
#1 2012-06-05 15:26:12

Klink-a-dink-dink
Member
From: New York, USA
Registered: 2010-12-17
Posts: 9

Verifying the sigs of all installed packages, and signing progress

Now that package signing is enabled by default, I want to verify the signatures on all of my currently installed packages.

Is there any way to do this without reinstalling them all?

Next question: is there anywhere online where I can check the progress of how many packages are signed in each repo? I'd like to set my SigLevel for [community] and [multilib] to PackageRequired, but from what I've heard not all packages in those repos are fully signed.

Also, I can't find much information about database signing, other than it being mentioned in the pacman.conf(5) manual. I tried setting each repo to Required (or at least including DatabaseRequired) but it just caused my next pacman -Syu to fail. Does this mean that database signing isn't implemented yet?


edit: s/keys/sigs in title

Last edited by Klink-a-dink-dink (2012-06-05 15:27:21)


#2 2012-06-05 16:20:37

Gcool
Member
Registered: 2011-08-16
Posts: 1,456

Re: Verifying the sigs of all installed packages, and signing progress

It's basically the install source (tar.xz package) that's signed, so I'm not sure there's a way of verifying that once the actual package is installed (someone feel free to correct me on that if I'm wrong). A nice little script to check the progress of package signing in each repo can be found here.

As for the database signing, this hasn't been implemented as of yet. Once all packages in all repos are correctly signed, this will be implemented I reckon.


Burninate!


#3 2012-06-05 16:36:20

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: Verifying the sigs of all installed packages, and signing progress

If you still have the tarballs of your installed packages in your cache, you could check them there.


#4 2012-06-05 19:40:59

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: Verifying the sigs of all installed packages, and signing progress

As far as I know, [community] and [multilib] packages are now all signed. The new default pacman.conf has "PackageRequired" for these repos and I've used this setting for a while now without issue.

I'm not sure how secure it would be to check already installed packages. If any of those had been compromised, nothing on your system would be trustworthy - including the programmes needed to check the integrity of the packages. Presumably, you'd need to do the checking from another machine or by booting a known-good "live" environment of some sort? I realise checking in place might reveal an issue so perhaps it is slightly better than not checking, but if it is worth the effort, I'd think it would be better not to do the check from Arch itself...


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#5 2012-06-05 20:26:24

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Verifying the sigs of all installed packages, and signing progress

Klink-a-dink-dink wrote:

Now that package signing is enabled by default, I want to verify the signatures on all of my currently installed packages.

Is there any way to do this without reinstalling them all?

Yes. Create a list of installed packages from the cache, e.g. pkgN.tar.xz. The problem is that sigs are not stored in the cache, so create a loop which runs over all packages. Inside the loop fetch "pkgN.tar.xz.sig" via wget from your favorite mirror and run "gpg --homedir=/etc/pacman.d/gnupg --verify pkgN.tar.xz.sig pkgN.tar.xz || echo pkgN.tar.xz".

Klink-a-dink-dink wrote:

Also, I can't find much information about database signing, other than it being mentioned in the pacman.conf(5) manual. I tried setting each repo to Required (or at least including DatabaseRequired) but it just caused my next pacman -Syu to fail. Does this mean that database signing isn't implemented yet?

No, it hasn't been implemented yet. I don't really know about the plans, but personally I don't see much value in it. If a mirror is compromised and someone alters the *.db files, the worst that can happen is that you won't get your update -- not a big deal IMHO. Such attacks may be profitable against RHEL/SLES (when lack of updates may open critical servers to an intrusion) but not against arch.

Last edited by Leonid.I (2012-06-05 20:27:19)


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd

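The loop Leonid.I describes, written out as an added example (it is not code from this thread or from pacman): walk the package cache, fetch each tarball's detached .sig from a mirror, and verify it with the keyring pacman itself uses. The mirror URL is a placeholder, the repo list, wget/gpg on PATH and the cache and keyring paths are assumptions, and the acceptance rule (GOODSIG plus a fully or ultimately trusted key) mirrors what the pacman keyring yields for packager keys signed by enough master keys; all of these are set as variables so they can be overridden.

```shell
#!/bin/sh
# Added example: verify cached Arch package tarballs against detached
# signatures fetched from a mirror, using pacman's keyring.
# Assumptions: standard $repo/os/$arch mirror layout (placeholder URL),
# wget and gpg on PATH, pacman's keyring at /etc/pacman.d/gnupg.
set -eu

CACHE_DIR="${CACHE_DIR:-/var/cache/pacman/pkg}"
MIRROR="${MIRROR:-https://mirror.example.invalid/archlinux}"  # placeholder, set your own
KEYRING="${KEYRING:-/etc/pacman.d/gnupg}"
HOST_ARCH="${HOST_ARCH:-$(uname -m)}"
# A cached tarball does not record its repo, so each candidate is tried in order.
REPOS="${REPOS:-core extra community multilib}"

# Architecture field of a package file name: name-ver-rel-ARCH.pkg.tar.*
# "any" packages are served from the host architecture directory on mirrors.
pkg_arch() {
    base=${1%.pkg.tar.*}
    arch=${base##*-}
    [ "$arch" = any ] && arch=$HOST_ARCH
    printf '%s\n' "$arch"
}

# Mirror URL of the detached signature for package file $2 in repo $1.
sig_url() {
    printf '%s/%s/os/%s/%s.sig\n' "$MIRROR" "$1" "$(pkg_arch "$2")" "$2"
}

# Read gpg --status-fd output on stdin and accept only a GOODSIG from a key
# with full or ultimate trust, with no BADSIG/ERRSIG line present.
gpg_status_ok() {
    status=$(cat)
    printf '%s\n' "$status" | grep -q '^\[GNUPG:] GOODSIG ' || return 1
    printf '%s\n' "$status" | grep -Eq '^\[GNUPG:] TRUST_(FULLY|ULTIMATE)' || return 1
    ! printf '%s\n' "$status" | grep -Eq '^\[GNUPG:] (BADSIG|ERRSIG) '
}

# Fetch the .sig next to the cached tarball, trying each repo until one serves it.
# A package that has since been updated on the mirror will have no .sig left to fetch.
fetch_sig() {
    pkg=$1
    out="$CACHE_DIR/$pkg.sig"
    [ -s "$out" ] && return 0
    for repo in $REPOS; do
        if wget -q -O "$out" "$(sig_url "$repo" "$pkg")"; then
            return 0
        fi
        rm -f "$out"   # wget leaves an empty file behind on failure
    done
    return 1
}

# Verify one cached tarball; prints a one-line verdict, returns 0 only on success.
verify_pkg() {
    pkg=$1
    if ! fetch_sig "$pkg"; then
        printf 'NOSIG   %s\n' "$pkg"; return 1
    fi
    if gpg --homedir "$KEYRING" --status-fd 1 --verify \
           "$CACHE_DIR/$pkg.sig" "$CACHE_DIR/$pkg" 2>/dev/null | gpg_status_ok; then
        printf 'OK      %s\n' "$pkg"
    else
        printf 'FAIL    %s\n' "$pkg"; return 1
    fi
}

# Walk the cache and report a count of tarballs that could not be verified.
main() {
    failed=0
    for path in "$CACHE_DIR"/*.pkg.tar.*; do
        [ -e "$path" ] || continue
        pkg=${path##*/}
        case "$pkg" in *.sig) continue ;; esac
        verify_pkg "$pkg" || failed=$((failed + 1))
    done
    printf '%d package(s) failed verification\n' "$failed"
    [ "$failed" -eq 0 ]
}

# Run the walk only when asked, so the helpers can be sourced or tested on their own.
if [ "${1:-}" = --run ]; then
    main
fi
```

Invoke it as `sh verify-cache.sh --run`. NOSIG lines are the case Leonid.I qualifies in the next post: the mirror no longer carries that version, so its signature cannot be fetched. cfr's caveat applies too: a verdict from a machine you suspect is only as good as the gpg and keyring on it, so for a real check boot a known-good environment and point CACHE_DIR and KEYRING at the mounted system instead.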

#6 2012-06-05 21:51:58

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,365
Website

Re: Verifying the sigs of all installed packages, and signing progress

Klink-a-dink-dink wrote:

Is there any way to do this without reinstalling them all?

No

Klink-a-dink-dink wrote:

is there anywhere online where I can check the progress of how many packages are signed in each repo?

They have been fully signed for months.

Klink-a-dink-dink wrote:

Does this mean that database signing isn't implemented yet?

Not yet...

Leonid.I wrote:

If a mirror is compromised and someone alters the *.db files, the worst that can happen is that you won't get your update -- not a big deal IMHO.

That is a bigger attack vector than altering packages... Hold back an update to an already signed package that has had a major security vulnerability found in it.


#7 2012-06-05 23:03:47

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: Verifying the sigs of all installed packages, and signing progress

Allan wrote:
Klink-a-dink-dink wrote:

Is there any way to do this without reinstalling them all?

No

Provided the packages haven't been updated on a mirror... why not? That's how I verify packages if I need to have a look at a binary or wish to install a select package from [testing] w/o enabling it.

On a different note, is there a pacman option to download signatures into the same cache dir as the corresponding package (suppose I don't care about filling up /var)? Or is this an ignorant question to ask?

Allan wrote:
Klink-a-dink-dink wrote:

is there anywhere online where I can check the progress of how many packages are signed in each repo?

They have been fully signed for months.

Klink-a-dink-dink wrote:

Does this mean that database signing isn't implemented yet?

Not yet...

Leonid.I wrote:

If a mirror is compromised and someone alters the *.db files, the worst that can happen is that you won't get your update -- not a big deal IMHO.

That is a bigger attack vector than altering packages... Hold back an update to an already signed package that has had a major security vulnerability found in it.

Yes, that's what I basically said... but I don't think it is a bigger problem than downloading a rooted kernel with a non-functional firewall or a backdoor.

Last edited by Leonid.I (2012-06-05 23:04:41)


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
