Hello friends,
I am trying to understand more about pacman and its package signing. In order to do so, I wanted to manually verify some of the signatures listed in the pacman database against my pacman keyring. In order to do so, I've done the following:
cat /var/lib/pacman/sync/core/archlinux-keyring-20170320-1/desc | grep PGPSIG -A 1 | tail -1 | sudo gpg --home /etc/pacman.d/gnupg --verify - archlinux-keyring-20170320-1-any.pkg.tar.xz
Basically, I extracted the signature indicated by the %PGPSIG% element from the package database and sent it directly into gpg (with the home set to pacman's gnupg database). This is done from the pacman cache directory, so the corresponding archlinux-keyring-20170320-1-any.pkg.tar.xz exists.
Anyway, when I do this, I get the output:
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
I am positive that I am using all the tools right -- so I am fairly confused. Is the %PGPSIG% element in the package database not actually an OpenPGP signature? If not, is there a way to extract the signature?
Last edited by brandonio21 (2017-05-16 00:23:20)
The command to extract the signature should be:
tar --extract --to-stdout -f /var/lib/pacman/sync/core.db archlinux-keyring-20170320-1/desc | grep PGPSIG -A 1 | tail -1
Thanks for the reply berbae! I actually didn't know about "tar --extract --to-stdout -f". Using that will actually make my life a lot easier as I analyze the Pacman database.
However, the primary problem still persists. Once I extract the signature, I am unable to verify the package with it due to the same "no valid OpenPGP data found" error.
The PGPSIG field is base64 encoded. You need to decode it before passing it to gpg. For example:
$ bsdtar xOf /var/lib/pacman/sync/core.db pacman-5.0.1-5/desc | sed -n '/^%PGPSIG%$/ { n; p; q; }' | base64 -d | gpg --verify - /var/cache/pacman/pkg/pacman-5.0.1-5-x86_64.pkg.tar.xz
gpg: Signature made Sat 11 Feb 2017 06:49:59 AM EST
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>" [full]
Thanks so much! This is exactly what I was looking for.
Is it safe to say that the PGP signatures in the Pacman database follow the OpenPGP message format defined in RFC4880? Is the answer to this post specifically the conversion defined in §2.4 (Conversion to Radix64)?
Are you asking if radix 64 and base 64 are the same? If so, yes, they are just two terms for the same thing.
"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" - Richard Stallman
Not exactly. I was specifically asking if the entirety of %PGPSIG% follows the RFC4880 message format, namely those defined in §5.2.
However, I suppose if the signatures are generated via gpg, this would definitely be true. Thank you for your replies! Consider this thread solved!
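As an added illustration of the base64 answer and the RFC 4880 §5.2 question above (example code, not from anyone in this thread): a Python script that pulls %PGPSIG% out of a desc entry, base64-decodes it, and parses the OpenPGP packet header to confirm it is a tag-2 signature packet with the v4 fixed fields. The desc fragment and signature bytes are constructed, not a real Arch signature; the script only checks structure, the cryptographic verification is still gpg's job.

```python
import base64
import re

def extract_pgpsig(desc: str) -> bytes:
    """Return the base64-decoded %PGPSIG% value of a pacman desc entry."""
    m = re.search(r"^%PGPSIG%\n(\S+)$", desc, re.M)
    if not m:
        raise ValueError("no %PGPSIG% field in desc")
    return base64.b64decode(m.group(1), validate=True)

def parse_packet_header(data: bytes):
    """Parse one OpenPGP packet header (RFC 4880 section 4.2); return (tag, body)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if first & 0x40:                      # new-format header
        tag, l = first & 0x3F, data[1]
        if l < 192:
            hlen, blen = 2, l
        elif l < 224:
            hlen, blen = 3, ((l - 192) << 8) + data[2] + 192
        elif l == 255:
            hlen, blen = 6, int.from_bytes(data[2:6], "big")
        else:
            raise ValueError("partial body lengths not supported")
    else:                                 # old-format header (what gpg emits for signatures)
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = 1 << ltype
        hlen, blen = 1 + n, int.from_bytes(data[1:1 + n], "big")
    if len(data) < hlen + blen:
        raise ValueError("truncated packet")
    return tag, data[hlen:hlen + blen]

def describe_signature(sig: bytes) -> dict:
    """Decode the fixed leading fields of a v4 signature packet (RFC 4880 section 5.2.3)."""
    tag, body = parse_packet_header(sig)
    if tag != 2:
        raise ValueError(f"packet tag {tag} is not a signature packet")
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    return {"version": 4, "sig_type": body[1], "pubkey_algo": body[2], "hash_algo": body[3]}

# Constructed sample (hypothetical, not a real signature): a v4 RSA/SHA-256 binary-document
# signature packet with empty subpacket areas and a 1-bit MPI, behind old-format header 0x88.
SAMPLE_SIG = bytes([0x88, 0x0D, 0x04, 0x00, 0x01, 0x08, 0, 0, 0, 0, 0xAB, 0xCD, 0, 1, 1])
SAMPLE_DESC = "%NAME%\npacman\n\n%PGPSIG%\n" + base64.b64encode(SAMPLE_SIG).decode() + "\n\n%URL%\nhttps://example.invalid\n"
```

Pointing extract_pgpsig at the output of the bsdtar command above gives the same bytes that base64 -d hands to gpg.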