#1 2012-01-25 12:06:36

Arhat
Member
Registered: 2010-07-02
Posts: 49

[SOLVED] package signing, trusted keys and keyrings

Hi,

1.

I want to use package signing and have followed the instructions in Allan's blog post and the wiki (pacman-key) to set it up on two systems.

However I have 6 more systems, a netbook and a notebook to set it up on and (since I'm lazy) am wondering if there is a way to just set up a keyring on one system and then copy it to the other systems? In a way import the keyring as the man page seems to suggest?

I know I can use a script to sign the master keys, still it is quite time consuming to do it for each system.


2.

Again being lazy I use an Archlinux (Acronis) image with a base install to set up a new server if I need one, instead of installing Archlinux from scratch every time. Can I include a key-ring into that image? Or will I run into trouble because I need to generate a unique master key for every system and the key-ring is somehow linked to the master key?


3.

I've been trying to find more detailed documentation on how the package signing for pacman works on Archlinux, but can't find any; has someone got some links for me?

Last edited by Arhat (2015-07-06 15:28:43)


#2 2012-01-25 12:24:13

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,398

Re: [SOLVED] package signing, trusted keys and keyrings

1) copy the files in /etc/pacman.d/gnupg

2) see 1), probably...

3) my blogs are probably the most detailed...


#3 2012-01-25 13:36:35

Arhat
Member
Registered: 2010-07-02
Posts: 49

Re: [SOLVED] package signing, trusted keys and keyrings

I'm "befuddled" about the role of the unique master key.

It also generates the “Pacman Keychain Master Key”, which is your ultimate trust point for starting a PGP web of trust.

Allan wrote:

1) copy the files in /etc/pacman.d/gnupg

Does that mean do:

# pacman-key --init

and then copy the files in /etc/pacman.d/gnupg?

Or copy first and then pacman-key --init?

Or that it makes no difference which way round it is done?

Allan wrote:

2) see 1), probably...

Does the probably refer to .. "I can probably include the keyring in the image" or that I'll "probably run into trouble because of the unique master key which I need for every system."

Allan wrote:

3) my blogs are probably the most detailed...



#4 2012-01-25 21:29:40

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [SOLVED] package signing, trusted keys and keyrings

Arhat wrote:

I'm "befuddled" about the role of the unique master key.

It also generates the “Pacman Keychain Master Key”, which is your ultimate trust point for starting a PGP web of trust.

Allan wrote:

1) copy the files in /etc/pacman.d/gnupg

Does that mean do:

# pacman-key --init

and then copy the files in /etc/pacman.d/gnupg?

Or copy first and then pacman-key --init?

Or that it makes no difference which way round it is done?

That means you can just include the contents of that directory into your Acronis image and don't have to do the key-init on your other machines.

However, you want not only to key-init your first machine, but also retrieve all relevant keys (Arch master keys, Developers, .. see wiki .. really any keys you might need for installation and updates on the other machines) and set the appropriate trust-levels to them in the key-ring (after a sound manual comparison of key-fingerprints as theonewhobrokeit describes in his blog).

I have not tried the exciting new feature yet, but the master-key that is referred to is used as private key by pacman to validate the signed packages upon downloading against the trusted keys in (the copied) key-ring. It is of course linked to the key ring, because it is used to de-/encrypt the keys.
But for that it does not have to be unique for the machines, if you only ever use it for that (passive signature verification). Once you want to sign a package yourself with it that gets different ... The master key generated by pacman is no safer than your root password anyway.

It does not interfere with anything else (e.g. a gnome keyring), since it is set up as a separate keyring for pacman only. See others with

find / -name '*.gpg'

But looking ahead: If you use it and _one_ of the keys in your initial keyring changes (e.g. a new developer joins or a key just expires), you obviously have to update the initially set up key-rings on all machines (key management).

Since you seem to have more than one machine with Arch already, it should be easy to test yourself. Just copy the directory and pacman.conf and go -Syu.
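Before trusting a keyring that arrived by copy or inside an image, a practitioner would want to confirm it still holds exactly the fingerprints that were compared by hand on the first machine. The following is an added example, not code from this thread or from pacman itself; it assumes gpg and awk are present and that the pinned fingerprint list lives at /etc/pacman.d/trusted-fprs (a hypothetical path).

```shell
#!/bin/sh
# Added example, not code from the thread or from pacman: after copying
# /etc/pacman.d/gnupg to another machine (or baking it into an image),
# confirm the keyring still holds exactly the fingerprints that were
# compared by hand on the first machine. The pinned list lives at
# /etc/pacman.d/trusted-fprs (hypothetical path), one 40-hex-digit
# fingerprint per line.

# fprs_from_colons: read "gpg --with-colons" output on stdin and print the
# fingerprint (field 10 of an fpr record) of every primary key. The fpr
# record after a "sub" record belongs to a subkey and is skipped.
fprs_from_colons() {
    awk -F: '
        $1 == "pub" { primary = 1; next }
        $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary { print $10; primary = 0 }
    ' | sort -u
}

# list_fprs DIR: primary-key fingerprints of the keyring in directory DIR.
list_fprs() {
    gpg --homedir "$1" --batch --with-colons --list-keys 2>/dev/null |
        fprs_from_colons
}

# check_fprs PINNED: compare the fingerprints on stdin with file PINNED.
# Returns 0 when both sets match; otherwise reports each difference and
# returns 1, so the caller can refuse to trust the copied keyring.
check_fprs() {
    pinned=$(sort -u "$1" | tr '\n' ' ')
    actual=$(sort -u | tr '\n' ' ')
    rc=0
    for f in $pinned; do
        case " $actual " in
            *" $f "*) ;;
            *) echo "missing from keyring: $f"; rc=1 ;;
        esac
    done
    for f in $actual; do
        case " $pinned " in
            *" $f "*) ;;
            *) echo "unexpected in keyring: $f"; rc=1 ;;
        esac
    done
    return $rc
}

# On the receiving machine (as root, since the directory is root-only):
#   list_fprs /etc/pacman.d/gnupg | check_fprs /etc/pacman.d/trusted-fprs
```

Run the check after every copy and again whenever the source keyring is updated, since a key that joined or expired on the first machine changes the expected set.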

