[pacman-dev] [PATCH 0/5] Manage signing keys using a WKD (FS#63171)

Jonas Witschel diabonas at gmx.de
Mon Aug 5 10:42:51 UTC 2019


Hi,

good news everyone, thanks to Florian Pritz we now have a working WKD
[1]. I had to modify the fingerprint check again [2] because the key used
for signing might be a subkey, so we need to loop through all subkeys and
check if one of these key IDs matches the one used for signing the package.

The latest patch series now works with the keys published in the Arch
Linux WKD. I tested this by creating a new keyring containing only the
master signing keys, then installing a random package from each of the
developers whose key is ready for WKD support (the ones with three "Yes"
in the table in [3]). This worked successfully, so from my side, this
code is now ready for merging. I welcome any feedback on the code and
any testing whether everything works as expected. For convenience I
cloned the pacman repository on Gitlab and provide the patch series in
the "wkd" branch there [4]. A possible test setup looks like this:

# Build pacman with WKD patches added
git clone --branch wkd https://gitlab.com/diabonas/pacman.git
mkdir pacman/build && cd pacman/build
meson .. && ninja

# Prepare keyring (similar to what pacman-key --populate archlinux would
# do, but only import the master signing keys)
fakeroot pacman-key --init --gpgdir keyring
fakeroot pacman-key --gpgdir keyring --recv-keys \
    $(cut -d':' -f1 /usr/share/pacman/keyrings/archlinux-trusted)
fakeroot pacman-key --gpgdir keyring --lsign \
    $(cut -d':' -f1 /usr/share/pacman/keyrings/archlinux-trusted)
gpg --homedir keyring --import-ownertrust \
    /usr/share/pacman/keyrings/archlinux-trusted


mkdir -p root/var/lib/pacman

# Install a package, key will be looked up in the WKD
# Output should be:
# debug: looking up key for arojas at archlinux.org using WKD
# debug: unknown key, found Antonio Rojas <arojas at archlinux.org> remotely
fakeroot ./pacman --root root --gpgdir keyring --debug -Syu libaio

Other interesting test cases are:
- Use a package by a packager that doesn't use an Arch Linux UID (first
column in [3] is No), e.g. "linux-headers": the WKD key lookup should
fail with "key lookup failed, unknown key", but the key should be found
and imported from a keyserver.
- Disable keyserver access by adding the line "keyserver broken.invalid"
to "keyring/gpg.conf". Now importing the key for "libaio" from the WKD
should still work, while installing "linux-headers" fails with 'error:
key "A5E9288C4FA415FA" could not be looked up remotely'. (Don't forget
to delete the keys from the pacman keyring using "gpg --homedir keyring
--delete-keys 9D74DF6F91B7BDABD5815CA84AC5588F941C2A25
8218F88849AAC522E94CF470A5E9288C4FA415FA" first if you've already
imported them.)
- Test whether installing a file directly using

fakeroot ./pacman --root root --gpgdir keyring --debug -U \
https://mex.mirror.pkgbuild.com/core/os/x86_64/libaio-0.3.112-1-x86_64.pkg.tar.xz

instead of using the database also retrieves the key from the WKD.

Cheers,
Jonas

[1] https://bugs.archlinux.org/task/63171#comment180697
[2] https://lists.archlinux.org/pipermail/pacman-dev/2019-August/023518.html
[3] https://wiki.archlinux.org/index.php/User:Diabonas/WKD_support_by_developer_key
[4] https://gitlab.com/diabonas/pacman
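Added example, not part of Jonas's mail and not pacman's own code: a small Python model of the two pieces of the lookup the mail describes. The first part computes the WKD URLs that a lookup for an address such as arojas@archlinux.org fetches (lowercased local part, SHA-1, z-base-32, under the well-known path). The second part is the subkey-aware check from the mail: a key fetched from the WKD is only accepted if its primary key or one of its subkeys carries the long key ID taken from the package signature, otherwise the lookup reports "unknown key". The two 40-digit fingerprints are the ones quoted in the mail; the subkey fingerprint, the UIDs and the signing key IDs used as input are constructed, and the "long key ID = last 16 hex digits of the fingerprint" suffix rule is this example's reading of OpenPGP v4 key IDs, not a transcription of libalpm's gpgme code.

```python
"""Added example (not pacman's code): WKD address hashing plus the
subkey-aware key-ID check described in the mail."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# z-base-32 alphabet used for the WKD "hu" (hashed user id) path component
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, most significant bits first, no padding."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    # Right-pad the bit string to a multiple of 5 so every character is a full group.
    value = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(
        ZB32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 0x1F] for i in range(nchars)
    )


def wkd_urls(address: str) -> dict:
    """Return the 'advanced' and 'direct' WKD lookup URLs for an e-mail address.

    The local part is lowercased, SHA-1 hashed and z-base-32 encoded; the
    domain is lowercased; the original local part travels in ?l= so the
    server can disambiguate case-sensitive mailboxes.
    """
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hashed = zbase32_encode(hashlib.sha1(local.lower().encode("utf-8")).digest())
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{hashed}?l={local}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}?l={local}",
    }


@dataclass
class PgpKey:
    """A fetched OpenPGP key: primary fingerprint plus its subkey fingerprints."""
    uid: str
    fingerprint: str
    subkey_fingerprints: list = field(default_factory=list)


def long_key_id(fingerprint: str) -> str:
    """A v4 long key ID is the last 16 hex digits of the 40-digit fingerprint."""
    fpr = fingerprint.replace(" ", "").upper()
    if len(fpr) != 40:
        raise ValueError("expected a 40 hex digit v4 fingerprint")
    return fpr[-16:]


def key_carries_signing_id(key: PgpKey, signing_key_id: str) -> bool:
    """True if the primary key or any subkey has the key ID found in the signature.

    Looping over the subkeys is the point of the fix in the mail: packages are
    commonly signed with a subkey, so comparing only the primary fingerprint
    would wrongly reject a perfectly good key.
    """
    wanted = signing_key_id.replace(" ", "").upper()
    if len(wanted) != 16:
        raise ValueError("expected a 16 hex digit long key ID")
    return any(long_key_id(fpr) == wanted
               for fpr in [key.fingerprint, *key.subkey_fingerprints])


def select_key_for_signature(fetched: list, signing_key_id: str) -> Optional[PgpKey]:
    """Pick the fetched key that matches the signature, or None.

    None is the "key lookup failed, unknown key" outcome. A WKD server answers
    for a whole domain, so whatever it returns is tied back to the signing key
    ID before anything is imported into the pacman keyring.
    """
    for key in fetched:
        if key_carries_signing_id(key, signing_key_id):
            return key
    return None


# The two primary fingerprints are the ones quoted in the mail; the subkey
# fingerprint and the UIDs attached to them are constructed for this example.
KEY_A = PgpKey("<packager A, constructed>", "9D74DF6F91B7BDABD5815CA84AC5588F941C2A25",
               subkey_fingerprints=["0123456789ABCDEF0123456789ABCDEF01234567"])  # constructed subkey
KEY_B = PgpKey("<packager B, constructed>", "8218F88849AAC522E94CF470A5E9288C4FA415FA")

if __name__ == "__main__":
    print(wkd_urls("arojas@archlinux.org")["advanced"])
    # Signed with KEY_A's subkey: accepted only because subkeys are checked too.
    print(select_key_for_signature([KEY_A, KEY_B], "89ABCDEF01234567"))
    # KEY_B's ID is not on KEY_A, so a server returning only KEY_A is rejected.
    print(select_key_for_signature([KEY_A], "A5E9288C4FA415FA"))
```

The key ID match is a necessary check, not a trust decision: it only establishes that the key the domain's WKD server handed back is the one the signature names. Whether that key is trusted for package installation is still decided by the pacman keyring (the lsign/ownertrust steps in the test setup above), which is why the mail's test imports only the master signing keys and lets the WKD supply the packager keys.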
