
#1 2019-11-24 15:34:27

vap0rtranz
Member
From: Chicago, USA, Earth, Sol
Registered: 2019-03-06
Posts: 4

signatures missing: bandaid vs permanent fix

Signatures were missing in my local Pacman database, so the .sig files weren't under /var/lib/pacman/sync.

I "fixed" this by switching to Optional signatures in the global Pacman config, so setting from

SigLevel = Required DatabaseOptional

to

SigLevel = Optional DatabaseOptional

My gut tells me this "fix" is a bit of a workaround and less secure :)  So what actually happened?  And what's a better fix?

BTW: the original Pacman error that got me poking around for a fix was very misleading.  It sounded like a networking issue, which it was not:

Operation too slow. Less than 1 bytes/sec transferred the last 10 seconds

After the above reconfig -- and NO networking changes (I remained on the same network, did not reboot any network gear or reconfigure anything like name resolution or firewalls, and my router logs say the ISP was always up) -- that error went away and Pacman went about its merry way.  Seems odd ... like a catchall error being thrown.

Last edited by vap0rtranz (2019-11-24 15:36:45)

Offline

#2 2019-11-24 15:53:48

Scimmia
Bug Wrangler
Registered: 2012-09-01
Posts: 7,330

Re: signatures missing: bandaid vs permanent fix

The error you're talking about *is* a network error, it has nothing at all to do with signatures.

Offline

#3 2019-11-24 19:38:01

loqs
Member
Registered: 2014-03-06
Posts: 9,255

Re: signatures missing: bandaid vs permanent fix

As the databases are not signed, the absence of sig files in /var/lib/pacman/sync is expected.

Offline

#4 2019-11-24 19:44:25

ayekat
Member
Registered: 2011-01-17
Posts: 1,359
Website

Re: signatures missing: bandaid vs permanent fix

On the other hand, unsetting signature checking for packages (as you have done there) is not recommended. Package signatures are kind of the "last line of defense" between your system and a malicious middle person.


{,META,RE}PKGBUILDS │ pacman-hacks (includes makemetapkg and remakepkg) │ dotfiles

Offline

#5 2019-11-25 12:07:24

vap0rtranz
Member
From: Chicago, USA, Earth, Sol
Registered: 2019-03-06
Posts: 4

Re: signatures missing: bandaid vs permanent fix

ayekat wrote:

(as you have done there)

I totally agree, and do not recall reconfiguring pacman to NOT have signatures before this date.  Perhaps folks are speed reading my post ... :)  Because I clearly say that I re-configured AFTER seeing this error.

I had just re-configured pacman to work around the error when posting, not re-configured and then sync'd pacman; so it's the other way around, aka. the error presented itself, I noticed no .sig files in the sync database, and so re-configured to not use them as a "bandaid".  This is NOT a configuration that I ever wanted, and I did NOT delete the .sig files, nor do I have a job that prunes files on my system, so I posted here to get ideas for what happened to pacman's sync database.

My post is two-fold: what happened to those signature files?  And what is the permanent fix?  Do I have to initialize the database keys again?  Is there a known process that removes signatures?  So I can avoid it, like an inadvertent alteration to pacman's database?  Or any known process that removes .sig files?

Offline

#6 2019-11-25 12:20:34

ayekat
Member
Registered: 2011-01-17
Posts: 1,359
Website

Re: signatures missing: bandaid vs permanent fix

vap0rtranz wrote:

Perhaps folks are speed reading my post ...

Possibly. Then again, the posts are wildly jumping around, the chronology is not very clear (at least to me), and so it's difficult to interpret things correctly.
From this:

Signatures were missing in my local Pacman database, so the .sig files weren't under /var/lib/pacman/sync.

I "fixed" this by switching to Optional signatures in the global Pacman config, so setting from

SigLevel = Required DatabaseOptional

to

SigLevel = Optional DatabaseOptional

… I assume that your current pacman.conf now says this:

SigLevel = Optional DatabaseOptional

That first `Optional` there means that pacman will happily carry on if a package is not signed, which is a bad idea.
As for database signing, as already mentioned in post #3, Arch Linux does not sign its package databases (so you won't see any .sig files under /var/lib/pacman/sync), hence the default is to put `DatabaseOptional`.


{,META,RE}PKGBUILDS │ pacman-hacks (includes makemetapkg and remakepkg) │ dotfiles

Offline
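
An added example, not part of any post in this thread: a small audit that computes the effective package and database SigLevel for each repository in a pacman.conf and lists the repositories where package signatures are not mandatory. It assumes repository sections inherit the [options] value and override only what they set, does not follow Include lines, and ignores TrustedOnly/TrustAll; the [custom] repository and the sample file are constructed.

```python
import re

# pacman's built-in default when SigLevel is never set is "Optional TrustedOnly".
BUILTIN = {"package": "Optional", "database": "Optional"}

def apply_siglevel(state, value):
    """Apply SigLevel tokens left to right; unprefixed tokens set both targets."""
    state = dict(state)
    for tok in value.split():
        m = re.fullmatch(r"(Package|Database)?(Never|Optional|Required)", tok)
        if not m:
            continue  # TrustedOnly/TrustAll: a separate question, ignored here
        for target in ([m.group(1).lower()] if m.group(1) else ["package", "database"]):
            state[target] = m.group(2)
    return state

def effective_levels(conf_text):
    """Return {repo: {"package": level, "database": level}} for each repo section."""
    raw, current = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            raw.setdefault(current, "")
        elif current is not None and re.match(r"SigLevel\s*=", line):
            raw[current] = line.split("=", 1)[1]
    glob = apply_siglevel(BUILTIN, raw.get("options", ""))
    # Assumption: a repo inherits the [options] value and overrides only what it sets.
    return {name: apply_siglevel(glob, val) for name, val in raw.items() if name != "options"}

def weak_repos(conf_text):
    """Repos whose packages would install without a mandatory signature check."""
    return [r for r, lv in effective_levels(conf_text).items() if lv["package"] != "Required"]

# Constructed sample: the workaround from the thread plus a hypothetical [custom] repo.
SAMPLE = """\
[options]
SigLevel = Optional DatabaseOptional

[core]
Include = /etc/pacman.d/mirrorlist

[custom]
SigLevel = PackageRequired
Server = file:///srv/repo
"""

if __name__ == "__main__":
    for repo in weak_repos(SAMPLE):
        print(f"{repo}: package signatures are not required")
```

With `SigLevel = Required DatabaseOptional` in [options], the same check reports no weak repositories while the database level stays Optional.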

#7 2019-11-25 13:35:50

vap0rtranz
Member
From: Chicago, USA, Earth, Sol
Registered: 2019-03-06
Posts: 4

Re: signatures missing: bandaid vs permanent fix

ayekat wrote:

… I assume that your current pacman.conf now says this:

SigLevel = Optional DatabaseOptional

Right, like I said in the OP, I had switched to that.

ayekat wrote:

That first `Optional` there means that pacman will happily carry on if a package is not signed, which is a bad idea.
As for database signing, as already mentioned in post #3, Arch Linux does not sign its package databases (so you won't see any .sig files under /var/lib/pacman/sync), hence the default is to put `DatabaseOptional`.

Ah, Arch doesn't sign package databases.  Interesting.  I swore other forum members show .sig files under their /var/lib/pacman/sync, whereas my install has no .sig files.  Missed that detail.  Ty.

So my re-config of pacman's package signing verification was happenstance and not related to the networking error.  Maybe so.  I verified my gpg keys, based on the Wiki's pacman troubleshooting steps, and all that looks good too, but I did notice this comment in the Wiki:

If you have IPv6 disabled, gpg will fail when it found some IPv6 address.

That ^ isn't proper English but I assume it means that if IPv6 is blocked on my network, which it is, there would be issues with keyserver communication, and my networking error would make more sense.  I'll keep poking around.

Last edited by vap0rtranz (2019-11-25 13:37:22)

Offline
