[pacman-dev] [PATCH] pacman-key: Add --import and --import-trustdb

Pang Yan Han pangyanhan at gmail.com
Sun Jul 10 00:10:16 EDT 2011


Hi Allan,

I'll send 2 small patches to be applied on top of your working branch, and
an edited version of the --import patch soon.

The issue I mentioned is with regards to pacman -U and pacman-key --import.
I edited the patch so that it'll work with the new pacman-key code, and the
same thing happens.

Basically, I tried installing 2 packages signed by 2 different keys. They are
"ack-1.94-2-any.pkg.tar.xz" and "archlinux-wallpaper-1.3-2-any.pkg.tar.xz".
Their respective .sig files (detached signatures) are in the same directories.

So I did:

[root at localhost ~] # pacman-key --init
gpg: /usr/local/etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found

[root at localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz
error: 'ack-1.94-2-any.pkg.tar.xz': Invalid or corrupted package (PGP
signature)

[root at localhost ~] # pacman --import .gnupg/
gpg: inserting ownertrust of 6
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

[root at localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz
Works now with pacman, but I didn't install anything.

Then, I proceeded to import the trustdb with the key for the archlinux
wallpaper package.

[root at localhost ~] # pacman-key --import /home/yh/.gnupg/
gpg: WARNING: unsafe ownership on homedir `/home/yh/.gnupg/'
gpg: inserting ownertrust of 6
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

[root at localhost ~] # pacman -U archlinux-wallpaper-1.3-2-any.pkg.tar.xz
Works now

But then the one for ack fails:
[root at localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz
error: 'ack-1.94-2-any.pkg.tar.xz': invalid or corrupted package (PGP
signature)

And the previously successful pacman-key --verify for the ack package spurted
out some warning messages this time:

[root at localhost ~] # pacman-key --verify ack-1.94-2-any.pkg.tar.xz
gpg: Signature made Fri 10 Jun 2011 11:44:28 AM SGT using RSA key ID
CF7AE1C9
gpg: Good signature from "testing123 <test123 at hotmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
owner.
Primary key fingerprint: <omitted>


The verification for archlinux-wallpaper is ok:

[root at localhos ~] # pacman-key --verify
archlinux-wallpaper-1.3-2-any.pkg.tar.xz
gpg: Signature made Sun 10 Jul 2011 11:41:18 AM SGT using RSA key ID
1582A729
gpg: Good signature from "Pang Yan Han <pangyanhan at gmail.com>"


Then, I imported the 2 directories at one go:

[root at localhost ~] # pacman-key --import /home/yh/.gnupg/ .gnupg/
gpg: WARNING: unsafe ownership on homedir `/home/yh/.gnupg/'
gpg: setting ownertrust to 6
gpg: setting ownertrust to 6
gpg: WARNING: unsafe ownership on homedir `/home/yh/.gnupg/'

Subsequently, the pacman -U and pacman-key --verify worked for both
packages.


I can only suspect that it has something to do with importing from a
different user, since there are warnings with regards to "unsafe ownership".

It might be worth it to try the following:
1. As root, use "pacman-key --import" to import the trustdb
2. Create a new gpg key on another directory.
3. Use "pacman-key --import" to import the new trustdb
4. Sign 2 packages using the 2 different keys and try installing using
pacman -U to see if the same problem exists.


On Sat, Jul 9, 2011 at 8:37 PM, Allan McRae <allan at archlinux.org> wrote:

> On 10/06/11 16:38, Pang Yan Han wrote:
>
>> Currently, pacman-key allows users to import their keys using the --add
>> option
>> but no similar functionality exists for importing ownertrust values.
>>
>> The --import-trustdb option takes in a list of directories and imports
>> ownertrust values if the directories have a trustdb.gpg database.
>>
>> The --import is a combination of --add and --import-trustdb. It takes in a
>> list
>> of directories and imports keys from pubring.gpg, ownertrust values from
>> trustdb.gpg if any of these files exist.
>>
>> Signed-off-by: Pang Yan Han<pangyanhan at gmail.com>
>> ---
>> NOTE: There is this very strange bug such that when new keys are added,
>> previously imported keys will fail for signature verification. This
>> happens with
>> both --add and --import.
>>
>> Eg. Say you want to import trustdb.gpg and pubring.gpg from directories
>> "first",
>> "second" and "third", you'd have to:
>>
>> # pacman-key --import first second third
>> # pacman-key --import first second third
>>
>
>
> I have not gone through your patch in detail yet, but I do not see this
> issue you report when using the --add option:
>
> allan at mugen /home/arch/code/pacman (working)
> > ./scripts/pacman-key --verify /home/allan/web/allanbrokeit/**
> i686/allanbrokeit.db.sig
> gpg: Signature made Tue 05 Jul 2011 15:22:42 EST using RSA key ID EAE999BD
> gpg: NOTE: trustdb not writable
> gpg: Good signature from "Allan McRae <me at allanmcrae.com>"
> gpg:                 aka "Allan McRae (Developer) <allan at archlinux.org>"
>
> allan at mugen /home/arch/code/pacman (working)
> > sudo ./scripts/pacman-key --add /home/allan/dan.gpg
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
>
> allan at mugen /home/arch/code/pacman (working)
> > ./scripts/pacman-key --verify /home/allan/web/allanbrokeit/**
> i686/allanbrokeit.db.sig
> gpg: Signature made Tue 05 Jul 2011 15:22:42 EST using RSA key ID EAE999BD
> gpg: NOTE: trustdb not writable
> gpg: Good signature from "Allan McRae <me at allanmcrae.com>"
> gpg:                 aka "Allan McRae (Developer) <allan at archlinux.org>"
>
>
> So the signature verification still works after adding a key with --add.
>  There are two possibilities here...  1) this is fixed due to the large
> number of changes on my working branch, or 2) there is something wrong with
> the --import stuff...
>
> Can you give more details on this issue so I can follow it up and get this
> patch merged.
>
> Cheers,
> Allan
>
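The two --verify transcripts above show the distinction that decides whether pacman -U succeeds: gpg reports "Good signature" for the ack package in both runs, but in the failing run it also prints the "not certified with a trusted signature" warning, i.e. the signature is cryptographically valid but the key has lost its ownertrust. The classifier below is an added example (not part of this thread or of pacman-key) that parses human-readable gpg --verify output into a status an operator can act on; the sample inputs are constructed from the output quoted in the thread (wrapped lines re-joined, fingerprint omitted as in the original post), plus one constructed "BAD signature" case. The status names and note strings are this example's own.

```python
import re

# Constructed samples, reproduced from the gpg output quoted in the thread.
UNTRUSTED_SAMPLE = (
    "gpg: Signature made Fri 10 Jun 2011 11:44:28 AM SGT using RSA key ID CF7AE1C9\n"
    'gpg: Good signature from "testing123 <test123 at hotmail.com>"\n'
    "gpg: WARNING: This key is not certified with a trusted signature!\n"
    "gpg:          There is no indication that the signature belongs to the owner.\n"
    "Primary key fingerprint: <omitted>\n"
)

TRUSTED_SAMPLE = (
    "gpg: Signature made Sun 10 Jul 2011 11:41:18 AM SGT using RSA key ID 1582A729\n"
    'gpg: Good signature from "Pang Yan Han <pangyanhan at gmail.com>"\n'
)

# Allan's run as an unprivileged user: the trustdb is root-owned, so gpg
# notes that it cannot write to it.
READONLY_TRUSTDB_SAMPLE = (
    "gpg: Signature made Tue 05 Jul 2011 15:22:42 EST using RSA key ID EAE999BD\n"
    "gpg: NOTE: trustdb not writable\n"
    'gpg: Good signature from "Allan McRae <me at allanmcrae.com>"\n'
    'gpg:                 aka "Allan McRae (Developer) <allan at archlinux.org>"\n'
)

# Constructed: a signature that does not check out at all.
BAD_SAMPLE = (
    "gpg: Signature made Fri 10 Jun 2011 11:44:28 AM SGT using RSA key ID CF7AE1C9\n"
    'gpg: BAD signature from "testing123 <test123 at hotmail.com>"\n'
)

KEY_ID_RE = re.compile(r"using \w+ key ID ([0-9A-Fa-f]+)")
SIG_RE = re.compile(r'^gpg: (Good|BAD) signature from "(.*)"')


def classify_gpg_verify(output):
    """Classify human-readable `gpg --verify` output.

    Returns a dict with:
      status -- "good-trusted", "good-untrusted", "bad" or "no-signature"
      key_id -- the signing key ID from the "Signature made" line, or None
      signer -- the primary user ID on the signature line, or None
      notes  -- diagnostics an operator would want to see
    """
    result = {"status": "no-signature", "key_id": None, "signer": None, "notes": []}
    signature_ok = None
    for line in output.splitlines():
        m = KEY_ID_RE.search(line)
        if m:
            result["key_id"] = m.group(1).upper()
        m = SIG_RE.match(line)
        if m:
            signature_ok = m.group(1) == "Good"
            result["signer"] = m.group(2)
        # Valid signature, but no ownertrust/certification path for the key:
        # this is the warning that appeared once the second trustdb was imported.
        if "not certified with a trusted signature" in line:
            result["notes"].append("key has no ownertrust in this keyring")
        # Trust values cannot be updated in this run; results may be stale.
        if "trustdb not writable" in line:
            result["notes"].append("trustdb opened read-only")
        # The thread's suspected cause: the homedir belongs to another user.
        if "unsafe ownership on homedir" in line:
            result["notes"].append("homedir owned by another user")
    if signature_ok is False:
        result["status"] = "bad"
    elif signature_ok:
        untrusted = any("ownertrust" in n for n in result["notes"])
        result["status"] = "good-untrusted" if untrusted else "good-trusted"
    return result


def acceptable_for_install(output):
    """Mirror the rule pacman applies: a good signature alone is not enough,
    the signing key must also be trusted in pacman's own keyring."""
    return classify_gpg_verify(output)["status"] == "good-trusted"


if __name__ == "__main__":
    for name, sample in [("ack (after 2nd import)", UNTRUSTED_SAMPLE),
                         ("archlinux-wallpaper", TRUSTED_SAMPLE),
                         ("allanbrokeit.db", READONLY_TRUSTDB_SAMPLE),
                         ("constructed bad", BAD_SAMPLE)]:
        r = classify_gpg_verify(sample)
        print(f"{name}: {r['status']} key={r['key_id']} notes={r['notes']}")
```

For tooling rather than reading transcripts, the same classification is more robust from gpg's machine-readable --status-fd lines (GOODSIG/BADSIG and the TRUST_* lines) than from the localized human output parsed here.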

