciated.

> 1)
> makepkg
> ==> Finished making: abook 0.5.6-2 i686 (Thu Dec  4 15:52:44 UTC 2008)
> ==> Signing package...
> ==> ERROR: Cannot find the gpg binary! Is gnupg installed?
> 2)
> makepkg
> ==> Finished making: abook 0.5.6-2 i686 (Thu Dec  4 15:55:34 UTC 2008)
> ==> Signing package...
> gpg: directory `/root/.gnupg' created
> gpg: new configuration file `/root/.gnupg/gpg.conf' created
> gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
> gpg: keyring `/root/.gnupg/secring.gpg' created
> gpg: keyring `/root/.gnupg/pubring.gpg' created
> gpg: no default secret key: secret key not available
> gpg: signing failed: secret key not available
> ==> WARNING: Failed to sign package file.
>
> That's right. I still have no gpg key.
> After setting up all gpg things makepkg builds and signs the package.

So it sounds like we have a relatively sane makepkg patch, with most
of the failure conditions working OK? This is good, and it means we
are mostly done in this department.

> 3)
> Add a repo: mypkg
> repo-add adds the abook package and also puts the %PGPSIG% field in the desc file.

Sweet. I think we are good here too.

> 4)
> pacman -S mypkg/abook
> checking package integrity...
> warning: gpg cmdline: gpg --verify --no-default-keyring --keyserver-options no-auto-key-retrieve --keyring /tmp/testing.gpg - /var/cache/pacman/pkg/abook-0.5.6-2-i686.pkg.tar.gz
> error: failed to commit transaction (invalid or corrupted package)
> abook-0.5.6-2-i686.pkg.tar.gz is invalid or corrupted
> Errors occurred, no packages were upgraded.
>
> Ok, I have not imported the public key to root's keyring.
>
> 5)
> [root@archtest ~]# LANG=C pacman -S mypkg/abook
> resolving dependencies...
> looking for inter-conflicts...
>
> Targets (1): abook-0.5.6-2
>
> Total Download Size:    0.00 MB
> Total Installed Size:   0.20 MB
>
> Proceed with installation? [Y/n]
> checking package integrity...
> warning: gpg cmdline: gpg --verify --no-default-keyring --keyserver-options no-auto-key-retrieve --keyring /tmp/testing.gpg - /var/cache/pacman/pkg/abook-0.5.6-2-i686.pkg.tar.gz
> (1/1) checking for file conflicts                   [#####################] 100%
> (1/1) installing abook                              [#####################] 100%
>
> Problem/Question:
> Where could I define the public keyring location?
> According to the commit "Add keyring location as option on libalpm handle" there is a libalpm option
> --keyring. But I have no idea where to define it (in pacman.conf I got an error).
> I copied my keyring temporarily to /tmp/testing.gpg, which seems to be the default search path and
> filename. Doing this I could install the above abook from my repo.

You're delving into uncoded territory here, and not completely
thought-out territory. This still needs some work.

> 6)
> [root@archtest ~]# LANG=C pacman -Sy mypkg/abook
> :: Synchronizing package databases...
>  core is up to date
>  extra is up to date
>  community is up to date
>  mypkg is up to date
> warning: abook-0.5.6-2 is up to date -- reinstalling
> resolving dependencies...
> looking for inter-conflicts...
>
> Targets (1): abook-0.5.6-2
>
> Total Download Size:    0.05 MB
> Total Installed Size:   0.20 MB
>
> Proceed with installation? [Y/n]
> :: Retrieving packages from mypkg...
>  abook-0.5.6-2-i686        49.6K   20.9M/s 00:00:00 [#####################] 100%
> checking package integrity...
> warning: gpg cmdline: gpg --verify --no-default-keyring --keyserver-options no-auto-key-retrieve --keyring /tmp/testing.gpg - /var/cache/pacman/pkg/abook-0.5.6-2-i686.pkg.tar.gz
> error: failed to commit transaction (invalid or corrupted package)
> abook-0.5.6-2-i686.pkg.tar.gz is invalid or corrupted
> Errors occurred, no packages were upgraded.
>
> Here I have modified the abook-0.5.6-2-i686.pkg.tar.gz package, copied it to my repo,
> did a repo-add but used the old *.sig signature. This modified package does not get
> installed.
> Maybe the error/reason could be explained in more detail.

Yeah, once again this is definitely work in progress. There is still
a good bit to be done, as the current pacman/libalpm/gpg integration
is hairy.

> Summary:
> I think most of the signing part (makepkg, repo-add) and the verifying
> part (pacman) works so far. Awesome!
> gpg verifying is well integrated in pacman; the "warning: gpg cmdline"
> line I assume is a test/debug thing.
>
> Next step could be: verifying the database files during pacman -Sy ?

There is nothing to verify about the database yet. Eventually we can
sign these as well if necessary, but right now the only sigs are on
the packages themselves. This is an area that will need work as it is
possible to make completely valid databases with valid packages, but
an attacker could purposely hold back package releases to keep
vulnerabilities open.

Thanks for your help and feedback.

-Dan
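The two checks Gerhard exercised (test 5: untouched package verifies; test 6: a modified package re-added with the old .sig is rejected) and the database concern Dan raises at the end (a validly signed database can still be held back to hide newer releases), as an added example in Python. This is not pacman code and not from this thread: HMAC-SHA256 with a shared key stands in for the PGP detached signature that `gpg --verify` checks, the JSON database layout, the `expires` field and the one-week lifetime are assumptions, and the package bytes and timestamp are constructed.

```python
"""Detached-signature checks for packages plus a freshness-bounded signed
database.  HMAC-SHA256 with a shared key stands in for the PGP detached
signature gpg --verify would check; the database layout is hypothetical."""
import hashlib
import hmac
import json

# Constructed signing key; in the real design this is the packager's PGP key.
SIGNING_KEY = b"example-repo-signing-key"

DB_LIFETIME = 7 * 86400  # assumption: a signed database is trusted for one week


def sign(key: bytes, data: bytes) -> str:
    """Stand-in for `gpg --detach-sign`: a hex tag over the exact bytes."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_package(key: bytes, pkg: bytes, sig: str) -> bool:
    """Per-package check done at 'checking package integrity'.
    Any change to the archive bytes invalidates the old .sig."""
    return hmac.compare_digest(sign(key, pkg), sig)


def build_db(key: bytes, packages: dict, signed_at: int) -> tuple:
    """repo-add analogue: serialize entries (name -> version, pgpsig) plus
    an expiry, then sign the whole blob.  Canonical JSON keeps bytes stable."""
    db = {
        "signed_at": signed_at,
        "expires": signed_at + DB_LIFETIME,
        "packages": packages,
    }
    blob = json.dumps(db, sort_keys=True, separators=(",", ":")).encode()
    return blob, sign(key, blob)


def verify_db(key: bytes, blob: bytes, sig: str, now: int) -> str:
    """Client-side check during -Sy: 'ok', 'bad-signature' or 'expired'.
    A signature alone cannot stop a mirror from serving an old but validly
    signed database that omits newer releases; the expiry bounds that window."""
    if not hmac.compare_digest(sign(key, blob), sig):
        return "bad-signature"
    db = json.loads(blob)
    if now >= db["expires"]:
        return "expired"
    return "ok"


# Constructed stand-ins for the package archive and its repo entry.
PKG = b"abook-0.5.6-2-i686.pkg.tar.gz contents (constructed)"
PKG_SIG = sign(SIGNING_KEY, PKG)
T0 = 1228435200  # constructed timestamp: 2008-12-05 00:00:00 UTC

DB_BLOB, DB_SIG = build_db(
    SIGNING_KEY, {"abook": {"version": "0.5.6-2", "pgpsig": PKG_SIG}}, T0
)


def demo() -> dict:
    """Run the thread's scenarios and return the outcome of each."""
    tampered_pkg = PKG.replace(b"contents", b"CONTENTS")
    edited_db = DB_BLOB.replace(b"0.5.6-2", b"0.5.6-1")
    return {
        # test 5: untouched package, matching signature
        "pkg_ok": verify_package(SIGNING_KEY, PKG, PKG_SIG),
        # test 6: modified package re-added with the old .sig
        "pkg_tampered": verify_package(SIGNING_KEY, tampered_pkg, PKG_SIG),
        # fresh database fetched the next day
        "db_fresh": verify_db(SIGNING_KEY, DB_BLOB, DB_SIG, T0 + 86400),
        # the same validly signed database replayed a month later
        "db_stale": verify_db(SIGNING_KEY, DB_BLOB, DB_SIG, T0 + 30 * 86400),
        # database edited on the mirror after signing
        "db_edited": verify_db(SIGNING_KEY, edited_db, DB_SIG, T0 + 86400),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The package checks mirror what pacman already does in this tree; the `expires` field is what a signed database would need on top of a signature to close the hold-back attack Dan describes, since a client that refuses a database past its lifetime forces the mirror to serve something recently signed.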

