Testing package signing with pacman 4 in git

berbae · 2011-10-05 12:25:20

I wanted to thank the Arch development team and all the contributors for the hard work currently undertaken for the final implementation of package signing, which should arrive in a short time now, I think, as pacman 4 is in rc2 stage.

I noticed that most of the packages are already signed in the repos now, which is great.

For those who want to already verify the packages gpg signature, I introduced the --verify option in the paccheck script in AUR.
The packagers' public keys are automatically imported in the local gpg keyring base, the first time they are required.

I could not find signatures for the sync databases, but I think that when they'll be added, the paccheck script will become deprecated altogether for all those afraid or worried about mirrors hacking.

Then Arch will become a very secured distribution.
I really look forward impatiently for the pacman 4 release.
Thanks again to all.

Last edited by berbae (2011-10-06 21:34:00)

falconindy · 2011-10-05 12:49:22

berbae wrote:

I really look forward impatiently for the pacman 4 release.

Actually using rc2, or building from git and providing testing-based feedback will alleviate your impatience and help us to provide a better release.

karol · 2011-10-05 13:15:35

falconindy wrote:

berbae wrote:
I really look forward impatiently for the pacman 4 release.
Actually using rc2, or building from git and providing testing-based feedback will alleviate your impatience and help us to provide a better release.

http://mailman.archlinux.org/pipermail/ … 21632.html

berbae · 2011-10-05 15:06:25

falconindy wrote:

Actually using rc2, or building from git and providing testing-based feedback will alleviate your impatience and help us to provide a better release.

It's a good suggestion, so I think I will decide to switch from paccheck to pacman 4rc2 to contribute in a better way maybe...

So the paccheck script will surely stop to the 1.7 release.

Can you give me some infos concerning the signature of the sync databases?
Will they be signed also? I could not find a signature for them in the repos.

Thanks karol for the link to the mail where the pacman 4rc2 package can be found, and to Dan McGee who provided it.

fsckd · 2011-10-05 15:47:47

Moving to Testing.

berbae · 2011-10-05 16:14:54

I just made the switch to pacman 4rc2.
I ran, as root of course:

pacman -U /home/berbae/downloads/pacman-4.0.0rc2-1-x86_64.pkg.tar.gz

pacdiff (to merge the differences in /etc/pacman.conf and /etc/makepkg.conf)

pacman-key --init --keyserver hkp://keys.gnupg.net

It asked me to do something to higher entropy on the system.
I ran a program as user in another console prompt, and it was happy with that and finished the initialisation without error.

In /etc/pacman.conf I uncommented the line:
#SigLevel = Optional TrustAll
to
SigLevel = Optional TrustAll

Then my first 'pacman -Syu' in the new era of package signing on Arch Linux.

It asked me to import missing keys. Everything works without problem.

Here are the packages which were updated:

xterm 271-1 -> 275-1
sane 1.0.22-2 -> 1.0.22-3
poppler-data 0.4.4-1 -> 0.4.5-1
mpfr 3.0.1.p4-2 -> 3.1.0-2
linux 3.0.4-1 -> 3.0.6-1
libpulse 1.0-2 -> 1.0-3
fakeroot 1.18-1 -> 1.18.1-1
cmake 2.8.5-1 -> 2.8.6-1

Nice job from the developers team!

Last edited by berbae (2011-10-05 16:25:54)

berbae · 2011-10-06 21:31:58

I test now the last git snapshot:
pacman-git 20111006-1

I made a PKGBUILD for it. The version which is the date the package is built is automatically generated during the build process.
I cannot choose it.

The last 'pacman -Syu' could not import the Florian Pritz' key 4CE1C13E the first time and aborted the update.
It worked the second time but it took some time to receive the key.

Maybe it's due to trafic on the key server.

I will post feedback if necessary from using the pacman development version.

Last edited by berbae (2011-10-06 21:53:44)

Allan · 2011-10-07 05:45:39

berbae wrote:

I made a PKGBUILD for it. The version which is the date the package is built is automatically generated during the build process.
I cannot choose it.

--holdver

berbae · 2011-10-07 16:19:37

Thanks Allan, the --holdver option works as expected.

So I use now:

pacman-git 4.0.0rc2-2
pacman-contrib-git 4.0.0rc2-2

which I built from the last git snapshot 2 days ago.

For those who want to see the PKGBUILD I used, it can be found at https://github.com/berbae/pacman-git
A pacman-git.tar.gz file, containing all the needed files to build, is also available there.

