Difference between revisions of "Talk:Pacman/Package signing"

From ArchWiki
Jump to: navigation, search
(Created page with "Could some key developers sign /developers and /trustedusers or create something like ''debian-keyring'' package? That would allow a transition from implicit trust to [core]+[...")
 
(Verifying the five Master Keys: new section)
(13 intermediate revisions by 6 users not shown)
Line 1: Line 1:
Could some key developers sign /developers and /trustedusers or create something like ''debian-keyring'' package? That would allow a transition from implicit trust to [core]+[extra] to gpg-based trust model.
+
== Custom Built Pacakges Using ABS ==
  
Currently there is no way to verify if /developers and /trustedusers are correct, and to build a trusted initial keyring...
+
Can someone add info on how to sign AND trust custom built packages, e.g. a package I've built using ABS? --[[User:sjnims|sjnims]] 06:05, 12 April 2012 (EST)
 +
: {{Note|This should actually be placed in [[Package signing]] instead of current useless redirect to outdated developers' article}}
 +
# Create personal key with gnupg (it will be located in user's default keychain independantly from stuff in pacman's {{Ic|/etc/pacman.d/gnupg/}}): {{bc|gpg --gen-key}}.
 +
# Import generated key into pacman's keychain ({{Ic|pacman-key --import}}) from your {{Ic|~/.gnupg}}.
 +
# Add your signing key to trusted ones, like you did with developers' keys (again {Ic|pacman-key}}).
 +
# '''Optional''': configure {{Ic|gpg-agent}} and other such stuff (see {{Ic|~/.gnupg/gpg.conf}}).
 +
: For exact instructions and explanations see {{Ic|man pacman-key}}, {{Ic|man gpg}} and [[GnuPG]].
 +
: --[[User:AlexanderR|AlexanderR]] 10:07, 12 April 2012 (EDT)
  
[[User:Srg|Srg]] 07:08, 17 January 2012 (EST)
+
== Verifying the five Master Keys ==
 +
 
 +
When using chroot on both an unsquashed fs image and a LiveCD rescue environment, the "pacman-key --populate archlinux" command would not work without manually installing the archlinux-keyring package.  That package could not be installed without disabling signature checking in pacman.conf.  A real "gotcha" for a newbie.

Revision as of 11:15, 10 October 2012

Custom Built Pacakges Using ABS

Can someone add info on how to sign AND trust custom built packages, e.g. a package I've built using ABS? --sjnims 06:05, 12 April 2012 (EST)

Note: This should actually be placed in Package signing instead of current useless redirect to outdated developers' article
  1. Create personal key with gnupg (it will be located in user's default keychain independantly from stuff in pacman's /etc/pacman.d/gnupg/):
    gpg --gen-key
    .
  2. Import generated key into pacman's keychain (pacman-key --import) from your ~/.gnupg.
  3. Add your signing key to trusted ones, like you did with developers' keys (again {Ic|pacman-key}}).
  4. Optional: configure gpg-agent and other such stuff (see ~/.gnupg/gpg.conf).
For exact instructions and explanations see man pacman-key, man gpg and GnuPG.
--AlexanderR 10:07, 12 April 2012 (EDT)

Verifying the five Master Keys

When using chroot on both an unsquashed fs image and a LiveCD rescue environment, the "pacman-key --populate archlinux" command would not work without manually installing the archlinux-keyring package. That package could not be installed without disabling signature checking in pacman.conf. A real "gotcha" for a newbie.