Some time in the last couple of days, the last of the packages in the Community repository were signed and, thanks to the tremendous work of the Arch developers and Trusted Users, you can fully implement package signing in your /etc/pacman.conf.
You can check the state of the signed packages with this expac one-liner; it will return a list of any unsigned packages:
Now that the packages are all signed, I updated my /etc/pacman.conf to take advantage of this. My overall SigLevel setting requires signed packages, and—as of yesterday—I was able to move the last repository entry over to do the same:
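As an added example (not code from the original post), this shell/awk audit reads a pacman.conf-style file and reports, per repository, whether packages must be signed. It assumes a simplified model in which repository SigLevel tokens are applied on top of the [options] value and Database* tokens and Include files are ignored; the function name `audit_siglevel` and the sample config are constructed for illustration.

```shell
# Report each repository's effective package SigLevel (added example).
# Simplified model (assumption): repo tokens are applied on top of [options];
# Database* tokens and Include files are ignored. The built-in pacman default
# is "Optional TrustedOnly", so the starting state is Optional.
audit_siglevel() {
    awk '
    function apply(tokens, state,    n, t, i, v) {
        n = split(tokens, t, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            v = t[i]
            if (v ~ /^Database/) continue
            sub(/^Package/, "", v)
            if (v == "Never" || v == "Optional" || v == "Required") state = v
        }
        return state
    }
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip comments, trim
    $0 == "" { next }
    /^\[.*\]$/ {                                      # section header
        section = substr($0, 2, length($0) - 2)
        if (section != "options") { order[++count] = section; sig[section] = "" }
        next
    }
    /^SigLevel[ \t]*=/ {
        sub(/^SigLevel[ \t]*=[ \t]*/, "")
        if (section == "options") global = $0; else if (section != "") sig[section] = $0
    }
    END {
        for (i = 1; i <= count; i++) {
            state = apply(sig[order[i]], apply(global, "Optional"))
            if (state != "Required") bad = 1
            printf "%s %s %s\n", order[i], state, (state == "Required" ? "ok" : "UNSIGNED-ALLOWED")
        }
        exit bad + 0   # non-zero when any repository accepts unsigned packages
    }' "$1"
}

# Constructed sample config, not the pacman.conf from the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[options]
SigLevel = Required DatabaseOptional
[core]
Include = /etc/pacman.d/mirrorlist
[custom]
SigLevel = Optional TrustAll
EOF
audit_siglevel "$sample" || echo "at least one repository accepts unsigned packages"
rm -f "$sample"
```

Pointed at /etc/pacman.conf, the function exits non-zero when any repository would still accept unsigned packages, which makes it usable as a check after editing the file.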
The next step was to add my key to pacman’s keychain so that I could sign the packages that I build using ABS or from the AUR. Allan has an excellent post on setting this up.
First, import your key into pacman’s keyring:
Then follow the prompts as you edit the key to sign, set a trust level and save your key:
Then it is just a matter of changing the BUILDENV option in your /etc/makepkg.conf, which is set to !sign by default. Remove the bang and include the details of the key you wish to use:
Now, when you build a package, you will be prompted for your key’s passphrase:
Enter the correct passphrase and your package is built and signed:
Creative Commons image by donovanbeeson on Flickr.