I know that it exists such a package in AUR allready, but I modified the PKGBUILD a little, so it's not exactly the same.

In particular, I do not make a second clone of the git tree; instead I use './autoclean.sh' before the 'git pull origin' to start afresh with './autogen.sh'.
I am not sure if this is necessary, but this is lighter than copying again all the git tree, it seems to me.

So I hope that some other guys will want to contribute to the final development of pacman 4.

Last edited by berbae (2011-10-07 16:32:02)

newgargamel · 2011-10-15 11:02:33

berbae wrote:

I just made the switch to pacman 4rc2.
I ran, as root of course:
pacman -U /home/berbae/downloads/pacman-4.0.0rc2-1-x86_64.pkg.tar.gz
pacdiff (to merge the differences in /etc/pacman.conf and /etc/makepkg.conf)
pacman-key --init --keyserver hkp://keys.gnupg.net
It asked me to do something to higher entropy on the system.
I ran a program as user in another console prompt, and it was happy with that and finished the initialisation without error.
In /etc/pacman.conf I uncommented the line:
#SigLevel = Optional TrustAll
to
SigLevel = Optional TrustAll
Then my first 'pacman -Syu' in the new era of package signing on Arch Linux.
It asked me to import missing keys. Everything works without problem.
Here are the packages which were updated:
xterm 271-1 -> 275-1
sane 1.0.22-2 -> 1.0.22-3
poppler-data 0.4.4-1 -> 0.4.5-1
mpfr 3.0.1.p4-2 -> 3.1.0-2
linux 3.0.4-1 -> 3.0.6-1
libpulse 1.0-2 -> 1.0-3
fakeroot 1.18-1 -> 1.18.1-1
cmake 2.8.5-1 -> 2.8.6-1
Nice job from the developers team!

for me this doesn't work and I'm getting errors:

błąd:  glibc: signature from "Allan McRae <me@allanmcrae.com>" is unknown trust
błąd:  gcc-libs: signature from "Allan McRae <me@allanmcrae.com>" is unknown trust
błąd:  pcre: signature from "Allan McRae <me@allanmcrae.com>" is unknown trust
błąd:  libffi: signature from "Eric Belanger <eric@archlinux.org>" is unknown trust
błąd:  glib2: signature from "Ionut Biru <ibiru@archlinux.org>" is unknown trust
błąd:  shared-mime-info: signature from "Jan de Groot <jgc@archlinux.org>" is unknown trust
błąd:  coreutils: signature from "Allan McRae <me@allanmcrae.com>" is unknown trust
błąd:  perl: signature from "Florian Pritz <bluewind@xinu.at>" is unknown trust
błąd:  openssl: signature from "Pierre Schmitz <pierre@archlinux.de>" is unknown trust
błąd:  libmysqlclient: signature from "Andrea Scarpino (Arch Linux) <andrea@archlinux.org>" is unknown trust
błąd:  mysql-clients: signature from "Andrea Scarpino (Arch Linux) <andrea@archlinux.org>" is unknown trust
błąd:  mysql: signature from "Andrea Scarpino (Arch Linux) <andrea@archlinux.org>" is unknown trust
błąd:  akonadi: signature from "Andrea Scarpino (Arch Linux) <andrea@archlinux.org>" is unknown trust
błąd:  gd: signature from "Pierre Schmitz <pierre@archlinux.de>" is unknown trust
błąd:  geoip: signature from "Evangelos Foutras <evangelos@foutrelis.com>" is unknown trust

what am I doing wrong?

Last edited by newgargamel (2011-10-15 11:23:46)

karol · 2011-10-15 11:03:31

When pasting code, please use [ code ] tags https://bbs.archlinux.org/help.php#bbcode

like this

You need to set

SigLevel     = Optional TrustAll

in pacman.conf

Why aren't you reading the ML if you want to use [testing]??

Last edited by karol (2011-10-15 11:04:43)

newgargamel · 2011-10-15 11:22:58

karol wrote:

When pasting code, please use [ code ] tags https://bbs.archlinux.org/help.php#bbcode
like this

sorry

karol wrote:

You need to set
SigLevel     = Optional TrustAll
in pacman.conf
Why aren't you reading the ML if you want to use [testing]??

thanks! I commented it out in the wrong place. And ML is not that fun to read...

ngoonee · 2011-10-15 13:45:57

newgargamel wrote:

karol wrote:
You need to set
SigLevel     = Optional TrustAll
in pacman.conf
Why aren't you reading the ML if you want to use [testing]??
thanks! I commented it out in the wrong place. And ML is not that fun to read...

