[pacman-dev] GPG work
sega01 at gmail.com
Mon Dec 8 08:00:36 EST 2008
I like the idea of GPG signed repositories, but they are just about
useless if they are signing MD5s. MD5 is very insecure, but good for
normal file integrity checking. Can Pacman use SHA-256 or similiar?
Another thing to watch out for is malicious publication of old
repositories with old and vulnerable packages that have the force
option set. I've thought briefly on how to circumvent this, but not
enough to have a method I would purpose.
On Mon, Dec 8, 2008 at 12:34, Dan McGee <dpmcgee at gmail.com> wrote:
> On Mon, Dec 8, 2008 at 4:55 AM, Gerhard Brauer <gerbra at archlinux.de> wrote:
>> Am Sun, 7 Dec 2008 15:18:32 -0600
>> schrieb "Dan McGee" <dpmcgee at gmail.com>:
>>> I did quite a bit more work with GPG today. I wrapped my head around
>>> GPGME, which presents a nice C interface to the GPG stuff so we are
>>> now a lot closer to a working implementation:
>>> >From the script side of things, I didn't change much. The libalpm
>>> has changed considerably, and there is still a lot of room for
>>> improvement. Let me know if you guys have questions.
>> With heads/newgpg pacman doesn't check or find the .sig Files. If
>> starting with --debug i got these debug messages:
>> debug: md5(/var/cache/pacman/pkg/abook-0.5.6-3-i686.pkg.tar.gz) =79777684f62164 934a1264df66b8fdc6
>> debug: returning error 35 from gpgme_init : signature directory not configured correctly
>> debug: installing packages
>> debug: found cached pkg: /var/cache/pacman/pkg/abook-0.5.6-3-i686.pkg.tar.gz
>> debug: loading target '/var/cache/pacman/pkg/abook-0.5.6-3-i686.pkg.tar.gz'
>> debug: no package signature file found
>> Where or what have i to configure as the "gpgme_init : signature directory"?
>> My public key is in /root/.gnupg/pubring.gpg. I tried it also with /tmp/testing.gpg but the same error.
>> AFAI could read the code this may belongs to commit:
>> I see a prog gpgme-config, but don't see what i could do with ;-)
>> Help ;-)
> I didn't promise this worked out of the box- I just meant that it was
> a better start than the other code. You're either going to have to
> know C and understand what is going on (and fix it), or wait for it to
> be in a better state of completion.
> pacman-dev mailing list
> pacman-dev at archlinux.org
More information about the pacman-dev