[pacman-dev] Status of package signing work
Allan McRae
allan at archlinux.org
Mon Nov 22 13:48:13 CET 2010
So... a real world usage test of package signing is under way on my laptop!
I built a pacman-git package from my "gpg" branch
(http://projects.archlinux.org/users/allan/pacman.git/log/?h=gpg). Note
that branch is on top of my working branch which contains a change to
the local db format so be warned if you go to test it...
Here is my experience so far (long version):
1) Adding my signature to the pacman keyring with pacman-key worked.
I'm not entirely up on gpg signing, but I had to set the trust level of
my key to "ultimate" for things I signed to validate. "full" trust was
not enough. Is this usual?
2) Building a package and signing it went flawlessly
3) Adding the package and signature to the repo worked, but a symlink to
the signature needs to be created at repo.db.sig now that pacman looks
for repo.db when downloading a db. Not surprising given the patch for
repo-add is about 30 months old!
4) Updating a repo and validating its signature went fine although it
does give a lot of output which needs to be removed. Also, the name displayed
while downloading the sig file needs to be adjusted.
> pacman -Syy
:: Synchronizing package databases...
pacman 1.0K 318.7K/s 00:00:00 [######################] 100%
pacman 0.3K 10.5M/s 00:00:00 [######################] 100%
summary=3
fpr=1A03113E773AA2652D2FA5DCE9241FABC8A82D92
status=0
timestamp=1290423916
wrong_key_usage=0
pka_trust=0
chain_model=0
validity=4
validity_reason=0
key=1
hash=2
kernel64 1.5K 43.4M/s 00:00:00 [######################] 100%
That second "pacman" download is actually the sig file for the pacman
repo...
I then tried setting "VerifySig = Optional" creating a new db without a
signature and running a -Sy:
> pacman -Sy
:: Synchronizing package databases...
pacman 1.0K 376.6K/s 00:00:00 [######################] 100%
error: failed retrieving file 'pacman.db.sig' from disk : No such file or directory
summary=4
fpr=E9241FABC8A82D92
status=117440520
timestamp=0
wrong_key_usage=0
pka_trust=0
chain_model=0
validity=0
validity_reason=0
key=0
hash=0
error: File /var/lib/pacman/sync/pacman.db has an invalid signature.
error: failed to update pacman (invalid PGP signature)
Huh... OK, it fails downloading the signature and then attempts to use
the old signature file... Let's remove the old signature file and try
again:
> pacman -Syy
:: Synchronizing package databases...
pacman 1.0K 378.6K/s 00:00:00 [######################] 100%
error: failed retrieving file 'pacman.db.sig' from disk : No such file or directory
Better, but it is not really an error given the signature verification
is optional.
5) Installing packages from a repo and verifying their signature works.
Again there is a lot of "debug" output but that will be fixed with the
changes needed above.
6) Installing packages with signatures from the local filesystem does
not really work... The function that reads in the signature file
assumes a certain size for the file (72 bytes) and that did not match my
signature file size. I have pinged Dan to see if he can remember where
that assumption came from but given that code is over two years old...
tl;dr (short version):
package/db signing somewhat works, but needs _substantial_ polish.
I'm going to start with a bit more of a rebase of what is on the gpg
branch. E.g. the commits to makepkg/repo-add were initially made 30
months ago and so a bunch of extra correction fixes have been made to
keep up with current development. Merging these should hopefully make
the patch series less all over the place...
Then I think we should just work through each part polishing the
implementation. I think an obvious first step is the issues with the
download and verification of database signatures I pointed out above.
Allan
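The two behaviours the message points out in items 4 and 6, as an added example that is not part of the original post and not pacman's own code: a signature reader that copes with whatever size the .sig file actually has instead of assuming 72 bytes, and a policy function that treats a missing .sig as an error only when verification is required, while never accepting an invalid (or stale, left-over) signature under any setting. The type and function names (sig_policy_t, verify_result_t, read_sig_file, apply_sig_policy, write_sample_sig, roundtrip_sig_size) are hypothetical, and the "signature" bytes written to the temp file are constructed test data, not a real OpenPGP signature.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical equivalent of the "VerifySig" repo setting discussed above. */
typedef enum { SIG_NEVER, SIG_OPTIONAL, SIG_REQUIRED } sig_policy_t;

/* Outcome of applying that policy to one database or package file. */
typedef enum { VERIFY_OK, VERIFY_SKIPPED, VERIFY_MISSING, VERIFY_INVALID } verify_result_t;

/* Read an entire detached signature file into a heap buffer, growing the
   buffer as needed, so no fixed file size (72 bytes or otherwise) is assumed.
   Returns NULL with *len = 0 if the file cannot be opened or read. */
unsigned char *read_sig_file(const char *path, size_t *len)
{
    *len = 0;
    FILE *fp = fopen(path, "rb");
    if (!fp) return NULL;
    size_t cap = 256, n = 0, got;
    unsigned char *buf = malloc(cap);
    if (!buf) { fclose(fp); return NULL; }
    while ((got = fread(buf + n, 1, cap - n, fp)) > 0) {
        n += got;
        if (n == cap) {                         /* buffer full: double it */
            unsigned char *tmp = realloc(buf, cap * 2);
            if (!tmp) { free(buf); fclose(fp); return NULL; }
            buf = tmp;
            cap *= 2;
        }
    }
    fclose(fp);
    *len = n;
    return buf;
}

/* sig_present: a .sig file for THIS download exists and was read.
   sig_valid:   result of the (external) gpg check; only meaningful when present.
   A missing signature is an error only under SIG_REQUIRED; an invalid one is
   an error whenever a signature was checked, so a stale .sig on disk can never
   turn a failed download into a "verified" database. */
verify_result_t apply_sig_policy(sig_policy_t policy, int sig_present, int sig_valid)
{
    if (policy == SIG_NEVER) return VERIFY_SKIPPED;
    if (!sig_present) return policy == SIG_REQUIRED ? VERIFY_MISSING : VERIFY_SKIPPED;
    return sig_valid ? VERIFY_OK : VERIFY_INVALID;
}

/* Write a constructed pseudo-signature of n bytes (byte i holds i & 0xff) to a
   fresh temp file and return its path (caller frees). Test data only. */
char *write_sample_sig(size_t n)
{
    char tmpl[] = "/tmp/sigtestXXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return NULL;
    FILE *fp = fdopen(fd, "wb");
    if (!fp) return NULL;
    for (size_t i = 0; i < n; i++) fputc((int)(i & 0xff), fp);
    fclose(fp);
    return strdup(tmpl);
}

/* Write an n-byte sample, read it back with read_sig_file, and return the
   number of bytes recovered intact (0 on any truncation or corruption). */
size_t roundtrip_sig_size(size_t n)
{
    char *path = write_sample_sig(n);
    if (!path) return 0;
    size_t len = 0;
    unsigned char *sig = read_sig_file(path, &len);
    int intact = sig != NULL;
    for (size_t i = 0; intact && i < len; i++)
        if (sig[i] != (unsigned char)(i & 0xff)) intact = 0;
    free(sig);
    remove(path);
    free(path);
    return intact ? len : 0;
}

int main(void)
{
    printf("310-byte sample read back as %zu bytes\n", roundtrip_sig_size(310));
    printf("72-byte sample read back as %zu bytes\n", roundtrip_sig_size(72));
    printf("Optional, no .sig      -> %d (0=ok 1=skipped 2=missing 3=invalid)\n",
           apply_sig_policy(SIG_OPTIONAL, 0, 0));
    printf("Required, no .sig      -> %d\n", apply_sig_policy(SIG_REQUIRED, 0, 0));
    printf("Optional, bad .sig     -> %d\n", apply_sig_policy(SIG_OPTIONAL, 1, 0));
    return 0;
}
```

The point of separating "present" from "valid" is exactly the second -Sy run in the message: when the .sig download fails, the verifier must not silently fall back to whatever old file is still in the sync directory, and under Optional the absence should be reported as a skip, not as an error.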