Release Engineering

This project is intented for all release related issues (isos, installer, etc), under the umbrella of the ArchLinux Release Engineers

FS#27583 - aif should setup pacman keys stuff

Attached to Project: Release Engineering
Opened by Dieter Plaetinck (Dieter_be) - Thursday, 15 December 2011, 10:20 GMT
Last edited by Gerardo Exequiel Pozzi (djgera) - Monday, 26 November 2012, 04:51 GMT
Task Type Feature Request
Category AIF
Status Closed
Assigned To Dieter Plaetinck (Dieter_be)
Architecture All
Severity Medium
Priority Normal
Reported Version testbuild (specify!)
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No


as soon as we have the masterkeys and keyring package...

* the live system should have everything set up correctly by archiso
so that means aif can install packages to the target system, after checking the integrity of said packages by using the keyring in the live system, setup by archiso
12:54 < brain0> Dieterbe: the CD should ship the master public keys and the trust file (trust file is just the key IDs and a number for each of them)
the dev keys will be imported by the keyring package

* aif should do the following into the target system (after package installation)
(i.e. as a new step called "set up target system keyring" or something)
(existing users will need to do this manually, for new installs aif can do it)
pacman-key --init
pacman-key -a $masterkeys
pacman-key --lsign $masterkeys
pacman-key --import-trustdb $masterkeytrustfile

12:45 < brain0> then populate the keyring with the dev keys (how??)

pacman.conf default is SigLevel = Optional TrustedOnly
"Optional" should be changed to "Required" at some point (by aif or pacman?)
This task depends upon

Closed by  Gerardo Exequiel Pozzi (djgera)
Monday, 26 November 2012, 04:51 GMT
Reason for closing:  Deferred
Comment by Gerardo Exequiel Pozzi (djgera) - Thursday, 15 December 2011, 13:48 GMT
Actually we are customizing [core], removing some packages, that implies writing own "core.db.tar.gz". This database need to be signed?
Comment by Jelle van der Waa (jelly) - Friday, 27 January 2012, 17:04 GMT
Isn't there going to be a package with all the keys, so just install that?
Comment by Ionut Biru (wonder) - Tuesday, 31 January 2012, 17:38 GMT
right now nobody can use the releng isos because AIF creates on the fly /tmp/pacman.conf that is used to install packages into /mnt.

we either have to add SigLevel = Never or try to use /etc/pacman.conf
Comment by Dieter Plaetinck (Dieter_be) - Wednesday, 01 February 2012, 11:28 GMT
@wonder, so what happens? does pacman give an error about the missing siglevel and aborts?
Comment by Ionut Biru (wonder) - Wednesday, 01 February 2012, 11:45 GMT
it uses the default SigLevel, being Optional TrustAll, and bails out from installing any packages.
Comment by Ionut Biru (wonder) - Wednesday, 29 February 2012, 14:19 GMT
We have 3 options for fixing this issue.
1) archiso should setup a keyring for iso
2) fix aif to add SigLevel = Never in /tmp/pacman.conf
3) wait for a keyring package and hope it works.

Tell me what's the best solution before starting to fix it. I tend to agree that 1) will be the best.
Comment by Gerardo Exequiel Pozzi (djgera) - Wednesday, 29 February 2012, 14:35 GMT
As you said originally, option 3.
Comment by Ionut Biru (wonder) - Wednesday, 29 February 2012, 14:39 GMT
option 3 still requires archiso to generate initial Pacman Keychain Master Key and sign the master keys with it.
Comment by Gerardo Exequiel Pozzi (djgera) - Wednesday, 29 February 2012, 17:18 GMT
So basically we need to do:

If there any plans to do new ISO in fews days, (before pacman pkg change to siglevel to (O+TA), point 2 should be made in AIF

When pacman pkg sets siglevel to default (O+TA):
* archiso
++ mkarchiso will work fine when mkarchroot[devtools] works with sig pkgs.
* aif
++ should setup sig stuff in target.

Comment by Ionut Biru (wonder) - Thursday, 08 March 2012, 10:12 GMT
pacman-key requires some work for using archlinux-keyring. no ETA when will be fixed and i decided that the best thing now is to disable.
Comment by Dieter Plaetinck (Dieter_be) - Sunday, 01 April 2012, 22:26 GMT
applied Ioni's patch for now. is in develop branch, will be on next testbuild