[pacman-dev] Status of package signing work

Allan McRae allan at archlinux.org
Mon Nov 22 13:48:13 CET 2010


So...  a real-world usage test of package signing is under way on my laptop!

I built a pacman-git package from my "gpg" branch 
(http://projects.archlinux.org/users/allan/pacman.git/log/?h=gpg).  Note 
that branch is on top of my working branch which contains a change to 
the local db format so be warned if you go to test it...


Here is my experience so far (long version):

1) Adding my signature to the pacman keyring with pacman-key worked. 
I'm not entirely up on gpg signing, but I had to set the trust level of 
my key to "ultimate" for things I signed to validate.  "full" trust was 
not enough.  Is this usual?

2) Building a package and signing it went flawlessly

3) Adding the package and signature to the repo worked, but a symlink to 
the signature needs to be created at repo.db.sig now that pacman looks 
for repo.db when downloading a db.  Not surprising given the patch for 
repo-add is about 30 months old!

4) Updating a repo and validating its signature went fine although it 
does give a lot of output which needs to be removed.  Also, the name displayed 
while downloading the sig file needs to be adjusted.

 > pacman -Syy
:: Synchronizing package databases...
  pacman          1.0K  318.7K/s 00:00:00 [######################] 100%
  pacman          0.3K   10.5M/s 00:00:00 [######################] 100%

summary=3
fpr=1A03113E773AA2652D2FA5DCE9241FABC8A82D92
status=0
timestamp=1290423916
wrong_key_usage=0
pka_trust=0
chain_model=0
validity=4
validity_reason=0
key=1
hash=2
  kernel64        1.5K   43.4M/s 00:00:00 [######################] 100%

That second "pacman" download is actually the sig file for the pacman 
repo...

I then tried setting "VerifySig = Optional" creating a new db without a 
signature and running a -Sy:

 > pacman -Sy
:: Synchronizing package databases...
  pacman           1.0K  376.6K/s 00:00:00 [######################] 100%
error: failed retrieving file 'pacman.db.sig' from disk : No such file or directory

summary=4
fpr=E9241FABC8A82D92
status=117440520
timestamp=0
wrong_key_usage=0
pka_trust=0
chain_model=0
validity=0
validity_reason=0
key=0
hash=0
error: File /var/lib/pacman/sync/pacman.db has an invalid signature.
error: failed to update pacman (invalid PGP signature)

Huh...  OK, it fails downloading the signature and then attempts to use 
the old signature file...   Let's remove the old signature file and try 
again:

 > pacman -Syy
:: Synchronizing package databases...
  pacman          1.0K  378.6K/s 00:00:00 [######################] 100%
error: failed retrieving file 'pacman.db.sig' from disk : No such file or directory

Better, but it is not really an error given the signature verification 
is optional.


5) Installing packages from a repo and verifying their signature works. 
Again there is a lot of "debug" output but that will be fixed with the 
changes needed above.

6) Installing packages with signatures from the local filesystem does 
not really work...  The function that reads in the signature file 
assumes a certain size for the file (72 bytes) and that did not match my 
signature file size.  I have pinged Dan to see if he can remember where 
that assumption came from but given that code is over two years old...


tl;dr (short version):
package/db signing somewhat works, but needs _substantial_ polish.



I'm going to start with a bit more of a rebase of what is on the gpg 
branch.  E.g. the commits to makepkg/repo-add were initially made 30 
months ago and so a bunch of extra correction fixes have been made to 
keep up with current development.  Merging these should hopefully make 
the patch series less all over the place...

Then I think we should just work through each part polishing the 
implementation.  I think an obvious first step is the issues with the 
download and verification of database signatures I pointed out above.

Allan
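The two database-signature problems in points 4 and 6 above (a failed signature download falling back to a stale .sig on disk, and a signature reader that assumes a fixed 72-byte file) can both be modelled in a few dozen lines. The block below is an added illustration, not pacman's code and not from Allan's gpg branch: it stands in an HMAC-SHA256 over the database bytes for the PGP verification step so it runs offline, uses an in-memory dict as the "mirror", and the VerifySig levels, SyncResult type, and function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass
from enum import Enum


class VerifySig(Enum):
    """Assumed verification levels, mirroring the 'VerifySig = Optional' setting in the post."""
    NEVER = "Never"
    OPTIONAL = "Optional"
    REQUIRED = "Required"


@dataclass
class SyncResult:
    ok: bool          # the sync of this database succeeded
    verified: bool    # a signature was present and checked
    message: str


# Constructed stand-in for the PGP step: a keyed HMAC over the database bytes.
# Real pacman uses detached GPG signatures; the swap only keeps the example offline.
def sign_db(db_bytes: bytes, key: bytes) -> bytes:
    return hmac.new(key, db_bytes, hashlib.sha256).digest()


def verify_db(db_bytes: bytes, sig_bytes: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign_db(db_bytes, key), sig_bytes)


def read_signature(path: str) -> bytes:
    """Read the whole signature file. Its length depends on key type and
    algorithm, so no fixed size (such as 72 bytes) is assumed."""
    with open(path, "rb") as fh:
        return fh.read()


def sync_db(name: str, mirror: dict, sync_dir: str, level: VerifySig, key: bytes) -> SyncResult:
    """mirror is a constructed stand-in for the remote repo: filename -> bytes (absent = 404)."""
    db_path = os.path.join(sync_dir, f"{name}.db")
    sig_path = db_path + ".sig"

    db_bytes = mirror.get(f"{name}.db")
    if db_bytes is None:
        return SyncResult(False, False, f"failed retrieving file '{name}.db'")
    with open(db_path, "wb") as fh:
        fh.write(db_bytes)

    sig_bytes = mirror.get(f"{name}.db.sig")
    if sig_bytes is None:
        # A .sig left over from an earlier sync can only belong to an older db;
        # remove it so the fresh db is never checked against (and rejected by) a stale signature.
        if os.path.exists(sig_path):
            os.remove(sig_path)
        if level is VerifySig.REQUIRED:
            return SyncResult(False, False, f"failed to update {name} (missing PGP signature)")
        # With Optional/Never a missing signature is not an error, just an unverified db.
        return SyncResult(True, False, f"{name}: no signature on mirror, accepted (VerifySig = {level.value})")

    with open(sig_path, "wb") as fh:
        fh.write(sig_bytes)
    if level is VerifySig.NEVER:
        return SyncResult(True, False, f"{name}: signature downloaded but not checked (VerifySig = Never)")
    if verify_db(db_bytes, read_signature(sig_path), key):
        return SyncResult(True, True, f"{name}: signature verified")
    return SyncResult(False, False, f"File {db_path} has an invalid signature.")


def run_scenarios() -> dict:
    """Replays the sequence from the post with constructed data; returns results keyed by scenario."""
    key = b"constructed-demo-key"
    old_db = b"%FILENAME%\npacman-3.4.1-1\n"
    new_db = old_db + b"pacman-3.4.2-1\n"
    with tempfile.TemporaryDirectory() as sync_dir:
        signed = {"pacman.db": old_db, "pacman.db.sig": sign_db(old_db, key)}
        r_signed = sync_db("pacman", signed, sync_dir, VerifySig.REQUIRED, key)
        # New db published without a signature: the .sig written above is now stale.
        unsigned = {"pacman.db": new_db}
        r_optional = sync_db("pacman", unsigned, sync_dir, VerifySig.OPTIONAL, key)
        stale_removed = not os.path.exists(os.path.join(sync_dir, "pacman.db.sig"))
        r_required = sync_db("pacman", unsigned, sync_dir, VerifySig.REQUIRED, key)
        # Signature for the old content served alongside the new db must be rejected.
        mismatched = {"pacman.db": new_db, "pacman.db.sig": sign_db(old_db, key)}
        r_mismatch = sync_db("pacman", mismatched, sync_dir, VerifySig.REQUIRED, key)
    return {"signed": r_signed, "optional": r_optional, "stale_removed": stale_removed,
            "required": r_required, "mismatch": r_mismatch,
            "sig_len": len(sign_db(old_db, key))}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The second scenario is the one the post hits: after the signature download fails, the stale pacman.db.sig is deleted rather than fed to the verifier, so under Optional the sync succeeds unverified and under Required it fails with a "missing signature" message instead of a misleading "invalid signature" one. The stand-in signature here is 32 bytes, which is exactly why read_signature reads whatever the file holds.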
