Re: [arch-general] Package signing on soyuz

2017-01-18 Thread Jerome Leclanche
So my current workflow allows doing everything on soyuz. I tried it out for a couple of packages, it works well and FWICT it's secure. Writeup on the setup below as requested on IRC the other day. Local prerequisites: - Extra socket must be enabled. In arch, that seems to be the case by

Re: [arch-general] Package signing on soyuz

2017-01-18 Thread Jan Alexander Steffens via arch-general
On Wed, Jan 18, 2017 at 8:21 PM Lukas Jirkovsky via arch-general < arch-general@archlinux.org> wrote: > I use only the ssh agent forwarding ("ForwardAgent yes" in > .ssh/config). On pkgbuild.com I build packages using the *-*-build as > always. When a package is built, I use a script [1] that

Re: [arch-general] Package signing on soyuz

2017-01-18 Thread Lukas Jirkovsky via arch-general
On 17 January 2017 at 08:42, Jerome Leclanche wrote: > What is the current intended way to sign packages on the pkgbuild.com server? I don't think there's any. > I spent the past day setting up agent forwarding > (https://wiki.gnupg.org/AgentForwarding) for it. Had a lot of

Re: [arch-general] Package signing on soyuz

2017-01-17 Thread Jelle van der Waa
On 01/17/17 at 09:42am, Jerome Leclanche wrote: > What is the current intended way to sign packages on the pkgbuild.com server? > > I spent the past day setting up agent forwarding > (https://wiki.gnupg.org/AgentForwarding) for it. Had a lot of trouble > setting it up due to systemd being

[arch-general] Package signing on soyuz

2017-01-16 Thread Jerome Leclanche
What is the current intended way to sign packages on the pkgbuild.com server? I spent the past day setting up agent forwarding (https://wiki.gnupg.org/AgentForwarding) for it. Had a lot of trouble setting it up due to systemd being seemingly overzealous about the gpg-agent socket. I have it

Re: [arch-general] Package signing: database signatures?

2012-03-11 Thread Don deJuan
On 03/10/2012 08:12 AM, Kevin Chadwick wrote: On Mon, 05 Mar 2012 10:42:15 +0100 Florian Pritz wrote: You should read pacman.conf(5) PACKAGE AND DATABASE SIGNATURE CHECKING and use Optional PackageRequired Quick question and I'm guessing the answer will be just to wait and that's fine.

Re: [arch-general] Package signing: database signatures?

2012-03-10 Thread Kevin Chadwick
On Mon, 05 Mar 2012 10:42:15 +0100 Florian Pritz wrote: You should read pacman.conf(5) PACKAGE AND DATABASE SIGNATURE CHECKING and use Optional PackageRequired Quick question and I'm guessing the answer will be just to wait and that's fine. There are just a few packages preventing me from

Re: [arch-general] Package signing: database signatures?

2012-03-10 Thread Allan McRae
On 11/03/12 02:12, Kevin Chadwick wrote: On Mon, 05 Mar 2012 10:42:15 +0100 Florian Pritz wrote: You should read pacman.conf(5) PACKAGE AND DATABASE SIGNATURE CHECKING and use Optional PackageRequired Quick question and I'm guessing the answer will be just to wait and that's fine.

[arch-general] Package signing: database signatures?

2012-03-05 Thread Christian Hesse
Hello everybody, afaik, database files in official repositories are not signed yet. Are they? This forces one to set SigLevel to 'Optional' instead of 'Required'. Now if anybody wants to provide an infected package he/she only needs to provide no signature at all and the package is happily

Re: [arch-general] Package signing: database signatures?

2012-03-05 Thread Allan McRae
On 05/03/12 19:39, Christian Hesse wrote: And even more interesting: Does it make sense to add a new option 'PkgRequired'? This could force valid signatures for packages and make it optional for database files. You mean like the PackageRequired option that is already there? Or you could use

Re: [arch-general] Package signing: database signatures?

2012-03-05 Thread Florian Pritz
On 05.03.2012 10:39, Christian Hesse wrote: Hello everybody, afaik, database files in official repositories are not signed yet. Are they? This forces one to set SigLevel to 'Optional' instead of 'Required'. Now if anybody wants to provide an infected package he/she only needs to provide no

Re: [arch-general] Package signing: database signatures?

