Talk:Pacman/Package signing

From ArchWiki
< Talk:Pacman(Redirected from Talk:Pacman-key)
Jump to: navigation, search

Custom Built Pacakges Using ABS

Can someone add info on how to sign AND trust custom built packages, e.g. a package I've built using ABS? --sjnims 06:05, 12 April 2012 (EST)

Note: This should actually be placed in Package signing instead of current useless redirect to outdated developers' article
  1. Create personal key with gnupg (it will be located in user's default keychain independantly from stuff in pacman's /etc/pacman.d/gnupg/):
    gpg --gen-key
  2. Import generated key into pacman's keychain (pacman-key --import) from your ~/.gnupg.
  3. Add your signing key to trusted ones, like you did with developers' keys (again {Ic|pacman-key}}).
  4. Optional: configure gpg-agent and other such stuff (see ~/.gnupg/gpg.conf).
For exact instructions and explanations see man pacman-key, man gpg and GnuPG.
--AlexanderR 10:07, 12 April 2012 (EDT)

Verifying the five Master Keys

When using chroot on both an unsquashed fs image and a LiveCD rescue environment, the "pacman-key --populate archlinux" command would not work without manually installing the archlinux-keyring package. That package could not be installed without disabling signature checking in pacman.conf. A real "gotcha" for a newbie.

—This unsigned comment is by Myshkin (talk) 11:15, 10 October 2012‎. Please sign your posts with ~~~~!

Web of Trust

[Moved from Talk:PacmanWoT -- Alad (talk) 15:21, 2 October 2015 (UTC)]

Now we have three articles describing the "Web of trust": the (outdated) DeveloperWiki:Package_signing, pacman-key, and PacmanWoT. As Developer is a separate namespace (which seems largely abandoned), I've added a merge request with pacman-key. -- Alad (talk) 03:39, 1 September 2014 (UTC)

I didn't want to pollute more "stable" pages with what I got from the board discussion until people had a chance to make sure I wasn't entirely off-base. I agree it can be merged, as long as some of the "higher-level" (why?) discussion doesn't completely get mixed up with the command-level discussion. Jernst (talk) 17:02, 1 September 2014 (UTC)
Yes, pacman-key and PacmanWoT must be unconditionally merged soon, before more work is done on this page: if there are specific ideas to improve the structure of pacman-key, they are very welcome in Talk:pacman-key.
We may also take the chance to use a better title, like pacman web of trust, Arch web of trust, Arch Linux web of trust... (share more ideas if you have some): "pacman-key" doesn't represent well the intended scope of the article, while "PacmanWoT" is a compressed/abbreviated form which is not appropriate at all on the wiki; we may also discuss the capitalization of "web of trust", which is found also as "Web of Trust" (and with the "WOT" and "WoT" acronyms).
-- Kynikos (talk) 15:06, 2 September 2014 (UTC)
I have removed some content which is already described in pacman-key. To complete the merge:
  1. PacmanWoT#Outline of implementation is already covered by pacman-key, but it mentions that the initialization should be done also after installation, which is not mentioned in neither Installation guide, Beginners' guide and General recommendations.
  2. Is it necessary to transfer PacmanWoT#FAQ at all? It is all about understanding the web of trust (linked from pacman-key#Introduction) and forums are here exactly for the purpose of asking questions...
I take it that pacman-key should be moved to the better, yet-unknown title? What about pacman/Package signing?
-- Lahwaacz (talk) 15:28, 10 September 2014 (UTC)
+1 to a subpage. PacmanWoT#Outline of implementation, this is not needed: it is run on pacstrap, see [1]. Re FAQ, I've moved the section and this discussion to Talk:pacman-key#FAQ. -- Alad (talk) 15:19, 2 October 2015 (UTC)
Moved to pacman/Package signing. -- Alad (talk) 15:29, 15 October 2015 (UTC)


[Moved from PacmanWoT -- Alad (talk) 15:18, 2 October 2015 (UTC)]
Couldn't the initial WoT be pre-generated as part of some package, so the pacman-key commands (which include the relatively expensive generation of a gpg key pair) won't have to be executed when the system boots?
No. To pre-generate them, all Arch installations would have to end up with the same gpg key pair. That would enable malicious Arch user Alice (who has access to the same private key as victim Bob does) to sign a malicious package that Bob's pacman would accept because the Bob necessarily must trust his root key pair. (See also discussion on this post.)
Why do we need a root key pair at all? Can't Arch just simply install the public keys of the maintainers in some directory?
Actually, Arch does have the public keys of the maintainers in a gpg keyring in /usr/share/pacman/keyrings (part of package archlinux-keyring). If pacman uses gpg's Web of Trust mechanism, that means those public keys must be signed; otherwise some other WoT implementation would have to be used.