Are packages signed?

nullvoid · 2009-03-13 13:10:13

Hello.

Topic says it all. Are the packages downloaded from the arch repository signed to prevent DNS spoofing and so on?

Regards,
Linus Johansson

Last edited by nullvoid (2009-03-14 18:24:56)

SamC · 2009-03-13 13:12:57

No. This has been discussed many times. If you are so worried about this, write the code to support it yourself. Search the forums for more information.

rson451 · 2009-03-13 13:22:41

At one point I think there was a branch of pacman development working on this but I'm not sure if it's still active or not. As SamC said, there have been many discussions about this in the past but it always comes down to the fact that no one has stepped up with an implementation (at that point).

nullvoid · 2009-03-13 15:16:38

Thanks for the quick reply. I really have no idea about the internals of pacman. It should not be too hard to make it support https using openssl.

Anyways, I will simply tunnel FTP over an SSH connection for now, so I can use my arch box on a hostile network.

Runiq · 2009-03-13 16:00:44

Isn't this an idea for a GSoC project - to get all packages GPG signed?

Pierre · 2009-03-13 16:15:07

nullvoid wrote:

Thanks for the quick reply. I really have no idea about the internals of pacman. It should not be too hard to make it support https using openssl.
Anyways, I will simply tunnel FTP over an SSH connection for now, so I can use my arch box on a hostile network.

That does not help much because the main problem is that you cannot trust the mirrors. So gpg signing is the only solution.

nullvoid · 2009-03-13 16:57:06

Pierre wrote:

nullvoid wrote:
Thanks for the quick reply. I really have no idea about the internals of pacman. It should not be too hard to make it support https using openssl.
Anyways, I will simply tunnel FTP over an SSH connection for now, so I can use my arch box on a hostile network.
That does not help much because the main problem is that you cannot trust the mirrors. So gpg signing is the only solution.

Correct, but I do however trust the mirrors, my problem is that I will run Arch on a hostile network so I can't really make sure it's really the mirror I am talking to. But GPG signing would be even better.

Allan · 2009-03-13 23:07:49

rson451 wrote:

At one point I think there was a branch of pacman development working on this but I'm not sure if it's still active or not. As SamC said, there have been many discussions about this in the past but it always comes down to the fact that no one has stepped up with an implementation (at that point).

Yes, there is this branch: http://code.toofishes.net/cgit/dan/pacm … /?h=newgpg
Which along with these patches (may need fixing...) makes a good start:
http://archlinux.org/pipermail/pacman-d … 07808.html
http://archlinux.org/pipermail/pacman-d … 07836.html
http://archlinux.org/pipermail/pacman-d … 07837.html

Runiq wrote:

Isn't this an idea for a GSoC project - to get all packages GPG signed?

It would, but you require a mentor with time...

fukawi2 · 2009-03-14 11:06:07

nullvoid wrote:

Topic says it all.

Topic actually says "packets"

Arch Linux

#1 2009-03-13 13:10:13

Are packages signed?

#2 2009-03-13 13:12:57

Re: Are packages signed?

#3 2009-03-13 13:22:41

Re: Are packages signed?

#4 2009-03-13 15:16:38

Re: Are packages signed?

#5 2009-03-13 16:00:44

Re: Are packages signed?

#6 2009-03-13 16:15:07

Re: Are packages signed?

#7 2009-03-13 16:57:06

Re: Are packages signed?

#8 2009-03-13 23:07:49

Re: Are packages signed?

#9 2009-03-14 11:06:07

Re: Are packages signed?

Board footer