2012-03-05 Thread Christian Hesse
Florian Pritz bluew...@xinu.at on Mon, 05 Mar 2012 10:42:15 +0100: On 05.03.2012 10:39, Christian Hesse wrote: Hello everybody, afaik, database files in official repositories are not signed yet. Are they? This forces one to set SigLevel to 'Optional' instead of 'Required'. Now if

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-17 Thread Guillaume ALAUX
On 17 June 2010 01:34, Allan McRae al...@archlinux.org wrote: On 17/06/10 00:48, Guillaume ALAUX wrote: Are the python scripts in the pacbuild package (apple, strawberry, queuepackage, waka and uploadpackage) used any more as described in this page http://wiki.archlinux.org/index.php/Pacbuild

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-17 Thread Ananda Samaddar
On Sun, 13 Jun 2010 12:46:09 +0200 Xavier Chantry chantry.xav...@gmail.com wrote: It's all there: http://projects.archlinux.org/users/allan/pacman.git/log/?h=gpg and there: http://wiki.archlinux.org/index.php/Package_Signing_Proposal_for_Pacman Come back to us when everything is

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Guillaume ALAUX
On 16 June 2010 02:23, Allan McRae al...@archlinux.org wrote: Just to clarify the build process that goes on here: 1) make a clean chroot (mkarchroot - only needs done once) 2) build package in chroot (makechrootpkg) 3) upload package to staging area and commit to svn (e.g. testingpkg) 4)

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dimitrios Apostolou
On Tue, 15 Jun 2010, Denis A. Altoé Falqueto wrote: The proposed model is based on the web of trust. We would trust on some keys to sign other keys. The main keys would be kept by some high trusty developers. They would sign the public keys of the other developers (and their personal keys too)

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dimitrios Apostolou
On Tue, 15 Jun 2010, Ionuț Bîru wrote: i found this annoying since, debugging is harder, i have to download the resulted package to test it, send it, wait for the pool to come. is a mess :D even if my system is compromised, we build our packages in clean chroots. The workflow won't be

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dimitrios Apostolou
Hey, what do you think about this way of verifying packages? On Tue, 15 Jun 2010, Dimitrios Apostolou wrote: On another note, an easy but maybe a bit costly way to avoid any MITM tampering to packages, is serve *.md5 files for every package through a trusted HTTPS host. Then everyone can query

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dan McGee
On Wed, Jun 16, 2010 at 6:08 PM, Dimitrios Apostolou ji...@gmx.net wrote: Hey, what do you think about this way of verifying packages? On Tue, 15 Jun 2010, Dimitrios Apostolou wrote: On another note, an easy but maybe a bit costly way to avoid any MITM tampering to packages, is serve *.md5

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Allan McRae
On 17/06/10 00:48, Guillaume ALAUX wrote: Are the python scripts in the pacbuild package (apple, strawberry, queuepackage, waka and uploadpackage) used any more as described in this page http://wiki.archlinux.org/index.php/Pacbuild ? Because some of these scripts point to the old current

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dimitrios Apostolou
On Wed, 16 Jun 2010, Dan McGee wrote: On Wed, Jun 16, 2010 at 6:08 PM, Dimitrios Apostolou ji...@gmx.net wrote: Hey, what do you think about this way of verifying packages? On Tue, 15 Jun 2010, Dimitrios Apostolou wrote: On another note, an easy but maybe a bit costly way to avoid any MITM

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-16 Thread Dan McGee
On Wed, Jun 16, 2010 at 6:35 PM, Dimitrios Apostolou ji...@gmx.net wrote: On Wed, 16 Jun 2010, Dan McGee wrote: On Wed, Jun 16, 2010 at 6:08 PM, Dimitrios Apostolou ji...@gmx.net wrote: Hey, what do you think about this way of verifying packages? On Tue, 15 Jun 2010, Dimitrios Apostolou

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Dimitrios Apostolou
On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote: And keep in mind that package signing per se will not solve this kind of problems. Repository database signing is more important for that solution, but is a problem in the current workflow of Arch developers. How exactly is core and extra

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Denis A. Altoé Falqueto
On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou ji...@gmx.net wrote: On Mon, 14 Jun 2010, Denis A. Altoé Falqueto wrote: And keep in mind that package signing per se will not solve this kind of problems. Repository database signing is more important for that solution, but is a problem

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Guillaume ALAUX
How exactly is core and extra database populated? Moreover, instead of building all packages in the private PCs of developers Packages are not built on developers' computers but on build machines as explained here http://wiki.archlinux.org/index.php/Pacbuild

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Dan McGee
On Tue, Jun 15, 2010 at 8:58 AM, Guillaume ALAUX guilla...@alaux.net wrote: How exactly is core and extra database populated? Moreover, instead of building all packages in the private PCs of developers Packages are not built on developers' computers but on build machines as explained here

