
#1 2012-07-11 14:11:10

scjet
Banned
Registered: 2011-07-23
Posts: 172

[SOLVED]: Arch-Netinstall and "pacman-key --init" ?

...when I try to use:

pacman-key --init; pacman-key --populate archlinux

during an automated post-install within /etc/rc.local, it just hangs forever at the "pacman-key --init" phase. Also, I can't seem to open up another terminal/2nd console (Ctrl-Alt-F3) to help generate entropy, if that is indeed the problem, unless of course rc.local runs before the init 6 levels? Gawd, I'm getting rusty in Unix basics again, lol.

My pacman.conf "SigLevel"'s are only:

...
[core]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[extra]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[community]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[multilib]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
...

However, if I run the above after it finishes booting up to my desktop (GUI), then I can successfully run the "pacman-key" commands with no problems. The network is obviously up long before /etc/rc.local is called; I have verified that.

...has anyone else experienced this sort of thing using an Arch Netinstall lately?

thanks again.
Rick.

Last edited by scjet (2012-07-13 12:13:29)


The "BSD" things in life are "Free", and "Open", and so is "Arch"


#2 2012-07-11 14:17:40

scjet
Banned
Registered: 2011-07-23
Posts: 172

Re: [SOLVED]: Arch-Netinstall and "pacman-key --init" ?

Sorry, I must have missed this during my search, although the below link does not specifically deal with an automated netinstall. ;)
https://bbs.archlinux.org/viewtopic.php?id=137601
I'll read up on that, but still NO Luck so far.

Last edited by scjet (2012-07-11 14:40:15)



#3 2012-07-11 14:54:46

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,447

Re: [SOLVED]: Arch-Netinstall and "pacman-key --init" ?

Anything run in rc.local does block the boot/login process until it is complete unless it is backgrounded.

Perhaps this would work

(pacman-key --init; pacman-key --populate archlinux) &

I don't know if this would cause other problems.  It seems a bit odd to automate these in rc.local to me, but this should fix the immediate issue of not being able to change tty's to generate entropy.

edit: you may also need to use 'nohup', though I'm not sure where it'd need to go in such an ugly incantation.  Perhaps

#untested: nohup takes a command, not a parenthesised subshell, so wrap the pair in sh -c
nohup sh -c 'pacman-key --init; pacman-key --populate archlinux' &

Last edited by Trilby (2012-07-11 14:56:48)


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#4 2012-07-12 06:05:14

scjet
Banned
Registered: 2011-07-23
Posts: 172

Re: [SOLVED]: Arch-Netinstall and "pacman-key --init" ?

The "pacman-key --init" worked fine within the bootup script; it was just a pain waiting for/generating the entropy.
And "pacman-key --populate archlinux" defaults to PGP sig errors because the [y/N] queries skip by in the bootup script.
It would be a handy option (for scripting) if a "--yes" or similar could forcibly agree to the signing/importing of keys within the "pacman-key --populate ..." command during an unattended install.
I'll need to study up a lot more in regards to the "Keys" to Arch... ;)

Anyway, thanks for the reply and tip.

Last edited by scjet (2012-07-12 06:15:21)



#5 2012-07-12 06:23:19

Awebb
Member
Registered: 2010-05-06
Posts: 6,275

Re: [SOLVED]: Arch-Netinstall and "pacman-key --init" ?

Populating the keyring means you have to trust those keys. The process is not automatic, because you have to actively trust those keys by looking them up. It's hard to automate trust.


#6 2012-07-12 06:28:04

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,365

Re: [SOLVED]: Arch-Netinstall and "pacman-key --init" ?

Actually...  we are probably getting rid of the need for confirmation.  If someone has root privileges required to run --populate or adjust the imported file, they can do whatever they want to your pacman keyring...   So there is really no security benefit to manually saying "y" all the time.


#7 2012-07-12 06:42:26

Awebb
Member
Registered: 2010-05-06
Posts: 6,275

Re: [SOLVED]: Arch-Netinstall and "pacman-key --init" ?

I thought the untrusted part was the import process, you know, little gnomes hijacking your network, spoofing Arch dev keys...


#8 2012-07-12 06:58:46

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [SOLVED]: Arch-Netinstall and "pacman-key --init" ?

Awebb wrote:

I thought the untrusted part was the import process, you know, little gnomes hijacking your network, spoofing Arch dev keys...

I thought so, too. But what about shipping the installation image with a certificate? Then download a signed list with trusted keys, verify it and only trust certificates on this list.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#9 2012-07-12 14:10:31

scjet
Banned
Registered: 2011-07-23
Posts: 172

Re: [SOLVED]: Arch-Netinstall and "pacman-key --init" ?

Awebb wrote:

I thought the untrusted part was the import process, you know, little gnomes hijacking your network, spoofing Arch dev keys...


Yes, that may always be a possibility to an extent, with an unattended netinstall, but I prefer @Allan's:

...we are probably getting rid of the need for confirmation...

, not for argument's sake, but because I'm dead lazy ;)
(simple methods prefer I), for automated Netinstalls, plus, I will be the only one with "root" privs on a couple of these unattended Netinstall boxes...

again, thanks all, for the replies, this is pointing me in the right learning direction for Arch security, and 'da "Keys".
Sooo, please guard them closely for us, you #1's out there!

Last edited by scjet (2012-07-12 21:32:50)



#10 2012-07-13 03:58:34

cjpembo
Member
Registered: 2008-08-06
Posts: 105

Re: [SOLVED]: Arch-Netinstall and "pacman-key --init" ?

I tried hitting random keys; I had multiple terminals running ls -R / .  Nothing worked.  Only haveged worked (in a fraction of a second). Of course you have to edit pacman.conf and disable package signing to get haveged installed...... irony.  This is the silliest thing I've had to do in over 15 YEARS installing Linux.  I'm speechless.  Put haveged in [core]; install it by default; make it integral to pacman-key.  Is this what KISS has become?

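
Putting Trilby's backgrounding tip (#3) and cjpembo's haveged fallback (#10) into one rc.local job, as an added example that is not code from the thread or from pacman-key: the script checks the kernel entropy pool before "pacman-key --init", starts haveged if the pool is low and the daemon is installed, waits with a timeout, and is meant to be started with nohup in the background so the boot is not blocked. The entropy file path, the 2048-bit threshold, the 300-second timeout, the install path and the log file are assumptions; the sample pool values in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks the kernel entropy pool
# before running pacman-key --init, starts haveged as a fallback when it is
# available, and is designed to be backgrounded with nohup from rc.local.
# Threshold, timeout and paths are assumptions, not Arch defaults.

ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}

# entropy_ok FILE THRESHOLD: succeed when the pool holds at least THRESHOLD bits
entropy_ok() {
    avail=$(cat "$1" 2>/dev/null) || return 1
    [ "$avail" -ge "$2" ] 2>/dev/null
}

# wait_for_entropy FILE THRESHOLD SECONDS: poll once a second until the pool
# reaches THRESHOLD; return 1 if it has not done so within SECONDS
wait_for_entropy() {
    left=$3
    while [ "$left" -gt 0 ]; do
        entropy_ok "$1" "$2" && return 0
        sleep 1
        left=$((left - 1))
    done
    return 1
}

# init_keyring: the job rc.local should background. If the pool is low and
# haveged is installed, start it so gpg's key generation does not stall.
# --populate still asks its "Really sign?" questions; this only fixes --init.
init_keyring() {
    if ! entropy_ok "$ENTROPY_FILE" 2048; then
        if command -v haveged >/dev/null 2>&1; then
            haveged || echo "haveged failed to start" >&2
        else
            echo "low entropy and no haveged; --init may take a long time" >&2
        fi
        wait_for_entropy "$ENTROPY_FILE" 2048 300 ||
            echo "entropy still below 2048 bits after 300s; continuing" >&2
    fi
    pacman-key --init && pacman-key --populate archlinux
}

# Only run the job when invoked as "... run", so sourcing this file for its
# functions does not touch the keyring. Assumed line for /etc/rc.local:
#   nohup /usr/local/sbin/init-keyring.sh run >/var/log/pacman-key-init.log 2>&1 &
if [ "${1:-}" = "run" ]; then
    init_keyring
fi
```

The nohup/& line is what keeps rc.local from blocking while gpg waits for entropy; the log file replaces the console output you cannot see from a second tty. Point ENTROPY_FILE at a constructed file holding "128" and entropy_ok fails at the 2048 threshold but passes at 64; with "4096" it passes immediately. The caveat from #10 stands: haveged has to be on the box before this runs, which on a fresh netinstall means installing it from the install medium rather than from a signed mirror.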

#11 2012-07-13 04:45:08

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963

Re: [SOLVED]: Arch-Netinstall and "pacman-key --init" ?

Allan wrote:

Actually...  we are probably getting rid of the need for confirmation.  If someone has root privileges required to run --populate or adjust the imported file, they can do whatever they want to your pacman keyring...   So there is really no security benefit to manually saying "y" all the time.

Huh? Isn't the point of confirming the keys to avoid MITM attacks such as compromised servers? Automating the process would abolish any security from having signed packages and databases. The lazy users who don't care about security and who can't be bothered to check the keys can just disable it. There's no reason to reduce security for everyone just to keep the lazy happy.

Am I missing something?


My Arch Linux Stuff | Forum Etiquette | Community Ethos - Arch is not for everyone


#12 2012-07-13 07:17:30

scjet
Banned
Registered: 2011-07-23
Posts: 172

Re: [SOLVED]: Arch-Netinstall and "pacman-key --init" ?

@Xyne
ok sure agreed.
Then you're more than welcome to ssh in (for "security" reasons of course) to all of our Netinstalls, hit about 327 random keys just to generate enough entropy (they're older boxes), and then of course manually agree every time by hitting "y" to the --populate ... every single time ...

PGP-Signed: LAZY KISS'S

Last edited by scjet (2012-07-13 07:19:53)



#13 2012-07-13 09:56:46

Awebb
Member
Registered: 2010-05-06
Posts: 6,275

Re: [SOLVED]: Arch-Netinstall and "pacman-key --init" ?

You cannot care about security while not caring about security, but I'd be cool if --populate showed you a list of keys, asking you to verify them and then hit OKAY once.

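
The disagreement between Allan (#6), Xyne (#11), progandy (#8) and Awebb (#13) turns on where the trust decision lives. As an added example that is not code from the thread or from pacman-key, the script below makes that decision from a pinned list: a key gets locally signed only if it is in the keyring, named in a trusted list and absent from a revoked list, and the whole verdict is printed once as the summary Awebb asks for. This mirrors the keyring/trusted/revoked files that pacman-key --populate reads from the archlinux-keyring package, but the formats used here are assumptions (gpg --with-colons "fpr" records with the fingerprint in field 10, and gpg ownertrust lines "FINGERPRINT:LEVEL:"), and every fingerprint is a constructed placeholder, not a real Arch key.

```shell
#!/bin/sh
# Added example, not code from the thread or from pacman-key. Decides which
# keys a non-interactive --populate may locally sign from a pinned trust list
# instead of a human typing "y". Formats assumed: gpg --with-colons "fpr"
# records (field 10 = fingerprint) and gpg ownertrust lines "FPR:LEVEL:".
# All fingerprints are constructed placeholders.

# Constructed sample: three keys present in the keyring ...
KEYRING='fpr:::::::::1111111111111111111111111111111111111111:
fpr:::::::::2222222222222222222222222222222222222222:
fpr:::::::::3333333333333333333333333333333333333333:'

# ... a pinned trust list naming 1111, 2222 and a key the keyring lacks ...
TRUSTED='# fingerprint:ownertrust:
1111111111111111111111111111111111111111:4:
2222222222222222222222222222222222222222:4:
9999999999999999999999999999999999999999:4:'

# ... and a revocation list naming 2222.
REVOKED='2222222222222222222222222222222222222222'

# classify KEYRING TRUSTED REVOKED: one line per key, "<verdict> <fingerprint>"
#   sign           in the keyring, pinned as trusted, not revoked
#   skip-revoked   pinned but on the revocation list
#   skip-unlisted  in the keyring but not pinned (never signed automatically)
#   missing        pinned but absent from the keyring (tampered or stale file)
classify() {
    {
        printf 'TRUSTED\n%s\n' "$2"
        printf 'REVOKED\n%s\n' "$3"
        printf 'KEYRING\n%s\n' "$1"
    } | awk -F: '
        /^(TRUSTED|REVOKED|KEYRING)$/ { section = $0; next }
        /^#/ || NF == 0               { next }
        section == "TRUSTED" { trusted[$1] = $2; next }
        section == "REVOKED" { revoked[$1] = 1;  next }
        section == "KEYRING" && $1 == "fpr" {
            fpr = $10; seen[fpr] = 1
            if (!(fpr in trusted)) { print "skip-unlisted " fpr; next }
            if (fpr in revoked)    { print "skip-revoked " fpr;  next }
            print "sign " fpr
        }
        END { for (f in trusted) if (!(f in seen)) print "missing " f }
    ' | sort
}

# keys_to_sign KEYRING TRUSTED REVOKED: only the fingerprints to hand to
# pacman-key --lsign-key, one per line
keys_to_sign() {
    classify "$1" "$2" "$3" | awk '$1 == "sign" { print $2 }'
}

# Print the one-screen summary, then sign only what the pinned list allows.
# The pacman-key call is left commented out so this file runs anywhere.
classify "$KEYRING" "$TRUSTED" "$REVOKED"
# keys_to_sign "$KEYRING" "$TRUSTED" "$REVOKED" | xargs -n1 pacman-key --lsign-key
```

On the constructed data the summary is four lines: missing 9999..., sign 1111..., skip-revoked 2222..., skip-unlisted 3333..., and only 1111... would be signed. Allan's argument is visible here: the "y" adds nothing the list does not already say, because root controls both. Xyne's and Awebb's objection is visible too: the list is only worth anything if it arrives through a channel the attacker does not control, which is why it belongs inside the signed keyring package (or, as progandy suggests, is verified against a certificate shipped on the install image) and not on a page fetched alongside the keys it vouches for. A "missing" verdict for a pinned key is the cheapest check the script adds: it flags a keyring that was swapped or truncated before anything is signed.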

#14 2012-07-13 12:12:21

scjet
Banned
Registered: 2011-07-23
Posts: 172

Re: [SOLVED]: Arch-Netinstall and "pacman-key --init" ?

Thanks all, my unattended Netinstall is solved now:

Also, a thanks to "@cjpembo" for the "haveged" tip, <- Edit: which he got from: https://wiki.archlinux.org/index.php/Pa … he_keyring
Along with the above haveged package I grabbed "expect"/[extra], and called "pacman-key --populate archlinux" answering "y" to all in a script. It's a "lazy" one, but it'll suffice for now.
I would have never "expect"ed to have to use this <- smile -it's a bad pun, I know.

#!/usr/bin/expect -f
# Answer "y" to every local-signing prompt from pacman-key --populate.
set timeout -1
spawn pacman-key --populate archlinux
expect {
    -ex {Really sign? (y/N)} { send "y\r"; exp_continue }
    eof
}
# Propagate pacman-key's exit status to the caller.
catch wait result
exit [lindex $result 3]

NOTE: As others here have dutifully warned/explained, Know The Risks if using anything similar to this!

Thanks.

Last edited by scjet (2012-07-13 13:38:13)



#15 2012-07-13 13:27:04

cjpembo
Member
Registered: 2008-08-06
Posts: 105

Re: [SOLVED]: Arch-Netinstall and "pacman-key --init" ?

The haveged tip is not mine... I'm not that smart! I got it straight from the archlinux bug pages relating to this issue. In my case, I couldn't create enough entropy with a few terminals flying and shaking the mouse; and it is a very fast machine. I looked like an idiot for 30 minutes - and felt like one too. It is probably the case that this new feature was only tested on an existing Arch system... probably had GNOME or something installed and background entropy was high.

Just to reiterate my point: I hope the devs fix this entropy issue soon - IT IS BROKEN. When you add a showstopper feature to the install, it needs to just work.

The beauty of arch was always how easy and reliable it was to install.  Kind of like OpenBSD.


#16 2012-07-13 13:32:51

scjet
Banned
Registered: 2011-07-23
Posts: 172

Re: [SOLVED]: Arch-Netinstall and "pacman-key --init" ?

cjpembo wrote:

...The beauty of arch was always how easy and reliable it was to install. Kind of like OpenBSD.

By mentioning "haveged" (which I had never heard of before), you helped point me to what I wanted to accomplish; it's dirty but it works great, for now.
So again, Thanks.

And yep, +1 for OpenBSD too !

Last edited by scjet (2012-07-13 13:49:36)


