FS#72329 - Add option to pacman-key to wipe existing keyring
Attached to Project: Pacman
Opened by Clar Fon (lightdark) - Sunday, 03 October 2021, 04:26 GMT
Last edited by Allan McRae (Allan) - Thursday, 15 December 2022, 06:13 GMT
Details
The existing Arch Linux docker image already uses a custom
set of commands to remove the private keys from
`/etc/pacman.d/gnupg`, to ensure that containers can't be
exploited by containing the same common private key. This
command would be useful in general for people who want to
create their own rootfs distributions, or who have
potentially had their rootfs compromised and would like to
generate a new keyring.

Ideally, users would be able to run a `pacman-key --wipe` command to perform this operation, meaning that a `pacman-key --init` would have to be run before packages can be installed. There could potentially also be a `pacman-key --rotate` operation which would combine these two operations.

A link to the relevant code in the docker repo (at the time of writing) can be found here: https://gitlab.archlinux.org/archlinux/archlinux-docker/-/blob/e8d7daa7900a9e7d571d7b7e5e16ad1b5c67839b/Makefile#L22

Ideally, this would just wipe out the keys and not remove any `gpg.conf` or `gpg-agent.conf` files already existing in the directory, as the linked version does.
Closed by Allan McRae (Allan)
Thursday, 15 December 2022, 06:13 GMT
Reason for closing: Won't implement
Additional comments about closing: rm is just as effective.
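
The `rm`-based approach named in the closing comment, written so that `gpg.conf` and `gpg-agent.conf` survive as the request asks. This is an added example, not code from pacman or the archlinux-docker repository; `wipe_keyring` is a hypothetical helper name, and the script assumes a `find` that supports `-mindepth`/`-maxdepth` (GNU findutils, as shipped on Arch).

```shell
#!/bin/sh
# Added example: wipe a pacman GnuPG home but keep its configuration files.
# wipe_keyring is a hypothetical helper, not part of pacman-key.

wipe_keyring() {
    gnupg_dir=${1:-/etc/pacman.d/gnupg}

    # Refuse anything that is not an existing directory, or "/" itself.
    [ -d "$gnupg_dir" ] || { echo "not a directory: $gnupg_dir" >&2; return 1; }
    case $(cd "$gnupg_dir" && pwd -P) in
        /) echo "refusing to wipe /" >&2; return 1 ;;
    esac

    # Stop any gpg-agent serving this home first, so the old private key is
    # not left cached in a running process. Skipped if gpgconf is absent.
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --homedir "$gnupg_dir" --kill gpg-agent >/dev/null 2>&1 || true
    fi

    # Remove every top-level entry (keyrings, trust database, private key
    # store, stale sockets) except the two configuration files.
    find "$gnupg_dir" -mindepth 1 -maxdepth 1 \
        ! -name gpg.conf ! -name gpg-agent.conf \
        -exec rm -rf -- {} +
}

# After wiping, a fresh keyring has to be generated before packages can be
# installed again:
#   pacman-key --init
#   pacman-key --populate
```

In an image build, the wipe belongs in the last step that touches the rootfs, so no layer or exported tarball still holds the private key.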