When pacman 4 first came out, I just merged the pacnew file so that package signing was disabled. I did initialise the keys etc. but I didn't import or sign the master keys or enable signature checks.
So tonight I figured I would start seeing how this worked. I took the fingerprints from the master key list on archlinux's site and I checked they matched the fingerprints listed on Allan's blog. I then imported the five master keys using pacman-key, signed them locally and used --edit-key to assign each of the five marginal trust.
I then commented out the "Never" line for package signing in pacman.conf so that it would use the compiled in default to make signatures optional but check them if available. I also set PackageRequired for the core repository. I left the other repos I have enabled to default to the default policy as I think signing isn't complete for them.
I then ran pacman -Syu. This mostly went OK but I'm slightly worried about this bit:
error: gsm: key "7F2D434B9741E8AC" is unknown
:: Import PGP key 9741E8AC, "Pierre Schmitz <pierre@archlinux.de>", created 2011-04-10? [Y/n] y
error: jbig2dec: key "BBE43771487328A9" is unknown
:: Import PGP key 487328A9, "Bartlomiej Piotrowski <b@bpiotrowski.pl>", created 2011-10-10? [Y/n] y
error: p11-kit: key "E8F18BA1615137BC" is unknown
:: Import PGP key 615137BC, "Ionut Biru <ibiru@archlinux.org>", created 2011-04-19? [Y/n] y
error: pacmatic: key "396E3E25BAB142C1" is unknown
:: Import PGP key BAB142C1, "Kyle Keen <keenerd@gmail.com>", created 2011-02-03? [Y/n] y
error: patchutils: key "06096A6AD1CEDDAC" is unknown
:: Import PGP key D1CEDDAC, "Laurent Carlier <lordheavym@gmail.com>", created 2011-10-30? [Y/n] y
error: perl-encode-locale: key "F99FFE0FEAE999BD" is unknown
:: Import PGP key EAE999BD, "Allan McRae <me@allanmcrae.com>", created 2011-06-03? [Y/n] y
error: vlc: key "B7310AE5F04569AE" is unknown
:: Import PGP key F04569AE, "Giovanni Scafora <giovanni@archlinux.org>", created 2011-10-15? [Y/n] y
I initially thought I was just telling pacman to import the keys but now I'm wondering if I also told it to trust them and if I wasn't meant to do that? Should they have been automatically handled if they were signed correctly? I was trying to follow the instructions on Allan's blog which show this question and Allan answering yes. However, I now realise that I got confused and that that bit comes *before* Allan imports and trusts the master keys, but I'd already done that at this point. (But it didn't complain they were untrusted once imported...)
Could somebody either reassure me that I did this correctly (securely)? Or advise me on how to undo it if that's what I should do?
Last edited by cfr (2012-02-19 15:14:02)
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Offline
That looks fine... You should not need to manually trust any of the developer keys as they will be signed by at least three of the master keys which you gave marginal trust. Pacman will only download the needed keys for you (if you select "y"), it will not give them any trust.
Offline
Great - thanks very much for the reassurance and quick response. I didn't do anything except say "y" as above and pacman seemed quite happy so it must be relying on the new keys being signed by the ones I'd given marginal trust. I'm quite surprised I managed to do it right!
Offline
I followed Allan's guide on page
http://allanmcrae.com/2011/12/pacman-pa … rch-linux/
and pacman -Syu gave:
error: xorg-bdftopcf: signature from "Allan McRae <me@allanmcrae.com>" is marginal trust
Which is surprising as his key is one of the master keys. Currently several master keys were revoked.
Based on GPG's output, it maybe requires some additional input to mark the revoked key as trusted:
sub 3072R/B20030F3 created: 2011-11-25 revoked: 2011-11-25 usage: A
[ full ] (1). Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
gpg gives this:
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
full story:
[root@archbang ~]# for key in FFF979E7 CDFD6BB0 4C7EA887 6AC6A4C2 824B18E8; do
> printf 'trust\n3\nquit\n' | gpg --homedir /etc/pacman.d/gnupg/ --no-permission-warning --command-fd 0 --edit-key $key
> done
pub 3072R/4C7EA887 created: 2011-11-25 expires: never usage: SC
trust: marginal validity: full
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sub 1024R/93F91AC3 created: 2011-11-25 revoked: 2011-11-25 usage: E
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sub 3072R/B20030F3 created: 2011-11-25 revoked: 2011-11-25 usage: A
[ full ] (1). Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
pub 3072R/4C7EA887 created: 2011-11-25 expires: never usage: SC
trust: marginal validity: full
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sub 1024R/93F91AC3 created: 2011-11-25 revoked: 2011-11-25 usage: E
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sub 3072R/B20030F3 created: 2011-11-25 revoked: 2011-11-25 usage: A
[ full ] (1). Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
pub 3072R/4C7EA887 created: 2011-11-25 expires: never usage: SC
trust: marginal validity: full
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sub 1024R/93F91AC3 created: 2011-11-25 revoked: 2011-11-25 usage: E
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sub 3072R/B20030F3 created: 2011-11-25 revoked: 2011-11-25 usage: A
[ full ] (1). Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
pub 3072R/6AC6A4C2 created: 2011-11-18 expires: never usage: SC
trust: marginal validity: full
sub 1024R/86872C2F created: 2011-11-18 expires: never usage: E
sub 3072R/1B516B59 created: 2011-11-18 expires: never usage: A
[ full ] (1). Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
pub 3072R/6AC6A4C2 created: 2011-11-18 expires: never usage: SC
trust: marginal validity: full
sub 1024R/86872C2F created: 2011-11-18 expires: never usage: E
sub 3072R/1B516B59 created: 2011-11-18 expires: never usage: A
[ full ] (1). Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
pub 3072R/6AC6A4C2 created: 2011-11-18 expires: never usage: SC
trust: marginal validity: full
sub 1024R/86872C2F created: 2011-11-18 expires: never usage: E
sub 3072R/1B516B59 created: 2011-11-18 expires: never usage: A
[ full ] (1). Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
I've got to go now. I will try gpg key edit later. If someone knows what to do, please help.
Thanks
Offline
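Added example, not part of any post in this thread: a simplified model of the rule discussed above, where an imported key with no owner trust of its own becomes fully valid once three valid, marginally trusted keys have signed it, and stays at marginal validity (the state behind an "is marginal trust" error) when one of those signers is revoked. It assumes GnuPG's default thresholds (marginals-needed 3, completes-needed 1); the function names and every key ID and name in the sample keyring are constructed.

```shell
# Simplified model of the GnuPG validity rule (defaults: completes-needed 1,
# marginals-needed 3) over `gpg --list-sigs --with-colons` records.
# Fields used: 1 record type, 2 validity, 5 key ID, 9 owner trust (pub only).
# Constructed sample keyring: every key ID and name below is made up.
sample_keyring() {
cat <<'EOF'
pub:f:3072:1:AAAA000000000001:2011-11-18:::m:Master One::scESC:
pub:f:3072:1:AAAA000000000002:2011-11-18:::m:Master Two::scESC:
pub:f:3072:1:AAAA000000000003:2011-11-18:::m:Master Three::scESC:
pub:r:3072:1:AAAA000000000004:2011-11-25:::m:Master Four (revoked)::sc:
pub:f:2048:1:DDDD000000000001:2011-06-03:::-:Developer A::scESC:
sig:::1:DDDD000000000001:2011-06-03::::Developer A:13x:
sig:::1:AAAA000000000001:2011-12-01::::Master One:10x:
sig:::1:AAAA000000000002:2011-12-01::::Master Two:10x:
sig:::1:AAAA000000000003:2011-12-01::::Master Three:10x:
pub:m:2048:1:DDDD000000000002:2011-10-15:::-:Developer B::scESC:
sig:::1:AAAA000000000001:2011-12-01::::Master One:10x:
sig:::1:AAAA000000000002:2011-12-01::::Master Two:10x:
sig:::1:AAAA000000000004:2011-12-01::::Master Four (revoked):10x:
EOF
}

# Report each key without owner trust, i.e. one that was only imported.
audit_validity() {
awk -F: '
$1 == "pub" {
    cur = $5; reported[cur] = $2
    # An anchor counts only while valid: revoked (r) or expired (e) adds nothing.
    if ($9 != "m" && $9 != "f" && $9 != "u") { n++; imported[n] = cur }
    else if ($2 == "f" || $2 == "u") weight[cur] = ($9 == "m") ? "m" : "f"
    next
}
# Count each distinct signer once and skip self-signatures.
$1 == "sig" && $5 != cur && !((cur " " $5) in seen) {
    seen[cur " " $5] = 1; signers[cur] = signers[cur] " " $5
}
END {
    for (i = 1; i <= n; i++) {
        k = imported[i]; m = 0; f = 0; cnt = split(signers[k], s, " ")
        for (j = 1; j <= cnt; j++) {
            if (weight[s[j]] == "m") m++
            else if (weight[s[j]] == "f") f++
        }
        v = (f >= 1 || m >= 3) ? "full" : (m >= 1 ? "marginal" : "unknown")
        printf "%s marginal_signers=%d computed=%s reported=%s\n", k, m, v, reported[k]
    }
}'
}
sample_keyring | audit_validity
```

On a real system the same record types come from `gpg --homedir /etc/pacman.d/gnupg --list-sigs --with-colons`; the model takes each listed signature at face value and looks only one certification level deep.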
llg179, please edit your post.
When pasting code, please use [ code ] tags https://bbs.archlinux.org/help.php#bbcode
like this
It makes the code more readable and more convenient to scroll through.
Offline
Try resetting your keys (remove /etc/pacman.d/gnupg) and reinitialize by following this procedure.
Burninate!
Offline
No need for that... you probably just need "pacman-key --refresh-keys"
Offline
Should be moved to TOPIC: Pacman and package issues
Satyam eva jayate
Registered linux user #535257
Offline
[root@archbang ~]
Are you using Arch or Archbang?
Should be moved to TOPIC: Pacman and package issues
I figured it was a I-am-trying-but-a-bit-confused question when I asked it rather than an "issue" with pacman or a package...
Offline
"I-am-trying-but-a-bit-confused" is a great description. As an ex-Ubuntu user after 3 days of frustration with Gentoo and some net-search I ended up trying the Archbang distro. I'm amused by your prompt responses which gave me a very good first impression about the Arch community. After a reboot the hostname was changed so probably I worked on the file system of the install cd? At the 2nd trial (reinstall from CD) update went well:
http://bbs.archbang.org/viewtopic.php?id=2268
http://allanmcrae.com/2011/12/pacman-package-signing-4-arch-linux/
sudo su -
pacman -Syy
pacman -S pacman
pacman-key --init
nano /etc/pacman.d/gnupg/gpg.conf
keyserver hkp://pgp.mit.edu:11371
cd /etc
mv /etc/pacman.conf ~/pacman.conf.1,old.backup
mv pacman.conf.pacnew pacman.conf
nano /etc/pacman.conf
SigLevel = Optional TrustedOnly
# SigLevel = Never
[core]
SigLevel = PackageRequired
[extra]
SigLevel = PackageRequired
#SigLevel = PackageOptional
[community]
#SigLevel = PackageOptional
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
curl https://www.archlinux.org/{developers,trustedusers} | awk -F\" '(/pgp.mit.edu/) {sub(/.*search=0x/,"");print $1}' | xargs pacman-key --recv-keys
for key in FFF979E7 CDFD6BB0 4C7EA887 6AC6A4C2 824B18E8; do
pacman-key --recv-keys $key
pacman-key --lsign-key $key
printf 'trust\n3\nquit\n' | gpg --homedir /etc/pacman.d/gnupg/ \
--no-permission-warning --command-fd 0 --edit-key $key
done
pacman -Syuf
Thank you for your help!
Last edited by llg179 (2012-03-04 22:18:00)
Offline
If you are using archbang, you should ask questions on the archbang forum.
You should never run
pacman -Syuf
unless you wish to break your system.
Offline
EDIT: My fault, nothing to say
Last edited by atercor (2012-05-19 23:18:29)
Offline
If you are using archbang, you should ask questions on the archbang forum.
???????????????
Archbang is Arch Linux with Openbox...
Nothing wrong with asking questions here.
Philippe
Offline
cfr wrote: If you are using archbang, you should ask questions on the archbang forum.
???????????????
Archbang is Arch Linux with Openbox...
Nothing wrong with asking questions here.
Uh, no.
Community technical support shall only be provided for official Arch Linux distribution media installations and the Arch User Repository. Threads concerning issues with, and requesting support for, derivate distributions, or operating systems other than Arch Linux are prohibited and will be closed.
Offline
cfr wrote: If you are using archbang, you should ask questions on the archbang forum.
???????????????
Archbang is Arch Linux with Openbox...
Nothing wrong with asking questions here.
First of all, you're derailing the thread. Secondly, it is not correct to say that Archbang is exactly the same as Arch Linux with Openbox. Thirdly, they have their own forums - to not use those forums is disrespectful to the ArchBang community and therefore not consistent with the Arch Linux forum guidelines.
Last edited by /dev/zero (2012-05-20 02:21:41)
Offline
Wow!
I never thought I would hurt you so much by saying the word Archbang...
Objection noted, I'll never do it again.
Are we friends again?
Philippe
Offline
Wow!
I never thought I would hurt you so much by saying the word Archbang...
Objection noted, I'll never do it again.
Are we friends again?
Philippe
You'll note that cfr has over 500 posts, compared to your own 20-odd. So, maybe it was a little presumptuous of you to try and contradict cfr.
A better approach: start a new thread (to prevent derailing), link back to the old thread, and ask a question instead of asserting opposition.
Offline
Moderator Comment:
@Philippe1. As has been pointed out, Archbang is not Arch; it is a derivative of Arch, but it is not Arch. We have nothing against Archbang, or the fine people that publish it, or the good people who use it.
There are two issues. First, this is the Arch Linux forums. The resources to host this forum are finite and are not free. It is only fair that Archbang should carry that support load.
But the real issue is that there are differences. Advice provided on these forums may be flat out wrong on an Archbang system; but far more importantly, questions about Archbang on these forums will create confusion with issues that are not applicable to Arch and will muddy the waters of these forums. The moderation team will not tolerate this. As Jasonryan has pointed out, it is against our policy and I have explained why.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Offline
Understood.
Have a nice day!
Philippe
Offline