Talk:Pacman/Package signing

From ArchWiki
Latest comment: 28 October 2023 by Lahwaacz in topic keys/pgp/

Custom Built Packages Using ABS

Can someone add info on how to sign AND trust custom built packages, e.g. a package I've built using ABS? --sjnims 06:05, 12 April 2012 (EST)

Note: This should actually be placed in Package signing instead of current useless redirect to outdated developers' article
  1. Create personal key with gnupg (it will be located in user's default keychain independently from stuff in pacman's /etc/pacman.d/gnupg/):
    gpg --gen-key
  2. Import generated key into pacman's keychain (pacman-key --import) from your ~/.gnupg.
  3. Add your signing key to trusted ones, like you did with developers' keys (again pacman-key).
  4. Optional: configure gpg-agent and other such stuff (see ~/.gnupg/gpg.conf).
For exact instructions and explanations see man pacman-key, man gpg and GnuPG.
--AlexanderR 10:07, 12 April 2012 (EDT)

Verifying the five Master Keys

When using chroot on both an unsquashed fs image and a LiveCD rescue environment, the "pacman-key --populate archlinux" command would not work without manually installing the archlinux-keyring package. That package could not be installed without disabling signature checking in pacman.conf. A real "gotcha" for a newbie.

—This unsigned comment is by Myshkin (talk) 11:15, 10 October 2012. Please sign your posts with ~~~~!

Web of Trust

[Moved from Talk:PacmanWoT -- Alad (talk) 15:21, 2 October 2015 (UTC)]

Now we have three articles describing the "Web of trust": the (outdated) DeveloperWiki:Package_signing, pacman-key, and PacmanWoT. As Developer is a separate namespace (which seems largely abandoned), I've added a merge request with pacman-key. -- Alad (talk) 03:39, 1 September 2014 (UTC)

I didn't want to pollute more "stable" pages with what I got from the board discussion until people had a chance to make sure I wasn't entirely off-base. I agree it can be merged, as long as some of the "higher-level" (why?) discussion doesn't completely get mixed up with the command-level discussion. Jernst (talk) 17:02, 1 September 2014 (UTC)
Yes, pacman-key and PacmanWoT must be unconditionally merged soon, before more work is done on this page: if there are specific ideas to improve the structure of pacman-key, they are very welcome in Talk:pacman-key.
We may also take the chance to use a better title, like pacman web of trust, Arch web of trust, Arch Linux web of trust... (share more ideas if you have some): "pacman-key" doesn't represent well the intended scope of the article, while "PacmanWoT" is a compressed/abbreviated form which is not appropriate at all on the wiki; we may also discuss the capitalization of "web of trust", which is found also as "Web of Trust" (and with the "WOT" and "WoT" acronyms).
-- Kynikos (talk) 15:06, 2 September 2014 (UTC)
I have removed some content which is already described in pacman-key. To complete the merge:
  1. PacmanWoT#Outline of implementation is already covered by pacman-key, but it mentions that the initialization should be done also after installation, which is not mentioned in the Installation guide, Beginners' guide or General recommendations.
  2. Is it necessary to transfer PacmanWoT#FAQ at all? It is all about understanding the web of trust (linked from pacman-key#Introduction) and forums are here exactly for the purpose of asking questions...
I take it that pacman-key should be moved to the better, yet-unknown title? What about pacman/Package signing?
-- Lahwaacz (talk) 15:28, 10 September 2014 (UTC)
+1 to a subpage. PacmanWoT#Outline of implementation, this is not needed: it is run on pacstrap, see [1]. Re FAQ, I've moved the section and this discussion to Talk:pacman-key#FAQ. -- Alad (talk) 15:19, 2 October 2015 (UTC)
Moved to pacman/Package signing. -- Alad (talk) 15:29, 15 October 2015 (UTC)

FAQ

[Moved from PacmanWoT -- Alad (talk) 15:18, 2 October 2015 (UTC)]
Couldn't the initial WoT be pre-generated as part of some package, so the pacman-key commands (which include the relatively expensive generation of a gpg key pair) won't have to be executed when the system boots?
No. To pre-generate them, all Arch installations would have to end up with the same gpg key pair. That would enable malicious Arch user Alice (who has access to the same private key as victim Bob does) to sign a malicious package that Bob's pacman would accept, because Bob necessarily must trust his root key pair. (See also discussion on this post.)
Why do we need a root key pair at all? Can't Arch just simply install the public keys of the maintainers in some directory?
Actually, Arch does have the public keys of the maintainers in a gpg keyring in /usr/share/pacman/keyrings (part of package archlinux-keyring). If pacman uses gpg's Web of Trust mechanism, that means those public keys must be signed; otherwise some other WoT implementation would have to be used.

FAQ (continued)

Is it good practice to store the gpg keyfiles of unofficial repos in /usr/share/pacman/keyrings together with the archlinux keyfiles (or is there a risk associated)? -- Kewl (talk) 21:29, 17 December 2017 (UTC)

Cannot import keys section - Style comments

Instructions could be clearer. Not clear how this section is different from the preceding one. Redundant information.

Existing section here: Pacman/Package signing#Managing_the_keyring

Also, much of the language applies to the previous troubleshooting section, Pacman/Package signing#Invalid signature errors, not to a failure to import keys.

Perhaps the possible sources of this problem do still include:

  • Your ISP blocked the port used to import PGP keys.
  • dirmngr is not correctly configured

Why not remove this section entirely and address any "importing keys" issues under GnuPG?

Stuthtle (talk) 16:01, 27 September 2021 (UTC)

Addition of guide to create unofficial keyrings

Hello,

I saw the merge flag about creating a guide on archlinux-keyring to create your own for unofficial repositories.

I have created this discussion to discuss the addition.

Looking into it, it seems the TUs use keyringctl script, to make this process easier.

This will have to differ from the official repository, as the official archlinux-keyring uses a web of trust, thus has TUs signing other TUs' keys to validate that they are trusted keys. For unofficial repositories this may not be required, especially if the repository is run by a single individual.

PolarianDev (talk) 10:06, 7 March 2023 (UTC)

pacman-key(8) § PROVIDING A KEYRING FOR IMPORT provides some guidance that can be relied on for the local WOT (and revocation). I think a useful expansion would be to describe how the unofficial key created in the section can be trusted and rolled out to a second machine (imagining the most regular use case: a user has a PC and a notebook and wants to keep keyrings for packages in sync). --Indigo (talk) 12:12, 8 March 2023 (UTC)
Thanks for the link, this is a step further but would require a lot of trial and error before I would be able to write an article on how to do this properly; no point writing something I've got no clue how to do, right?
If anyone has any additional links, please leave them here :)
Thanks for the help, PolarianDev (talk) 12:21, 8 March 2023 (UTC)
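The two threads above (AlexanderR's sign-and-trust steps for custom built packages, and Indigo's suggestion to describe rolling an unofficial key out to a second machine via the keyring-for-import layout) can be tied together in one runnable walkthrough. The script below is an added example, not one of the posts above and not pacman's or archlinux-keyring's own code. It uses only gpg, in two throwaway GNUPGHOME directories that stand in for the maintainer's ~/.gnupg and for /etc/pacman.d/gnupg on the target machine, so nothing on the real system is touched; the keyring name `exampleunofficial`, the key user IDs, the package file and its payload are all constructed for the example. The files it writes follow the `<name>.gpg`, `<name>-trusted`, `<name>-revoked` layout from pacman-key(8) § PROVIDING A KEYRING FOR IMPORT, and the "populate" function replays by hand what `pacman-key --populate` does with them (import the keyring, locally sign each fingerprint listed in `-trusted`, import the ownertrust values); on a real second machine you would instead copy the three files into /usr/share/pacman/keyrings/ and run `pacman-key --init` and `pacman-key --populate exampleunofficial`.

```shell
#!/usr/bin/env bash
# Added example: sign a custom built package, publish the signing key in the
# pacman-key --populate layout, and verify the package from a second keyring
# that trusts only that keyring. Requires GnuPG 2.1 or later (assumption).
set -eu

command -v gpg >/dev/null || { echo "gpg is required" >&2; exit 1; }

WORK=$(mktemp -d)
MAINTAINER_HOME="$WORK/maintainer"   # stands in for the maintainer's ~/.gnupg
PACMAN_HOME="$WORK/pacman"           # stands in for /etc/pacman.d/gnupg on the second machine
KEYRING_DIR="$WORK/keyrings"         # stands in for /usr/share/pacman/keyrings
KEYRING_NAME="exampleunofficial"     # hypothetical keyring name
mkdir -m 700 "$MAINTAINER_HOME" "$PACMAN_HOME"
mkdir "$KEYRING_DIR"
trap 'gpgconf --homedir "$PACMAN_HOME" --kill gpg-agent >/dev/null 2>&1 || true;
      gpgconf --homedir "$MAINTAINER_HOME" --kill gpg-agent >/dev/null 2>&1 || true;
      rm -rf "$WORK"' EXIT

# Shorthand: run gpg against a given home, unattended, with an empty passphrase.
g() { home=$1; shift; gpg --homedir "$home" --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Step 1 (maintainer): create the personal signing key (the thread's gpg --gen-key, in batch mode).
g "$MAINTAINER_HOME" --quick-gen-key 'Example Maintainer <maintainer@example.invalid>' default default never 2>/dev/null
MAINT_FPR=$(g "$MAINTAINER_HOME" --list-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}')

# Step 2 (maintainer): detach-sign a constructed package file, as makepkg --sign
# or gpg --detach-sign would for a real .pkg.tar.zst.
PKG="$WORK/example-1.0-1-any.pkg.tar.zst"
printf 'constructed package payload, not a real package\n' > "$PKG"
g "$MAINTAINER_HOME" --detach-sign --output "$PKG.sig" "$PKG"

# Step 3 (maintainer): publish the key in the pacman-key --populate layout:
#   <name>.gpg      binary keyring holding the public key(s)
#   <name>-trusted  one "fingerprint:ownertrust:" line per key (gpg --export-ownertrust format)
#   <name>-revoked  fingerprints to disable, one per line (empty here)
make_keyring_dir() {
  g "$MAINTAINER_HOME" --export "$MAINT_FPR" > "$KEYRING_DIR/$KEYRING_NAME.gpg"
  # 4 = marginal ownertrust, the value archlinux-trusted uses; the maintainer key
  # itself becomes valid through the local signature made during populate.
  printf '%s:4:\n' "$MAINT_FPR" > "$KEYRING_DIR/$KEYRING_NAME-trusted"
  : > "$KEYRING_DIR/$KEYRING_NAME-revoked"
}

# Step 4 (second machine): what pacman-key --init followed by
# pacman-key --populate exampleunofficial does, replayed against the throwaway
# keyring: create the local master key, import, lsign the trusted keys, import ownertrust.
populate() {
  g "$PACMAN_HOME" --quick-gen-key 'Pacman Keyring Master Key <pacman@localhost>' default default never 2>/dev/null
  g "$PACMAN_HOME" --import "$KEYRING_DIR/$KEYRING_NAME.gpg" 2>/dev/null
  while IFS=: read -r fpr _; do
    g "$PACMAN_HOME" --quick-lsign-key "$fpr" </dev/null 2>/dev/null
  done < "$KEYRING_DIR/$KEYRING_NAME-trusted"
  g "$PACMAN_HOME" --import-ownertrust "$KEYRING_DIR/$KEYRING_NAME-trusted" 2>/dev/null
}

# Step 5 (second machine): verify the way pacman does, i.e. the signature must be
# good AND the key must be fully/ultimately valid, not merely "good signature from
# an untrusted key". Returns 0 on success, 1 otherwise.
verify_package() {
  status=$(g "$PACMAN_HOME" --status-fd 1 --verify "$PKG.sig" "$PKG" 2>/dev/null) || return 1
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG' || return 1
  printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)' || return 1
  return 0
}

make_keyring_dir
populate
if verify_package; then
  echo "package signature valid and key fully trusted via the $KEYRING_NAME keyring"
else
  echo "verification failed" >&2
  exit 1
fi
```

The check in `verify_package` is the part worth copying: a key that was merely imported, without the local signature that `--populate` (or `pacman-key --lsign-key`) adds, still yields a GOODSIG line but a TRUST_UNDEFINED one, and that is exactly the case pacman rejects. The `-revoked` file is left empty; on a real rollout it is how a compromised maintainer key gets disabled on every machine that populates from the keyring.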

Pacman uses the legacy format for GnuPG key store

The public key ring in archlinux-keyring seems to be the file /usr/share/pacman/keyrings/archlinux.gpg, which is the pre-GnuPG-2.1 format. GnuPG 2.1 introduced the Keybox format (pubring.kbx). Is there any reason to stay in the legacy format? Or do maintainers simply not bother doing that? --Franklin Yu (talk) 05:36, 23 March 2023 (UTC)

keys/pgp/

This note looks confusing:

Within official packages you will find the gpg keys which need to be imported under keys/pgp/ within the root of the repository.
  • It talks about official packages in the section called "Adding unofficial keys" (the original edit mentioned AUR, but it was removed)
  • What exactly is "the repository"? If I understand correctly, it means "The directory structure containing files needed to build packages" and not the repository used by pacman, but this is not obvious because this section is about unofficial repositories, not about building packages
  • Are the keys/pgp/ files used only by makepkg? If yes, why do I even need to import these keys if I don't plan to use makepkg?

Maybe this note needs some wording or moving to a more appropriate place? andreymal (talk) 18:24, 25 October 2023 (UTC)

Note removed. Pacman and makepkg use separate keyrings; sources and resulting packages are signed with different keys. — Lahwaacz (talk) 06:54, 28 October 2023 (UTC)