You are not logged in.
If a PKGBUILD contains the line
validpgpkeys=(123456)and this key is not in your keyring, makepkg will fail with
==> Verifying source file signatures with gpg...
file ... FAILED (unknown public key 123456)But I don't understand the thread model here. Why does makepkg check if the key 123456 is in my keyring? If I don't trust the PKGBUILD file, running makepkg is already game over and if I do trust the PKGBUILD file, I know that 123456 is the correct PGP key.
I understand why it checks the signature at all - if I trust the PKGBUILD file, but not the server it downloads code from (or the server does not use TLS) I should not use --skippgpcheck. But why is there no --use-pgp-key-from-validpgpkeys-even-if-its-not-in-keyring flag?
Last edited by volker_weissmann (2022-06-04 23:39:58)
Offline
I read that. I know what makepkg does, I just do not understand why it does that.
Offline
You need the public key to verify a signature. makepkg does not automatically fetch that key, but you could set up gpg to do that. (See auto-key-retrieve
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |
Offline
You need the public key to verify a signature. makepkg does not automatically fetch that key, but you could set up gpg to do that. (See auto-key-retrieve
Is there a reason why makepkg does not automatically fetch that key?
Offline
and this key is not in your keyring, makepkg will fail
Thankfully it does so. If you already trust the source, simply edit the PKGBUILD instead of asking makepkg to undermine its own safety measures...
Last edited by dogknowsnx (2022-06-04 18:46:25)
volker_weissmann wrote:and this key is not in your keyring, makepkg will fail
Thankfully it does so. If you already trust the source, simply edit the PKGBUILD instead of asking makepkg to undermine its own safety measures...
What do you mean with "source"? Are you talking about the PKGBUILD? If you do not trust PKGBUILD, running makepkg is game over either way.
Why would you trust the PKGBUILD but not the key inside the PKGBUILD?
Offline
I think we're talking past each other. You're suggesting a picklock-flag for makepkg, and my question is why you would possibly want that in its code...
Last edited by dogknowsnx (2022-06-04 19:16:10)
The pgp key is used to validate files in source= array that are signed with that key.
This vastly reduces the chance someone modified, replaced or hacked those files.
The key is not added automagickally because you're supposed to verify whom the key is from and whether they can be trusted to sign that particular file.
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
The pgp key is used to validate files in source= array that are signed with that key.
This vastly reduces the chance someone modified, replaced or hacked those files.
I get that part.
The key is not added automagickally because you're supposed to verify whom the key is from and whether they can be trusted to sign that particular file.
But we trust the PKGBUILD file. Otherwise we would not run makepkg. And the PKGBUILD file says that the guy with the key 123456 can be trusted.
Offline
But we trust the PKGBUILD file. Otherwise we would not run makepkg. And the PKGBUILD file says that the guy with the key 123456 can be trusted.
You trust the PKGBUILD - makepkg has got no AI (hence "automagickally") but has to resort to a keyring...
EDIT: I'm afraid '--skippgpcheck' is the flag you're looking for (I've never used it before, tbh)...
Last edited by dogknowsnx (2022-06-04 21:13:46)
volker_weissmann wrote:But we trust the PKGBUILD file. Otherwise we would not run makepkg. And the PKGBUILD file says that the guy with the key 123456 can be trusted.
You trust the PKGBUILD - makepkg has got no AI (hence "automagickally") but has to resort to a keyring...
makepkg is literally executing parts of the PKGBUILD file as shell comands. makepkg trusts the PKGBUILD file.
EDIT: I'm afraid '--skippgpcheck' is the flag you're looking for (I've never used it before, tbh)...
Again, what if I trust the key, but not the server? Then, https://wiki.archlinux.org/title/GPG#Use_a_keyserver is more secure than --skippgpcheck
Offline
makepkg is literally executing parts of the PKGBUILD file as shell comands. makepkg trusts the PKGBUILD file.
That's generalizing (PKGBUILD is a shell script after all)
Why does makepkg check if the key 123456 is in my keyring?
Because w/o the key, the signature cannot be verified - "123456" isn't the key but some ID to find it by.
makepkg trusts the PKGBUILD file.
https://wiki.archlinux.org/title/Arch_U … g_packages - see step #2
*You* are required to vet the PKGBUILD, that includes the signature keys.
One might argue that vetting the key does not strictly imply to have added them to your keyring, but in reality, not having added them means that you didn't inspect them and most likely didn't look at the PKGBUILD either.
--use-pgp-key-from-validpgpkeys-even-if-its-not-in-keyring
Is there a reason why makepkg does not automatically fetch that key?
The link progandy posted has a tip and that tip shows how to activate auto-key-retrieve and immeditaly links (more or less) https://man.archlinux.org/man/gpg.1#no- … y-retrieve to explain why that's not the default gpg behavior.
The signatures are tested in /usr/share/makepkg/integrity/verify_signature.sh and you could add the option there if you for some reason don't want it globally but think for makepkg it's ok.
If you want to know/debate whether makepkg should forward that option, this forum is the wrong platform => https://archlinux.org/pacman/#_bugs
Offline
Why does makepkg check if the key 123456 is in my keyring?
Because w/o the key, the signature cannot be verified - "123456" isn't the key but some ID to find it by.
makepkg trusts the PKGBUILD file.
https://wiki.archlinux.org/title/Arch_U … g_packages - see step #2
*You* are required to vet the PKGBUILD, that includes the signature keys.
One might argue that vetting the key does not strictly imply to have added them to your keyring, but in reality, not having added them means that you didn't inspect them and most likely didn't look at the PKGBUILD either.--use-pgp-key-from-validpgpkeys-even-if-its-not-in-keyring
Is there a reason why makepkg does not automatically fetch that key?
The link progandy posted has a tip and that tip shows how to activate auto-key-retrieve and immeditaly links (more or less) https://man.archlinux.org/man/gpg.1#no- … y-retrieve to explain why that's not the default gpg behavior.
The signatures are tested in /usr/share/makepkg/integrity/verify_signature.sh and you could add the option there if you for some reason don't want it globally but think for makepkg it's ok.
If you want to know/debate whether makepkg should forward that option, this forum is the wrong platform => https://archlinux.org/pacman/#_bugs
Ok, thanks. IMHO that is a slight missdesign. If the public key would be in the .sig file, makepkg could verify the signature of the public key and achieve the same amount of security.
Offline
Ok, thanks. IMHO that is a slight missdesign. If the public key would be in the .sig file, makepkg could verify the signature of the public key and achieve the same amount of security.
Offline