On Sun, Jun 17, 2012 at 10:00:27PM +0200, Geoffroy PLANQUART wrote:
> > However: Distributing a pacman keychain master key to more than one machine is
> > rarely a sensible solution. If you actually want the very specific additional
> > security checks offered by only allowing signed packages, you must ensure a
> > properly secured master key with a diligently confirmed web of trust. If the
> > private master key, which is being generated with --init, leaks, it is trivial
> > for a hypothetical attacker to directly sign manipulated packages with this
> > key, which basically invalidates the security benefit signed packages are
> > supposed to offer.
> Good point, I though about this one too, but what about automatic `pacman-key
> --init' at install time? This would solve the problem no?
Sort of. That will leave the issue of waiting for enough entropy to be
generated, which can be countered on a VM by running a command generating disk
I/O in parallel until the key generation is finished. Otherwise you'll get
complaints of "hanging" installers.
In addition, you'll need to take care of the initial key import and, more
importantly, initial trusting of the Archlinux Master Keys, which is only 95%
automated by the --populate call. It's your call whether you'll want to educate
your users and supply a source they can compare the displayed fingerprints to
manually, or "force" automatic trusting by piping 'yes' into the process.
Either way presents specific security issues which may or may not be of
relevance to you.
You may also choose to publicize your own repository containing a combination
of core, extra, community and the AUR as you need it, and re-sign all packages
with a wholly independent set of keys, or even only a single key, of your
choice, so that people using the repo have to trust keys which are easier for
them to verify.
All these considerations aside: You are going to need manual intervention by an
educated user during the installation to have a decent chance at the key
management not being built upon false premises from the get go. You can make it
easier, but probably shouldn't automate it away entirely, as this gives an
entirely unwarranted sense of security to the user. There's a reason why
--populate specifically asks the user to manually verify the fingerprints of
the master keys.
It all boils down to your specific security concerns you want to be addressed
by package/database signing in the first place. For example, if the VMs are in
an isolated, proxied network with the only package source definitely being
under your control, you can probably do away with the whole signing issue
altogether without facing a significantly higher risk of package manipulation
by a third party.
In your case, maybe you can include the fingerprints of the master keys in some
(printed) installation document for the users to use for verifying the master
keys during the --populate call. That way, the users may actually do the chore
diligently instead of hammering the enter key, and you can be reasonably sure
that the fingerprints they compare the output with are actually the right ones.
Unless somebody manages to manipulate your docs or the installation itself, of
Good luck either way!