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Guillaume ALAUX
On 15 June 2010 16:46, Dan McGee dpmc...@gmail.com wrote: On Tue, Jun 15, 2010 at 8:58 AM, Guillaume ALAUX guilla...@alaux.net wrote: How exactly is core and extra database populated? Moreover, instead of building all packages in the private PCs of developers Packages are not built on

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Guillaume ALAUX
On 15 June 2010 16:55, Dimitrios Apostolou ji...@gmx.net wrote: On Tue, 15 Jun 2010, Denis A. Altoé Falqueto wrote: On Tue, Jun 15, 2010 at 10:57 AM, Dimitrios Apostolou ji...@gmx.net wrote: Moreover, instead of building all packages in the private PCs of developers, I think it is

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread C Anthony Risinger
On Tue, Jun 15, 2010 at 11:43 AM, Aleksis Jauntēvs aleksis.jaunt...@gmail.com wrote: On Tuesday 15 June 2010 19:37:00 Pierre Schmitz wrote: On Tue, 15 Jun 2010 19:23:14 +0300, Aleksis Jauntēvs aleksis.jaunt...@gmail.com wrote: I don't think that repo.db should be signed and it is enough to

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-15 Thread Allan McRae
Just to clarify the build process that goes on here: 1) make a clean chroot (mkarchroot - only needs done once) 2) build package in chroot (makechrootpkg) 3) upload package to staging area and commit to svn (e.g. testingpkg) 4) release package on master server adding it to repo (e.g. db-testing)

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-14 Thread Denis A. Altoé Falqueto
On Sun, Jun 13, 2010 at 7:46 AM, Xavier Chantry chantry.xav...@gmail.com wrote: On Sun, Jun 13, 2010 at 11:38 AM, Ananda Samaddar ana...@samaddar.co.uk wrote: This is the reason why we need package signing for Pacman. I'm aware that some progress has been made and it's being worked on. Are

[arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-13 Thread Ananda Samaddar
On Sun, 13 Jun 2010 09:58:38 +0200 Thomas Bächler tho...@archlinux.org wrote: Am 13.06.2010 02:33, schrieb Alexander Duscheleit: OTOH the original mail was meant more to alert *users* of unrealircd, the maintainer should actually already have been noticed via the bug. In that case, it

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-13 Thread Ananda Samaddar
On Sun, 13 Jun 2010 19:48:53 +1000 Allan McRae al...@archlinux.org wrote: This is the reason why we need package signing for Pacman. I'm aware that some progress has been made and it's being worked on. Are there any updates? Yes... because package signing magically fixes all

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-13 Thread Xavier Chantry
On Sun, Jun 13, 2010 at 11:38 AM, Ananda Samaddar ana...@samaddar.co.uk wrote: This is the reason why we need package signing for Pacman. I'm aware that some progress has been made and it's being worked on. Are there any updates? It's all there:

Re: [arch-general] Package signing for the umpteenth time (was Re: unrealircd 3.2.8.1-2 contains backdoor)

2010-06-13 Thread Ng Oon-Ee
On Sun, 2010-06-13 at 10:48 +0100, Ananda Samaddar wrote: On Sun, 13 Jun 2010 19:48:53 +1000 Allan McRae al...@archlinux.org wrote: This is the reason why we need package signing for Pacman. I'm aware that some progress has been made and it's being worked on. Are there any

Re: [arch-general] Package signing

2010-04-29 Thread Aleksis Jauntēvs
On Wednesday 28 April 2010 16:39:53 Allan McRae wrote: On 28/04/10 23:32, Aleksis Jauntēvs wrote: Hello, The idea is to implement package signing for Arch similar to rpm GPG package signing. Good to see someone interested in this. I suggest you join the pacman-dev list where all

Re: [arch-general] Package signing

2010-04-29 Thread Thomas Bächler
Am 29.04.2010 00:36, schrieb Linas: Thomas Bächler wrote: We must have a system that allows pacman to automatically verify new developer keys and revoke old ones ... even more important, revoke them in a way that signatures made before a certain date are still accepted, but newer ones aren't.

