[pacman-dev] Checking package validity

Allan McRae allan at archlinux.org
Sat Jul 30 23:28:38 EDT 2011


On 31/07/11 11:15, Allan McRae wrote:
> I was thinking of how we currently check package validity and had
> planned to do something like:
>
> 1) signature check
> 2) md5sum check _only_ if no signature to check
>
> with the intention of adding an sha256sum check in the middle in the
> future (perhaps only if pacman is built using openssl to save us having
> to provide the routines...).
>
> But as far as I can tell, _alpm_check_pgp_helper does not allow you to
> distinguish between a successful signature check and the case where no
> signature is available and signature checking is not required. Is that
> correct or am I missing something?
>


It appears that this is an area that needs work anyway...


 > pacman -Sw libcups
resolving dependencies...

Targets (1): libcups-1.4.7-3

Total Download Size:    0.00 MiB

Proceed with download? [Y/n]
(1/1) checking package integrity [######################] 100%
error: failed to commit transaction (invalid or corrupted package (checksum))
libcups-1.4.7-3-i686.pkg.tar.xz is invalid or corrupted
Errors occurred, no packages were upgraded.


This happened with a lot of packages so it definitely was not a checksum 
error...


[12:11:35] debug: using cachedir: /home/arch/pkgcache/i686/
checking package integrity...
[12:11:35] debug: found cached pkg: /home/arch/pkgcache/i686/libcups-1.4.7-3-i686.pkg.tar.xz
[12:11:35] debug: replacing pkgcache entry with package file for target libcups
[12:11:35] debug: md5sum: 772cf71cb8abb5afce923ae870130a51
[12:11:35] debug: checking md5sum for /home/arch/pkgcache/i686/libcups-1.4.7-3-i686.pkg.tar.xz
[12:11:35] debug: base64_sig: (null)
[12:11:35] debug: checking signatures for /home/arch/pkgcache/i686/libcups-1.4.7-3-i686.pkg.tar.xz
[12:11:35] debug: checking signature for /home/arch/pkgcache/i686/libcups-1.4.7-3-i686.pkg.tar.xz
[12:11:35] debug: 1 signatures returned
[12:11:35] debug: fingerprint: 976AC6FA3B94FA10
[12:11:35] debug: summary: key missing
[12:11:35] debug: status: No public key
[12:11:35] debug: timestamp: 1311845034
[12:11:35] debug: exp_timestamp: 0
[12:11:35] debug: validity: unknown; reason: Success
[12:11:35] debug: key lookup failed, unknown key
[12:11:35] debug: signature is not valid
[12:11:35] debug: returning error 33 from _alpm_sync_commit : invalid or corrupted package (checksum)
error: failed to commit transaction (invalid or corrupted package (checksum))


My cache is essentially a mirror of the repo so has a bunch of signature 
files in it.  So when I "download" a package from the repos and pacman 
finds its signature in the cache, that gets checked.  So, that was quite 
unexpected for me (but I suppose it is a good thing?).  We just need to 
fix that error message.

Allan
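
The ordering described in the quoted message (signature first, md5sum only when there is no signature to check) and the misleading "checksum" error shown in the debug log, modelled as an added Python example that is not libalpm code. The signature verification result is a constructed status value standing in for the real gpgme outcome, and every distinct case gets its own result code so that "signature verified" and "no signature, none required" are no longer conflated:

```python
"""Added model of the package-validity decision; not pacman/libalpm code."""
import hashlib
from enum import Enum, auto


class SigStatus(Enum):
    """Constructed stand-in for the PGP verification outcome."""
    NONE = auto()         # no signature available for this package
    VALID = auto()        # signature verifies against a known key
    KEY_MISSING = auto()  # the "No public key" case from the debug log
    BAD = auto()          # signature present but does not verify


class Result(Enum):
    SIG_VALID = auto()            # signature checked, md5sum skipped
    CHECKSUM_VALID = auto()       # no signature to check, md5sum matched
    ERR_SIG_REQUIRED = auto()     # signature required but none available
    ERR_SIG_UNKNOWN_KEY = auto()  # must NOT be reported as a checksum error
    ERR_SIG_INVALID = auto()
    ERR_CHECKSUM = auto()


# Error text keyed by result, so each failure names its real cause.
ERROR_TEXT = {
    Result.ERR_SIG_REQUIRED: "required signature is missing",
    Result.ERR_SIG_UNKNOWN_KEY: "signature is from an unknown public key",
    Result.ERR_SIG_INVALID: "signature is invalid",
    Result.ERR_CHECKSUM: "invalid or corrupted package (checksum)",
}


def check_package(pkg_bytes, expected_md5, sig_status, sig_required):
    """Step 1: check the signature if one exists.
    Step 2: fall back to the md5sum only when there is no signature."""
    if sig_status is not SigStatus.NONE:
        return {
            SigStatus.VALID: Result.SIG_VALID,
            SigStatus.KEY_MISSING: Result.ERR_SIG_UNKNOWN_KEY,
            SigStatus.BAD: Result.ERR_SIG_INVALID,
        }[sig_status]
    if sig_required:
        return Result.ERR_SIG_REQUIRED
    if hashlib.md5(pkg_bytes).hexdigest() == expected_md5:
        return Result.CHECKSUM_VALID
    return Result.ERR_CHECKSUM


# Constructed sample package and its expected digest (not a real package).
PKG_BYTES = b"constructed libcups package contents"
PKG_MD5 = hashlib.md5(PKG_BYTES).hexdigest()
```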

