
#1 2018-11-27 03:30:21

chr0mag
Member
From: Canada
Registered: 2017-02-02
Posts: 63

[SOLVED] files.sig & db.sig downloads return 404 Not Found

What is the current status of package database & file database signing/validation?

I've noticed that pacman is attempting, but unable to download any of the database signature files (*.db.sig & *.files.sig).

e.g. sudo pacman --verbose --files --refresh --refresh --debug against mirrors.kernel.org shows the following:

debug: pacman v5.1.1 - libalpm v11.0.1
debug: config: attempting to read file /etc/pacman.conf
debug: config: new section 'options'
debug: config: HoldPkg: pacman
debug: config: HoldPkg: glibc
debug: config: arch: x86_64
debug: config: SigLevel: Required
debug: config: SigLevel: DatabaseOptional
debug: config: LocalFileSigLevel: Optional
debug: config: new section 'core'
debug: config file /etc/pacman.conf, line 76: including /etc/pacman.d/mirrorlist
debug: config: new section 'extra'
debug: config file /etc/pacman.conf, line 79: including /etc/pacman.d/mirrorlist
debug: config: new section 'community'
debug: config file /etc/pacman.conf, line 85: including /etc/pacman.d/mirrorlist
debug: config: finished parsing /etc/pacman.conf
debug: setup_libalpm called
debug: option 'dbext' = .files
debug: option 'logfile' = /var/log/pacman.log
debug: option 'gpgdir' = /etc/pacman.d/gnupg/
debug: option 'hookdir' = /etc/pacman.d/hooks/
debug: option 'cachedir' = /var/cache/pacman/pkg/
debug: registering sync database 'core'
debug: database path for tree core set to /var/lib/pacman/sync/core.files
debug: "/var/lib/pacman/sync/core.files.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/core.files.sig could not be opened
debug: missing optional signature
debug: setting usage of 15 for core repository
debug: adding new server URL to database 'core': http://mirrors.kernel.org/archlinux/core/os/x86_64
debug: registering sync database 'extra'
debug: database path for tree extra set to /var/lib/pacman/sync/extra.files
debug: "/var/lib/pacman/sync/extra.files.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/extra.files.sig could not be opened
debug: missing optional signature
debug: setting usage of 15 for extra repository
debug: adding new server URL to database 'extra': http://mirrors.kernel.org/archlinux/extra/os/x86_64
debug: registering sync database 'community'
debug: database path for tree community set to /var/lib/pacman/sync/community.files
debug: "/var/lib/pacman/sync/community.files.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/community.files.sig could not be opened
debug: missing optional signature
debug: setting usage of 15 for community repository
debug: adding new server URL to database 'community': http://mirrors.kernel.org/archlinux/community/os/x86_64
Root      : /
Conf File : /etc/pacman.conf
DB Path   : /var/lib/pacman/
Cache Dirs: /var/cache/pacman/pkg/  
Hook Dirs : /usr/share/libalpm/hooks/  /etc/pacman.d/hooks/  
Lock File : /var/lib/pacman/db.lck
Log File  : /var/log/pacman.log
GPG Dir   : /etc/pacman.d/gnupg/
Targets   : None
:: Synchronizing package databases...
debug: url: http://mirrors.kernel.org/archlinux/core/os/x86_64/core.files
debug: maxsize: 26214400
debug: opened tempfile for download: /var/lib/pacman/sync/core.files.part (wb)
downloading core.files...
debug: curl returned error 0 from transfer
debug: response code: 200
debug: url: http://mirrors.edge.kernel.org/archlinux/core/os/x86_64/core.files.sig
debug: maxsize: 16384
debug: opened tempfile for download: /var/lib/pacman/sync/core.files.sig.part (wb)
debug: curl returned error 0 from transfer
debug: response code: 404
debug: "/var/lib/pacman/sync/core.files.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/core.files.sig could not be opened
debug: missing optional signature
debug: url: http://mirrors.kernel.org/archlinux/extra/os/x86_64/extra.files
debug: maxsize: 26214400
debug: opened tempfile for download: /var/lib/pacman/sync/extra.files.part (wb)
downloading extra.files...
debug: curl returned error 0 from transfer
debug: response code: 200
debug: url: http://mirrors.edge.kernel.org/archlinux/extra/os/x86_64/extra.files.sig
debug: maxsize: 16384
debug: opened tempfile for download: /var/lib/pacman/sync/extra.files.sig.part (wb)
debug: curl returned error 0 from transfer
debug: response code: 404
debug: "/var/lib/pacman/sync/extra.files.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/extra.files.sig could not be opened
debug: missing optional signature
debug: url: http://mirrors.kernel.org/archlinux/community/os/x86_64/community.files
debug: maxsize: 26214400
debug: opened tempfile for download: /var/lib/pacman/sync/community.files.part (wb)
downloading community.files...
debug: curl returned error 0 from transfer
debug: response code: 200
debug: url: http://mirrors.edge.kernel.org/archlinux/community/os/x86_64/community.files.sig
debug: maxsize: 16384
debug: opened tempfile for download: /var/lib/pacman/sync/community.files.sig.part (wb)
debug: curl returned error 0 from transfer
debug: response code: 404
debug: "/var/lib/pacman/sync/community.files.sig" is not readable: No such file or directory
debug: sig path /var/lib/pacman/sync/community.files.sig could not be opened
debug: missing optional signature
debug: unregistering database 'local'
debug: unregistering database 'core'
debug: unregistering database 'extra'
debug: unregistering database 'community'

I've tried 4-5 different mirrors all with the same result.

I'm using the default pacman.conf setting:

SigLevel    = Required DatabaseOptional

...and the wiki has the following note:

Although all official packages are now signed, as of June 2012 signing of the databases is a work in progress. If Required is set then DatabaseOptional should also be set.

Is this still a work in progress? Are there any mirrors that do provide db.sig & files.sig files?

Lastly, I'm trying to understand the security implications of not signing/validating db.sig & files.sig. If package signing/validation by "TrustedOnly" sources is "Required", is the danger limited to package omission only? Sure, a malicious mirror could add a package, but with the default SigLevel setting only a legitimate package would ever actually get installed.

Last edited by chr0mag (2018-11-27 21:26:15)
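The debug output above is verbose, and the one fact that matters for the question (which repositories ended up with an unverified database, and why pacman tolerated that) is spread over many lines. The following Python script is an added example, not something from this thread or from pacman itself: it parses lines in the shape of the quoted `--debug` output, pairs each `url:` line with the `response code:` that follows it, and reports per repository whether the detached `.sig` was downloaded and whether the configured SigLevel (`DatabaseOptional`) is what let the unsigned database through. The sample log is constructed (a mirror hostname under `.invalid`, and a hypothetical `extra` repository whose signature did download, added only for contrast with the 404 seen in the post).

```python
import re
from collections import defaultdict

# Constructed sample: lines in the shape of the pacman --debug output quoted in the post.
# The 'core' entries mirror what the post shows (signature 404); the 'extra' entries are
# a hypothetical run where the mirror did serve a .files.sig, added only for contrast.
SAMPLE_LOG = """\
debug: config: SigLevel: Required
debug: config: SigLevel: DatabaseOptional
debug: url: http://mirror.example.invalid/archlinux/core/os/x86_64/core.files
debug: maxsize: 26214400
debug: curl returned error 0 from transfer
debug: response code: 200
debug: url: http://mirror.example.invalid/archlinux/core/os/x86_64/core.files.sig
debug: maxsize: 16384
debug: curl returned error 0 from transfer
debug: response code: 404
debug: missing optional signature
debug: url: http://mirror.example.invalid/archlinux/extra/os/x86_64/extra.files
debug: response code: 200
debug: url: http://mirror.example.invalid/archlinux/extra/os/x86_64/extra.files.sig
debug: response code: 200
"""

URL_RE = re.compile(r"^debug: url: (\S+)$")
CODE_RE = re.compile(r"^debug: response code: (\d+)$")
SIGLEVEL_RE = re.compile(r"^debug: config: SigLevel: (\S+)$")
# core.files, core.db, core.files.sig, core.db.sig -> repo name, extension, optional .sig
NAME_RE = re.compile(r"^(?P<repo>[^./]+)\.(?P<ext>db|files)(?P<sig>\.sig)?$")


def audit_sync_log(text):
    """Summarise, per repository, whether the database and its detached signature were fetched.

    Returns {repo: {"db": http_code, "sig": http_code, "signature_present": bool, "status": str}}.
    A 200 on the .sig only means it was downloaded; pacman checks it against the keyring afterwards.
    """
    siglevels = []
    codes = defaultdict(lambda: {"db": None, "sig": None})
    pending = None  # (repo, is_sig) of the most recent 'url:' line awaiting its response code
    for line in text.splitlines():
        m = SIGLEVEL_RE.match(line)
        if m:
            siglevels.append(m.group(1))
            continue
        m = URL_RE.match(line)
        if m:
            name = NAME_RE.match(m.group(1).rsplit("/", 1)[-1])
            pending = (name.group("repo"), name.group("sig") is not None) if name else None
            continue
        m = CODE_RE.match(line)
        if m and pending:
            repo, is_sig = pending
            codes[repo]["sig" if is_sig else "db"] = int(m.group(1))
            pending = None

    db_optional = "DatabaseOptional" in siglevels
    report = {}
    for repo, c in codes.items():
        present = c["sig"] == 200
        if present:
            status = "signature downloaded; pacman verifies it against the keyring before use"
        elif db_optional:
            status = "no signature; database accepted unverified because of DatabaseOptional"
        else:
            status = "no signature; database would be rejected under this SigLevel"
        report[repo] = {**c, "signature_present": present, "status": status}
    return report


if __name__ == "__main__":
    for repo, info in audit_sync_log(SAMPLE_LOG).items():
        print(f"{repo:10} db={info['db']} sig={info['sig']}  {info['status']}")
```

Run against a saved `pacman --debug` transcript, the report makes the trade-off in the default `SigLevel = Required DatabaseOptional` visible at a glance: every repository whose status line mentions `DatabaseOptional` is one whose package list was accepted on the mirror's word alone, even though each package inside it will still be signature-checked at install time.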


#2 2018-11-27 03:44:54

Allan
Member
From: Brisbane, AU
Registered: 2007-06-09
Posts: 10,779

Re: [SOLVED] files.sig & db.sig downloads return 404 Not Found

They are not signed. Still a "work in progress" but that does not mean anyone is actually working on it.

Not signing databases is fun... This does not allow you to install a package that has not been signed by the Arch team, so the packages are "safe". However, an attacker could delay the update of a package with a known security issue.

Would that be noticed? Probably... Not sure at what speed. Is that something you should care about? Not really - no-one cares who you are enough to target you directly and you are probably using Arch for a personal machine.
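The risk Allan describes, a mirror that keeps serving an old database so a fixed package never appears as an update, cannot be caught by package signatures, because the old package is also legitimately signed. What does catch it is a cross-check against an independent copy of the same database. The Python below is an added example, not code from this thread or from pacman: it reads two sync databases (assumed here to be gzip-compressed tar archives of `<name>-<version>/desc` entries in the `%KEY%` / value format that pacman sync databases use), and lists every package that the mirror serves with an older `%BUILDDATE%` than the reference, or omits altogether. Build dates are compared instead of version strings so the example does not have to reimplement pacman's `vercmp`; a held-back package necessarily carries the older build date. The databases, package names, versions and dates are all constructed for the example by the `build_db` helper.

```python
import io
import tarfile


def parse_desc(text):
    """Parse a sync-db 'desc' entry: a %KEY% line followed by value lines, blank-line separated."""
    fields, key, values = {}, None, []
    for line in text.splitlines():
        if line.startswith("%") and line.endswith("%") and len(line) > 2:
            if key is not None:
                fields[key] = values
            key, values = line.strip("%"), []
        elif line:
            values.append(line)
    if key is not None:
        fields[key] = values
    return fields


def load_sync_db(blob):
    """Read a gzip-compressed sync database (<name>-<version>/desc entries) into
    {name: (version, builddate)}. Only the fields needed for the freshness check are kept."""
    packages = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not (member.isfile() and member.name.endswith("/desc")):
                continue
            desc = parse_desc(tar.extractfile(member).read().decode())
            packages[desc["NAME"][0]] = (desc["VERSION"][0], int(desc["BUILDDATE"][0]))
    return packages


def find_held_back(reference, mirror):
    """Return (name, finding, reference_version, mirror_version) for every package that the
    mirror serves with an older build date than the reference, or does not serve at all.
    Build dates stand in for a version comparison so no vercmp reimplementation is needed."""
    findings = []
    for name, (ref_ver, ref_date) in sorted(reference.items()):
        if name not in mirror:
            findings.append((name, "missing on mirror", ref_ver, None))
            continue
        mir_ver, mir_date = mirror[name]
        if mir_date < ref_date:
            findings.append((name, "older build on mirror", ref_ver, mir_ver))
    return findings


def build_db(entries):
    """Constructed helper for this example: build a minimal sync-db archive from
    (name, version, builddate) tuples. Real databases carry more fields (checksums,
    dependencies, the package's %PGPSIG%) which this check does not need."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, version, builddate in entries:
            body = f"%NAME%\n{name}\n\n%VERSION%\n{version}\n\n%BUILDDATE%\n{builddate}\n\n".encode()
            info = tarfile.TarInfo(name=f"{name}-{version}/desc")
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed sample databases (package names, versions and dates are invented).
REFERENCE_DB = build_db([
    ("libexample", "2.0-2", 1543000000),   # rebuilt with a fix
    ("exampletool", "1.4-1", 1542000000),
    ("newpkg", "0.1-1", 1543100000),       # added to the repository recently
])
STALE_MIRROR_DB = build_db([
    ("libexample", "2.0-1", 1540000000),   # mirror still serves the pre-fix build
    ("exampletool", "1.4-1", 1542000000),
])


if __name__ == "__main__":
    for finding in find_held_back(load_sync_db(REFERENCE_DB), load_sync_db(STALE_MIRROR_DB)):
        print(finding)
```

In practice the reference copy would be the same `.db` fetched from a second mirror or from the project's own server, so that a single mirror cannot decide on its own what the client considers current; signature verification of the individual packages is unchanged, this check only adds the freshness dimension that unsigned databases leave open.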


#3 2018-11-27 21:25:46

chr0mag
Member
From: Canada
Registered: 2017-02-02
Posts: 63

Re: [SOLVED] files.sig & db.sig downloads return 404 Not Found

Thanks Allan.
