securitybreach Posted January 17, 2012

> Pacman 4 has landed in core! Thanks to 24 contributors producing 893 commits, you'll find many new features. The one explicitly worth calling out is gpg signing. However, until the last few details regarding database signing and keyring distribution are ironed out, this is disabled in pacman's default config. If you're interested in trying out package verification, please refer to the documentation on the wiki about pacman-key or Allan's blog post. As always, please make sure to merge your pacnew files!
> http://www.archlinux.org/news/pacman-4-moves-to-core/

To begin with you must remove yaourt and package-query before updating to Pacman 4 or you will get errors:

[root@Cerberus comhack]# pacman -Rns yaourt package-query
checking dependencies...

Remove (3): yaourt-0.10.2-1 package-query-0.9-1 yajl-2.0.4-1

Total Removed Size: 0.55 MB

Do you want to remove these packages? [Y/n]
(1/3) removing yaourt [########################################################################] 100%
(2/3) removing package-query [########################################################################] 100%
(3/3) removing yajl

Then I started the update:

[root@Cerberus comhack]# pacman -Syyu
:: Synchronizing package databases...
 xorg110 3.4K 1633.6K/s 00:00:00 [#####################################################################] 100%
 core 102.4K 236.3K/s 00:00:00 [#####################################################################] 100%
 extra 1182.8K 591.8K/s 00:00:02 [#####################################################################] 100%
 community 1016.0K 755.5K/s 00:00:01 [#####################################################################] 100%
 multilib 68.4K 257.7K/s 00:00:00 [#####################################################################] 100%
:: The following packages should be upgraded first :
    pacman
:: Do you want to cancel the current operation
:: and upgrade these packages now? [Y/n]

resolving dependencies...
looking for inter-conflicts...

Targets (2): libarchive-3.0.3-2 pacman-4.0.1-4

Total Download Size: 2.13 MB
Total Installed Size: 6.16 MB

Proceed with installation? [Y/n]
:: Retrieving packages from core...
 libarchive-3.0.3-2-x86_64 1173.8K 610.2K/s 00:00:02 [#############################################################] 100%
 pacman-4.0.1-4-x86_64 1011.5K 795.5K/s 00:00:01 [#############################################################] 100%
(2/2) checking package integrity [#############################################################] 100%
(2/2) checking for file conflicts [#############################################################] 100%
(1/2) upgrading libarchive [#############################################################] 100%
(2/2) upgrading pacman [#############################################################] 100%
warning: /etc/pacman.conf installed as /etc/pacman.conf.pacnew
>>> Run `pacman-key --init` to set up your pacman keyring.

So I ran pacman-key --init as root:

[root@Cerberus comhack]# pacman-key --init
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: Generating pacman keychain master key...

Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 278 more bytes)
------------------
gpg: key CF192FA5 marked as ultimately trusted
gpg: Done
==> Updating trust database...
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

Then I tried to install the package but got an error for one of the deps:

pacman -S yaourt package-query
resolving dependencies...
looking for inter-conflicts...

Targets (3): yajl-2.0.4-1 package-query-1.0-1 yaourt-1.0-1

Total Installed Size: 0.57 MiB

Proceed with installation? [Y/n]
(3/3) checking package integrity [########################################################################] 100%
error: yajl: key "1EB2638FF56C0C53" is unknown
:: Import PGP key F56C0C53, "Dave Reisner ", created 2011-06-25? [Y/n] y
(3/3) checking package integrity [########################################################################] 100%
error: yajl: signature from "Dave Reisner " is unknown trust
error: failed to commit transaction (invalid or corrupted package)

To import the key, I simply copied the key from above and ran:

[root@Cerberus comhack]# pacman-key --lsign-key 1EB2638FF56C0C53
==> Updating trust database...
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u

Now the update works fine:

[root@DarkStar comhack]# pacman -S yaourt package-query
resolving dependencies...
looking for inter-conflicts...

Targets (3): yajl-2.0.4-1 package-query-1.0-1 yaourt-1.0-1

Total Installed Size: 0.57 MiB

Proceed with installation? [Y/n]
(3/3) checking package integrity [########################################################################] 100%
(3/3) loading package files [########################################################################] 100%
(3/3) checking for file conflicts [########################################################################] 100%
(1/3) installing yajl [########################################################################] 100%
(2/3) installing package-query [########################################################################] 100%
(3/3) installing yaourt [########################################################################] 100%
Optional dependencies for yaourt
    aurvote: vote for favorite packages from AUR for inclusion in [community]
    customizepkg: automatically modify PKGBUILD during install/upgrade
    rsync: retrieve PKGBUILD from official repositories
    pacman-color: fully colorized output

I had a few issues updating my servers with a bunch of unsigned packages so I followed the wiki entry to set up the GPG signature for both Master and Trusted Users: https://wiki.archlinux.org/index.php/Pacman...quired_PGP_keys

I have still not decided if I am happy with the implementation but if you are not, you can easily remove this function from pacman:

> To disable PGP key checking completely, add the following line to /etc/pacman.conf:
> SigLevel = Never

Also, at the top they say that this function is removed but that is only in the /etc/pacman.conf.pacnew file. So you need to edit your /etc/pacman.conf file to disable it.
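The post above ends with the `SigLevel = Never` escape hatch, which turns pacman 4's signature checking off again for every repository. The following script is an added example (not code from the thread, from pacman or from the Arch wiki) that parses a pacman.conf and reports which repositories end up with signature verification disabled or weakened. The token semantics are those of pacman.conf(5): Never/Optional/Required say how strictly a signature is demanded, TrustedOnly/TrustAll say which keys are accepted, a Package or Database prefix limits a token to that type, and a repository's tokens are applied on top of the [options] default (modelled here as token-by-token overrides). The two embedded configs are constructed: the first is the thread's "disable it" setting, the second requires signed packages while still accepting unsigned sync databases (databases were not yet signed when the thread was written) and adds a hypothetical `[localrepo]` section with a deliberately lax override so the audit has something to flag.

```python
"""Audit the SigLevel policy in a pacman.conf (added example, not pacman's code)."""
import copy
import re

LEVEL_TOKENS = {"Never", "Optional", "Required"}   # how strictly signatures are demanded
TRUST_TOKENS = {"TrustedOnly", "TrustAll"}         # which keys are accepted

# Settings a defender wants flagged: (type, field, value, explanation).
WEAK_SETTINGS = (
    ("Package", "level", "Never", "package signatures are never checked"),
    ("Package", "level", "Optional", "unsigned packages are accepted"),
    ("Package", "trust", "TrustAll", "package signatures from any key are trusted"),
    ("Database", "level", "Never", "database signatures are never checked"),
    ("Database", "trust", "TrustAll", "database signatures from any key are trusted"),
)


def parse_pacman_conf(text):
    """Return {section: {key: [values]}}. '#' comments are stripped; Include
    directives are recorded as keys but the included files are not read."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif current is not None:  # a directive before any [section] is invalid
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def apply_siglevel(tokens, base=None):
    """Fold SigLevel tokens into {"Package": {level, trust}, "Database": {...}},
    starting from `base` (the [options] policy) when one is given."""
    policy = copy.deepcopy(base) if base else {
        "Package": {"level": None, "trust": None},
        "Database": {"level": None, "trust": None},
    }
    for token in tokens:
        targets = ["Package", "Database"]
        for prefix in ("Package", "Database"):          # e.g. DatabaseOptional
            if token.startswith(prefix) and token != prefix:
                targets, token = [prefix], token[len(prefix):]
        if token in LEVEL_TOKENS:
            field = "level"
        elif token in TRUST_TOKENS:
            field = "trust"
        else:
            raise ValueError(f"unknown SigLevel token {token!r}")
        for target in targets:
            policy[target][field] = token
    return policy


def siglevel_tokens(section):
    """SigLevel may appear more than once; all values are concatenated."""
    return " ".join(section.get("SigLevel", [])).split()


def audit_siglevel(conf_text):
    """Return {repo: [reasons]} for every repository whose effective
    SigLevel disables or weakens signature verification."""
    sections = parse_pacman_conf(conf_text)
    base = apply_siglevel(siglevel_tokens(sections.get("options", {})))
    findings = {}
    for name, section in sections.items():
        if name == "options":
            continue
        policy = apply_siglevel(siglevel_tokens(section), base)
        reasons = [why for typ, field, value, why in WEAK_SETTINGS
                   if policy[typ][field] == value]
        if reasons:
            findings[name] = reasons
    return findings


# Constructed configs (not the thread's files); [localrepo] and its Server
# path are hypothetical.
WEAK_CONF = """\
[options]
SigLevel = Never

[core]
Include = /etc/pacman.d/mirrorlist
"""

HARDENED_CONF = """\
[options]
SigLevel = Required DatabaseOptional

[core]
Include = /etc/pacman.d/mirrorlist

[localrepo]
SigLevel = Optional TrustAll
Server = file:///srv/localrepo
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_siglevel(conf))
```

Run against a real `/etc/pacman.conf` by reading the file into `audit_siglevel`; an empty result means every repository requires signed packages from trusted keys. Note that the check deliberately does not flag `DatabaseOptional`, since that is the setting the thread's situation called for while sync databases were still unsigned.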
V.T. Eric Layton Posted January 17, 2012
Well, everyone whined about this. Now it's here. Yippee. I guess I'll attempt all this sometime tomorrow or the next day. Thanks, J.
securitybreach Posted January 17, 2012 (Author)
> Well, everyone whined about this. Now it's here. Yippee. I guess I'll attempt all this sometime tomorrow or the next day. Thanks, J.
No problem
securitybreach Posted January 17, 2012 (Author)
After running the script to add the GPG signature for the Master Keys, I have not had one issue with installing or updating applications. I imagine that I will run across an AUR package here and there that may require adding the key but it should work for the most part:
> When the master keys are added, you do not need to validate every Arch Linux Developer's and Trusted User's PGP key as those are signed by at least three of these master keys.
https://wiki.archlinux.org/index.php/Pacman...quired_PGP_keys
ichase Posted January 17, 2012
Great gouge Josh, also, if you have pacman-color installed, you will need to delete that as well for pacman 4.0 to properly update.

[root@ichase01 ichase]# pacman -Rns yaourt package-query pacman-color
ichase Posted January 17, 2012 Share Posted January 17, 2012 (edited) I've read much over the last year in regards to Arch Linux and package signing. Like Eric said, there was certainly a lot of whining because of it. I see both sides of the argument. I have been running Arch Linux exclusively now for I guess about 7 months and package signing (or lack there of) has never resulted in any issue that I am aware of. Though I do see the benifit of it, at this point especially with the warning mentioned many times in the wiki: Warning: Use with caution. Please check that the keys listed below match the master-keys. It is also possible that someone will hack the master-keys page and insert malicious PGP key(s), making the whole signing process useless. I think I will continue doing things the way I have been doing them until I get bit on the backside. I am a hard headed individual and it normally takes something like getting bit for me to change my ways. Edited January 17, 2012 by ichase Quote Link to comment Share on other sites More sharing options...
V.T. Eric Layton Posted January 18, 2012
I'm leaning toward your thoughts, Ian. I didn't have any issues with Pacman as it was. Maybe I'll just leave it alone for a bit and see that all the bugs are worked out of the newer method after a few weeks/months or so. I've never been the adventurous sort.
V.T. Eric Layton Posted January 18, 2012
OK, so I was a bit adventurous after all. I upgraded pacman. All went well. Yaourt works now too. YAY!
securitybreach Posted January 18, 2012 (Author)
> OK, so I was a bit adventurous after all. I upgraded pacman. All went well. Yaourt works now too. YAY!
Sweet. Did you run the Master key script?
V.T. Eric Layton Posted January 18, 2012
> Did you run the Master key script?
Ummm... no. Do I need to? I just assumed since it all worked that it was working.
securitybreach Posted January 18, 2012 (Author)
> Ummm... no. Do I need to? I just assumed since it all worked that it was working.
You may get an unknown key error if you do not, but maybe I am confused. Anyway, if it works, it works.
V.T. Eric Layton Posted January 18, 2012
No errors as of last night. I'll boot into Arch in a minute and check it.
V.T. Eric Layton Posted January 18, 2012
OK. All still working fine and dandy.
amenditman Posted January 23, 2012
This might be the right thing to do, but it will be useful only when the packages are all signed. I have been holding off doing this for a week or more. My update is 129 packages and only about half are signed with keys which reference the Master Keys. What a pain in the butt. I added the SigLevel = Never line to my .conf. I can wait a while.
V.T. Eric Layton Posted January 23, 2012
Maybe I'm not doing something right, but I'm not having any updating issues. Pacman and Yaourt both work as they always have.
securitybreach Posted January 23, 2012 (Author)
> This might be the right thing to do, but it will be useful only when the packages are all signed. I have been holding off doing this for a week or more. My update is 129 packages and only about half are signed with keys which reference the Master Keys. What a pain in the butt. I added the SigLevel = Never line to my .conf. I can wait a while.
I am also not having issues, and I applied the key checking and the Master/Trusted scripts. The Master one should have added the Trusted ones as well, but it may be worth trying.
V.T. Eric Layton Posted January 23, 2012
I didn't add those scripts that you mention, J. What does that mean for me? Everything is working fine, though.
securitybreach Posted January 23, 2012 (Author)
> I didn't add those scripts that you mention, J. What does that mean for me? Everything is working fine, though.
Did you copy the new /etc/pacman.conf.pacnew to /etc/pacman.conf?
V.T. Eric Layton Posted January 23, 2012
Yup.
securitybreach Posted January 23, 2012 (Author)
> Yup.
I have no idea then.
V.T. Eric Layton Posted January 23, 2012
It's working, though. So... I guess I did something right, huh?
securitybreach Posted March 23, 2012 (Author)
Looks like all of the packages in the Core/Community/Extra repos have been signed now:

> Some time in the last couple of days, the last of the packages in the Community repository were signed and, thanks to the tremendous work of the Arch developers and Trusted Users, you can fully implement package signing in your /etc/pacman.conf.
> You can check the state of the signed packages with this expac one-liner; it will return a list of any unsigned packages:
> expac -S '%r %n %g'|awk '$3=="(null)" {print $1 "/" $2}'
> Now that the packages are all signed, I updated my /etc/pacman.conf to take advantage of this. My overall SigLevel setting requires signed packages, and—as of yesterday—I was able to move the last repository entry over to do the same.
http://jasonwryan.com/post/19751467083/keysigning

[root@Cerberus comhack]# expac -S '%r %n %g'|awk '$3=="(null)" {print $1 "/" $2}'
[root@Cerberus comhack]#
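The awk one-liner quoted above only lists the unsigned packages; when deciding whether a machine is ready for `SigLevel = Required` it also helps to see how far each repository has got (amenditman's "only about half are signed" earlier in the thread). The script below is an added example, not code from the thread, the blog post or the expac project. It assumes the `expac -S '%r %n %g'` output format the one-liner relies on: one line per sync package with repository, name and the package's base64 PGP signature, or the literal `(null)` when the sync database has no signature for it. The embedded sample output is constructed and its signature strings are placeholders.

```python
"""Signing-coverage report over `expac -S '%r %n %g'` output (added example)."""
from collections import defaultdict

# Constructed sample of expac output; the third column is a placeholder
# standing in for a base64 signature, or "(null)" for an unsigned package.
SAMPLE_EXPAC = """\
core yajl iQEcBAABAgAGBQJOPLACEHOLDER1
core pacman iQEcBAABAgAGBQJOPLACEHOLDER2
extra examplepkg (null)
community yaourt iQEcBAABAgAGBQJOPLACEHOLDER3
community package-query (null)
"""


def parse_expac(text):
    """Return (repo, name, signed) triples; blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        repo, name, sig = parts
        rows.append((repo, name, sig != "(null)"))
    return rows


def unsigned_packages(text):
    """Same result as the awk filter: 'repo/name' for every unsigned package."""
    return [f"{repo}/{name}" for repo, name, signed in parse_expac(text) if not signed]


def coverage_by_repo(text):
    """Per-repository signed/unsigned counts, for tracking progress."""
    stats = defaultdict(lambda: {"signed": 0, "unsigned": 0})
    for repo, _name, signed in parse_expac(text):
        stats[repo]["signed" if signed else "unsigned"] += 1
    return dict(stats)


def ready_for_required(text):
    """True once nothing in the sync databases is unsigned, i.e. when
    'SigLevel = Required' can be set without breaking updates."""
    return not unsigned_packages(text)


if __name__ == "__main__":
    import subprocess  # feed real output: expac -S '%r %n %g'
    out = subprocess.run(["expac", "-S", "%r %n %g"], capture_output=True,
                         text=True, check=True).stdout
    print(coverage_by_repo(out))
    print("\n".join(unsigned_packages(out)))
```

On the sample data the report shows core fully signed, extra and community each with one unsigned package, and `ready_for_required` is false; on the poster's system above, where the one-liner printed nothing, it would be true.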
V.T. Eric Layton Posted March 23, 2012
Yippee!