Arch Linux

heyom

Member

Registered: 2013-12-03

Posts: 43

Pacman Configuration Security Hardening (paranoid level)

Hello,

Since I'm a paranoid user, I really care a lot about Arch Linux security especially when it comes to its package manager, Pacman.

From pacman.conf file, I'm wondering if [core], [extra] and [community] databases are fully signed or not.

I couldn't find any good sources and I did search a lot by using Google, Youtube to see other's pacman.conf file and even Arch Linux form. None of them provide an ultimate way to harden pacman configurations.

I get error message saying:

error: core: missing required signature
error: extra: missing required signature
error: community: missing required signature

and each of them has the error message:

error: database 'core/extra/community' is not valid (invalid or corrupted database (PGP signature))

Noting that my configuration pacman.conf file like this at [options]:

SigLevel = Required DatabaseRequired TrustedOnly

Is there something wrong with my configuration or is it the databases haven't signed yet?

Thank you in advance and I'm looking forward to hearing from you guys

ewaller

Administrator

From: Pasadena, CA

Registered: 2009-07-13

Posts: 20,642

Re: Pacman Configuration Security Hardening (paranoid level)

Sounds like you have not signed the keys as trusted yet.
https://wiki.archlinux.org/index.php/Pacman-key

---

Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
The shortest way to ruin a country is to give power to demagogues.— Dionysius of Halicarnassus
---
How to Ask Questions the Smart Way

heyom

Member

Registered: 2013-12-03

Posts: 43

Re: Pacman Configuration Security Hardening (paranoid level)

Sounds like you have not signed the keys as trusted yet.
https://wiki.archlinux.org/index.php/Pacman-key

I did sign the keys as trusted and the problem is still existed...

Trilby

Inspector Parrot

Registered: 2011-11-29

Posts: 30,459

Website

Re: Pacman Configuration Security Hardening (paranoid level)

The note in that wiki page is a bit old - but it hasn't been revised yet:

Note: Although all official packages are now signed, as of June 2012 signing of the databases is a work in progress. If Required is set then DatabaseOptional should also be set.

So if that wiki page is still correct, database signing has not been completed yet.

EDIT: perhaps that note should be revised either way.  If this has been implemented, the note should go.  If it hasn't been implemented maybe it should - instead - be called a "work not in progress"

Last edited by Trilby (2014-09-10 18:06:29)

---

"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

heyom

Member

Registered: 2013-12-03

Posts: 43

Re: Pacman Configuration Security Hardening (paranoid level)

My goal is having ALL my packages that I download/install from either [core], [extra] or [community] databases are signed however I couldn't achieve that .. unless of course not ALL packages are signed...

I'm wondering if there is any better way..

Trilby

Inspector Parrot

Registered: 2011-11-29

Posts: 30,459

Website

Re: Pacman Configuration Security Hardening (paranoid level)

Packages should all be signed.  The databases are not.  Your errors are coming from requiring databases be signed to.

---

"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

heyom

Member

Registered: 2013-12-03

Posts: 43

Re: Pacman Configuration Security Hardening (paranoid level)

No worries about packages. I'm just worrying about the database itself. Noting that I meant that packages signed with signatures.

I would be very appreciated if you could share any methods on maximizing my pacman.conf security

Trilby

Inspector Parrot

Registered: 2011-11-29

Posts: 30,459

Website

Re: Pacman Configuration Security Hardening (paranoid level)

You lost me.  How are these not contradictory:

My goal is having ALL my packages ... signed however I couldn't achieve that

No worries about packages. I'm just worrying about the database itself.

If the databases are not signed, there is no magic you can do on your end - they just aren't signed.  Packages are signed, and you can require that these signatures are valid.

Last edited by Trilby (2014-09-10 19:06:05)

---

"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

karol

Archivist

Registered: 2009-05-06

Posts: 25,440

Re: Pacman Configuration Security Hardening (paranoid level)

What exactly are you worried about?

https://pierre-schmitz.com/trust-the-master-keys/

heyom

Member

Registered: 2013-12-03

Posts: 43

Re: Pacman Configuration Security Hardening (paranoid level)

You lost me.  How are these not contradictory:

My goal is having ALL my packages ... signed however I couldn't achieve that

No worries about packages. I'm just worrying about the database itself.

If the databases are not signed, there is no magic you can do on your end - they just aren't signed.  Packages are signed, and you can require that these signatures are valid.

Yeah I'm sorry about that. I'm just lost to the level that I couldn't figure out what is the maximum level of security that pacman can be configured.

As I said at my 1st post, I don't know why I get the errors about databases and I though it can be possible to solve that..

I may have lack of information but I'm still confused on how to configure pacman.conf well enough..

Last edited by heyom (2014-09-10 19:18:27)

heyom

Member

Registered: 2013-12-03

Posts: 43

Re: Pacman Configuration Security Hardening (paranoid level)

What exactly are you worried about?

https://pierre-schmitz.com/trust-the-master-keys/

I'll check it out.

heyom

Member

Registered: 2013-12-03

Posts: 43

Re: Pacman Configuration Security Hardening (paranoid level)

According to what Allan says:

"We are still in a transition period so not all Developer and Trusted User keys are fully signed yet by the master keys yet, but we are not too far off. In the future we might provide a pacman-keyring package that streamlines this process a bit, or at least will save the individual downloading of each packager’s key.

That just leaves the signing of the databases, but that is a story for another day!"

I guess I have to leave my signing level in [options]:

SigLevel = PackageRequired TrustedOnly

Any better options would be appreciated.

heyom

Member

Registered: 2013-12-03

Posts: 43

Re: Pacman Configuration Security Hardening (paranoid level)

Could someone clarify to me in details this section and provide some examples?

Thank you in advance.

falconindy

Developer

From: New York, USA

Registered: 2009-10-22

Posts: 4,111

Website

Re: Pacman Configuration Security Hardening (paranoid level)

Could someone clarify to me in details this section and provide some examples?

It's poorly worded, and not important for 99% of users. I've clarified that section to mention the word "debugging", which is the only likely reason you'd want to play around with gpg directly.

---

blog | ±github

heyom

Member

Registered: 2013-12-03

Posts: 43

Re: Pacman Configuration Security Hardening (paranoid level)

Any other detailed explanation would be appreciate.

falconindy

Developer

From: New York, USA

Registered: 2009-10-22

Posts: 4,111

Website

Re: Pacman Configuration Security Hardening (paranoid level)

I'm really not sure what you're expecting. It's an ordinary gpg keyring... pacman-key exists to wrap the common use cases for the keyring. For everything else, there's master^H^H^H^H^H^Hgpg.

---

blog | ±github