
#1 2012-02-24 17:29:11

uzer
Member
Registered: 2012-02-24
Posts: 6

Repositories

Hello!
Maybe I have not found an answer to this question. What about package security in the Arch repositories? Do they have md5 or sha sums, or maybe a digital signature, when they are downloaded from mirrors, ftp, etc.?
Thank you for your answers!


#2 2012-02-24 17:31:23

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Repositories

Almost all Arch packages are signed: https://wiki.archlinux.org/index.php/Package_signing

Last edited by karol (2012-02-24 17:33:18)


#3 2012-02-24 18:02:53

Earnestly
Member
Registered: 2011-08-18
Posts: 805

Re: Repositories

Currently: (2012-02-24)

Repository    Packages       Percentage
core:         191 / 191      [100%]
community:    2063 / 2344    [88%]
extra:        2573 / 2785    [92%]
multilib:     143 / 143      [100%]


#4 2012-02-29 12:16:42

uzer
Member
Registered: 2012-02-24
Posts: 6

Re: Repositories

So, I changed the default SigLevel to SigLevel = Required TrustedOnly in pacman.conf. All mirrors in my mirrorlists don't pass the PGP sign. Of course I previously ran #pacman-key --init


#5 2012-02-29 12:33:51

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,465

Re: Repositories

I don't know that the mirrors have to pass anything - packages do.

Can you share the error messages you get?  Have you imported the primary keys?  Is it just asking you whether to import keys with a [Y/n] option?


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman


#6 2012-02-29 12:48:19

uzer
Member
Registered: 2012-02-24
Posts: 6

Re: Repositories

This is after "pacman -Syu"

error: libarchive: signature from "Dave Reisner <d@falconindy.com>" is unknown trust
error: linux-firmware: signature from "Thomas Bächler <thomas@archlinux.org>" is unknown trust
error: linux: signature from "Tobias Powalowski <tobias.powalowski@googlemail.com>" is unknown trust
error: linux-docs: signature from "Tobias Powalowski <tobias.powalowski@googlemail.com>" is unknown trust
error: linux-headers: signature from "Tobias Powalowski <tobias.powalowski@googlemail.com>" is unknown trust
error: nvidia: signature from "Tobias Powalowski <tobias.powalowski@googlemail.com>" is unknown trust
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

And this is the cat of /etc/pacman.d/gnupg/gpg.conf

no-greeting
no-permission-warning
lock-never
keyserver hkp://pgp.mit.edu
keyserver-options timeout=10

Cat after "pacman -Syy"

error: core: missing required signature
error: extra: missing required signature
error: community: missing required signature
error: multilib: missing required signature
  
bla bla bla

error: community: missing required signature
error: failed to update community (invalid or corrupted database (PGP signature))
error: failed to update multilib (no servers configured for repository)
error: failed to synchronize any databases
error: failed to init transaction (no servers configured for repository)


#7 2012-02-29 13:14:13

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: Repositories

Sounds like one (or multiple) of the master keys isn't trusted. Have you signed them as indicated here?


Burninate!


#8 2012-02-29 13:27:06

uzer
Member
Registered: 2012-02-24
Posts: 6

Re: Repositories

Yes, I've done it

#pacman-key -r 0x6AC6A4C2 0x824B18E8 0x4C7EA887 0xCDFD6BB0 0xFFF979E7
gpg: requesting key 6AC6A4C2 from hkp server pgp.mit.edu
gpg: requesting key 824B18E8 from hkp server pgp.mit.edu
gpg: requesting key 4C7EA887 from hkp server pgp.mit.edu
gpg: requesting key CDFD6BB0 from hkp server pgp.mit.edu
gpg: requesting key FFF979E7 from hkp server pgp.mit.edu
gpg: key 6AC6A4C2: "Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>" not changed
gpg: key 824B18E8: public key "Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>" imported
gpg: key 4C7EA887: public key "Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>" imported
gpg: key CDFD6BB0: public key "Dan McGee (Arch Linux Master Key) <dan@master-key.archlinux.org>" imported
gpg: key FFF979E7: public key "Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 5
gpg:               imported: 4  (RSA: 4)
gpg:              unchanged: 1
==> Updating trust database...
gpg: no need for a trustdb check

After pacman -Syu

error: core: missing required signature
error: extra: missing required signature
error: community: missing required signature
error: multilib: missing required signature
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
error: failed to update multilib (no servers configured for repository)
error: database 'core' is not valid (invalid or corrupted database (PGP signature))
error: database 'extra' is not valid (invalid or corrupted database (PGP signature))
error: database 'community' is not valid (invalid or corrupted database (PGP signature))
error: database 'multilib' is not valid (invalid or corrupted database (PGP signature))

Maybe problems in the mirror?


#9 2012-02-29 13:54:06

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: Repositories

I overlooked the fact that you have "Siglevel =  Required TrustedOnly" earlier, sorry.

The databases themselves are not signed yet. So you'll need to add "DatabaseOptional" to that line in your pacman.conf.


Burninate!


#10 2012-02-29 13:59:22

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941

Re: Repositories

You can use PackageRequired if you want. As for "unknown trust", it is not enough to just import the master keys. See the pacman-key wiki.


Give what you have. To someone, it may be better than you dare to think.

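As an added illustration of the two failure modes Gcool and wonder describe (example code written for this edit, not pacman's own), the script below classifies the error lines pacman printed earlier in the thread and parses a SigLevel value the way pacman.conf(5) describes it: bare tokens apply to both packages and databases, a Package*/Database* prefix narrows the scope, and later tokens override earlier ones. The sample output is constructed from the messages quoted in this thread; the default SigLevel applied when nothing is configured is passed in as a parameter (assumed here to be "Optional TrustedOnly") rather than read from a real pacman installation.

```python
import re

# Constructed sample output, modelled on the messages uzer quoted in this thread.
SAMPLE_OUTPUT = """\
error: core: missing required signature
error: extra: missing required signature
error: libarchive: signature from "Dave Reisner <d@falconindy.com>" is unknown trust
error: linux: signature from "Tobias Powalowski <tobias.powalowski@googlemail.com>" is unknown trust
error: failed to update multilib (no servers configured for repository)
error: failed to commit transaction (invalid or corrupted package (PGP signature))
"""

# One pattern per failure mode; the "subject" group names the package or repository.
PATTERNS = [
    ("unknown_trust", re.compile(
        r'^error: (?P<subject>\S+): signature from "(?P<signer>[^"]+)" is unknown trust$')),
    ("missing_db_signature", re.compile(
        r'^error: (?P<subject>\S+): missing required signature$')),
    ("no_servers", re.compile(
        r'^error: failed to update (?P<subject>\S+) \(no servers configured for repository\)$')),
]

# What each failure mode means and the fix the thread arrives at.
REMEDIES = {
    "unknown_trust": "signer's key is imported but not trusted: locally sign the master keys "
                     "(pacman-key --lsign-key <keyid>), importing alone is not enough",
    "missing_db_signature": "repository database is unsigned but SigLevel demands a signature: "
                            "add DatabaseOptional, or use PackageRequired",
    "no_servers": "no usable Server line for this repository (mirrorlist / Include problem); "
                  "unrelated to signing",
}


def classify_line(line):
    """Return (category, subject, signer) for a recognised error line, else None."""
    for category, pattern in PATTERNS:
        m = pattern.match(line.strip())
        if m:
            return category, m.group("subject"), m.groupdict().get("signer")
    return None


def classify_output(text):
    """Group recognised error lines by failure mode: {category: sorted subjects}."""
    found = {}
    for line in text.splitlines():
        hit = classify_line(line)
        if hit:
            category, subject, _signer = hit
            found.setdefault(category, set()).add(subject)
    return {cat: sorted(subjects) for cat, subjects in found.items()}


_LEVELS = ("Never", "Optional", "Required")       # whether a signature must be present
_TRUST = ("TrustedOnly", "TrustAll")             # how much trust the signing key needs


def parse_siglevel(value, defaults=("Optional", "TrustedOnly")):
    """Parse a pacman.conf SigLevel value into {"Package": (level, trust), "Database": ...}.

    `defaults` is the assumed setting when a scope is never mentioned; it is a
    parameter here, not a value read from pacman."""
    state = {"Package": list(defaults), "Database": list(defaults)}
    for token in value.split():
        scopes = ("Package", "Database")          # a bare token applies to both scopes
        for prefix in ("Package", "Database"):
            if token.startswith(prefix) and len(token) > len(prefix):
                scopes = (prefix,)                # prefixed token narrows to one scope
                token = token[len(prefix):]
                break
        if token in _LEVELS:
            for scope in scopes:
                state[scope][0] = token           # later tokens override earlier ones
        elif token in _TRUST:
            for scope in scopes:
                state[scope][1] = token
        else:
            raise ValueError("unknown SigLevel token: " + token)
    return {scope: tuple(setting) for scope, setting in state.items()}


def database_signature_required(value):
    """True when this SigLevel refuses unsigned repository databases."""
    return parse_siglevel(value)["Database"][0] == "Required"


if __name__ == "__main__":
    for category, subjects in sorted(classify_output(SAMPLE_OUTPUT).items()):
        print(f"{category}: {', '.join(subjects)}\n  -> {REMEDIES[category]}")
    for level in ("Required TrustedOnly", "Required DatabaseOptional TrustedOnly", "PackageRequired"):
        print(f"SigLevel = {level!r}: database signature required = {database_signature_required(level)}")
```

Run against the constructed sample, the classifier separates the "missing required signature" lines (a SigLevel problem, fixed in the config) from the "unknown trust" lines (a keyring problem, fixed by locally signing the master keys), and the SigLevel parser shows why "Required TrustedOnly" rejects unsigned databases while "Required DatabaseOptional TrustedOnly" and "PackageRequired" do not.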

#11 2012-02-29 17:14:30

uzer
Member
Registered: 2012-02-24
Posts: 6

Re: Repositories

Hmm, in the pacman-key wiki I didn't find anything about the Primary key.
These strings:

gpg> lsign
...
 Primary key fingerprint: ...
...
Really sign? (y/N)


#12 2012-02-29 17:30:35

fsckd
Forum Fellow
Registered: 2009-06-15
Posts: 4,173

Re: Repositories

moderator action: Moving from Arch Discussion to Pacman & Package Upgrade Issues.


aur S & M :: forum rules :: Community Ethos
Resources for Women, POC, LGBT*, and allies
