
#1 2012-01-20 16:23:32

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,304

Question after going to TrustedOnly signatures

First thanks to all developers and contributors for the new pacman 4 release and the implementation of package signing.

I tested pacman 4 for weeks before its official release and I used:

SigLevel = Optional TrustAll

Now I went to:

SigLevel = Optional TrustedOnly

I followed the procedure to sign master keys and to change their trust parameter to marginal, as explained in Allan's blog or wiki.

But the developer's and TU's signatures were added in my local keyring database weeks ago, and I thought that they could not yet have been signed by master keys then, when I first added them.

I verified Tobias Powalowski's signature with:

root -bash-4.2.20:~]# pacman-key --list-sigs 7EDF681F
pub   2048R/7EDF681F 2011-07-18
uid                  Tobias Powalowski <tpowa@archlinux.org>
sig 3        7EDF681F 2011-07-18  Tobias Powalowski <tpowa@archlinux.org>
sub   2048R/5BF91F41 2011-07-18
sig          7EDF681F 2011-07-18  Tobias Powalowski <tpowa@archlinux.org>

Note the 'sig 3' info, which means verified key (but I had not verified the key).

I then ran:

pacman-key --refresh-keys 7EDF681F

And:

root -bash-4.2.20:~]# pacman-key --list-sigs 7EDF681F
pub   2048R/7EDF681F 2011-07-18
uid                  Tobias Powalowski <tobias.powalowski@googlemail.com>
sig 3        7EDF681F 2011-11-20  Tobias Powalowski <tobias.powalowski@googlemail.com>
sig          824B18E8 2011-11-20  Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>
sig          6AC6A4C2 2011-11-20  Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig          4C7EA887 2011-11-26  Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sig          FFF979E7 2011-12-05  Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>
uid                  Tobias Powalowski <tpowa@archlinux.org>
sig 3        7EDF681F 2011-07-18  Tobias Powalowski <tobias.powalowski@googlemail.com>
sig          824B18E8 2011-11-20  Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>
sig          6AC6A4C2 2011-11-20  Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig          4C7EA887 2011-11-26  Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sig          FFF979E7 2011-12-05  Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>
sub   2048R/5BF91F41 2011-07-18
sig          7EDF681F 2011-07-18  Tobias Powalowski <tobias.powalowski@googlemail.com>

So that confirms what I thought about the not up-to-date keys already present in the keyring database.

Then I ran for all the keys:

pacman-key --refresh-keys

My question concerns the 'sig 3' info in the list of the keys.
It was already present before I launched the --refresh-keys update.

Is it correct to have 'sig 3' there for all the keys?
I am not sure if that is correct, because it means 'verified key'.
Do you also have that in the output of 'pacman-key --list-sigs'?

Thanks for telling me.


#2 2012-01-20 17:26:16

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Question after going to TrustedOnly signatures

I thought this is indicative of the fact that the people (master keys in our case) who signed a given key verified it. You didn't sign the key with your own, so you couldn't have verified it... Am I wrong?


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd


#3 2012-01-20 23:29:36

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,304

Re: Question after going to TrustedOnly signatures

After reading the man pages for gpg more carefully, I think that you are right, Leonid.I.

The 3 after sig in the list output from 'pacman-key --list-sigs' means that the default cert level, if the owner of the key signs another key with it, will be 3, i.e. the key about to be signed was fully verified by the one who signs it with his own key.

So the command 'pacman-key --list-sigs' lists all the keys which were used to sign the keys in the keyring database (all the lines which begin with sig after the one with 'sig 3').

And all that leads to the necessity to refresh the keyring database, for keys added some time ago, to get all the signatures of the keys.

--refresh-keys
Request updates from a keyserver for keys that already exist on the local keyring. This is useful for updating a key with the latest signatures, user IDs, etc.

Can someone please confirm all this is correct, before I add that to the wiki? Thanks.

Last edited by berbae (2012-01-20 23:31:24)

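As an added example (not code from the thread or from pacman), a small Python parser for the '--list-sigs' output quoted above: it separates the key's own 'sig 3' self-signature from the master-key certifications and reports whether enough master keys have signed. It assumes gpg's default of 3 marginally trusted signers and takes the four master key IDs from the output shown in the thread.

```python
import re
# Sample input: the 'pacman-key --list-sigs 7EDF681F' outputs quoted in the thread, before
# and after --refresh-keys (second uid block of the 'after' output omitted for brevity).
BEFORE_REFRESH = """\
pub   2048R/7EDF681F 2011-07-18
uid                  Tobias Powalowski <tpowa@archlinux.org>
sig 3        7EDF681F 2011-07-18  Tobias Powalowski <tpowa@archlinux.org>
sub   2048R/5BF91F41 2011-07-18
sig          7EDF681F 2011-07-18  Tobias Powalowski <tpowa@archlinux.org>
"""
AFTER_REFRESH = """\
pub   2048R/7EDF681F 2011-07-18
uid                  Tobias Powalowski <tobias.powalowski@googlemail.com>
sig 3        7EDF681F 2011-11-20  Tobias Powalowski <tobias.powalowski@googlemail.com>
sig          824B18E8 2011-11-20  Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>
sig          6AC6A4C2 2011-11-20  Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sig          4C7EA887 2011-11-26  Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sig          FFF979E7 2011-12-05  Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>
sub   2048R/5BF91F41 2011-07-18
sig          7EDF681F 2011-07-18  Tobias Powalowski <tobias.powalowski@googlemail.com>
"""
# Master key IDs as they appear in the thread; take yours from your own trust setup.
MASTER_KEYS = {"824B18E8", "6AC6A4C2", "4C7EA887", "FFF979E7"}
# 'sig 3' = certification level 3 (signer claims full verification); blank = generic (0).
SIG_RE = re.compile(r"^sig\s+(?:([123])\s+)?([0-9A-F]{8})\s+(\d{4}-\d{2}-\d{2})\s+(.*)$")

def parse_list_sigs(text):
    """Signatures on user IDs as (level, signer id, date, signer uid); subkey binding sigs skipped."""
    primary, in_uid, sigs = None, False, []
    for line in text.splitlines():
        if line.startswith("pub "):
            primary = line.split("/")[1].split()[0]
        elif line.startswith("uid "):
            in_uid = True
        elif line.startswith("sub "):
            in_uid = False
        elif in_uid and (m := SIG_RE.match(line)):
            sigs.append((int(m.group(1) or 0), m.group(2), m.group(3), m.group(4)))
    return primary, sigs

def master_signers(text, master_ids=MASTER_KEYS):
    """Distinct master keys that certified this key; the self-signature ('sig 3' by the key
    itself) is excluded: it shows the owner's default cert level, not a third-party check."""
    primary, sigs = parse_list_sigs(text)
    return sorted({kid for _, kid, _, _ in sigs if kid in master_ids and kid != primary})

def trusted(text, master_ids=MASTER_KEYS, marginals_needed=3):
    """True once marginals_needed distinct master keys have signed; 3 is gpg's default
    --marginals-needed, the threshold in force after giving the master keys marginal trust."""
    return len(master_signers(text, master_ids)) >= marginals_needed
```

Run it on the real output of `pacman-key --list-sigs` for a key to see whether the key would be trusted before and after `--refresh-keys`.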

#4 2012-01-21 01:10:30

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,672

Re: Question after going to TrustedOnly signatures

Yes, it is useful to run --refresh-keys.


#5 2012-01-21 16:27:19

berbae
Member
From: France
Registered: 2007-02-12
Posts: 1,304

Re: Question after going to TrustedOnly signatures

Thanks Allan.
I have added that to the pacman-key wiki page now, waiting for the package providing all the keys directly up to date.
