#1 2015-01-16 18:08:10

7tupel
Member
Registered: 2015-01-16
Posts: 1

pacman proxy and package filtering by signature

Hi, I would like to implement the following scenario:

I have an arbitrary number of clients and a server all running Arch. Now I would like to configure them to do the following:

All clients must not use any official arch repository, but only a local repository provided by the server. They may only install packages that are in this repository. Further they will not install any package that was not signed by a specified private key (the key of the server) even if the package is in the local repository. That includes official packages that are not signed by this key.

The server may download any package from the official repositories or any other repositories configured. Now the server does some checking on each package and if a package passes this check, then the package gets signed by the server with its key.

This way the clients can only use packages authorized by the local server.

Now my question: is there any solution in existence that does exactly what I want, or do I need to configure the chain by hand using the various pacman tools? Or is it even impossible?

So far I have the following idea to make this work:
First remove all repositories from the clients and add only a local repository. Then delete the pacman keyring, initialize a new keyring and add only the key from the server as trusted key. (Does this work, or would the keyring initialization automatically add the official master keys as trusted keys to the keyring?)
On the server: set up pacman to locally store all packages downloaded from any repository available through the server's pacman config. Run a script that performs some checking tasks and, if the test passes, sign the package with the private key of my server.

Why do I need this? I'm working as administrator at a local school and the school board of the city is considering a new city-wide solution for the IT infrastructure for all schools. I would like to contribute to this process and suggest a system that is not based on Microsoft. One of the constraints the school board made is that the new system needs a mechanism to regulate which software may be installed on the clients through a central position.

cheers mo

Offline

#2 2015-01-16 19:34:23

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,174
Website

Re: pacman proxy and package filtering by signature

7tupel wrote:

[snip]

They may only install packages that are in this repository. Further they will not install any package that was not signed by a specified private key (the key of the server) even if the package is in the local repository. That includes official packages that are not signed by this key.

The server may download any package from the official repositories or any other repositories configured. Now the server does some checking on each package and if a package passes this check, then the package gets signed by the server with its key.

[snip]

So far I have the following idea to make this work:
First remove all repositories from the clients and add only a local repository. Then delete the pacman keyring, initialize a new keyring and add only the key from the server as trusted key. (Does this work, or would the keyring initialization automatically add the official master keys as trusted keys to the keyring?)
On the server: set up pacman to locally store all packages downloaded from any repository available through the server's pacman config. Run a script that performs some checking tasks and, if the test passes, sign the package with the private key of my server.

[snip]

I don't see why this wouldn't work and I'm pretty sure that you can piece together all the bits you need from the Wiki to do it. Managing the keyring and trusting users not to manually connect to an ArchLinux server is probably going to be the harder part.


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository

Offline

#3 2015-01-16 19:58:12

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: pacman proxy and package filtering by signature

7tupel wrote:

Hi, I would like to implement the following scenario:

I have an arbitrary number of clients and a server all running Arch. Now I would like to configure them to do the following:

All clients must not use any official arch repository, but only a local repository provided by the server. They may only install packages that are in this repository. Further they will not install any package that was not signed by a specified private key (the key of the server) even if the package is in the local repository. That includes official packages that are not signed by this key.

The server may download any package from the official repositories or any other repositories configured. Now the server does some checking on each package and if a package passes this check, then the package gets signed by the server with its key.

This way the clients can only use packages authorized by the local server.

Now my question: is there any solution in existence that does exactly what I want, or do I need to configure the chain by hand using the various pacman tools? Or is it even impossible?

So far I have the following idea to make this work:
First remove all repositories from the clients and add only a local repository. Then delete the pacman keyring, initialize a new keyring and add only the key from the server as trusted key. (Does this work, or would the keyring initialization automatically add the official master keys as trusted keys to the keyring?)
On the server: set up pacman to locally store all packages downloaded from any repository available through the server's pacman config. Run a script that performs some checking tasks and, if the test passes, sign the package with the private key of my server.

What you want is definitely possible, but the way you want to do it makes little sense to me. And it is definitely too convoluted.

First, you don't accomplish anything by playing with the keys. Why don't you want to have archlinux-keyring installed on the clients? What do you gain by re-signing packages on the fan-out server? Would you be able to guarantee the integrity of the server signing key?

What I'd do is to set up a local mirror (it's in the wiki) that only downloads proper (whatever your criteria are) packages and their sigs. Then, point all your clients to it in /etc/pacman.d/mirrorlist.

Alternatively, you could set up a local repo (not mirror) and roll out a set of "meta-packages" that contain no files and depend only on the proper Arch packages (like it is done with xorg-utils, iirc). Then, you'd need a server key of course to sign these meta-packages.


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd

Offline

#4 2015-01-16 23:55:19

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,672
Website

Re: pacman proxy and package filtering by signature

Note, don't install archlinux-keyring.  That imports all the developer keys!

Offline
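
Added example, not part of any post in this thread: a shell audit that checks whether a client's pacman.conf actually enforces the lock-down discussed above (local repository only, package signatures mandatory, no trust-everything settings, no `Include` of an upstream mirrorlist). The function name, the repository name `school` and the host `repo.school.example` are assumptions made for illustration; the sample configs are constructed.

```shell
#!/bin/sh
# Added example: audit a client pacman.conf against the lock-down policy.
# usage: audit_pacman_conf FILE URL_PREFIX   (FILE may be "-" for stdin)
audit_pacman_conf() {
    awk -v prefix="$2" '
    function fail(msg) { printf "FAIL [%s] %s\n", sect, msg; bad = 1 }
    # 1 if any package-level token turns verification off or trusts every key
    function weak(val,    n, t, i, tok) {
        n = split(val, t, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            tok = t[i]
            if (tok ~ /^Database/) continue   # database signatures not judged here
            sub(/^Package/, "", tok)
            if (tok == "Never" || tok == "Optional" || tok == "TrustAll") return 1
        }
        return 0
    }
    /^[ \t]*(#|$)/ { next }                   # comments are whole lines in pacman.conf
    /^[ \t]*\[.*\][ \t]*$/ { gsub(/^[ \t]*\[|\][ \t]*$/, ""); sect = $0; next }
    {
        eq = index($0, "="); key = $0; val = ""
        if (eq) { key = substr($0, 1, eq - 1); val = substr($0, eq + 1) }
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "Include") fail("Include pulls in an unaudited file: " val)
        if (key ~ /SigLevel$/ && weak(val)) fail(key " weakens verification: " val)
        if (sect == "options" && key == "SigLevel" && val ~ /(^|[ \t])(Package)?Required([ \t]|$)/)
            strict = 1
        if (sect != "options" && key == "Server" && index(val, prefix) != 1)
            fail("Server is not the local repository: " val)
    }
    END {
        sect = "options"
        if (!strict) fail("global SigLevel does not require package signatures")
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample: locked-down client (host name and repo name are made up).
sample_locked() { printf '%s\n' '[options]' 'SigLevel = Required TrustedOnly' \
    '[school]' 'Server = http://repo.school.example/$arch'; }

# Constructed sample: stock-style config that still reaches upstream mirrors.
sample_stock() { printf '%s\n' '[options]' 'SigLevel = Required DatabaseOptional' \
    'LocalFileSigLevel = Optional' '[core]' 'Include = /etc/pacman.d/mirrorlist' \
    '[school]' 'SigLevel = Optional TrustAll' 'Server = http://repo.school.example/$arch'; }

sample_locked | audit_pacman_conf - http://repo.school.example/ && echo "locked: OK"
sample_stock  | audit_pacman_conf - http://repo.school.example/ || echo "stock: rejected"
```

Keep the trailing slash on the URL prefix so a look-alike host name cannot pass the prefix match. The audit covers configuration only; which keys the client keyring trusts has to be checked separately.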
