Old 10-14-2011, 03:27 AM
Sander Jansen
 
pacman 4.0.0 signing

After upgrading to the new pacman 4.0, the following system update
fails due to a lot of untrusted signatures (unknown trust error).

I'm guessing we need to verify we really trust these signatures. I've
found this guide regarding validating gpg keys:
http://www.pps.jussieu.fr/~jch/software/pgp-validating.html. I assume
this will be a lot similar, except using the pacman-key frontend to do
the verification.

So let me step through and see if I understand correctly:

All the developers' keys seem to be published here:
http://www.archlinux.org/developers/ and
http://www.archlinux.org/trustedusers

So to trust Andrea Scarpino's key I would get the pgp key from the
above webpage (PGP Key: 0xD30DB0AD) and finger it:

pacman-key --finger 0xD30DB0AD

then compare the fingerprint with the one that's linked to his profile:

http://pgp.mit.edu:11371/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0xD30DB0AD

It seems to match, so there is a good chance it's the real deal, so
now I can locally sign it:

pacman-key --lsign-key 0xD30DB0AD

Correct? The examples in the article also mark the key as trusted.
Would that be a good idea?

We have to do this for each and every Arch developer I guess? Is there
a faster way?

Sander
 
Old 10-14-2011, 03:32 AM
Karol Blazewicz
 
pacman 4.0.0 signing

On Fri, Oct 14, 2011 at 5:27 AM, Sander Jansen <s.jansen@gmail.com> wrote:
> After upgrading to the new pacman 4.0, the following system update
> fails due to a lot of untrusted signatures (unknown trust error).
>
> I'm guessing we need to verify we really trust these signatures. I've
> found this guide regarding validating gpg keys:
> http://www.pps.jussieu.fr/~jch/software/pgp-validating.html. I assume
> this will be a lot similar, except using the pacman-key frontend to do
> the verification.
>
> So let me step through and see if I understand correctly:
>
> All the developers' keys seem to be published here:
> http://www.archlinux.org/developers/ and
> http://www.archlinux.org/trustedusers
>
> So to trust Andrea Scarpino's key I would get the pgp key from the
> above webpage (PGP Key: 0xD30DB0AD) and finger it:
>
> pacman-key --finger 0xD30DB0AD
>
> then compare the fingerprint with the one that's linked to his profile:
>
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0xD30DB0AD
>
> It seems to match, so there is a good chance it's the real deal, so
> now I can locally sign it:
>
> pacman-key --lsign-key 0xD30DB0AD
>
> Correct? The examples in the article also mark the key as trusted.
> Would that be a good idea?
>
> We have to do this for each and every Arch developer I guess? Is there
> a faster way?
>
> Sander
>

Maybe http://identi.ca/conversation/84528911#notice-84578762 helps.
 
Old 10-14-2011, 03:41 AM
Allan McRae
 
pacman 4.0.0 signing

On 14/10/11 13:27, Sander Jansen wrote:

> After upgrading to the new pacman 4.0, the following system update
> fails due to a lot of untrusted signatures (unknown trust error).
>
> I'm guessing we need to verify we really trust these signatures. I've
> found this guide regarding validating gpg keys:
> http://www.pps.jussieu.fr/~jch/software/pgp-validating.html. I assume
> this will be a lot similar, except using the pacman-key frontend to do
> the verification.
>
> So let me step through and see if I understand correctly:
>
> All the developers' keys seem to be published here:
> http://www.archlinux.org/developers/ and
> http://www.archlinux.org/trustedusers
>
> So to trust Andrea Scarpino's key I would get the pgp key from the
> above webpage (PGP Key: 0xD30DB0AD) and finger it:
>
> pacman-key --finger 0xD30DB0AD
>
> then compare the fingerprint with the one that's linked to his profile:
>
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0xD30DB0AD
>
> It seems to match, so there is a good chance it's the real deal, so
> now I can locally sign it:
>
> pacman-key --lsign-key 0xD30DB0AD
>
> Correct? The examples in the article also mark the key as trusted.
> Would that be a good idea?
>
> We have to do this for each and every Arch developer I guess? Is there
> a faster way?

You could do it this way... but yes, it will take a long time.

At the moment I just use "SigLevel = Optional TrustAll" which means
imported keys are automatically considered as trusted without you having
to manually verify them. That is obviously not the best solution, but
it is an option until Arch gets a proper keyring sorted.


Allan
 
Old 10-14-2011, 04:12 AM
Sander Jansen
 
pacman 4.0.0 signing

On Thu, Oct 13, 2011 at 10:41 PM, Allan McRae <allan@archlinux.org> wrote:
> On 14/10/11 13:27, Sander Jansen wrote:
>>
>> After upgrading to the new pacman 4.0, the following system update
>> fails due to a lot of untrusted signatures (unknown trust error).
>>
>> I'm guessing we need to verify we really trust these signatures. I've
>> found this guide regarding validating gpg keys:
>> http://www.pps.jussieu.fr/~jch/software/pgp-validating.html. I assume
>> this will be a lot similar, except using the pacman-key frontend to do
>> the verification.
>>
>> So let me step through and see if I understand correctly:
>>
>> All the developers' keys seem to be published here:
>> http://www.archlinux.org/developers/ and
>> http://www.archlinux.org/trustedusers
>>
>> So to trust Andrea Scarpino's key I would get the pgp key from the
>> above webpage (PGP Key: 0xD30DB0AD) and finger it:
>>
>> pacman-key --finger 0xD30DB0AD
>>
>> then compare the fingerprint with the one that's linked to his profile:
>>
>> http://pgp.mit.edu:11371/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0xD30DB0AD
>>
>> It seems to match, so there is a good chance it's the real deal, so
>> now I can locally sign it:
>>
>> pacman-key --lsign-key 0xD30DB0AD
>>
>> Correct? The examples in the article also mark the key as trusted.
>> Would that be a good idea?
>>
>> We have to do this for each and every Arch developer I guess? Is there
>> a faster way?
>>
>
>
> You could do it this way... but yes, it will take a long time.
>
> At the moment I just use "SigLevel = Optional TrustAll" which means imported
> keys are automatically considered as trusted without you having to manually
> verify them. That is obviously not the best solution, but it is an option
> until Arch gets a proper keyring sorted.
>
> Allan
>

Ah ok. Just read your blog as well
(http://allanmcrae.com/2011/08/pacman-package-signing-3-pacman)

Thanks,

Sander
 