Then don't use [testing]. What does it being fun have anything to do with it?

nathan28 · 2011-10-15 16:04:03

Noob question, but I had never even noticed the "Mailing Lists" link on the front page. Which ones deal with information like this?

edit: Apologies for not searching, i found the answer was sitting in another browser tab i had open. double noob points today for me, i switched to decaf yesterday

Last edited by nathan28 (2011-10-15 16:13:23)

karol · 2011-10-15 16:11:21

nathan28 wrote:

Noob question, but I had never even noticed the "Mailing Lists" link on the front page. Which ones deal with information like this?

arch-dev-public
Pleeeeease, search before posting: https://wiki.archlinux.org/index.php/Te … testing.5D

berbae · 2011-10-22 22:06:19

When making today a new build of the last snapshot in git, I had to modify the ltmain.sh script.
Because the libtool package was updated (2.4-5 -> 2.4.2-1) yesterday, and the ltmain.sh script in the git tree was not updated to that new libtool release version.
The change was from

PROGRAM=libtool
PACKAGE=libtool
VERSION=2.4
TIMESTAMP=""
package_revision=1.3293

to

PROGRAM=libtool
PACKAGE=libtool
VERSION=2.4.2
TIMESTAMP=""
package_revision=1.3337

Without doing that I got that error:

libtool: Version mismatch error. This is libtool 2.4, but the
libtool: definition of this LT_INIT comes from libtool 2.4.2.
libtool: You should recreate aclocal.m4 with macros from libtool 2.4
libtool: and run autoconf again.
make[3]: *** [add.lo] Erreur 63

I could finish successfully the build after I made the modification in ltmain.sh to the last libtool version.

Where can I report that bug in the git tree?
Have I to subscribe to pacman-dev mailing list, or is there another way to report a bug?

karol · 2011-10-22 22:14:59

@berbae
https://bbs.archlinux.org/viewtopic.php … 7#p1006517

You can report directly to the bug tracker.

Allan · 2011-10-22 22:25:41

karol wrote:

@berbae
https://bbs.archlinux.org/viewtopic.php … 7#p1006517

Absolutely nothing to do with the issue....

Allan · 2011-10-22 22:27:01

berbae wrote:

Where can I report that bug in the git tree?
Have I to subscribe to pacman-dev mailing list, or is there another way to report a bug?

Or use the bug tracker. There is a pacman section.

But look at the archives for the pacman-dev list. I provided the needed fix yesterday.

Arch Linux

#1 2011-10-05 12:25:20

Testing package signing with pacman 4 in git

#2 2011-10-05 12:49:22

Re: Testing package signing with pacman 4 in git

#3 2011-10-05 13:15:35

Re: Testing package signing with pacman 4 in git

#4 2011-10-05 15:06:25

Re: Testing package signing with pacman 4 in git

#5 2011-10-05 15:47:47

Re: Testing package signing with pacman 4 in git

#6 2011-10-05 16:14:54

Re: Testing package signing with pacman 4 in git

#7 2011-10-06 21:31:58

Re: Testing package signing with pacman 4 in git

#8 2011-10-07 05:45:39

Re: Testing package signing with pacman 4 in git

#9 2011-10-07 16:19:37

Re: Testing package signing with pacman 4 in git

#10 2011-10-15 11:02:33

Re: Testing package signing with pacman 4 in git

#11 2011-10-15 11:03:31

Re: Testing package signing with pacman 4 in git

#12 2011-10-15 11:22:58

Re: Testing package signing with pacman 4 in git

#13 2011-10-15 13:45:57

Re: Testing package signing with pacman 4 in git

#14 2011-10-15 16:04:03

Re: Testing package signing with pacman 4 in git

#15 2011-10-15 16:11:21

Re: Testing package signing with pacman 4 in git

#16 2011-10-22 22:06:19

Re: Testing package signing with pacman 4 in git

#17 2011-10-22 22:14:59

Re: Testing package signing with pacman 4 in git

#18 2011-10-22 22:25:41

Re: Testing package signing with pacman 4 in git

#19 2011-10-22 22:27:01

Re: Testing package signing with pacman 4 in git

Board footer