Pacman package signing

From ArchWiki

This article is a stub.
This typically means the article is a placeholder for more content to come. Knowledgeable users are encouraged to help expand the article.

This page will act as a brain dump and collaborative design document for implementation of package signing in pacman.

Aim

Implement package signing in pacman.

Why sign packages?

Because it reduces the risk of installing malicious packages that could endanger the system and its data.

How signing is implemented in other distributions

Frugalware

Frugalware uses a fork of pacman which implements package signing (verify).

Gnuffy

The Arch-based distribution gnuffy uses signed packages with its custom package manager, Spaceman, which is modeled on pacman.

Debian

Gentoo

Redhat/Fedora

Suse

Slackware

Ubuntu

Ideas

SSL key chain

GPG

Separate file

Every packager signs the pkg.tar.gz file with their own GPG key, producing a signature that is distributed as a separate file. Each Arch installation needs an initial keyring holding the packagers' GPG keys. Pacman downloads the pkg.tar.gz together with its signature and verifies the signature against that keyring.
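The "separate file" design described above, as an added shell example that is not pacman's or Arch's code: one side acts as the packager (generates a signing key, signs the package with a detached signature, exports the public key), the other as the client (seeds a dedicated keyring with the packager's key, marks it trusted, verifies the download). It also covers the two failure modes a client must reject: a tampered download and a package signed by a key the keyring does not hold. All names, e-mail addresses, file names and the package contents are constructed for the demo; the only tool assumed is GnuPG 2.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not pacman's code): the "separate file" GPG signing idea,
# shown with plain GnuPG. Keyrings live in throwaway GNUPGHOME directories.
# Every name, address and file used below is constructed for this demo.
set -eu

# Create an empty GnuPG home directory and print its path.
new_gnupghome() {
    dir="$(mktemp -d)"
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# Generate a passphrase-less ed25519 signing key in the given GnuPG home.
make_signing_key() {  # $1 home, $2 real name, $3 e-mail
    gpg --homedir "$1" --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# Packager side: write a detached signature next to the package ($2.sig).
sign_package() {  # $1 packager home, $2 package path
    gpg --homedir "$1" --batch --yes --quiet --detach-sign --output "$2.sig" "$2"
}

# Packager side: export the public key that will be shipped to clients.
export_pubkey() {  # $1 packager home, $2 e-mail, $3 output file
    gpg --homedir "$1" --batch --quiet --export "$2" > "$3"
}

# Client side: import a packager key into the local keyring and mark it as
# trusted (ownertrust 6 = ultimate). This is the "initial database of keys"
# the text says every installation needs.
trust_packager_key() {  # $1 client home, $2 pubkey file, $3 e-mail
    gpg --homedir "$1" --batch --quiet --import "$2" 2>/dev/null
    fpr="$(gpg --homedir "$1" --batch --with-colons --list-keys "$3" \
        | awk -F: '/^fpr/ { print $10; exit }')"
    printf '%s:6:\n' "$fpr" | gpg --homedir "$1" --batch --quiet --import-ownertrust 2>/dev/null
}

# Client side: accept a package only if its detached signature is valid AND
# was made by a trusted key. gpg exits 0 for a valid signature from an
# untrusted key, so the TRUST_ status line is checked explicitly.
verify_package() {  # $1 client home, $2 package path -> 0 accept, 1 reject
    status="$(gpg --homedir "$1" --batch --status-fd 1 --verify "$2.sig" "$2" 2>/dev/null)" || return 1
    case "$status" in *"[GNUPG:] VALIDSIG"*) ;; *) return 1 ;; esac
    case "$status" in
        *"[GNUPG:] TRUST_ULTIMATE"*|*"[GNUPG:] TRUST_FULLY"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stop the gpg-agent that GnuPG started for a throwaway home, then remove it.
cleanup_home() {
    gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true
    rm -rf "$1"
}

# Full run: genuine package, tampered download, package from an unknown key.
# Prints one line such as: good:accept tampered:reject unknown:reject
run_demo() {
    work="$(mktemp -d)"
    pkg="$work/demo-1.0-1-any.pkg.tar.gz"
    printf 'constructed package contents\n' > "$pkg"

    packager="$(new_gnupghome)"
    make_signing_key "$packager" 'Demo Packager' 'packager@example.invalid'
    sign_package "$packager" "$pkg"
    export_pubkey "$packager" 'packager@example.invalid' "$work/packager.pub"

    client="$(new_gnupghome)"
    trust_packager_key "$client" "$work/packager.pub" 'packager@example.invalid'
    if verify_package "$client" "$pkg"; then r1=accept; else r1=reject; fi

    # Tampered download: the signature is genuine but the contents changed.
    tampered="$work/tampered.pkg.tar.gz"
    cp "$pkg" "$tampered"; cp "$pkg.sig" "$tampered.sig"
    printf 'x' >> "$tampered"
    if verify_package "$client" "$tampered"; then r2=accept; else r2=reject; fi

    # Package signed by a key the client keyring does not hold.
    stranger="$(new_gnupghome)"
    make_signing_key "$stranger" 'Unknown Signer' 'unknown@example.invalid'
    foreign="$work/foreign.pkg.tar.gz"
    cp "$pkg" "$foreign"
    sign_package "$stranger" "$foreign"
    if verify_package "$client" "$foreign"; then r3=accept; else r3=reject; fi

    cleanup_home "$packager"; cleanup_home "$client"; cleanup_home "$stranger"
    rm -rf "$work"
    printf 'good:%s tampered:%s unknown:%s\n' "$r1" "$r2" "$r3"
}

run_demo
```

Running the script prints `good:accept tampered:reject unknown:reject`. The trust check in `verify_package` is the part that makes the keyring meaningful: without it a client would accept any package carrying a valid signature from any key, which is exactly the situation an attacker-supplied key would create.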

Implementation details

Pros

Cons

Links

Git branches

  1. Dan's newgpg branch

Bug reports

  1. Bugreport Signed packages

Blogs

  1. Geoffroy Carrier's blog
  2. Attack on package managers
  3. Attack FAQ

Mailing list discussions and patches

  1. Add Keyring option in alpm/pacman
  2. Package signing again
  3. PATCH (newgpg) Let pacman specify GnuPG's home directory.
  4. Dan's pacman tree build & test
  5. GPG work
  6. GPG signature option in makepkg patch
  7. GPG signature support for makepkg
  8. GPG signature option in makepkg, adapted to Dan McGee's suggestions patch
  9. GPG verification patch
  10. GPGSIG in repo-add patch
  11. Signing by default
  12. Package Database signing
  13. Pointless to use non-md5 for makepkg INTEGRITY_CHECK
  14. Can we trust our mirrors
  15. Multiple/Shared Architectures

Forum discussions

  1. Pacman vulnerable to MITM attacks?
  2. Arch approach to security
  3. Pacman Vulnerability
  4. Package signing
  5. pacman vulnerabilities