Re: [arch-general] Package signing

2010-04-29 Thread Allan McRae
On 30/04/10 01:29, Thomas Bächler wrote: Am 29.04.2010 00:36, schrieb Linas: Thomas Bächler wrote: We must have a system that allows pacman to automatically verify new developer keys and revoke old ones ... even more important, revoke them in a way that signatures made before a certain date

Re: [arch-general] Package signing

2010-04-29 Thread Dan McGee
On Thu, Apr 29, 2010 at 10:40 AM, Allan McRae al...@archlinux.org wrote: On 30/04/10 01:29, Thomas Bächler wrote: Am 29.04.2010 00:36, schrieb Linas: Thomas Bächler wrote: We must have a system that allows pacman to automatically verify new developer keys and revoke old ones ... even more

Re: [arch-general] Package signing

2010-04-29 Thread Denis A. Altoé Falqueto
On Thu, Apr 29, 2010 at 12:40 PM, Allan McRae al...@archlinux.org wrote: Has anyone had a good look at the other implementations of package signing (Debian, Fedora, ...) and made a summary of how they handle it? (Long email ahead, sorry...) Good idea, indeed. This is what I've found about

Re: [arch-general] Package signing

2010-04-29 Thread Linas
Ng Oon-Ee wrote: Under which circumstances would you envision the need to trust an old, compromised signature? New install, dev for a couple of [extra] packages has already left the team. Having to recompile every time a dev leaves the team is additional (unnecessary) hassle IMO,

[arch-general] Package signing

2010-04-28 Thread Aleksis Jauntēvs
Hello, The idea is to implement package signing for Arch similar to rpm GPG package signing. Short description follows. Use case for developers: 1. Dev builds package with f.e. -sign switch. 2. Dev enters passphrase. 3. makepkg builds the package and creates detached signature (now we have 2

Re: [arch-general] Package signing

2010-04-28 Thread Allan McRae
On 28/04/10 23:32, Aleksis Jauntēvs wrote: Hello, The idea is to implement package signing for Arch similar to rpm GPG package signing. Good to see someone interested in this. I suggest you join the pacman-dev list where all discussion about pacman development occurs. There is also some

Re: [arch-general] Package signing

2010-04-28 Thread Ng Oon-Ee
On Wed, 2010-04-28 at 23:39 +1000, Allan McRae wrote: On 28/04/10 23:32, Aleksis Jauntēvs wrote: Hello, The idea is to implement package signing for Arch similar to rpm GPG package signing. Good to see someone interested in this. Yes, the monthly forum threads were a bit tiring. I

Re: [arch-general] Package signing

2010-04-28 Thread Allan McRae
On 28/04/10 23:52, Ng Oon-Ee wrote: On Wed, 2010-04-28 at 23:39 +1000, Allan McRae wrote: On 28/04/10 23:32, Aleksis Jauntēvs wrote: Hello, The idea is to implement package signing for Arch similar to rpm GPG package signing. Good to see someone interested in this. Yes, the monthly forum

Re: [arch-general] Package signing

2010-04-28 Thread Ng Oon-Ee
On Wed, 2010-04-28 at 23:56 +1000, Allan McRae wrote: On 28/04/10 23:52, Ng Oon-Ee wrote: On Wed, 2010-04-28 at 23:39 +1000, Allan McRae wrote: On 28/04/10 23:32, Aleksis Jauntēvs wrote: Hello, The idea is to implement package signing for Arch similar to rpm GPG package signing.

Re: [arch-general] Package signing

2010-04-28 Thread b1
On Wed, 2010-04-28 at 22:03 +0800, Ng Oon-Ee wrote: On Wed, 2010-04-28 at 23:56 +1000, Allan McRae wrote: On 28/04/10 23:52, Ng Oon-Ee wrote: On Wed, 2010-04-28 at 23:39 +1000, Allan McRae wrote: On 28/04/10 23:32, Aleksis Jauntēvs wrote: Hello, The idea is to implement package

Re: [arch-general] Package signing

2010-04-28 Thread Denis A. Altoé Falqueto
On Wed, Apr 28, 2010 at 10:39 AM, Allan McRae al...@archlinux.org wrote: On 28/04/10 23:32, Aleksis Jauntēvs wrote: Hello, The idea is to implement package signing for Arch similar to rpm GPG package signing. Good to see someone interested in this. I suggest you join the pacman-dev list

Re: [arch-general] Package signing

2010-04-28 Thread Pierre Schmitz
On Wed, 28 Apr 2010 14:18:02 -0300, Denis A. Altoé Falqueto denisfalqu...@gmail.com wrote: Hi, Allan and Aleksis. I was thinking about this problem for some time and the more complex part is the key distribution and trusting. Now I maybe came to something useful. I'm thinking about a two

Re: [arch-general] Package signing

2010-04-28 Thread Daenyth Blank
On Wed, Apr 28, 2010 at 13:18, Denis A. Altoé Falqueto denisfalqu...@gmail.com wrote: I'm thinking about a two way signing process. The dev signs the package and send it to the server. The server would have a script or a cron job to verify if the signature is valid and is from someone trusted

Re: [arch-general] Package signing

2010-04-28 Thread Florian Pritz
On 28.04.2010 19:18, Denis A. Altoé Falqueto wrote: I'm thinking about a two way signing process. The dev signs the package and send it to the server. The server would have a script or a cron job to verify if the signature is valid and is from someone trusted [1]. If so, the original signature

