pacman/Package signing

From ArchWiki
Revision as of 19:35, 28 February 2012 by Karol (Talk | contribs) (Troubleshooting: moved from the pacman article)


pacman-key is a new tool available with pacman 4. It allows the user to manage pacman's list of trusted keys in the new package signing implementation. For some background on this issue, see these blog entries [1][2][3][4] and the package signing proposal wiki page.

How it works

Package signing in pacman uses the "web of trust" model to ensure that packages come from the developers who built them and not from someone impersonating them. Package developers and Trusted Users (TUs) each have an individual PGP key with which they sign their packages. This signature means they vouch for the contents of the package. You also have a unique PGP key, generated when you set up pacman-key, which is the root of trust on your system: nothing is trusted unless a chain of signatures leads back to it.

Keys can also be used to sign other keys, which means the owner of the signing key vouches for the authenticity of the signed key. In order to trust a package, you need to have a chain of signatures from your own PGP key to the package itself. With the Arch key structure, this can happen in three ways:

  • Custom packages: You made the package yourself and signed it with your own key.
  • Unofficial packages: A developer made the package and signed it. You used your key to sign that developer's key.
  • Official packages: A developer made the package and signed it. The developer's key was signed by the Arch Linux master keys. You used your key to sign the master keys, and you trust them to vouch for developers.


Configuring pacman

First, you need to decide what level of checking you want. This is configured using the SigLevel option in /etc/pacman.conf. Several possibilities are mentioned in the comments in that file, and you can read the pacman.conf man page for full details.

Warning: The TrustAll option exists for debugging purposes and makes it very easy to trust keys that have not been verified. You should use TrustedOnly for all official repositories.

As of December 2011, database signing has not been implemented yet, so you will need to add the DatabaseOptional option if you use Required, for example:

SigLevel = Required DatabaseOptional TrustedOnly
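A quick way to check that no repository in /etc/pacman.conf has been left on a weak setting is to audit every SigLevel line. The following script is an added example, not part of this page or of pacman; it reads a pacman.conf on stdin and flags sections that use Never or TrustAll (including the PackageNever/DatabaseTrustAll prefixed forms). The sample configuration inside it is constructed for demonstration and is not a real system file.

```shell
#!/bin/sh
# Added example (not part of the ArchWiki page or of pacman itself): audit the
# SigLevel lines of a pacman.conf read on stdin and flag every section that
# disables checking (Never) or accepts unverified keys (TrustAll).
# Prefixed forms such as PackageNever or DatabaseTrustAll are flagged too.

audit_siglevel() {
    awk '
        # [section] header: remember the name so findings can be attributed
        /^[[:space:]]*\[[^]]+\][[:space:]]*$/ {
            section = $0
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", section)
            next
        }
        # SigLevel line: strip the key and any trailing comment, then classify
        /^[[:space:]]*SigLevel[[:space:]]*=/ {
            value = $0
            sub(/^[[:space:]]*SigLevel[[:space:]]*=[[:space:]]*/, "", value)
            sub(/[[:space:]]*(#.*)?$/, "", value)
            if (value ~ /(^|[[:space:]])(Package|Database)?(Never|TrustAll)([[:space:]]|$)/)
                printf "WEAK %s: SigLevel = %s\n", section, value
            else
                printf "OK   %s: SigLevel = %s\n", section, value
        }
    '
}

# Number of WEAK findings in the audit output read on stdin.
weak_count() {
    audit_siglevel | grep -c '^WEAK'
}

# Constructed sample configuration for demonstration; not a real system file.
# The two last repositories are deliberately misconfigured.
sample_conf() {
    cat <<'EOF'
[options]
SigLevel = Required DatabaseOptional TrustedOnly

[core]
Include = /etc/pacman.d/mirrorlist

[unsafe-mirror]
SigLevel = Never
Server = http://example.invalid/$repo/$arch

[lab]
SigLevel = Optional TrustAll
Server = http://example.invalid/lab
EOF
}

# Run against the real file with:  audit_siglevel < /etc/pacman.conf
sample_conf | audit_siglevel
```

A repository section without its own SigLevel line inherits the value from [options], so the [options] line is the one that matters for every repository that the script reports nothing about.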

Initializing keyring

To set up the pacman keyring use:

# pacman-key --init

This will set up a new keyring in /etc/pacman.d/gnupg and generate a unique master key for your system.

Managing the keyring

The keys which are needed to verify package signatures are stored in a "keyring" managed by pacman-key. When a key is needed which is not in the keyring, pacman and pacman-key can retrieve it from a keyserver. The keyserver to use is configured in /etc/pacman.d/gnupg/gpg.conf, and you can override it by using the --keyserver option on the command line. (If you are looking for different keyservers, you can find a short list on the Wikipedia article.)

A PGP public key is far too large (2048 bits or more) to compare by eye, so it is identified by its fingerprint, a 40-hex-digit hash of the key material. The last eight hex digits are known as the key ID and are used as a "name" for the key when fetching or editing it. The key ID is only 32 bits and is not unique: two different keys can share one, so always compare the full fingerprint when you check by hand that two keys are the same.

Master keys

There are five Arch Linux master keys which are used to sign the keys of developers and TUs. These keys should be in your keyring. You can get the key IDs (the string in "Master Key" column) from the Master Signing Keys page. To install them, run:

# pacman-key -r <keyid> <keyid> <keyid> <keyid> <keyid>

You will need to locally sign these keys and set their trust level to at least "marginal":

# pacman-key --edit-key <keyid> <keyid> <keyid> <keyid> <keyid>

Before you sign or trust any key, you should verify its fingerprint. The most secure way to do this is by not using a computer, for example, buying Allan a beer and asking him for his public key fingerprint in person. It is reasonably secure to check the fingerprint against several different listings, such as the Master Signing Keys page and Allan's blog.

gpg> lsign
 Primary key fingerprint: ...
Really sign? (y/N)

If the fingerprint matches, go ahead and sign it. You also need to assign at least a "marginal" trust level to each of the master keys.

Really sign? (y/N) y
gpg> trust
Your decision? 3
gpg> save
gpg: checking the trustdb

This process will repeat for each master key.

Official developer keys

The official developer and TU keys are signed by the master keys, so you do not need to use pacman-key to sign them yourself. Whenever pacman encounters a key it does not recognize, it will ask you if you want to download it from a keyserver. Once you have downloaded a developer key, you will not have to download it again, and it can be used to verify any other packages signed by that developer.

If developer and TU keys were added to your keyring some time ago, the signatures the master keys have since made on them might not be present in your local keyring. To bring the keys up to date, run as root:

# pacman-key --refresh-keys

Presently pacman does not refresh keys or look for new master-key signatures on its own. Once a package containing all the official keys is released, this step should no longer be needed, because that package will be updated regularly.

Unofficial keys

If you want to add an unofficial key to your keyring, you will need to do it manually using pacman-key. First, get the ID from the owner of the key. Run:

# pacman-key -r <keyid>

to download it from a keyserver. Be sure to verify the fingerprint, as you would with a master key, or any other key which you are going to sign. After verifying the fingerprint, you need to locally sign this key:

# pacman-key --lsign-key <keyid>

You now trust this key to sign packages.

Adding keys automatically

This section provides scripts which can be used to download keys automatically. To avoid trusting a malicious key, these should be used with care.

Master keys

Warning: Use with caution. This script will automatically trust any key you download, so please verify the fingerprints BEFORE using pacman!

This has to be run as root to add keys.

for key in <keyid> <keyid> <keyid> <keyid> <keyid>; do
    pacman-key --recv-keys "$key"
    pacman-key --lsign-key "$key"
    printf 'trust\n3\nquit\n' | gpg --homedir /etc/pacman.d/gnupg/ \
        --no-permission-warning --command-fd 0 --edit-key "$key"
done
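The loop above signs whatever the keyserver returns for each ID, which is exactly the step the warning tells you to do by hand. The following script is an added example, not from this page or the pacman project: it performs the same import, local signature and marginal-trust steps as the loop and the manual Master keys and Unofficial keys procedures, but refuses to sign unless the key's full 40-digit fingerprint matches one you obtained out of band (a short key ID is rejected on purpose). The keyring path /etc/pacman.d/gnupg is the standard one; the PACMAN_GNUPG variable and the sample gpg output embedded for offline testing are this example's own, and the sample key and fingerprint are invented, not a real Arch key.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page or the pacman project): import a key
# only after its fingerprint matches one obtained out of band, then locally sign
# it and set marginal trust. Safer replacement for the unconditional loop above.
# Assumes the standard pacman keyring path; override with PACMAN_GNUPG if needed.

PACMAN_GNUPG=${PACMAN_GNUPG:-/etc/pacman.d/gnupg}

# Reduce a human-typed fingerprint to 40 upper-case hex digits
# (drop spaces and a leading 0x, fold case).
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF'
}

# Extract the primary key fingerprint from `gpg --with-colons --fingerprint`
# output read on stdin: the first "fpr" record is the primary key, later ones
# belong to subkeys.
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return 0 only if EXPECTED is a full 40-hex-digit fingerprint equal to ACTUAL.
# A short key ID (8 or 16 digits) is rejected: it is not unique and proves nothing.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    actual=$(normalize_fpr "$2")
    case $expected in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#expected}" -eq 40 ] && [ "$expected" = "$actual" ]
}

# Usage (as root): verify_and_lsign <keyid> <expected-fingerprint>
verify_and_lsign() {
    keyid=$1
    pacman-key --recv-keys "$keyid" || return 1
    actual=$(gpg --homedir "$PACMAN_GNUPG" --no-permission-warning \
                 --with-colons --fingerprint "$keyid" | primary_fpr_from_colons)
    if ! fpr_matches "$2" "$actual"; then
        printf 'REFUSING %s: fingerprint %s does not match expected %s\n' \
            "$keyid" "$actual" "$2" >&2
        return 1
    fi
    pacman-key --lsign-key "$keyid" || return 1
    printf 'trust\n3\nquit\n' | gpg --homedir "$PACMAN_GNUPG" \
        --no-permission-warning --command-fd 0 --edit-key "$keyid"
}

# Constructed sample of `gpg --with-colons --fingerprint` output so the parsing
# can be exercised offline; the key and fingerprint are invented.
sample_colons() {
    cat <<'EOF'
pub:f:4096:1:89ABCDEF01234567:1330000000::::::scESC::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:f:4096:1:76543210FEDCBA98:1330000000::::::e::::::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}
```

Keep the expected fingerprints in the script or a file you control, copied from an out-of-band source such as a printed listing or a conversation with the key's owner, and call verify_and_lsign once per master key; a mismatch leaves the key imported but unsigned, so under TrustedOnly pacman will not accept packages signed with it.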

Developer and TU keys

Warning: This script should only be used to download keys if you are using TrustedOnly!

This script uses curl to download the Developer and Trusted User pages, extracts the PGP key IDs from the links on them and passes the IDs to pacman-key --recv-keys, which adds the keys to the pacman keyring. The keys are only downloaded, not locally signed: they become valid solely through their signatures by the master keys, which is why TrustedOnly is required. With any weaker setting, a key that is not signed by a master key (for example one substituted in transit) would be accepted.

This has to be run as root to add keys, or add a sudo before the pacman-key command.

curl{developers,trustedusers}/ |
awk -F\" '/search=0x/ {sub(/.*search=0x/,""); print $1}' |
xargs pacman-key --recv-keys


How can I collect entropy?

Moving your mouse around, pressing random characters at the keyboard or running some disk-based activity, e.g. updatedb, can solve it. It may take a while, so be patient. Using a second console via Alt+F2 to Alt+F6 will not work. You can watch the kernel's entropy estimate (in bits) while you wait with:

# cat /proc/sys/kernel/random/entropy_avail

If you need to run pacman-key --init over ssh, build and install the rng-tools package from the AUR on the target machine. Connect via ssh and do the following:

# sed -i 's/0/10/' /etc/conf.d/rngd
# rngd -f -r /dev/urandom &
# pacman-key --init

After pacman-key successfully runs, stop rngd and remove the package. Be aware of what this does: feeding /dev/urandom back in through rngd only raises the kernel's entropy estimate so that key generation stops blocking; it adds no real randomness, so the generated key is only as unpredictable as the state of /dev/urandom at that moment. On a freshly installed or headless machine prefer a genuine hardware source or the interactive methods above where you can.

# killall rngd
# pacman -Rns rng-tools

Cannot import keys

Some ISPs block the port used to import PGP keys (the default HKP port, 11371). One solution is to use the MIT keyserver, which also provides an alternate port. To do this, edit /etc/pacman.d/gnupg/gpg.conf and change the keyserver line to:

keyserver hkp://

Disabling signature checking

Warning: Use with caution. Disabling package signing will allow pacman to install untrusted packages automatically.

If you are not concerned about package signing, you can disable PGP signature checking completely. Edit /etc/pacman.conf and uncomment the following line under [options]:

SigLevel = Never

This will result in no signature checking, which was the behavior before pacman 4. If you decide to do this, you do not need to set up a keyring with pacman-key. You can change this option later if you decide to enable package verification.

Resetting all the keys

If you want to remove or reset all the keys installed on your system, remove the /etc/pacman.d/gnupg folder as root, rerun pacman-key --init, and then add the keys again as described above.