Historical bug tracker for the Pacman package manager.
The pacman bug tracker has moved to gitlab:
https://gitlab.archlinux.org/pacman/pacman/-/issues
This tracker remains open for interaction with historical bugs during the transition period. Any new bug reports will be closed without further action.
FS#35705 - "SigLevel = Required DatabaseOptional" does not actually require signatures
Attached to Project:
Pacman
Opened by A Web (aweb) - Saturday, 08 June 2013, 00:39 GMT
Last edited by Allan McRae (Allan) - Saturday, 08 June 2013, 03:31 GMT
Details

Summary and Info:

I'm running a recent Arch install with the default pacman.conf file (plus multilib uncommented). The documentation leads me to believe that when a repository contains: SigLevel = Required DatabaseOptional (which is the default for all repos), then packages must be signed, even if the database (which I presume means the .db file) is not signed. However, this is not the behavior I'm seeing, in which signatures are not required at all.

I'm marking this bug high severity because at the very least the documentation can lead people to do dangerous things. For example, I have updated my laptop over insecure wireless networks, believing that each package would be signed so that even a corrupt db file would only lead me to miss updates for certain packages.

Steps to Reproduce:

Set up an ftp or http server mirroring some Arch packages. An easy way to do this is to combine the contents of /var/cache/pacman and /var/lib/pacman/sync somewhere on your ftp server. I do this as a convenient way of installing a whole cluster without downloading packages multiple times. However, since Arch doesn't cache the .sig files (which I wish it would), there will be no signatures.

Then set up an Arch client whose /etc/pacman.d/mirror list contains your server (which has no signatures) and none of the standard servers.

Now try installing packages. You will see pacman happily install the completely unsigned packages.
Post your pacman.conf and the --debug output for a package install.
<code>
mkdir /var/tmp/fakeserver
ln -f /var/lib/pacman/sync/*.db /var/tmp/fakeserver/
ln -f /var/cache/pacman/pkg/*.tar.xz /var/tmp/fakeserver/
rm -f /var/tmp/fakeserver/*.sig
darkhttpd /var/tmp/fakeserver --addr 127.0.0.1 --port 8765 &
mkarchroot testroot base
echo 'Server = http://127.0.0.1:8765/' > testroot/etc/pacman
arch-chroot testroot pacman --noconfirm -Sy base-devel
</code>
Since this works on a brand new chroot, the pacman.conf file is the default, which contains the following in the [options] section:
<code>
# By default, pacman accepts packages signed by keys that its local keyring
# trusts (see pacman-key and its man page), as well as unsigned packages.
SigLevel = Required DatabaseOptional
LocalFileSigLevel = Optional
#RemoteFileSigLevel = Required
</code>
The database files contain the required package signatures, which would have been clear with the --debug output.