#1 2014-08-18 18:23:51

jjacky
Member
Registered: 2011-11-09
Posts: 347

Verifying PGP signatures w/ next makepkg (via makechrootpkg)

Hey,

I need a little help figuring out how things work/how to setup things, when it comes to makepkg and verifying PGP signatures (i.e. of source code, obviously).

First of all, I should make it clear that I'm using pacman-git and, as such, the upcoming version of makepkg. This is important because a few things changed when it comes to the signature check, most notably:
- when the key to be used wasn't found, a warning would be emitted. makepkg will now error out instead.
- if the key is known, but not trusted, again makepkg will now error out as well.

This means that for things to work, I need to have, and trust, the key(s) needed to verify signatures.

Alright, so if I try to build a package, things fail. I then go find the developer key and add it to my pubring. The key becomes known, but isn't trusted, so things still don't work.

At this point, what I do is verify things as much as I can, and ltsign the key. This works, in that the key is trusted, signatures are verified, yay. This might not be the best way to do this, but unless/until I have a large enough web of trust (WOT), I don't believe there's a better way?


Then, we move on a bit: I don't actually want to build my packages via makepkg directly, but in a "chroot" via devtools' makechrootpkg. This little script will copy my pubring over to the chroot so the key is known; however, it doesn't touch the trustdb, so the key isn't trusted and things fail.

I'm not sure what the proper solution is here. At the moment I have patched makechrootpkg so that my trustdb is also copied over in the chroot, but I'm not sure if this is right? (And, if not, what would be?)


Then I have an extra question: some of the packages I'll be building are GNU stuff (e.g. gdb) and they provide... a keyring. What am I supposed to do then? Should I just do the same with the key needed for the source file I'm trying to verify, and simply wait for the WOT to kick in over time, or is there a better/faster way (i.e. in identifying which keys to "verify" & ltsign, so all/most other keys get trusted)?

Of course, I also don't know how to make it work in the chroot: adding the file in my ~/.gnupg and a line "keyring gnu.gpg" in gnupg.conf is easy enough, but again none of that is carried over to the chroot, so it won't work in the end. What's the solution for such a case? Is there something I'm missing, would more patching of makechrootpkg be needed, or?

Any help appreciated,
Thanks.


#2 2014-08-19 02:33:54

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,365

Re: Verifying PGP signatures w/ next makepkg (via makechrootpkg)

I do not even sign locally. Once I have verified the correctness of the key, I add something like this to the PKGBUILD:

validpgpkeys=('6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD')

(obviously with the correct key fingerprint)

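To show what pinning a fingerprint in validpgpkeys actually changes, here is an added shell example (not makepkg's or devtools' own code) that re-implements the check makepkg applies to gpg's machine-readable status output: the signature must be good AND come from a pinned fingerprint, while the trustdb's opinion of the key is ignored. The fingerprint is the one quoted in the post above; the status lines are constructed samples, and verify_source assumes gpg is on PATH.

```bash
#!/bin/sh
# Pinned fingerprints, playing the role of a PKGBUILD's validpgpkeys array.
# The value is the one quoted in the post above (assumed here to be the
# maintainer's intended key).
VALIDPGPKEYS="6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD"

# check_sig_status "<gpg --status-fd output>"
# Returns 0 only if a VALIDSIG line carries a pinned fingerprint. TRUST_*
# lines are deliberately ignored: with a pin, the trustdb (and any local
# lsign/ltsign) no longer decides whether the source is accepted.
check_sig_status() {
    fpr=$(printf '%s\n' "$1" |
          awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }')
    # No VALIDSIG at all: bad signature, unknown key, or garbage input.
    [ -n "$fpr" ] || return 1
    for allowed in $VALIDPGPKEYS; do
        [ "$fpr" = "$allowed" ] && return 0
    done
    # Cryptographically good signature, but from a key that was not pinned.
    return 2
}

# Run gpg in machine-readable mode on a detached signature, then apply the
# pin check. Usage: verify_source gdb-7.8.tar.xz.sig gdb-7.8.tar.xz
verify_source() {
    check_sig_status "$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null)"
}

# Constructed status output for three cases (not captured from a real run).
# Good signature from the pinned key; note the trust level is "undefined".
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG F99FFE0FEAE999BD Example Developer <dev@example.org>
[GNUPG:] VALIDSIG 6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD 2014-08-18 1408383831 0 4 0 1 10 00 6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Signing key not in the keyring at all.
NOKEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1408383831 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
# Good signature, ultimately trusted key, but not the pinned one.
OTHERKEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CCDDEEFF01234567 Someone Else <else@example.org>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2014-08-18 1408383831 0 4 0 1 10 00 00112233445566778899AABBCCDDEEFF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp'
```

Because the decision rests on the fingerprint rather than on the trustdb, the same PKGBUILD verifies identically on the host and inside a makechrootpkg chroot that only received the pubring.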

#3 2014-08-20 14:17:15

jjacky
Member
Registered: 2011-11-09
Posts: 347

Re: Verifying PGP signatures w/ next makepkg (via makechrootpkg)

Ah, I see; it does make things simpler, thanks!

So would that be the "recommended" way, as in, can we expect to see such fields appear in PKGBUILDs after the next pacman release?
