[pacman-dev] Why need keyrings to be signed?

Pierre Schmitz pierre at archlinux.de
Sat Mar 3 10:25:08 EST 2012

Hi all,

while working on our keyring package again I am still stuck at this
question. pacman-key --populate checks if the files to import are
signed. The man page tell us:

       This prevents a potentially malicious repository
       adding keys to the pacman keyring without the users knowledge.

But I don't get the reasoning here at all. If I install a malicious
package, it's install function is run as root and can do anything;
including bypassing the --populate function and call gpg directly. If I
miss anything here please let me know as I couldn't find out.

Removing this check would safe me from reinventing the wheel and I
don't have to create a script which does exactly what --populate does
but without the check. This check prevents us from a simple bootstrap;
and we gain no improved security if we let the user do it manually.
(think about what a malicious package would do)

In details this means removing the call to verify_keyring_input in
pacman-key and then remove the now unused functions verify_keyring_input
and validate_with_gpg.



Pierre Schmitz, http://pierre-schmitz.com

More information about the pacman-dev mailing list