Signing Your Own Key

Some time in the last couple of days, the last of the packages in the Community repository were signed and, thanks to the tremendous work of the Arch developers and Trusted Users, you can fully implement package signing in your /etc/pacman.conf.

You can check the state of the signed packages with this expac one-liner; it will return a list of any unsigned packages:

expac -S '%r %n %g' | awk '$3=="(null)" {print $1 "/" $2}'

Now that the packages are all signed, I updated my /etc/pacman.conf to take advantage of this. My overall SigLevel setting requires signed packages, and—as of yesterday—I was able to move the last repository entry over to do the same:

SigLevel = Required DatabaseOptional TrustedOnly

SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
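The two checks above, the expac filter for unsigned packages and the SigLevel settings in pacman.conf, can be audited together. The script below is an added example, not code from the original post: it parses a constructed pacman.conf excerpt, resolves each repository's effective SigLevel (falling back to the [options] default), flags any repository whose SigLevel contains a token that disables or relaxes package signature checking, and applies the post's awk filter to a constructed `expac -S '%r %n %g'` listing. SAMPLE_CONF and SAMPLE_EXPAC are constructed inputs; a real run would feed it /etc/pacman.conf and live expac output instead.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a pacman.conf for
# repository sections whose SigLevel weakens package signature checking, and
# filter a captured `expac -S '%r %n %g'` listing for unsigned packages.
# SAMPLE_CONF and SAMPLE_EXPAC are constructed inputs, not real system data.

# Constructed pacman.conf excerpt. [options] sets the global default; [extra]
# weakens it to Never; [community] has no SigLevel line and so inherits the
# default.
SAMPLE_CONF='[options]
SigLevel = Required DatabaseOptional TrustedOnly

[core]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[extra]
SigLevel = Never
Include = /etc/pacman.d/mirrorlist

[community]
Include = /etc/pacman.d/mirrorlist'

# Constructed `expac -S "%r %n %g"` output: %g is the base64 PGP signature,
# which expac prints as "(null)" when the package carries none.
SAMPLE_EXPAC='core bash ZGVhZGJlZWY=
core coreutils (null)
extra vim ZGVhZGJlZWY=
community expac (null)'

# Print "repo<TAB>SigLevel" for every repository section, falling back to the
# [options] value when a section sets none. The string is reported as written
# in the file; pacman itself merges per-repo tokens with the default, so the
# tokens shown are still the ones that decide whether checking is weakened.
effective_siglevel() {
    printf '%s\n' "$1" | awk '
        function emit() {
            if (sec == "") return
            if (sec == "options") { def = level; return }
            printf "%s\t%s\n", sec, (level == "" ? def : level)
        }
        /^[[:space:]]*\[/ {
            emit()
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            level = ""
            next
        }
        /^[[:space:]]*SigLevel[[:space:]]*=/ {
            level = $0
            sub(/^[^=]*=[[:space:]]*/, "", level)
            sub(/[[:space:]]+$/, "", level)
        }
        END { emit() }'
}

# Print the names of repositories whose effective SigLevel contains a token
# that disables or relaxes package signature checking (DatabaseOptional is
# deliberately not flagged, matching the post's own global setting).
weak_repos() {
    effective_siglevel "$1" | awk -F "$(printf '\t')" '{
        n = split($2, tok, /[[:space:]]+/)
        for (i = 1; i <= n; i++)
            if (tok[i] ~ /^(Package)?(Never|Optional|TrustAll)$/) { print $1; break }
    }'
}

# The post's one-liner applied to a captured listing: prints repo/name for
# every package whose signature field is "(null)".
unsigned_packages() {
    printf '%s\n' "$1" | awk '$3 == "(null)" { print $1 "/" $2 }'
}

# Usage against the constructed samples; on a live system substitute
# "$(cat /etc/pacman.conf)" and "$(expac -S '%r %n %g')".
echo "Repositories with weakened signature checking:"
weak_repos "$SAMPLE_CONF"
echo "Unsigned packages:"
unsigned_packages "$SAMPLE_EXPAC"
```

With the constructed samples, weak_repos reports only extra, and unsigned_packages reports core/coreutils and community/expac; a clean system, once the signing rollout described above is complete, prints nothing for either.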

The next step was to add my key to pacman’s keychain so that I could sign the packages that I build using ABS or from the AUR. Allan has an excellent post on setting this up.

First, import your key into pacman’s keyring:

pacman-key -r 0xB1BD4E40

Then follow the prompts as you edit the key to sign, set a trust level and save your key:

pacman-key --edit-key 0xB1BD4E40
gpg> lsign
gpg> trust
gpg> save

Then it is just a matter of changing the BUILDENV option in your /etc/makepkg.conf, which is set to !sign by default. Remove the bang and include the details of the key you wish to use:

#-- Remove the bang from sign to enable package signing
BUILDENV=(fakeroot !distcc color !ccache check sign)
#-- Packager: name/email of the person or organization building packages
PACKAGER="Jason Ryan <jasonwryan@gmail.com>"
#-- Specify a key to use for package signing
GPGKEY="B1BD4E40"

Now, when you build a package, you will be prompted for your key’s passphrase:

==> Signing package...

You need a passphrase to unlock the secret key for
user: "Jason W Ryan <jasonwryan@gmail.com>"
2048-bit RSA key, ID B1BD4E40, created 2010-08-21

Enter passphrase:

Enter the correct passphrase and your package is built and signed:

-> Created signature file /home/jason/Build/{pkg}.pkg.tar.xz.sig.

Creative Commons image by donovanbeeson on Flickr.