[pacman-dev] Why need keyrings to be signed?
Pierre Schmitz
pierre at archlinux.de
Sat Mar 3 10:25:08 EST 2012
Hi all,
while working on our keyring package again I am still stuck at this
question. pacman-key --populate checks if the files to import are
signed. The man page tells us:
This prevents a potentially malicious repository
adding keys to the pacman keyring without the users knowledge.
But I don't get the reasoning here at all. If I install a malicious
package, its install function is run as root and can do anything,
including bypassing the --populate function and calling gpg directly. If I
miss anything here please let me know, as I couldn't find out.
Removing this check would save me from reinventing the wheel, and I
wouldn't have to create a script which does exactly what --populate does
but without the check. This check prevents us from a simple bootstrap,
and we gain no improved security if we let the user do it manually
(think about what a malicious package would do).
In detail, this means removing the call to verify_keyring_input in
pacman-key and then removing the now unused functions verify_keyring_input
and validate_with_gpg.
Greetings,
Pierre
--
Pierre Schmitz, http://pierre-schmitz.com