[arch-releng] [RFC] gpg related commands fail if clock is off

Florian Pritz bluewind at xinu.at
Mon Jul 30 11:15:40 EDT 2012


gpg won't import any keys if they have been created "in the future" so
if you try to boot archiso on a system that has never been synced (new
board), the clock will most likely be off by a few years and pacman-key
during boot will (silently) fail to import the master keys.

Later pacman (during pacstrap) will tell you that importing any key
failed (still without giving you any good clue) and only when you run
`pacman-key -r <some id>` will it tell you that the key has been created
in the future and tell you to fix your clock.

I propose the following changes:

 - Let pacman-key display errors instead of redirecting everything to
/dev/null: `pacman-key --populate archlinux |& grep -v -e "<some regex
that matches non-interesting message>" -e "..."`

 - Change inittab so that agetty doesn't clean the first tty so users
can see any errors output by pacman-key or others

 - Check the system time against
/usr/share/pacman/keyrings/archlinux.gpg and either warn the user or run
`ntpd -qg` to sync the clock

I haven't yet looked at the code/git/mailing list so if any of those have
already been brought up, fixed or rejected, sorry for the noise.

-- 
Florian Pritz
