Old 04-29-2012, 10:59 PM
Gaetan Bisson
 
Proposed news item: Package verification

Hi everyone,

How about the following news item?

========

Title: Having pacman verify packages

Over the past six months, pacman has had package verification features,
although they were turned off while we were still figuring out the
details of our public-key infrastructure. This work has resulted in the
<a href="https://www.archlinux.org/packages/core/any/archlinux-keyring/">archlinux-keyring package</a>
which contains all the data you need to authenticate packages as
made by official Arch packagers (developers and trusted users).

Having pacman verify packages is now as easy as doing:

pacman -Syu archlinux-keyring
pacman-key --init
pacman-key --populate archlinux

The archlinux-keyring package contains five master keys that are used to
authenticate official Arch packagers, so you do not need to know who
joins or leaves the team: you just have to verify those five master keys
once and for all. This last command will prompt you to do so; please do
this cautiously by checking the fingerprints displayed against
<a href="https://www.archlinux.org/master-keys/">those published on our website</a>.

Then, set the following in your pacman.conf:

SigLevel = PackageRequired TrustedOnly

And you should be good to go!

For more details on the development of pacman and archlinux-keyring, see the blog posts of
<a href="http://allanmcrae.com/2011/12/pacman-package-signing-4-arch-linux/">Allan</a>
and <a href="https://pierre-schmitz.com/verify-all-the-packages/">Pierre</a>.

========

Cheers.

--
Gaetan
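The news item above asks users to compare the fingerprints that pacman-key --populate shows against the ones published on the master-keys page. The script below is an added example, not part of Gaetan's post and not pacman-key's own code: it pins a list of fingerprints copied out of band from the published page (placeholders here, not the real Arch master keys) and compares the primary keys actually present in a keyring against that list, reporting anything missing or extra. That makes the check repeatable later, not only at first setup. It assumes the live listing would come from gpg --homedir /etc/pacman.d/gnupg --with-colons --fingerprint (the keyring location the scriptlet in this thread uses); the listing embedded in the script is constructed so that it runs offline.

```shell
#!/bin/sh
# Added example, not from the news item or from pacman-key.  Compares the primary-key
# fingerprints in a keyring listing with a pinned set taken from the published
# master-key page, and reports missing or unexpected keys.
# Live input (assumed keyring location):
#   gpg --homedir /etc/pacman.d/gnupg --with-colons --fingerprint | check_pinned "$PINNED"

# Constructed gpg colon-format output: two primary keys, the first with a subkey.
# All fingerprints are placeholders, NOT the real Arch Linux master keys.
SAMPLE_KEYRING='pub:-:2048:1:0000000000000001:1318281893::::::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1:
uid:-::::1318281893::0::Constructed Master Key One <one@example.invalid>:
sub:-:2048:1:000000000000000A:1318281893::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
pub:-:2048:1:0000000000000002:1318281893::::::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2:
uid:-::::1318281893::0::Constructed Master Key Two <two@example.invalid>:'

# Fingerprints copied by hand from the master-keys page (placeholders here).
PINNED_MASTER_KEYS='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2'

# Prints the fingerprint (field 10 of an "fpr" record) of every primary key on stdin.
# Only the fpr record that directly follows a "pub" record counts, so subkey
# fingerprints are not mistaken for additional master keys.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10 }
             { want = 0 }'
}

# $1: newline-separated pinned fingerprints; gpg colon output on stdin.
# Returns 0 only when the keyring holds exactly the pinned set of primary keys.
check_pinned() {
    found=$(primary_fingerprints)
    status=0
    for fpr in $1; do
        case "$found" in
            *"$fpr"*) ;;
            *) echo "MISSING pinned key: $fpr"; status=1 ;;
        esac
    done
    for fpr in $found; do
        case "$1" in
            *"$fpr"*) ;;
            *) echo "UNEXPECTED primary key in keyring: $fpr"; status=1 ;;
        esac
    done
    return $status
}

if printf '%s\n' "$SAMPLE_KEYRING" | check_pinned "$PINNED_MASTER_KEYS"; then
    echo "keyring holds exactly the pinned master keys"
fi
```

The pinned list is the trust anchor, so it has to be obtained independently of the package channel being verified (the published page, read over HTTPS, or a copy carried from a machine already set up); feeding the script a list scraped from the same keyring it is checking would prove nothing.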
 
Old 04-30-2012, 12:18 AM
Allan McRae
 
Proposed news item: Package verification

On 30/04/12 08:59, Gaetan Bisson wrote:
> Then, set the following in your pacman.conf:
>
> SigLevel = PackageRequired TrustedOnly

Setting that globally causes failures with "pacman -U" and unsigned
packages. So PackageRequired should only be enabled on a per repo basis
at the moment.

We could do a pacman update with an updated pacman.conf for people to
merge to help this along.

Allan
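Allan's objection turns on how pacman merges SigLevel: the value in [options] also governs files installed with pacman -U, while a repository section overrides only the parts it names (Package*/Database*, check level, trust level). The script below is an added example, not from the thread and not pacman's own code; it models that merge over constructed pacman.conf fragments, assuming the compiled-in default is Optional TrustedOnly as the pacman.conf comments quoted later in this thread state, and flags repositories that would accept unsigned packages. It prints the [options] line as well, since that is the level a local pacman -U install gets.

```shell
#!/bin/sh
# Added example, not code from the thread or from pacman.  Models how pacman resolves
# SigLevel: the [options] value is the base (compiled-in default "Optional TrustedOnly"
# when none is set), and a repository section overrides only the part it names.

# Constructed pacman.conf fragments (placeholders; the thread's attachments are full files).
PROPOSED_CONF='[options]
HoldPkg = pacman glibc
#SigLevel = Optional TrustedOnly

[core]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[extra]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist'

# The globally-required variant that makes "pacman -U" reject unsigned local files.
GLOBAL_CONF='[options]
SigLevel = PackageRequired TrustedOnly

[core]
Include = /etc/pacman.d/mirrorlist'

# A repository left at the global default silently accepts unsigned packages.
WEAK_CONF='[options]

[core]
SigLevel = PackageRequired

[community]
Include = /etc/pacman.d/mirrorlist'

# Reads pacman.conf text on stdin; prints one line per section:
#   <section> package=<check>/<trust> database=<check>/<trust>
effective_siglevels() {
    awk '
    function merge(s,    m, k, w, scope) {
        m = split(s, parts, "[ \t]+")
        for (k = 1; k <= m; k++) {
            w = parts[k]
            if (w == "") continue
            scope = "both"
            if (sub(/^Package/, "", w)) { scope = "pkg" } else if (sub(/^Database/, "", w)) { scope = "db" }
            if (w == "Never" || w == "Optional" || w == "Required") {
                if (scope != "db") pkgchk = w
                if (scope != "pkg") dbchk = w
            } else if (w == "TrustedOnly" || w == "TrustAll") {
                if (scope != "db") pkgtr = w
                if (scope != "pkg") dbtr = w
            }
        }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
    /^[ \t]*\[/ {                             # section header: remember its order
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        if (!(sec in words)) { order[++n] = sec; words[sec] = "" }
        next
    }
    /^[ \t]*SigLevel[ \t]*=/ {                # collect the keywords given in this section
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); words[sec] = words[sec] " " v; next
    }
    END {
        pkgchk = "Optional"; dbchk = "Optional"; pkgtr = "TrustedOnly"; dbtr = "TrustedOnly"
        merge(words["options"])
        gpc = pkgchk; gdc = dbchk; gpt = pkgtr; gdt = dbtr
        printf "options package=%s/%s database=%s/%s\n", gpc, gpt, gdc, gdt
        for (i = 1; i <= n; i++) {
            if (order[i] == "options") continue
            pkgchk = gpc; dbchk = gdc; pkgtr = gpt; dbtr = gdt
            merge(words[order[i]])
            printf "%s package=%s/%s database=%s/%s\n", order[i], pkgchk, pkgtr, dbchk, dbtr
        }
    }'
}

# Reports every repository whose package signatures are not both required and limited to
# trusted keys; exits 1 if any is found.  The options line is skipped on purpose: it
# governs "pacman -U", where Optional is what keeps unsigned local packages installable.
audit_siglevels() {
    effective_siglevels | awk '
        BEGIN { bad = 0 }
        $1 != "options" && $2 != "package=Required/TrustedOnly" { print "WEAK: " $0; bad = 1 }
        END { exit bad }'
}

printf '%s\n' "$PROPOSED_CONF" | effective_siglevels
printf '%s\n' "$GLOBAL_CONF" | effective_siglevels
printf '%s\n' "$WEAK_CONF" | audit_siglevels || echo "a repository would accept unsigned packages"
```

Run it against a real /etc/pacman.conf with effective_siglevels < /etc/pacman.conf to see the per-repository result; the two constructed fragments show the difference Allan describes, with options coming out as Optional in the per-repository layout and as Required in the global one.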
 
Old 04-30-2012, 10:51 AM
Pierre Schmitz
 
Proposed news item: Package verification

Am 30.04.2012 02:18, schrieb Allan McRae:
> On 30/04/12 08:59, Gaetan Bisson wrote:
>> Then, set the following in your pacman.conf:
>>
>> SigLevel = PackageRequired TrustedOnly
>
> Setting that globally causes failures with "pacman -U" and unsigned
> packages. So PackageRequired should only be enabled on a per repo basis
> at the moment.

Isn't TrustedOnly the default anyway?

> We could do a pacman update with an updated pacman.conf for people to
> merge to help this along.

Yes, we should.

--
Pierre Schmitz, https://pierre-schmitz.com
 
Old 04-30-2012, 11:02 AM
Gaetan Bisson
 
Proposed news item: Package verification

[2012-04-30 10:18:36 +1000] Allan McRae:
> On 30/04/12 08:59, Gaetan Bisson wrote:
> > Then, set the following in your pacman.conf:
> >
> > SigLevel = PackageRequired TrustedOnly
>
> Setting that globally causes failures with "pacman -U" and unsigned
> packages. So PackageRequired should only be enabled on a per repo basis
> at the moment.

Right.

> We could do a pacman update with an updated pacman.conf for people to
> merge to help this along.

That would be great.

In fact, package verification could even be enabled by default in the
new pacman.conf, archlinux-keyring added as a dependency of pacman, and
the news item summed up into a post-install message. Attached are a
patch to our pacman package and an updated news post doing this.
Comments welcome!

Cheers.

--
Gaetan
Title: Having pacman verify packages

Over the past six months, pacman has had package verification features,
although they were turned off while we were still figuring out the
details of our public-key infrastructure.

They have been enabled in pacman-4.0.3-2; when you upgrade, you will be
prompted to run:

pacman-key --init
pacman-key --populate archlinux

This sets up a pacman keyring, and populates it with all the data needed to
authenticate packages as made by official Arch packagers (developers and
trusted users). This consists in particular of five master keys used to
authenticate official Arch packagers, so you do not need to know who joins or
leaves the team: you just have to verify those five master keys once and for
all. This last command will prompt you to do so; please do this cautiously by
checking the fingerprints displayed against
<a href="https://www.archlinux.org/master-keys/">those published on our website</a>.

Then, merge your pacman.conf with pacman.conf.new, that is, enable package
verification through the SigLevel option, and you should be good to go.

For more details on the development of pacman and archlinux-keyring, see the blog posts of
<a href="http://allanmcrae.com/2011/12/pacman-package-signing-4-arch-linux/">Allan</a>
and <a href="https://pierre-schmitz.com/verify-all-the-packages/">Pierre</a>.
diff -Naur old/pacman.conf new/pacman.conf
--- old/pacman.conf 2012-04-30 12:03:12.870704414 +0200
+++ new/pacman.conf 2012-04-30 12:35:33.646325388 +0200
@@ -42,12 +42,6 @@
# you to locally sign and trust packager keys using `pacman-key` for them to be
# considered valid.
#SigLevel = Optional TrustedOnly
-# If you wish to check signatures but avoid local sign and trust issues, use
-# the following line. This will treat any key imported into pacman's keyring as
-# trusted.
-#SigLevel = Optional TrustAll
-# For now, off by default unless you read the above.
-SigLevel = Never

#
# REPOSITORIES
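Review bot: after this hunk no active SigLevel line remains in the global section, so the level pacman uses for local files falls back to the compiled-in default, but the hunk deletes the lines that told the reader checking was "off by default" without adding anything that says what now applies. Suggest one comment line under "#SigLevel = Optional TrustedOnly" stating that this is the value in force while the line stays commented out and that it governs packages installed with pacman -U, which is the reason, per Allan's point earlier in the thread, for not setting PackageRequired globally.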
@@ -77,11 +71,11 @@
#Include = /etc/pacman.d/mirrorlist

[core]
-#SigLevel = PackageRequired
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[extra]
-#SigLevel = PackageOptional
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

#[community-testing]
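Review bot: "SigLevel = PackageRequired" in [core] and [extra] sets only the Package half of the level; no Database keyword appears in this hunk, so verification of the repository database itself stays at whatever the global section provides. If leaving database verification at the global default is deliberate, a comment beside these lines saying so would keep the asymmetry from being read as an oversight.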
@@ -89,7 +83,7 @@
#Include = /etc/pacman.d/mirrorlist

[community]
-#SigLevel = PackageOptional
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

# An example of a custom package repository. See the pacman manpage for
diff -Naur old/pacman.conf.x86_64 new/pacman.conf.x86_64
--- old/pacman.conf.x86_64 2012-04-30 12:03:12.870704414 +0200
+++ new/pacman.conf.x86_64 2012-04-30 12:35:22.966314170 +0200
@@ -42,12 +42,6 @@
# you to locally sign and trust packager keys using `pacman-key` for them to be
# considered valid.
#SigLevel = Optional TrustedOnly
-# If you wish to check signatures but avoid local sign and trust issues, use
-# the following line. This will treat any key imported into pacman's keyring as
-# trusted.
-#SigLevel = Optional TrustAll
-# For now, off by default unless you read the above.
-SigLevel = Never

#
# REPOSITORIES
@@ -77,11 +71,11 @@
#Include = /etc/pacman.d/mirrorlist

[core]
-#SigLevel = PackageRequired
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[extra]
-#SigLevel = PackageOptional
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

#[community-testing]
@@ -89,7 +83,7 @@
#Include = /etc/pacman.d/mirrorlist

[community]
-#SigLevel = PackageOptional
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

# If you want to run 32 bit applications on your x86_64 system,
@@ -100,7 +94,7 @@
#Include = /etc/pacman.d/mirrorlist

#[multilib]
-#SigLevel = PackageOptional
+#SigLevel = PackageRequired
#Include = /etc/pacman.d/mirrorlist

# An example of a custom package repository. See the pacman manpage for
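Review bot: "#[multilib]" and its "#SigLevel = PackageRequired" both stay commented, so this hunk only changes the template a user inherits when uncommenting the section, which is consistent with the other repositories. Style point for the file as a whole: pacman.conf.x86_64 repeats every hunk of pacman.conf verbatim apart from this multilib block, so the two copies have to be edited in lockstep; deriving the x86_64 variant from the common file at build time would remove that drift risk.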
diff -Naur old/pacman.install new/pacman.install
--- old/pacman.install 2012-04-30 12:03:12.870704414 +0200
+++ new/pacman.install 2012-04-30 12:36:13.366366907 +0200
@@ -9,7 +9,9 @@
if [ "$(vercmp $2 3.5.0)" -lt 0 ]; then
_warnupgrade
fi
- _check_pubring
+ if [ ! -f "etc/pacman.d/gnupg/pubring.gpg" ] || [ "$(vercmp $2 4.0.3-2)" -lt 0 ]; then
+ _check_pubring
+ fi
}

post_install() {
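Review bot: "$2" is expanded unquoted inside [ "$(vercmp $2 4.0.3-2)" -lt 0 ]; the pre-existing vercmp line above has the same pattern, but the new line should quote it as "$2" so an empty version string cannot turn into a missing argument. The condition itself reads correctly: the message is printed on a fresh keyring or on any upgrade from before 4.0.3-2, which is what populating the keyring needs, and the relative path etc/pacman.d/gnupg/pubring.gpg works because pacman runs install scriptlets from the root of the installation.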
@@ -17,9 +19,9 @@
}

_check_pubring() {
- if [ ! -f "etc/pacman.d/gnupg/pubring.gpg" ]; then
- echo " >>> Run `pacman-key --init` to set up your pacman keyring."
- fi
+ echo " >>> Run `pacman-key --init; pacman-key --populate archlinux`"
+ echo " >>> to import the data required by pacman for package verification."
+ echo " >>> See: https://www.archlinux.org/news/having-pacman-verify-packages"
}

_warnupgrade() {
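Review bot: the backticks inside the double-quoted echo strings are command substitution to the shell, so as written the line echo " >>> Run `pacman-key --init; pacman-key --populate archlinux`" would execute both pacman-key commands during the scriptlet (including the interactive --populate prompt) and print their output, rather than print the instruction; the removed line had the same construct. Escape them as \` or put the literal text in single quotes, for example echo ' >>> Run `pacman-key --init; pacman-key --populate archlinux`'.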
diff -Naur old/PKGBUILD new/PKGBUILD
--- old/PKGBUILD 2012-04-30 12:03:12.870704414 +0200
+++ new/PKGBUILD 2012-04-30 12:36:46.533068001 +0200
@@ -5,14 +5,14 @@

pkgname=pacman
pkgver=4.0.3
-pkgrel=1
+pkgrel=2
pkgdesc="A library-based package manager with dependency support"
arch=('i686' 'x86_64')
url="http://www.archlinux.org/pacman/"
license=('GPL')
groups=('base')
depends=('bash' 'glibc>=2.15' 'libarchive>=3.0.2' 'curl>=7.19.4'
- 'gpgme' 'pacman-mirrorlist')
+ 'gpgme' 'pacman-mirrorlist' 'archlinux-keyring')
makedepends=('asciidoc')
optdepends=('fakeroot: for makepkg usage as normal user')
backup=(etc/pacman.conf etc/makepkg.conf)
@@ -24,8 +24,8 @@
makepkg.conf)
md5sums=('387965c7125e60e5f0b9ff3b427fe0f9'
'1a70392526c8768470da678b31905a6e'
- '4605b3490d4fd1e5c6e20db17da9ded6'
- 'a0edf98ad1845a4c7d902a86638d5d2d'
+ '5c0f4b106a4eba6ded854d545762e9a5'
+ '40479a57e5bd71a6cb7d1ece3af8c61d'
'589cd34eb9d5b678455e8289394f523e')

build() {
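Review bot: only the two checksums for the modified pacman.conf files change, which matches the configuration hunks above; pacman.install is not covered here because install scriptlets are referenced through install= rather than source=. Style point: since these sums are the integrity check on the very configuration that turns signature verification on, switching the array to sha256sums=(), which makepkg also accepts, would fit the change better than md5.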
 
Old 04-30-2012, 11:06 AM
Pierre Schmitz
 
Proposed news item: Package verification

Am 30.04.2012 13:02, schrieb Gaetan Bisson:
> In fact, package verification could even be enabled by default in the
> new pacman.conf, archlinux-keyring added as a dependency of pacman, and
> the news item summed up into a post-install message. Attached are a
> patch to our pacman package and an updated news post doing this.
> Comments welcome!

You should add the PackageRequired line to the testing repositories as
well. I wonder if this would break net installs; or is that broken
anyway by now?

--
Pierre Schmitz, https://pierre-schmitz.com
 
Old 04-30-2012, 11:11 AM
Gaetan Bisson
 
Proposed news item: Package verification

[2012-04-30 13:06:11 +0200] Pierre Schmitz:
> You should add the PackageRequired line to the testing repositories as
> well.

It is already there.

> I wonder if this would break net installs; or is that broken
> anyway by now?

Ah, I haven't thought of that... Do installs try to run pacman without
user intervention, and after it has been upgraded?

--
Gaetan
 
Old 05-02-2012, 09:38 PM
Gaetan Bisson
 
Proposed news item: Package verification

[2012-04-30 13:11:01 +0200] Gaetan Bisson:
> [2012-04-30 13:06:11 +0200] Pierre Schmitz:
> > I wonder if this would break net installs; or is that broken
> > anyway by now?
>
> Ah, I haven't thought of that... Do installs try to run pacman without
> user intervention, and after it has been upgraded?

It appears pacman only runs once, so the install succeeds.

However, the install message is drowned in the flood of packages, so most
users will likely struggle when they run pacman next.

--
Gaëtan
 
Old 05-31-2012, 01:07 PM
Gaetan Bisson
 
Proposed news item: Package verification

[2012-05-02 23:38:22 +0200] Gaetan Bisson:
> However, the install message is drowned in the flood of packages, so most
> users will likely struggle when they run pacman next.

All in all, that seems like a minor con, especially since, on top of the
install message, we'll have a news post about this. It is far outweighed
by the pro of bringing users' setups to the same page as ours.

Attached are an updated proposed news post and pacman-4.0.3-2 release.
Please do have a look and let me know if you disagree with anything. I
would like to push this to [testing] in a couple of days or so.

Cheers.

--
Gaetan
Title: Having pacman verify packages

Over the past six months, pacman has had package verification features,
although they were turned off while we were still figuring out the
details of our public-key infrastructure.

They have been enabled in pacman-4.0.3-2; when you upgrade, you will be
prompted to run:

pacman-key --init
pacman-key --populate archlinux

This sets up a local keyring for pacman, and populates it with the data needed
to authenticate official packages. This includes five master keys used to
authenticate official Arch Linux packagers (developers and trusted users), so
you do not need to know who joins or leaves the team: you only have to verify
those five master keys once and for all. The populate command will prompt you
to do so; please do this cautiously by checking the fingerprints displayed
against
<a href="https://www.archlinux.org/master-keys/">those published on our website</a>.

Then, merge your pacman.conf with pacman.conf.new, that is, enable package
verification through the SigLevel option, and you should be good to go.

For details on the development of pacman and archlinux-keyring, see the blog posts of
<a href="http://allanmcrae.com/2011/12/pacman-package-signing-4-arch-linux/">Allan</a>
and <a href="https://pierre-schmitz.com/verify-all-the-packages/">Pierre</a>.
diff -Naur old/pacman.conf new/pacman.conf
--- old/pacman.conf 2012-05-31 22:15:59.600458792 +1000
+++ new/pacman.conf 2012-05-31 22:35:29.778949346 +1000
@@ -36,18 +36,13 @@
CheckSpace
#VerbosePkgLists

-# PGP signature checking
-# NOTE: None of this will work without running `pacman-key --init` first.
-# The compiled in default is equivalent to the following line. This requires
-# you to locally sign and trust packager keys using `pacman-key` for them to be
-# considered valid.
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
#SigLevel = Optional TrustedOnly
-# If you wish to check signatures but avoid local sign and trust issues, use
-# the following line. This will treat any key imported into pacman's keyring as
-# trusted.
-#SigLevel = Optional TrustAll
-# For now, off by default unless you read the above.
-SigLevel = Never
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.

#
# REPOSITORIES
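Review bot: the new comment describes Optional TrustedOnly accurately, but it drops the earlier statement that the commented "#SigLevel = Optional TrustedOnly" line is the compiled-in default, so a reader can no longer tell whether uncommenting it changes anything. Suggest a line such as "# The compiled-in default is equivalent to the following line:" directly above it. The added NOTE could also say that the per-repository PackageRequired settings further down are what make running pacman-key --init mandatory before syncing.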
@@ -77,11 +72,11 @@
#Include = /etc/pacman.d/mirrorlist

[core]
-#SigLevel = PackageRequired
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[extra]
-#SigLevel = PackageOptional
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

#[community-testing]
@@ -89,7 +84,7 @@
#Include = /etc/pacman.d/mirrorlist

[community]
-#SigLevel = PackageOptional
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

# An example of a custom package repository. See the pacman manpage for
diff -Naur old/pacman.conf.x86_64 new/pacman.conf.x86_64
--- old/pacman.conf.x86_64 2012-05-31 22:15:59.600458792 +1000
+++ new/pacman.conf.x86_64 2012-05-31 22:38:21.699215405 +1000
@@ -36,18 +36,13 @@
CheckSpace
#VerbosePkgLists

-# PGP signature checking
-# NOTE: None of this will work without running `pacman-key --init` first.
-# The compiled in default is equivalent to the following line. This requires
-# you to locally sign and trust packager keys using `pacman-key` for them to be
-# considered valid.
+# By default, pacman accepts packages signed by keys that its local keyring
+# trusts (see pacman-key and its man page), as well as unsigned packages.
#SigLevel = Optional TrustedOnly
-# If you wish to check signatures but avoid local sign and trust issues, use
-# the following line. This will treat any key imported into pacman's keyring as
-# trusted.
-#SigLevel = Optional TrustAll
-# For now, off by default unless you read the above.
-SigLevel = Never
+
+# NOTE: You must run `pacman-key --init` before first using pacman; the local
+# keyring can then be populated with the keys of all official Arch Linux
+# packagers with `pacman-key --populate archlinux`.

#
# REPOSITORIES
@@ -77,11 +72,11 @@
#Include = /etc/pacman.d/mirrorlist

[core]
-#SigLevel = PackageRequired
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[extra]
-#SigLevel = PackageOptional
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

#[community-testing]
@@ -89,7 +84,7 @@
#Include = /etc/pacman.d/mirrorlist

[community]
-#SigLevel = PackageOptional
+SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

# If you want to run 32 bit applications on your x86_64 system,
@@ -100,7 +95,7 @@
#Include = /etc/pacman.d/mirrorlist

#[multilib]
-#SigLevel = PackageOptional
+#SigLevel = PackageRequired
#Include = /etc/pacman.d/mirrorlist

# An example of a custom package repository. See the pacman manpage for
diff -Naur old/pacman.install new/pacman.install
--- old/pacman.install 2012-05-31 22:15:59.600458792 +1000
+++ new/pacman.install 2012-04-30 20:36:13.366366907 +1000
@@ -9,7 +9,9 @@
if [ "$(vercmp $2 3.5.0)" -lt 0 ]; then
_warnupgrade
fi
- _check_pubring
+ if [ ! -f "etc/pacman.d/gnupg/pubring.gpg" ] || [ "$(vercmp $2 4.0.3-2)" -lt 0 ]; then
+ _check_pubring
+ fi
}

post_install() {
@@ -17,9 +19,9 @@
}

_check_pubring() {
- if [ ! -f "etc/pacman.d/gnupg/pubring.gpg" ]; then
- echo " >>> Run `pacman-key --init` to set up your pacman keyring."
- fi
+ echo " >>> Run `pacman-key --init; pacman-key --populate archlinux`"
+ echo " >>> to import the data required by pacman for package verification."
+ echo " >>> See: https://www.archlinux.org/news/having-pacman-verify-packages"
}

_warnupgrade() {
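Review bot: the unescaped backticks inside the double-quoted echo strings are still command substitution, exactly as in the April revision of this scriptlet, so as written the scriptlet would run pacman-key --init and pacman-key --populate archlinux itself instead of printing the instruction. Escape them as \` or single-quote the strings before this goes to [testing].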
diff -Naur old/PKGBUILD new/PKGBUILD
--- old/PKGBUILD 2012-05-31 22:15:59.600458792 +1000
+++ new/PKGBUILD 2012-05-31 22:41:54.882878202 +1000
@@ -5,14 +5,14 @@

pkgname=pacman
pkgver=4.0.3
-pkgrel=1
+pkgrel=2
pkgdesc="A library-based package manager with dependency support"
arch=('i686' 'x86_64')
url="http://www.archlinux.org/pacman/"
license=('GPL')
groups=('base')
depends=('bash' 'glibc>=2.15' 'libarchive>=3.0.2' 'curl>=7.19.4'
- 'gpgme' 'pacman-mirrorlist')
+ 'gpgme' 'pacman-mirrorlist' 'archlinux-keyring')
makedepends=('asciidoc')
optdepends=('fakeroot: for makepkg usage as normal user')
backup=(etc/pacman.conf etc/makepkg.conf)
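Review bot: etc/pacman.conf is listed in backup=, so on upgrade pacman installs the new configuration beside the user's copy as etc/pacman.conf.pacnew; the accompanying news text tells users to merge "pacman.conf.new", which is not a name pacman produces, so the news post should say pacman.conf.pacnew.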
@@ -24,8 +24,8 @@
makepkg.conf)
md5sums=('387965c7125e60e5f0b9ff3b427fe0f9'
'1a70392526c8768470da678b31905a6e'
- '4605b3490d4fd1e5c6e20db17da9ded6'
- 'a0edf98ad1845a4c7d902a86638d5d2d'
+ '99734ea46795f466d41c503e9e23b6d4'
+ '556d49489e82b5750cf026d3b18c8f4f'
'589cd34eb9d5b678455e8289394f523e')

build() {
 
