Archlinux pacman 4.0.1-4 moves to core (package-signing)


22 replies to this topic

#1 OFFLINE   securitybreach

securitybreach

    CLI Phreak

  • Forum Admins
  • 14,370 posts

Posted 17 January 2012 - 12:28 AM

QUOTE
Pacman 4 has landed in core! Thanks to 24 contributors producing 893 commits, you'll find many new features. The one explicitly worth calling out is gpg signing. However, until the last few details regarding database signing and keyring distribution are ironed out, this is disabled in pacman's default config. If you're interested trying out package verification, please refer to the documentation on the wiki about pacman-key or Allan's blog post.

As always, please make sure to merge your pacnew files!

http://www.archlinux.org/news/pacman-4-moves-to-core/

To begin with you must remove yaourt and package-query before updating to Pacman 4 or you will get errors:
CODE
[root@Cerberus comhack]# pacman -Rns yaourt package-query
checking dependencies...

Remove (3): yaourt-0.10.2-1  package-query-0.9-1  yajl-2.0.4-1

Total Removed Size:   0.55 MB

Do you want to remove these packages? [Y/n]
(1/3) removing yaourt                                                                                             [########################################################################] 100%
(2/3) removing package-query                                                                                 [########################################################################] 100%
(3/3) removing yajl
                                                                                                    

Then I started the update:
CODE
[root@Cerberus comhack]# pacman -Syyu
:: Synchronizing package databases...
xorg110            3.4K 1633.6K/s 00:00:00 [#####################################################################] 100%
core              102.4K  236.3K/s 00:00:00 [#####################################################################] 100%
extra           1182.8K  591.8K/s 00:00:02 [#####################################################################] 100%
community   1016.0K  755.5K/s 00:00:01 [#####################################################################] 100%
multilib            68.4K  257.7K/s 00:00:00 [#####################################################################] 100%
:: The following packages should be upgraded first :
    pacman
:: Do you want to cancel the current operation
:: and upgrade these packages now? [Y/n]

resolving dependencies...
looking for inter-conflicts...

Targets (2): libarchive-3.0.3-2  pacman-4.0.1-4

Total Download Size:    2.13 MB
Total Installed Size:   6.16 MB

Proceed with installation? [Y/n]
:: Retrieving packages from core...
libarchive-3.0.3-2-x86_64   1173.8K  610.2K/s 00:00:02 [#############################################################] 100%
pacman-4.0.1-4-x86_64      1011.5K  795.5K/s 00:00:01 [#############################################################] 100%
(2/2) checking package integrity                                     [#############################################################] 100%
(2/2) checking for file conflicts                                        [#############################################################] 100%
(1/2) upgrading libarchive                                              [#############################################################] 100%
(2/2) upgrading pacman                                                 [#############################################################] 100%
warning: /etc/pacman.conf installed as /etc/pacman.conf.pacnew
>>> Run `pacman-key --init` to set up your pacman keyring.


So I ran pacman-key --init as root:
CODE
[root@Cerberus comhack]# pacman-key --init
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: Generating pacman keychain master key...

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 278 more bytes)

------------------
gpg: key CF192FA5 marked as ultimately trusted
gpg: Done
==> Updating trust database...
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u


Then I tried to install the package but got an error for one of the deps:
QUOTE
pacman -S yaourt package-query
resolving dependencies...
looking for inter-conflicts...

Targets (3): yajl-2.0.4-1 package-query-1.0-1 yaourt-1.0-1

Total Installed Size: 0.57 MiB

Proceed with installation? [Y/n]
(3/3) checking package integrity [########################################################################] 100%
error: yajl: key "1EB2638FF56C0C53" is unknown
:: Import PGP key F56C0C53, "Dave Reisner <d@falconindy.com>", created 2011-06-25? [Y/n] y
(3/3) checking package integrity [########################################################################] 100%
error: yajl: signature from "Dave Reisner <d@falconindy.com>" is unknown trust
error: failed to commit transaction (invalid or corrupted package)


To import the key, I simply copied the key from above and ran:
CODE
[root@Cerberus comhack]#  pacman-key --lsign-key 1EB2638FF56C0C53
==> Updating trust database...
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u


Now the update works fine:
CODE
[root@DarkStar comhack]# pacman -S yaourt package-query
resolving dependencies...
looking for inter-conflicts...

Targets (3): yajl-2.0.4-1  package-query-1.0-1  yaourt-1.0-1

Total Installed Size:   0.57 MiB

Proceed with installation? [Y/n]
(3/3) checking package integrity                                                                                     [########################################################################] 100%
(3/3) loading package files                                                                                             [########################################################################] 100%
(3/3) checking for file conflicts                                                                                        [########################################################################] 100%
(1/3) installing yajl                                                                                                         [########################################################################] 100%
(2/3) installing package-query                                                                                         [########################################################################] 100%
(3/3) installing yaourt                                                                                                     [########################################################################] 100%
Optional dependencies for yaourt
    aurvote: vote for favorite packages from AUR for inclusion in [community]
    customizepkg: automatically modify PKGBUILD during install/upgrade
    rsync: retrieve PKGBUILD from official repositories
    pacman-color: fully colorized output


I had a few issues updating my servers with a bunch of unsigned packages so I followed the wiki entry to set up the GPG signature for both Master and Trusted Users:
https://wiki.archlinux.org/index.php/Pacman...quired_PGP_keys

I have still not decided if I am happy with the implementation but if you are not, you can easily remove this function from pacman:
QUOTE
To disable PGP key checking completely, add the following line to /etc/pacman.conf:
CODE
SigLevel     = Never



Also, at the top they say that this function is removed but that is only on the /etc/pacman.conf.pacnew file. So you need to edit your /etc/pacman.conf file to disable it.
Comhack.com/CNI Radio/G+ Profile/Configs/PGP Key π

"Do you begin to see, then, what kind of world we are creating? It is the exact opposite of the stupid hedonistic Utopias that the old reformers imagined. A world of fear and treachery and torment, a world of trampling and being trampled upon, a world which will grow not less but more merciless as it refines itself. Progress in our world will be progress toward more pain." -George Orwell, 1984
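
Added example, not part of the original post: a small shell audit for the caveat above that `SigLevel = Never` only takes effect in /etc/pacman.conf, not in the .pacnew file. It reports which package-verification level each section ends up with. The sample files are constructed, Include directives are not followed, and the inheritance rule (a repository's own Never/Optional/Required keyword wins, otherwise the [options] value applies) is a simplifying assumption.

```shell
#!/usr/bin/env bash
# Added example: report the package SigLevel each section of a pacman.conf gets.
# Output is one line per section: name<TAB>level<TAB>note

audit_siglevel() {
  awk '
    # Reduce a SigLevel value to its package-verification keyword.
    # Unprefixed and Package* keywords affect packages; Database* and Trust* do not.
    # Assumption: a repo keyword wins, otherwise the [options] value is inherited.
    function pkg_level(value, inherited,    n, tok, i, t, lvl) {
      lvl = inherited
      n = split(value, tok, /[ \t]+/)
      for (i = 1; i <= n; i++) {
        t = tok[i]
        sub(/^Package/, "", t)
        if (t == "Never" || t == "Optional" || t == "Required") lvl = t
      }
      return lvl
    }
    # Strip comments and surrounding whitespace before matching anything.
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
    /^\[.*\]$/ { section = substr($0, 2, length($0) - 2); order[++count] = section; next }
    /^SigLevel[ \t]*=/ { sub(/^SigLevel[ \t]*=[ \t]*/, ""); raw[section] = $0 }
    END {
      global = pkg_level(raw["options"], "unset")
      for (i = 1; i <= count; i++) {
        s = order[i]
        lvl = (s == "options") ? global : pkg_level(raw[s], global)
        note = (lvl == "Never") ? "UNVERIFIED" : (lvl == "Required") ? "ok" : "review"
        printf "%s\t%s\t%s\n", s, lvl, note
      }
    }
  ' "$1"
}

# Constructed sample configs (not taken from the thread): a live pacman.conf
# edited to disable checking, and a .pacnew where repositories override [options].
write_samples() {
  cat > "$1/pacman.conf" <<'EOF'
[options]
SigLevel     = Never

[core]
Include = /etc/pacman.d/mirrorlist
EOF
  cat > "$1/pacman.conf.pacnew" <<'EOF'
[options]
SigLevel = Optional TrustedOnly   # constructed value

[core]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[extra]
SigLevel = Never
Include = /etc/pacman.d/mirrorlist
EOF
}

# Run the audit on both files so the difference between them is visible.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp/pacman.conf" "$tmp/pacman.conf.pacnew"; do
  echo "== ${f##*/}"
  audit_siglevel "$f"
done
rm -rf "$tmp"
```

On a real system, point `audit_siglevel` at /etc/pacman.conf and at any leftover /etc/pacman.conf.pacnew to see which of the two actually carries the setting.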

#2 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 17,084 posts

Posted 17 January 2012 - 12:36 AM

Well, everyone whined about this. Now it's here. Yippee. I guess I'll attempt all this sometime tomorrow or the next day. Thanks, J. happy62.gif

#3 OFFLINE   securitybreach

securitybreach

    CLI Phreak

  • Forum Admins
  • 14,370 posts

Posted 17 January 2012 - 12:39 AM

QUOTE (V.T. Eric Layton @ Jan 16 2012, 10:36 PM) <{POST_SNAPBACK}>
Well, everyone whined about this. Now it's here. Yippee. I guess I'll attempt all this sometime tomorrow or the next day. Thanks, J. happy62.gif

No problem thumbsup.gif

#4 OFFLINE   securitybreach

securitybreach

    CLI Phreak

  • Forum Admins
  • 14,370 posts

Posted 17 January 2012 - 02:46 AM

After running the script to add the GPG signature for the Master Keys, I have not had one issue with installing or updating applications. I imagine that I will run across an AUR package here and there that may require adding the key but it should work for the most part:
QUOTE
When the master keys are added, you do not need to validate every Arch Linux Developer's and Trusted User's PGP key as those are signed by at least three of these master keys.

https://wiki.archlinux.org/index.php/Pacman...quired_PGP_keys

#5 OFFLINE   ichase

ichase

    Chasing the Penguin

  • Forum MVP
  • 1,687 posts

Posted 17 January 2012 - 08:24 AM

Great gouge Josh, also, if you have pacman-color installed, you will need to delete that as well for pacman 4.0 to properly update.  
CODE
[root@ichase01 ichase]# pacman -Rns yaourt package-query pacman-color


Ian Chase

Try Parted Magic The must have tool for any linux user's tool box.  (Contains Gparted, wifi support, Clonezilla, SuperGrubDisk/2, plop bootloader and more!!!)
CNI Radio

"I'm in repair.............I'm not together, but I'm getting there"
- John Mayer


Registered Linux User:  526317 10/22/2010

#6 OFFLINE   ichase

ichase

    Chasing the Penguin

  • Forum MVP
  • 1,687 posts

Posted 17 January 2012 - 09:14 AM

I've read much over the last year in regards to Arch Linux and package signing.  Like Eric said, there was certainly a lot of whining because of it.  I see both sides of the argument.  I have been running Arch Linux exclusively now for I guess about 7 months and package signing (or lack thereof) has never resulted in any issue that I am aware of.

Though I do see the benefit of it, at this point especially with the warning mentioned many times in the wiki:
CODE
Warning: Use with caution. Please check that the keys listed below match the master-keys. It is also possible that someone will hack the master-keys page and insert malicious PGP key(s), making the whole signing process useless.


I think I will continue doing things the way I have been doing them until I get bit on the backside.  wink.gif  I am a hard headed individual and it normally takes something like getting bit for me to change my ways.  wink.gif

Edited by ichase, 17 January 2012 - 09:15 AM.


#7 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 17,084 posts

Posted 17 January 2012 - 08:53 PM

I'm leaning toward your thoughts, Ian. I didn't have any issues with Pacman as it was. Maybe I'll just leave it alone for a bit and see that all the bugs are worked out of the newer method after a few weeks/months or so. I've never been the adventurous sort. wink.gif

#8 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 17,084 posts

Posted 17 January 2012 - 10:00 PM

OK, so I was a bit adventurous after all. I upgraded pacman. All went well. Yaourt works now too. YAY! smile.gif

#9 OFFLINE   securitybreach

securitybreach

    CLI Phreak

  • Forum Admins
  • 14,370 posts

Posted 17 January 2012 - 11:47 PM

QUOTE (V.T. Eric Layton @ Jan 17 2012, 08:00 PM) <{POST_SNAPBACK}>
OK, so I was a bit adventurous after all. I upgraded pacman. All went well. Yaourt works now too. YAY! smile.gif

Sweet thumbsup.gif

Did you run the Master key script?

#10 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 17,084 posts

Posted 18 January 2012 - 02:21 PM

QUOTE (securitybreach @ Jan 17 2012, 10:47 PM) <{POST_SNAPBACK}>
Did you run the Master key script?


Ummm... no. Do I need to? I just assumed since it all worked that it was working.


#11 OFFLINE   securitybreach

securitybreach

    CLI Phreak

  • Forum Admins
  • 14,370 posts

Posted 18 January 2012 - 03:34 PM

QUOTE (V.T. Eric Layton @ Jan 18 2012, 12:21 PM) <{POST_SNAPBACK}>
Ummm... no. Do I need to? I just assumed since it all worked that it was working.

You may get an unknown key error if you do not but maybe I am confused. Anyway if it works, it works thumbsup.gif

#12 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 17,084 posts

Posted 18 January 2012 - 05:23 PM

No errors as of last night. I'll boot into Arch in a minute and check it. smile.gif

#13 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 17,084 posts

Posted 18 January 2012 - 05:59 PM

OK. All still working fine and dandy. smile.gif

#14 OFFLINE   amenditman

amenditman

    Posting Prodigy

  • Members
  • 2,183 posts

Posted 22 January 2012 - 08:07 PM

This might be the right thing to do, but it will be useful only when the packages are all signed.
I have been holding off doing this for a week or more. My update is 129 packages and only about half are signed with keys which reference the Master Keys.

What a pain in the butt.

I added the SigLevel = Never line to my .conf. I can wait a while.
Tweak it 'til it breaks, then learn how to fix it.  L.I.F.E. (Linux Is For Everyone)
Registered Linux User # 474004 (06/16/2008)

The HeliOS Project  -  B.O.D.
A Child's Exposure to Technology Should Never Be
  Predicated On The Ability To Afford It

#15 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 17,084 posts

Posted 23 January 2012 - 12:49 AM

Maybe I'm not doing something right, but I'm not having any updating issues. Pacman and Yaourt both work as they always have.

#16 OFFLINE   securitybreach

securitybreach

    CLI Phreak

  • Forum Admins
  • 14,370 posts

Posted 23 January 2012 - 01:34 AM

QUOTE (amenditman @ Jan 22 2012, 06:07 PM) <{POST_SNAPBACK}>
This might be the right thing to do, but it will be useful only when the packages are all signed.
I have been holding off doing this for a week or more. My update is 129 packages and only about half are signed with keys which reference the Master Keys.

What a pain in the butt.

I added the SigLevel = Never line to my .conf. I can wait a while.

I am also not having issues either and I applied the key checking and the Master/Trusted scripts. The master should have added the Trusted ones as well but it may be worth trying.

#17 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 17,084 posts

Posted 23 January 2012 - 02:20 PM

I didn't add those scripts that you mention, J. What does that mean for me? Everything is working fine, though.

#18 OFFLINE   securitybreach

securitybreach

    CLI Phreak

  • Forum Admins
  • 14,370 posts

Posted 23 January 2012 - 03:24 PM

QUOTE (V.T. Eric Layton @ Jan 23 2012, 12:20 PM) <{POST_SNAPBACK}>
I didn't add those scripts that you mention, J. What does that mean for me? Everything is working fine, though.

Did you copy the new /etc/pacman.conf.pacnew  to /etc/pacman.conf?

#19 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 17,084 posts

Posted 23 January 2012 - 05:53 PM

Yup. smile.gif

#20 OFFLINE   securitybreach

securitybreach

    CLI Phreak

  • Forum Admins
  • 14,370 posts

Posted 23 January 2012 - 06:13 PM

QUOTE (V.T. Eric Layton @ Jan 23 2012, 03:53 PM) <{POST_SNAPBACK}>
Yup. smile.gif

I have no idea then  unsure.gif

#21 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 17,084 posts

Posted 23 January 2012 - 07:52 PM

It's working, though. smile.gif So... I guess I did something right, huh? smile.gif

#22 OFFLINE   securitybreach

securitybreach

    CLI Phreak

  • Forum Admins
  • 14,370 posts

Posted 23 March 2012 - 02:13 PM

Looks like all of the packages in the Core/Community/Extra repos have been signed now:
QUOTE
Some time in the last couple of days, the last of the packages in the Community repository were signed and, thanks to the tremendous work of the Arch developers and Trusted Users, you can fully implement package signing in your /etc/pacman.conf.

You can check the state of the signed packages with this expac one-liner; it will return a list of any unsigned packages:

expac -S '%r %n %g'|awk '$3=="(null)" {print $1 "/" $2}'
Now that the packages are all signed, I updated my /etc/pacman.conf to take advantage of this. My overall SigLevel setting requires signed packages, and—as of yesterday—I was able to move the last repository entry over to do the same.

http://jasonwryan.com/post/19751467083/keysigning

CODE
[root@Cerberus comhack]# expac -S '%r %n %g'|awk '$3=="(null)" {print $1 "/" $2}'

[root@Cerberus comhack]#


#23 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 17,084 posts

Posted 23 March 2012 - 06:19 PM

Yippee! smile.gif