
#1 2012-02-19 04:32:22

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,134

[Solved] Using pacman's package signing correctly

When pacman 4 first came out, I just merged the pacnew file so that package signing was disabled. I did initialise the keys etc. but I didn't import or sign the master keys or enable signature checks.

So tonight I figured I would start seeing how this worked. I took the fingerprints from the master key list on archlinux's site and I checked they matched the fingerprints listed on Allan's blog. I then imported the five master keys using pacman-key, signed them locally and used --edit-key to assign each of the five marginal trust.

I then commented out the "Never" line for package signing in pacman.conf so that it would use the compiled in default to make signatures optional but check them if available. I also set PackageRequired for the core repository.  I left the other repos I have enabled to default to the default policy as I think signing isn't complete for them.

I then ran pacman -Syu. This mostly went OK but I'm slightly worried about this bit:

error: gsm: key "7F2D434B9741E8AC" is unknown
:: Import PGP key 9741E8AC, "Pierre Schmitz <pierre@archlinux.de>", created 2011-04-10? [Y/n] y
error: jbig2dec: key "BBE43771487328A9" is unknown
:: Import PGP key 487328A9, "Bartlomiej Piotrowski <b@bpiotrowski.pl>", created 2011-10-10? [Y/n] y
error: p11-kit: key "E8F18BA1615137BC" is unknown
:: Import PGP key 615137BC, "Ionut Biru <ibiru@archlinux.org>", created 2011-04-19? [Y/n] y
error: pacmatic: key "396E3E25BAB142C1" is unknown
:: Import PGP key BAB142C1, "Kyle Keen <keenerd@gmail.com>", created 2011-02-03? [Y/n] y
error: patchutils: key "06096A6AD1CEDDAC" is unknown
:: Import PGP key D1CEDDAC, "Laurent Carlier <lordheavym@gmail.com>", created 2011-10-30? [Y/n] y
error: perl-encode-locale: key "F99FFE0FEAE999BD" is unknown
:: Import PGP key EAE999BD, "Allan McRae <me@allanmcrae.com>", created 2011-06-03? [Y/n] y
error: vlc: key "B7310AE5F04569AE" is unknown
:: Import PGP key F04569AE, "Giovanni Scafora <giovanni@archlinux.org>", created 2011-10-15? [Y/n] y

I initially thought I was just telling pacman to import the keys but now I'm wondering if I also told it to trust them and if I wasn't meant to do that? Should they have been automatically handled if they were signed correctly? I was trying to follow the instructions on Allan's blog which show this question and Allan answering yes. However, I now realise that I got confused and that that bit comes *before* Allan imports and trusts the master keys, but I'd already done that at this point. (But it didn't complain they were untrusted once imported...)

Could somebody either reassure me that I did this correctly (securely), or advise me on how to undo it if that's what I should do?

Last edited by cfr (2012-02-19 15:14:02)


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline

#2 2012-02-19 05:39:35

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,399
Website

Re: [Solved] Using pacman's package signing correctly

That looks fine... You should not need to manually trust any of the developer keys as they will be signed by at least three of the master keys which you gave marginal trust. Pacman will only download the needed keys for you (if you select "y"), it will not give them any trust.

Offline

#3 2012-02-19 15:13:04

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,134

Re: [Solved] Using pacman's package signing correctly

Great - thanks very much for the reassurance and quick response. I didn't do anything except say "y" as above and pacman seemed quite happy so it must be relying on the new keys being signed by the ones I'd given marginal trust. I'm quite surprised I managed to do it right!


Offline

#4 2012-03-04 09:00:18

llg179
Member
Registered: 2012-03-04
Posts: 12

Re: [Solved] Using pacman's package signing correctly

I followed Allan's guide on page
http://allanmcrae.com/2011/12/pacman-pa … rch-linux/

and pacman -Syu gave:
error: xorg-bdftopcf: signature from "Allan McRae <me@allanmcrae.com>" is marginal trust

Which is surprising as his key is one of the master keys. Currently several master keys are revoked.

Based on GPG's output, it maybe requires some additional input to mark the revoked key as trusted:

sub  3072R/B20030F3  created: 2011-11-25  revoked: 2011-11-25  usage: A   
[  full  ] (1). Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

gpg gives this:
  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

full story:

[root@archbang ~]# for key in FFF979E7 CDFD6BB0 4C7EA887 6AC6A4C2 824B18E8; do
> printf 'trust\n3\nquit\n' | gpg --homedir /etc/pacman.d/gnupg/ --no-permission-warning --command-fd 0 --edit-key $key
> done

pub  3072R/4C7EA887  created: 2011-11-25  expires: never       usage: SC 
                     trust: marginal      validity: full
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sub  1024R/93F91AC3  created: 2011-11-25  revoked: 2011-11-25  usage: E   
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sub  3072R/B20030F3  created: 2011-11-25  revoked: 2011-11-25  usage: A   
[  full  ] (1). Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>

pub  3072R/4C7EA887  created: 2011-11-25  expires: never       usage: SC 
                     trust: marginal      validity: full
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sub  1024R/93F91AC3  created: 2011-11-25  revoked: 2011-11-25  usage: E   
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sub  3072R/B20030F3  created: 2011-11-25  revoked: 2011-11-25  usage: A   
[  full  ] (1). Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu


pub  3072R/4C7EA887  created: 2011-11-25  expires: never       usage: SC 
                     trust: marginal      validity: full
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sub  1024R/93F91AC3  created: 2011-11-25  revoked: 2011-11-25  usage: E   
This key was revoked on 2011-11-25 by RSA key 4C7EA887 Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>
sub  3072R/B20030F3  created: 2011-11-25  revoked: 2011-11-25  usage: A   
[  full  ] (1). Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>


pub  3072R/6AC6A4C2  created: 2011-11-18  expires: never       usage: SC 
                     trust: marginal      validity: full
sub  1024R/86872C2F  created: 2011-11-18  expires: never       usage: E   
sub  3072R/1B516B59  created: 2011-11-18  expires: never       usage: A   
[  full  ] (1). Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>

pub  3072R/6AC6A4C2  created: 2011-11-18  expires: never       usage: SC 
                     trust: marginal      validity: full
sub  1024R/86872C2F  created: 2011-11-18  expires: never       usage: E   
sub  3072R/1B516B59  created: 2011-11-18  expires: never       usage: A   
[  full  ] (1). Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu


pub  3072R/6AC6A4C2  created: 2011-11-18  expires: never       usage: SC 
                     trust: marginal      validity: full
sub  1024R/86872C2F  created: 2011-11-18  expires: never       usage: E   
sub  3072R/1B516B59  created: 2011-11-18  expires: never       usage: A   
[  full  ] (1). Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>


I've got to go now; I will try the gpg key edit later. If someone knows what to do please help.

Thanks

Offline
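Allan's point in #2 (a developer key needs no trust of its own because at least three marginally trusted master keys certify it) and the "is marginal trust" error llg179 hits in #4 once a master key is revoked are both outcomes of GnuPG's validity calculation. The following is an added Python model of that calculation, not code from pacman, pacman-key or GnuPG; the key ids, the keyring layout and the thresholds (gpg's defaults of marginals-needed=3 and completes-needed=1) are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed model (not pacman's or GnuPG's code) of the web-of-trust
# validity calculation that pacman-key relies on. Thresholds are gpg's
# defaults: completes-needed=1, marginals-needed=3.

@dataclass
class Key:
    keyid: str
    ownertrust: str = "unknown"   # unknown | never | marginal | full | ultimate
    revoked: bool = False
    signers: set = field(default_factory=set)  # keyids that certified this key

def validity(key, keyring, marginals_needed=3, completes_needed=1, _seen=()):
    """Return 'revoked', 'full', 'marginal' or 'unknown' for key.

    Only certifications from signers that are themselves fully valid,
    not revoked, and carry ownertrust count toward the thresholds.
    """
    if key.revoked:
        return "revoked"
    if key.ownertrust == "ultimate":
        return "full"
    full = marginal = 0
    for sid in key.signers:
        signer = keyring.get(sid)
        if signer is None or sid in _seen:        # unknown key or cycle: ignore
            continue
        if validity(signer, keyring, marginals_needed, completes_needed,
                    _seen + (key.keyid,)) != "full":
            continue                              # revoked/invalid signer counts for nothing
        if signer.ownertrust in ("full", "ultimate"):
            full += 1
        elif signer.ownertrust == "marginal":
            marginal += 1
    if full >= completes_needed or marginal >= marginals_needed:
        return "full"
    return "marginal" if (full or marginal) else "unknown"

def build_keyring(revoked_masters=()):
    """Constructed keyring: pacman's own ultimate key, five master keys that
    were --lsign-key'd by it and given marginal ownertrust (as in the thread),
    and one packager key certified by three of the masters."""
    ring = {"LOCAL": Key("LOCAL", ownertrust="ultimate")}
    for m in ("M1", "M2", "M3", "M4", "M5"):
        ring[m] = Key(m, ownertrust="marginal", revoked=m in revoked_masters,
                      signers={"LOCAL"})
    ring["DEV"] = Key("DEV", signers={"M1", "M2", "M3"})   # packager key
    return ring

if __name__ == "__main__":
    ring = build_keyring()
    print(validity(ring["DEV"], ring))          # full: Allan's case in #2
    ring = build_keyring(revoked_masters=("M3",))
    print(validity(ring["DEV"], ring))          # marginal: the error llg179 saw
```

Once a master key is revoked, the packager key drops to two counting certifications, which is exactly why refreshing the keyring (so that certifications from the replacement master key arrive) fixes the error without resetting anything.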

#5 2012-03-04 09:20:06

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: [Solved] Using pacman's package signing correctly

llg179, please edit your post.
When pasting code, please use [ code ] tags https://bbs.archlinux.org/help.php#bbcode

like this

It makes the code more readable and more convenient to scroll through.

Offline

#6 2012-03-04 09:22:53

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: [Solved] Using pacman's package signing correctly

Try resetting your keys (remove /etc/pacman.d/gnupg) and reinitialize by following this procedure.


Burninate!

Offline

#7 2012-03-04 09:45:24

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,399
Website

Re: [Solved] Using pacman's package signing correctly

No need for that...  you probably just need "pacman-key --refresh-keys"

Offline

#8 2012-03-04 09:55:30

San2ban
Banned
From: Bangalore, India
Registered: 2010-02-09
Posts: 258

Re: [Solved] Using pacman's package signing correctly

Should be moved to TOPIC: Pacman and package issues


Satyam eva jayate

Registered linux user #535257

Offline

#9 2012-03-04 14:16:43

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,134

Re: [Solved] Using pacman's package signing correctly

[root@archbang ~]

Are you using Arch or Archbang?

Should be moved to TOPIC: Pacman and package issues

I figured it was a I-am-trying-but-a-bit-confused question when I asked it rather than an "issue" with pacman or a package...


Offline

#10 2012-03-04 22:06:13

llg179
Member
Registered: 2012-03-04
Posts: 12

Re: [Solved] Using pacman's package signing correctly

"I-am-trying-but-a-bit-confused" is a great description. As an ex-Ubuntu user, after 3 days of frustration with Gentoo and some net-search I ended up trying the Archbang distro. I'm amused by your prompt responses which gave me a very good first impression about the Arch community. After a reboot the hostname was changed so probably I worked on the file system of the install cd? At the 2nd trial (reinstall from CD) update went well:

http://bbs.archbang.org/viewtopic.php?id=2268

http://allanmcrae.com/2011/12/pacman-package-signing-4-arch-linux/

sudo su -
pacman -Syy
pacman -S pacman
pacman-key --init
nano /etc/pacman.d/gnupg/gpg.conf
                 keyserver hkp://pgp.mit.edu:11371
cd /etc
mv /etc/pacman.conf ~/pacman.conf.1,old.backup
mv pacman.conf.pacnew pacman.conf
nano /etc/pacman.conf
        SigLevel = Optional TrustedOnly
        # SigLevel = Never
        [core]
        SigLevel = PackageRequired

        [extra]
        SigLevel = PackageRequired
        #SigLevel = PackageOptional

        [community]
        #SigLevel = PackageOptional
        SigLevel = PackageRequired
        Include = /etc/pacman.d/mirrorlist
curl https://www.archlinux.org/{developers,trustedusers} | awk -F\" '(/pgp.mit.edu/) {sub(/.*search=0x/,"");print $1}' | xargs pacman-key --recv-keys

for key in FFF979E7 CDFD6BB0 4C7EA887 6AC6A4C2 824B18E8; do
    pacman-key --recv-keys $key
    pacman-key --lsign-key $key
    printf 'trust\n3\nquit\n' | gpg --homedir /etc/pacman.d/gnupg/ \
        --no-permission-warning --command-fd 0 --edit-key $key
done

pacman -Syuf

Thank you for your help!

Last edited by llg179 (2012-03-04 22:18:00)

Offline

#11 2012-03-05 03:21:02

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,134

Re: [Solved] Using pacman's package signing correctly

If you are using archbang, you should ask questions on the archbang forum.

You should never run

pacman -Syuf

unless you wish to break your system.


Offline

#12 2012-05-19 23:13:46

atercor
Member
From: Oro Verde, E. R., Argentina
Registered: 2012-02-13
Posts: 28

Re: [Solved] Using pacman's package signing correctly

EDIT: My fault, nothing to say

Last edited by atercor (2012-05-19 23:18:29)

Offline

#13 2012-05-20 02:07:00

Philippe1
Member
From: Montréal, Canada
Registered: 2011-04-11
Posts: 24

Re: [Solved] Using pacman's package signing correctly

cfr wrote:

If you are using archbang, you should ask questions on the archbang forum.

???????????????

Archbang is Arch Linux with Openbox...

Nothing wrong with asking questions here.


Philippe

Offline

#14 2012-05-20 02:16:39

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424
Website

Re: [Solved] Using pacman's package signing correctly

Philippe1 wrote:
cfr wrote:

If you are using archbang, you should ask questions on the archbang forum.

???????????????

Archbang is Arch Linux with Openbox...

Nothing wrong with asking questions here.

Uh, no.


Forum Etiquette wrote:

Community technical support shall only be provided for official Arch Linux distribution media installations and the Arch User Repository. Threads concerning issues with, and requesting support for, derivate distributions, or operating systems other than Arch Linux are prohibited and will be closed.


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

Offline

#15 2012-05-20 02:20:03

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,247

Re: [Solved] Using pacman's package signing correctly

Philippe1 wrote:
cfr wrote:

If you are using archbang, you should ask questions on the archbang forum.

???????????????

Archbang is Arch Linux with Openbox...

Nothing wrong with asking questions here.

First of all, you're derailing the thread. Secondly, it is not correct to say that Archbang is exactly the same as Arch Linux with Openbox. Thirdly, they have their own forums - to not use those forums is disrespectful to the ArchBang community and therefore not consistent with the Arch Linux forum guidelines.

Last edited by /dev/zero (2012-05-20 02:21:41)

Offline

#16 2012-05-20 02:22:32

Philippe1
Member
From: Montréal, Canada
Registered: 2011-04-11
Posts: 24

Re: [Solved] Using pacman's package signing correctly

Wow!

I never thought I would hurt you so much by saying the word Archbang...

Objection noted, I'll never do it again.

Are we friends again?


Philippe

Offline

#17 2012-05-20 02:27:19

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,247

Re: [Solved] Using pacman's package signing correctly

Philippe1 wrote:

Wow!

I never thought I would hurt you so much by saying the word Archbang...

Objection noted, I'll never do it again.

Are we friends again?


Philippe

You'll note that cfr has over 500 posts, compared to your own 20-odd. So, maybe it was a little presumptuous of you to try and contradict cfr.

A better approach: start a new thread (to prevent derailing), link back to the old thread, and ask a question instead of asserting opposition.

Offline

#18 2012-05-20 03:48:22

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,803

Re: [Solved] Using pacman's package signing correctly

Moderator Comment:

@Philippe1.  As has been pointed out, Archbang is not Arch;  it is a derivative of Arch, but it is not Arch.  We have nothing against Archbang, or the fine people that publish it, or the good people who use it.

There are two issues.  First, this is the Arch Linux forums.  The resources to host this forum are finite and are not free. It is only fair that Archbang should carry that support load.

But the real issue is that there are differences. Advice provided on these forums may be flat out wrong on an Archbang system; but far more importantly, questions about Archbang on these forums will create confusion with issues that are not applicable to Arch and will muddy the waters of these forums. The moderation team will not tolerate this. As jasonwryan has pointed out, it is against our policy and I have explained why.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#19 2012-05-20 11:17:19

Philippe1
Member
From: Montréal, Canada
Registered: 2011-04-11
Posts: 24

Re: [Solved] Using pacman's package signing correctly

Understood.

Have a nice day!


Philippe

Offline
