01-21-2012, 05:45 PM
kachelaqa

Checking whether a package was signed

I'm still trying to get to grips with package signing, so this question
may not make complete sense, but:


Is there a way to check whether the signature was verified when a
package was installed?
 
01-21-2012, 06:57 PM
Dan McGee

On Sat, Jan 21, 2012 at 12:45 PM, kachelaqa <kachelaqa@gmail.com> wrote:
> I'm still trying to get to grips with package signing, so this question may
> not make complete sense, but:
>
> Is there a way to check whether the signature was verified when a package
> was installed?
No. However, -Si shows the presence of a signature and the various
checksums (MD5, SHA256) in the database.

-Dan
 
01-21-2012, 07:48 PM
kachelaqa

On 21/01/12 19:57, Dan McGee wrote:
> On Sat, Jan 21, 2012 at 12:45 PM, kachelaqa <kachelaqa@gmail.com> wrote:
>> I'm still trying to get to grips with package signing, so this question may
>> not make complete sense, but:
>>
>> Is there a way to check whether the signature was verified when a package
>> was installed?
>
> No. However, -Si shows the presence of a signature and the various
> checksums (MD5, SHA256) in the database.

Okay, thanks.

Can I ask why this is? I would have expected there to be at least a log
message somewhere.


ISTM that many users might want to know which installed packages on
their systems have verified signatures, and which ones not. Would they
be misguided in seeking that information?
 
01-21-2012, 08:06 PM
Dan McGee

On Sat, Jan 21, 2012 at 2:48 PM, kachelaqa <kachelaqa@gmail.com> wrote:
> On 21/01/12 19:57, Dan McGee wrote:
>>
>> On Sat, Jan 21, 2012 at 12:45 PM, kachelaqa <kachelaqa@gmail.com> wrote:
>>>
>>> I'm still trying to get to grips with package signing, so this question
>>> may
>>> not make complete sense, but:
>>>
>>> Is there a way to check whether the signature was verified when a package
>>> was installed?
>>
>> No. However, -Si shows the presence of a signature and the various
>> checksums (MD5, SHA256) in the database.
>
>
> Okay, thanks.
>
> Can I ask why this is? I would have expected there to be at least a log
> message somewhere.
It is a debug level message if one cares to look there. Obviously this
isn't all that helpful for the general end user though.

> ISTM that many users might want to know which installed packages on their
> systems have verified signatures, and which ones not. Would they be
> misguided in seeking that information?
Not misguided, but not something we currently track or anything. I
don't think we'd be against tracking this in some sort of
%VERIFICATION% field or something in the database; this could store
something like "md5", "sha256", "pgp", "none", etc. But it isn't
something we are likely to sit down and code; patches definitely
welcome.

-Dan
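
An added example, not part of the thread and not pacman code: an audit that groups packages by the proposed field and lists those that were not PGP-verified. The `%VERIFICATION%` field name and its values are the hypothetical ones from the message above; the example assumes the field would sit in pacman's existing local database `desc` layout (a `%FIELD%` header, one value per line, a blank line to close) and could hold several values.

```python
"""Audit pacman-style local database entries by how each package was verified."""
from collections import defaultdict

# Values suggested in the message above, ordered weakest to strongest.
STRENGTH = {"none": 0, "md5": 1, "sha256": 2, "pgp": 3}

def parse_desc(text):
    """Parse one 'desc' entry: a %FIELD% header line, then one value per
    line, closed by a blank line. Returns {field: [values]}."""
    fields, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None                      # blank line closes the field
        elif current is None and len(line) > 2 and line[0] == "%" == line[-1]:
            current = line[1:-1]
            fields.setdefault(current, [])
        elif current is not None:
            fields[current].append(line)        # value line of the open field
    return fields

def best_method(fields, field="VERIFICATION"):
    """Strongest recorded method; a missing or unknown value counts as 'none'."""
    known = [v for v in fields.get(field, []) if v in STRENGTH]
    return max(known, key=STRENGTH.get, default="none")

def audit(entries, minimum="pgp"):
    """Group package names by method and list those below the minimum."""
    by_method, weak = defaultdict(list), []
    for text in entries:
        fields = parse_desc(text)
        name = (fields.get("NAME") or ["<unnamed>"])[0]
        method = best_method(fields)
        by_method[method].append(name)
        if STRENGTH[method] < STRENGTH[minimum]:
            weak.append(name)
    return dict(by_method), sorted(weak)

# Constructed sample entries (not taken from a real system).
SAMPLE = [
    "%NAME%\nfoo\n\n%VERSION%\n1.0-1\n\n%VERIFICATION%\nsha256\npgp\n\n",
    "%NAME%\nbar\n\n%VERSION%\n2.3-1\n\n%VERIFICATION%\nmd5\n\n",
    "%NAME%\nbaz\n\n%VERSION%\n0.9-2\n\n",  # entry with no verification field
]

if __name__ == "__main__":
    groups, weak = audit(SAMPLE)
    print(groups)
    print("not PGP-verified:", weak)
```

An entry without the field is reported as "none", so packages installed before such a field existed would show up as unverified rather than being skipped.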
 
01-21-2012, 08:33 PM
kachelaqa

On 21/01/12 21:33, Allan McRae wrote:
> I'd agree this would be something of interest to have in pacman, but not
> something that will be on our high priority list to implement.
>
> If this is something the OP wants to patch, great! If not, it would be
> useful to file a feature request so it does not get lost and someone
> else might see and fix.


Okay. I will have a look to see if this is something within the scope of
my meagre c-coding abilities.


If not, I will make a feature request.

Thanks.
 
01-21-2012, 08:33 PM
Allan McRae

On 22/01/12 07:06, Dan McGee wrote:
> On Sat, Jan 21, 2012 at 2:48 PM, kachelaqa <kachelaqa@gmail.com> wrote:
>> On 21/01/12 19:57, Dan McGee wrote:
>>>
>>> On Sat, Jan 21, 2012 at 12:45 PM, kachelaqa<kachelaqa@gmail.com> wrote:
>>>>
>>>> I'm still trying to get to grips with package signing, so this question
>>>> may
>>>> not make complete sense, but:
>>>>
>>>> Is there a way to check whether the signature was verified when a package
>>>> was installed?
>>>
>>> No. However, -Si shows the presence of a signature and the various
>>> checksums (MD5, SHA256) in the database.
>>
>>
>> Okay, thanks.
>>
>> Can I ask why this is? I would have expected there to be at least a log
>> message somewhere.
> It is a debug level message if one cares to look there. Obviously this
> isn't all that helpful for the general end user though.
>
>> ISTM that many users might want to know which installed packages on their
>> systems have verified signatures, and which ones not. Would they be
>> misguided in seeking that information?
> Not misguided, but not something we currently track or anything. I
> don't think we'd be against tracking this in some sort of
> %VERIFICATION% field or something in the database; this could store
> something like "md5", "sha256", "pgp", "none", etc. But it isn't
> something we are likely to sit down and code; patches definitely
> welcome.
>

I'd agree this would be something of interest to have in pacman, but not
something that will be on our high priority list to implement.

If this is something the OP wants to patch, great! If not, it would be
useful to file a feature request so it does not get lost and someone
else might see and fix.

Allan
 
01-22-2012, 02:23 AM
kachelaqa

On 21/01/12 21:33, kachelaqa wrote:
> On 21/01/12 21:33, Allan McRae wrote:
>> I'd agree this would be something of interest to have in pacman, but not
>> something that will be on our high priority list to implement.
>>
>> If this is something the OP wants to patch, great! If not, it would be
>> useful to file a feature request so it does not get lost and someone
>> else might see and fix.
>
> Okay. I will have a look to see if this is something within the scope of
> my meagre c-coding abilities.
>
> If not, I will make a feature request.


https://bugs.archlinux.org/task/28040
 
