Archlinux pacman 4.0.1-4 moves to core (package-signing)


securitybreach
Pacman 4 has landed in core! Thanks to 24 contributors producing 893 commits, you'll find many new features. The one explicitly worth calling out is gpg signing. However, until the last few details regarding database signing and keyring distribution are ironed out, this is disabled in pacman's default config. If you're interested trying out package verification, please refer to the documentation on the wiki about pacman-key or Allan's blog post.

As always, please make sure to merge your pacnew files!

http://www.archlinux.org/news/pacman-4-moves-to-core/

To begin with, you must remove yaourt and package-query before updating to Pacman 4, or you will get errors:

[root@Cerberus comhack]# pacman -Rns yaourt package-query
checking dependencies...

Remove (3): yaourt-0.10.2-1  package-query-0.9-1  yajl-2.0.4-1

Total Removed Size:   0.55 MB

Do you want to remove these packages? [Y/n] 
(1/3) removing yaourt                                                                                             [########################################################################] 100%
(2/3) removing package-query                                                                                 [########################################################################] 100%
(3/3) removing yajl

Then I started the update:

[root@Cerberus comhack]# pacman -Syyu
:: Synchronizing package databases...
xorg110            3.4K 1633.6K/s 00:00:00 [#####################################################################] 100% 
core              102.4K  236.3K/s 00:00:00 [#####################################################################] 100%
extra           1182.8K  591.8K/s 00:00:02 [#####################################################################] 100%
community   1016.0K  755.5K/s 00:00:01 [#####################################################################] 100%
multilib            68.4K  257.7K/s 00:00:00 [#####################################################################] 100%
:: The following packages should be upgraded first :
    pacman
:: Do you want to cancel the current operation
:: and upgrade these packages now? [Y/n] 

resolving dependencies...
looking for inter-conflicts...

Targets (2): libarchive-3.0.3-2  pacman-4.0.1-4

Total Download Size:    2.13 MB
Total Installed Size:   6.16 MB

Proceed with installation? [Y/n] 
:: Retrieving packages from core...
libarchive-3.0.3-2-x86_64   1173.8K  610.2K/s 00:00:02 [#############################################################] 100%
pacman-4.0.1-4-x86_64      1011.5K  795.5K/s 00:00:01 [#############################################################] 100%
(2/2) checking package integrity                                     [#############################################################] 100%
(2/2) checking for file conflicts                                        [#############################################################] 100%
(1/2) upgrading libarchive                                              [#############################################################] 100%
(2/2) upgrading pacman                                                 [#############################################################] 100%
warning: /etc/pacman.conf installed as /etc/pacman.conf.pacnew
>>> Run `pacman-key --init` to set up your pacman keyring.

So I ran pacman-key --init as root:

[root@Cerberus comhack]# pacman-key --init
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: Generating pacman keychain master key...

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 278 more bytes)

------------------
gpg: key CF192FA5 marked as ultimately trusted
gpg: Done
==> Updating trust database...
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

Then I tried to install the package but got an error for one of the deps:

pacman -S yaourt package-query
resolving dependencies...
looking for inter-conflicts...

Targets (3): yajl-2.0.4-1  package-query-1.0-1  yaourt-1.0-1

Total Installed Size:   0.57 MiB

Proceed with installation? [Y/n]
(3/3) checking package integrity [########################################################################] 100%
error: yajl: key "1EB2638FF56C0C53" is unknown
:: Import PGP key F56C0C53, "Dave Reisner ", created 2011-06-25? [Y/n] y
(3/3) checking package integrity [########################################################################] 100%
error: yajl: signature from "Dave Reisner " is unknown trust
error: failed to commit transaction (invalid or corrupted package)

To import the key, I simply copied the key from above and ran:

[root@Cerberus comhack]#  pacman-key --lsign-key 1EB2638FF56C0C53
==> Updating trust database...
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u

Now the update works fine:

[root@DarkStar comhack]# pacman -S yaourt package-query
resolving dependencies...
looking for inter-conflicts...

Targets (3): yajl-2.0.4-1  package-query-1.0-1  yaourt-1.0-1

Total Installed Size:   0.57 MiB

Proceed with installation? [Y/n]
(3/3) checking package integrity                                                                                     [########################################################################] 100%
(3/3) loading package files                                                                                             [########################################################################] 100%
(3/3) checking for file conflicts                                                                                        [########################################################################] 100%
(1/3) installing yajl                                                                                                         [########################################################################] 100%
(2/3) installing package-query                                                                                         [########################################################################] 100%
(3/3) installing yaourt                                                                                                     [########################################################################] 100%
Optional dependencies for yaourt
    aurvote: vote for favorite packages from AUR for inclusion in [community]
    customizepkg: automatically modify PKGBUILD during install/upgrade
    rsync: retrieve PKGBUILD from official repositories
    pacman-color: fully colorized output

I had a few issues updating my servers with a bunch of unsigned packages, so I followed the wiki entry to set up the GPG signature for both Master and Trusted Users:

https://wiki.archlinux.org/index.php/Pacman...quired_PGP_keys

I have still not decided if I am happy with the implementation, but if you are not, you can easily remove this function from pacman:

To disable PGP key checking completely, add the following line to /etc/pacman.conf:

SigLevel     = Never

Also, at the top they say that this function is removed, but that is only in the /etc/pacman.conf.pacnew file. So you need to edit your /etc/pacman.conf file to disable it.


V.T. Eric Layton

Well, everyone whined about this. Now it's here. Yippee. I guess I'll attempt all this sometime tomorrow or the next day. Thanks, J. :yes:


securitybreach
Well, everyone whined about this. Now it's here. Yippee. I guess I'll attempt all this sometime tomorrow or the next day. Thanks, J. :yes:

No problem :thumbsup:


securitybreach

After running the script to add the GPG signature for the Master Keys, I have not had one issue with installing or updating applications. I imagine that I will run across an AUR package here and there that may require adding the key, but it should work for the most part:

When the master keys are added, you do not need to validate every Arch Linux Developer's and Trusted User's PGP key as those are signed by at least three of these master keys.

https://wiki.archlinux.org/index.php/Pacman...quired_PGP_keys


Great gouge Josh, also, if you have pacman-color installed, you will need to delete that as well for pacman 4.0 to properly update.

[root@ichase01 ichase]# pacman -Rns yaourt package-query pacman-color

I've read much over the last year in regards to Arch Linux and package signing. Like Eric said, there was certainly a lot of whining because of it. I see both sides of the argument. I have been running Arch Linux exclusively now for I guess about 7 months, and package signing (or lack thereof) has never resulted in any issue that I am aware of.

Though I do see the benefit of it, at this point especially with the warning mentioned many times in the wiki:

Warning: Use with caution. Please check that the keys listed below match the master-keys. It is also possible that someone will hack the master-keys page and insert malicious PGP key(s), making the whole signing process useless.

I think I will continue doing things the way I have been doing them until I get bit on the backside. ;) I am a hard headed individual and it normally takes something like getting bit for me to change my ways. ;)


V.T. Eric Layton

I'm leaning toward your thoughts, Ian. I didn't have any issues with Pacman as it was. Maybe I'll just leave it alone for a bit and see that all the bugs are worked out of the newer method after a few weeks/months or so. I've never been the adventurous sort. ;)


securitybreach
OK, so I was a bit adventurous after all. I upgraded pacman. All went well. Yaourt works now too. YAY! :)

Sweet :thumbsup:

Did you run the Master key script?


V.T. Eric Layton
Did you run the Master key script?

Ummm... no. Do I need to? I just assumed since it all worked that it was working.


securitybreach
Ummm... no. Do I need to? I just assumed since it all worked that it was working.

You may get an unknown key error if you do not, but maybe I am confused. Anyway, if it works, it works :thumbsup:


This might be the right thing to do, but it will be useful only when the packages are all signed.

I have been holding off doing this for a week or more. My update is 129 packages and only about half are signed with keys which reference the Master Keys.

What a pain in the butt.

I added the SigLevel = Never line to my .conf. I can wait a while.


V.T. Eric Layton

Maybe I'm not doing something right, but I'm not having any updating issues. Pacman and Yaourt both work as they always have.


securitybreach
This might be the right thing to do, but it will be useful only when the packages are all signed.

I have been holding off doing this for a week or more. My update is 129 packages and only about half are signed with keys which reference the Master Keys.

What a pain in the butt.

I added the SigLevel = Never line to my .conf. I can wait a while.

I am also not having issues, and I applied the key checking and the Master/Trusted scripts. The master should have added the Trusted ones as well, but it may be worth trying.


V.T. Eric Layton

I didn't add those scripts that you mention, J. What does that mean for me? Everything is working fine, though.


securitybreach
I didn't add those scripts that you mention, J. What does that mean for me? Everything is working fine, though.

Did you copy the new /etc/pacman.conf.pacnew to /etc/pacman.conf?


securitybreach

Looks like all of the packages in the Core/Community/Extra repos have been signed now:

Some time in the last couple of days, the last of the packages in the Community repository were signed and, thanks to the tremendous work of the Arch developers and Trusted Users, you can fully implement package signing in your /etc/pacman.conf.

You can check the state of the signed packages with this expac one-liner; it will return a list of any unsigned packages:

expac -S '%r %n %g'|awk '$3=="(null)" {print $1 "/" $2}'

Now that the packages are all signed, I updated my /etc/pacman.conf to take advantage of this. My overall SigLevel setting requires signed packages, and—as of yesterday—I was able to move the last repository entry over to do the same.

http://jasonwryan.com/post/19751467083/keysigning

[root@Cerberus comhack]# expac -S '%r %n %g'|awk '$3=="(null)" {print $1 "/" $2}'

[root@Cerberus comhack]#
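The thread's two SigLevel moments are the first post's "SigLevel = Never" workaround (which switches verification off entirely) and this post's move to a per-repository setting that requires signed packages. As an added example that is not code from the thread or from pacman, the POSIX shell function below reports the effective SigLevel of each repository in a pacman.conf and flags any repository where package signatures are not required; the config it runs on is constructed here, and the OK/WEAK/CHECK verdicts are this example's own classification.

```shell
#!/bin/sh
# Added example, not code from the thread or from pacman: report the effective
# SigLevel of every repository in a pacman.conf, so a "SigLevel = Never" left
# over from the migration is easy to spot. Assumes the pacman 4 syntax shown in
# the thread: a global SigLevel under [options], overridable per [repo] section.

# siglevel_report FILE -> one line per repo: "<repo> <effective SigLevel> <OK|WEAK|CHECK>"
siglevel_report() {
    awk '
        function flush() {
            if (section == "" || section == "options") return
            level = (local_level != "") ? local_level : global_level
            if (level == "") { print section " (unset) CHECK"; return }
            # package signatures not required (Never/Optional, with or without
            # a Package prefix) -> WEAK; DatabaseOptional alone is left as OK
            verdict = (level ~ /(^|[ \t])(Package)?(Never|Optional)([ \t]|$)/) ? "WEAK" : "OK"
            print section " " level " " verdict
        }
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments and padding
        /^$/ { next }
        /^\[.*\]$/ { flush(); section = substr($0, 2, length($0) - 2); local_level = ""; next }
        /^SigLevel[ \t]*=/ {
            val = $0; sub(/^SigLevel[ \t]*=[ \t]*/, "", val)
            if (section == "options") global_level = val; else local_level = val
        }
        END { flush() }
    ' "$1"
}

# sample_conf FILE: write a constructed pacman.conf (not a real system file) to FILE
sample_conf() {
    cat > "$1" <<'EOF'
[options]
SigLevel = Required DatabaseOptional
[core]
Include = /etc/pacman.d/mirrorlist
[extra]
SigLevel = Never          # leftover from the migration: verification disabled
Include = /etc/pacman.d/mirrorlist
[custom]
SigLevel = Optional TrustedOnly
Server = file:///srv/pkgs
EOF
}

conf=$(mktemp)
sample_conf "$conf"
siglevel_report "$conf"   # prints: core ... OK, extra Never WEAK, custom ... WEAK
rm -f "$conf"
```

Run it against the real /etc/pacman.conf after merging the pacnew to confirm no repository is still on Never.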

