[pacman-dev] [PATCH] (newgpg) Let pacman specify GnuPG's home directory.
Gerhard Brauer
gerbra at archlinux.de
Mon Dec 15 15:11:21 EST 2008
On Mon, 15 Dec 2008 13:50:49 -0600, Chris Brannon <cmbrannon at cox.net> wrote:
> Try removing trustdb from the gpg
> directory, while leaving pubring intact. You'll see what I mean.
> To summarize, it checks the signature if the key is found in pubring.
Yes, you're right. Got this in debug when the key is not trusted (no
trustdb):
summary=0
fpr=0403BBB7C3907CDA95FBB3E61221825A96A08062
status=0
timestamp=1228738371
wrong_key_usage=0
pka_trust=0
chain_model=0
validity=0
validity_reason=0
key=17
hash=2
error: Package /var/cache/pacman/pkg/abook-0.5.6-4-i686.pkg.tar.gz has
an invalid signature. abook-0.5.6-4-i686.pkg.tar.gz is invalid or corrupted
And this when the signing pubkey is trusted:
summary=3
fpr=0403BBB7C3907CDA95FBB3E61221825A96A08062
status=0
timestamp=1228738371
wrong_key_usage=0
pka_trust=0
chain_model=0
validity=4
validity_reason=0
key=17
hash=2
debug: installing packages
debug: found cached pkg: /var/cache/pacman/pkg/abook-0.5.6-4-i686.pkg.tar.gz
debug: loading target '/var/cache/pacman/pkg/abook-0.5.6-4-i686.pkg.tar.gz'
debug: no package signature file found
The last line confused me...
> I think pacman should at least complain if the signing key is not
> found in the public keyring. Thoughts?
IMHO pacman should refuse to install anything from core and extra if
the signature is not found or corrupted.
I don't know what to do with community (maybe a second keyring with
TU signatures?)
My thoughts were to make an option for each repo section in pacman.conf.
With this option: Keyring = /foo/bar we have an indicator that pacman
should check for correct signatures, and users could additionally have their
unsigned or self-signed repos.
> -- Chris
Regards
Gerhard
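The two debug dumps above differ only in summary= and validity=, while status=0 in both: the signature is cryptographically good in both cases, and what the first dump reports is a key with no trust, not a forged package. The following script is an added example (my code, not pacman's and not from the patch under discussion) that parses those dumps, maps the summary bitmask and validity value to the named gpgme constants from gpgme.h, and applies the per-repo policy proposed in the mail: a repo section that sets the proposed Keyring = option requires a trusted signature, a repo without it is accepted as-is. The decide() function, its verdict names and the Keyring handling are my assumptions; the two dumps are copied verbatim from the mail.

```python
import re

# gpgme_sigsum_t bit flags and gpgme_validity_t values as defined in gpgme.h.
# These are the library constants behind the summary= and validity= lines.
SIGSUM_VALID = 0x0001        # signature is fully valid
SIGSUM_GREEN = 0x0002        # signature is good
SIGSUM_RED = 0x0004          # signature is bad
SIGSUM_KEY_REVOKED = 0x0010
SIGSUM_KEY_EXPIRED = 0x0020
SIGSUM_SIG_EXPIRED = 0x0040
SIGSUM_KEY_MISSING = 0x0080  # signing key not found in the keyring
SIGSUM_SYS_ERROR = 0x0800
HARD_FAIL = (SIGSUM_RED | SIGSUM_KEY_REVOKED | SIGSUM_KEY_EXPIRED
             | SIGSUM_SIG_EXPIRED | SIGSUM_SYS_ERROR)

VALIDITY_NAMES = {0: "unknown", 1: "undefined", 2: "never",
                  3: "marginal", 4: "full", 5: "ultimate"}

# Input copied from the mail: key with no trust (no trustdb), then trusted key.
# key=17 and hash=2 are OpenPGP algorithm ids (DSA and SHA-1).
UNTRUSTED_DUMP = """\
summary=0
fpr=0403BBB7C3907CDA95FBB3E61221825A96A08062
status=0
timestamp=1228738371
wrong_key_usage=0
pka_trust=0
chain_model=0
validity=0
validity_reason=0
key=17
hash=2
"""

TRUSTED_DUMP = """\
summary=3
fpr=0403BBB7C3907CDA95FBB3E61221825A96A08062
status=0
timestamp=1228738371
wrong_key_usage=0
pka_trust=0
chain_model=0
validity=4
validity_reason=0
key=17
hash=2
"""


def parse_dump(text):
    """Turn 'name=value' debug lines into a dict; fpr stays a string, the rest become ints."""
    sig = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*(\w+)=(\S+)\s*", line)
        if m:
            key, value = m.groups()
            sig[key] = value if key == "fpr" else int(value)
    return sig


def classify(sig):
    """Map a parsed result to a verdict name (verdict names are my own, not gpgme's)."""
    summary, status = sig["summary"], sig["status"]
    if summary & SIGSUM_KEY_MISSING:
        return "key-missing"          # nothing could be verified at all
    if summary & HARD_FAIL or status != 0:
        return "bad"                  # signature does not verify, or key revoked/expired
    if summary & SIGSUM_VALID and summary & SIGSUM_GREEN:
        return "trusted"              # summary=3 in the mail: VALID|GREEN
    # status=0 but neither VALID nor GREEN: cryptographically good, key not trusted.
    return "untrusted-key"


def decide(repo_keyring, sig):
    """Policy from the mail (assumed shape): repo_keyring is the value of the
    proposed 'Keyring =' option, or None when the repo section does not set it."""
    verdict = classify(sig)
    if repo_keyring is None:
        return ("install", "repo sets no Keyring=, signature verdict ignored: " + verdict)
    if verdict == "trusted":
        validity = VALIDITY_NAMES.get(sig["validity"], "?")
        return ("install", "signature by %s, validity %s" % (sig["fpr"], validity))
    return ("refuse", "verdict %s against keyring %s" % (verdict, repo_keyring))


if __name__ == "__main__":
    for name, dump in (("untrusted", UNTRUSTED_DUMP), ("trusted", TRUSTED_DUMP)):
        print(name, decide("/foo/bar", parse_dump(dump)))
```

Note that decide() only consumes a result that gpgme has already produced; the Keyring value is not opened here, it is only the switch that turns enforcement on for that repo. The distinction classify() makes between "untrusted-key" and "bad" is the one the current error message in the mail ("invalid signature ... is invalid or corrupted") blurs.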