[pacman-dev] Finishing off the package signing issue -- call for contributors

Allan McRae allan at archlinux.org
Sat May 21 00:48:14 EDT 2011


I'm going to point out what the current state of the package signing 
code is and what is currently being worked on.  As a warning I have just 
got home from a stay in hospital, so I might be ever so slightly terse 
in my reply.  Don't take this as me being an arse... I just figured that 
it was better to reply now as opposed to giving no reply (as I will be 
heading back to hospital again soon).

On 21/05/11 09:07, Kerrick Staley wrote:
> As far as I can tell, there is no work going on right now on this issue.

What!!!  There has been no progress... in two weeks!!!   That's 
right...  it has been only two weeks since the last commit to do with 
package signing was pushed to the master git repo 
(http://projects.archlinux.org/pacman.git/commit/?id=70cf4546).  In 
fact, it is currently 10 days, so it was 9 days when the original emails to 
this thread were sent.  Shock, horror, development has stalled!

If that was not enough, one way to know the current status of 
development would be to look through this email list's archives.  Hmm.. 
"trustdb locking issues" would be the last one.  Seems a pretty big 
issue not being able to verify a package that has a signature file 
without root privileges.  So that is probably a blocker that the people 
working on this have not solved yet.  Note there were very, very few 
replies with suggestions on how to deal with that.

On 21/05/11 09:07, Kerrick Staley wrote:
> I think each developer should have their own key, that each package will
> only need one signature, and that the repolists will also be signed by
> the last dev to edit them.

Good to see you came up with the exact implementation we already have... 
Pacman reads a single signature for a package (either detached for -U 
or -Q operations, or in the repo db for -S operation) and the repo has a 
single detached signature.  How those keys are distributed across 
developers and what exactly is used in signing what is not a pacman 
concern and so has nothing to do with the implementation in pacman. 
Pacman just needs to take signatures and verify them.  Note that how 
Arch will deal with signing in their repos is being finalised elsewhere, 
but to reiterate, that has nothing to do with the pacman implementation.

So... onwards to what the current status is:

- makepkg can build a package and sign it (using gpg)
- repo-add can add a package signature to the database and sign the database
- a key management tool called pacman-key is implemented.  It still needs 
work and there are a bunch of patches on the mailing list for it.  I 
hope to find time to finalise this in the near future...
- pacman has basic signing support.  It can:
   - download and verify the signature for the repo dbs
   - read packages and verify their signatures from repo dbs on -S operations
   - read and verify detached signatures on -U operations (and -Q, but 
note above the issues with trustdb locking and root privileges)

Things that need done:
- figure out the locking issues  (1777 permissions on the pacman gpg 
keyring directory is a workaround, but we may take the yum approach of 
copying that folder to a writeable location)

In fact, just look at the list on my wiki page: 
https://wiki.archlinux.org/index.php/User:Allan/Package_Signing. There 
is no point me replicating the list here.  If you have specific queries 
about any point, ask specific questions.  Most should be fairly clear if 
you actually take the code for a test spin.

As far as what branches to use, all the gpg signing code that I had on a 
branch has been merged into the pacman master branch (as stated on the 
above wiki page...).   You might find WIP patches on a gpg branch in 
Dan's repo depending on what he is doing, or maybe my working branch.

I was going to go into more detail on the status of what is done and 
what needs done, but the quickest way for anyone to find out is to grab 
the git repo, build it and start using it.  Everything for makepkg and 
repo-add is documented in the man pages so hopefully that should be 
clear.  So you should easily be able to create a signed package and add 
it to a local repo.  If not, ask specific questions and we can improve 
the documentation.  Then you can play around with pacman to see what 
appears to work and what does not.  About the only thing that you need 
to know is there is a VerifySig option for pacman.conf that takes the 
value Always/Optional/Never and is given for each repo.

If people want further info, ask specific questions.  I'm not going to 
spend my time answering very basic questions about the current 
implementation that can be easily seen by anyone who spends a small 
amount of time doing some actual investigation by taking the code for a 
spin.  If you don't have time to do this, then I doubt you have time to 
contribute anything...
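The per-repo VerifySig option (Always/Optional/Never) mentioned above, as an added example that is not part of the original message or of pacman's own code: a small model of how that setting decides whether a package is accepted, given whether a signature was found (from the repo db on -S, or a detached file on -U) and whether it verified. The config fragment is constructed, and the [options]-level fallback value is an assumption, not something the message states.

```python
import configparser
from enum import Enum


class VerifySig(Enum):
    ALWAYS = "Always"
    OPTIONAL = "Optional"
    NEVER = "Never"


# Constructed pacman.conf fragment (not a real Arch config). Per-repo
# VerifySig is what the message describes; the [options] default used as a
# fallback for repos without their own setting is an assumption.
SAMPLE_CONF = """\
[options]
VerifySig = Optional

[core]
VerifySig = Always
Server = http://mirror.example/core/os/x86_64

[extra]
Server = http://mirror.example/extra/os/x86_64

[local-testing]
VerifySig = Never
Server = file:///srv/repo
"""


def load_verifysig(conf_text):
    """Return {repo: VerifySig}, falling back to the [options] value."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep pacman's case-sensitive option names
    cp.read_string(conf_text)
    default = cp.get("options", "VerifySig", fallback="Optional")
    return {repo: VerifySig(cp.get(repo, "VerifySig", fallback=default))
            for repo in cp.sections() if repo != "options"}


def accept_package(level, sig_present, sig_valid):
    """Apply a VerifySig level: Never skips the check, Always demands a
    valid signature, Optional demands one only if a signature exists."""
    if level is VerifySig.NEVER:
        return True
    if not sig_present:
        return level is VerifySig.OPTIONAL
    return sig_valid  # a present-but-bad signature is always rejected


def accept_from_repo(conf_text, repo, sig_present, sig_valid):
    """Resolve the repo's level from the config, then apply it."""
    return accept_package(load_verifysig(conf_text)[repo], sig_present, sig_valid)
```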