Re: [arch-general] Package signing

2010-04-28 Thread Denis A. Altoé Falqueto
On Wed, Apr 28, 2010 at 2:25 PM, Pierre Schmitz pie...@archlinux.de wrote: On Wed, 28 Apr 2010 14:18:02 -0300, Denis A. Altoé Falqueto denisfalqu...@gmail.com wrote: Hi, Allan and Aleksis. I was thinking about this problem for some time and the more complex part is the key distribution and

Re: [arch-general] Package signing

2010-04-28 Thread Daenyth Blank
On Wed, Apr 28, 2010 at 14:32, Denis A. Altoé Falqueto denisfalqu...@gmail.com wrote: This could also cause problems when downloading some package that depends on a public key that was not downloaded yet. Adding the keyring to the same rule that prompts you to upgrade pacman before anything

Re: [arch-general] Package signing

2010-04-28 Thread Denis A. Altoé Falqueto
On Wed, Apr 28, 2010 at 3:30 PM, Florian Pritz bluew...@server-speed.net wrote: On 28.04.2010 19:18, Denis A. Altoé Falqueto wrote: I'm thinking about a two way signing process. The dev signs the package and send it to the server. The server would have a script or a cron job to verify if the

Re: [arch-general] Package signing

2010-04-28 Thread Thomas Bächler
Am 28.04.2010 19:18, schrieb Denis A. Altoé Falqueto: I was thinking about this problem for some time and the more complex part is the key distribution and trusting. Now I maybe came to something useful. Finally, someone realizes that. The distribution and trusting of keys is in fact the most

Re: [arch-general] Package signing

2010-04-28 Thread Ng Oon-Ee
On Thu, 2010-04-29 at 00:36 +0200, Linas wrote: Thomas Bächler wrote: We must have a system that allows pacman to automatically verify new developer keys and revoke old ones ... even more important, revoke them in a way that signatures made before a certain date are still accepted, but

Re: [arch-general] Package signing

2010-04-28 Thread Denis A. Altoé Falqueto
On Wed, Apr 28, 2010 at 6:37 PM, Linas linas...@ymail.com wrote: I wrote about this topic ~1 month ago. You don't need PKCis or distribute the keyrings themselves. GPG supports transitive trust. The pacman keyring would be installed by default trusting on whatever keys a pacman root signature

Re: [arch-general] Package signing

2010-04-28 Thread Tavian Barnes
On 28 April 2010 15:37, Linas linas...@ymail.com wrote: [snip] Packages built by you - Add your own key. [/snip] Please no, it's way too convenient to be able to do makepkg su -c pacman -U whatever and not bother with keys or signing. You should be able to install unsigned packages, maybe with

Re: [arch-general] Package signing (was: Arch Linux security is still poor)

2010-03-17 Thread Thomas Bächler
Am 17.03.2010 01:06, schrieb Linas: There are several ways to close the gap: *Always download the package list from ftp.archlinux.org It's the easier solution, but it only protects against the mirror operator. Moreover, it increases load on that server and makes it a single point of failure.

Re: [arch-general] Package signing (was: Arch Linux security is still poor)

2010-03-17 Thread Myra Nelson
On Tue, Mar 16, 2010 at 19:06, Linas linas...@ymail.com wrote: I had already this email draft in my head, but Ananda's 'Arch Linux security is still poor' thread, on which the point was also brought up, moved me to really write it. First off, there's an implicit level of trust on the package

[arch-general] Package signing (was: Arch Linux security is still poor)

2010-03-16 Thread Linas
I had already this email draft in my head, but Ananda's 'Arch Linux security is still poor' thread, on which the point was also brought up, moved me to really write it. First off, there's an implicit level of trust on the package software, no matter which OS you use. When using Windows, you

Re: [arch-general] Package signing (was: Arch Linux security is still poor)

2010-03-16 Thread Daenyth Blank
On Tue, Mar 16, 2010 at 20:06, Linas linas...@ymail.com wrote: I had already this email draft in my head, but Ananda's 'Arch Linux security is still poor' thread, on which the point was also brought up, moved me to really write it. There's a bug on the tracker about this, please contribute

Re: [arch-general] Package signing (was: Arch Linux security is still poor)

2010-03-16 Thread Allan McRae
On 17/03/10 10:06, Linas wrote: Do you think this is a good idea? Which solution do you prefer? And most important, what would be needed to reach there? There have been discussions on the pacman-dev mailing list and there is even a partial implementation for package signing available. You should