Arch Linux and I aren't the best of friends; its rolling release model just doesn't jibe with me. I only really installed it on a couple of personal servers for experience with another distribution, so usually the boxes sit there doing their thing until I feel like setting up something new. When I run the first update in six months, something usually goes wrong, and I make my way over to the Arch forums to figure out how to give pacman a kick in the butt to get things sorted.
This time around, I'm installing metasploit to test some equipment against the recent security flaws in UPnP that have been making waves. A binary package isn't available in the official repositories, so the Arch User Repository (AUR) picks up the slack with a PKGBUILD that automates building it from source. I've used this in the past with some success, but last year Arch finally implemented package signing. It turns out that once pacman's SigLevel requires signatures, installing an unsigned, personally built package fails, unless you temporarily relax that setting. Let's not do that though; let's stay consistent with package signing. In a larger environment with your own custom repo you would definitely want this working, and there's nothing wrong with learning more about your system.
    $ sudo pacman -U metasploit-4.5.0-0-any.pkg.tar.xz
    loading packages...
    error: 'metasploit-4.5.0-0-any.pkg.tar.xz': invalid or corrupted package (PGP signature)
The first step in package signing is to have your own key to sign with. If you're like me and don't have one, create it with gpg --gen-key. You'll be prompted for information to identify the key with, like your full name and e-mail address, and for a passphrase to protect your private key. The defaults for the key pair type and length (RSA, 2048 bits at the time of writing; newer GnuPG releases pick stronger defaults) are fine.
    $ gpg --gen-key
    ...
    $ gpg --list-keys
    /home/brent/.gnupg/pubring.gpg
    ------------------------------
    pub   2048R/ABCD1234 2013-01-30
    uid                  Brent <brent@xxxxx>
    sub   2048R/EFGH5678 2013-01-30
When that's all done, export an ASCII-armored copy of your public key with gpg, identified by the name you chose previously, and import it into pacman's keyring with pacman-key. I feel this method is preferable to using a public key server unless you're interested in using gpg for public activities. If you're sharing your binary packages with other servers, a public key server would save you the trouble of copying the ASCII public key around to each of them. Either way, compare the key's fingerprint (gpg --fingerprint) out of band before the next step, because the local signature you add there is what makes pacman trust the key.
    $ gpg --armor --output brent.asc --export "Brent"
    $ sudo pacman-key -a brent.asc
    ==> Updating trust database...
    gpg: next trustdb check due at 2014-01-22
    $ pacman-key --list-sigs "Brent"
    pub   2048R/ABCD1234 2013-01-30
    uid                  Brent <brent@xxxxx>
    sig 3        ABCD1234 2013-01-30  Brent <brent@xxxxx>
    sub   2048R/EFGH5678 2013-01-30
    sig          ABCD1234 2013-01-30  Brent <brent@xxxxx>
After that, you sign the key with the local pacman master key and trust it. Importing only makes the key known to pacman; this local (non-exportable) signature by the master key is what makes pacman treat it as trusted, which is the level a SigLevel of TrustedOnly checks for. To do that you need the key ID shown in the previous steps as ABCD1234. The interactive session below shows what happens; pacman-key --lsign-key ABCD1234 performs the same signing step without it.
    $ sudo pacman-key --edit-key 0xABCD1234
    ...
    gpg> lsign
    ...
    Are you sure that you want to sign this key with your
    key "Pacman Keychain Master Key <pacman@localhost>" (DCBA4321)

    The signature will be marked as non-exportable.

    Really sign? (y/N) y

    gpg> trust
    ...
    Your decision? 4
    ...
    gpg> save
    ==> Updating trust database...
With that done, it's time to tell makepkg to start signing custom packages. You can edit the system-wide config at /etc/makepkg.conf, but as you're defining a packager name and a signing key that belong to one user, it makes more sense to keep a local config for your build user in ~/.makepkg.conf.
    #
    # ~/.makepkg.conf
    #
    BUILDENV=(fakeroot !distcc color !ccache check sign)
    #-- Packager: name/email of the person or organization building packages
    PACKAGER="Brent <brent@xxxxx>"
    #-- Specify a key to use for package signing
    GPGKEY="ABCD1234"
In this local config you enable sign (the default is !sign in /etc/makepkg.conf) and specify the packager and your GPG key ID. If you only want to sign a single build, makepkg --sign does the same thing without touching the config. With that done, you should be good to run makepkg again, this time being prompted for the passphrase of your private key.
    ==> Signing package...

    You need a passphrase to unlock the secret key for
    user: "Brent <brent@xxxxx>"
    2048-bit RSA key, ID ABCD1234, created 2013-01-30

      -> Created signature file /tmp/build/metasploit/metasploit-4.5.0-0-any.pkg.tar.xz.sig.
With the .xz and its .sig file created, pacman is happy to install your new, signed package! If you want to check before installing, pacman-key --verify on the .sig file runs gpg against pacman's own keyring and tells you both whether the signature is good and whether it will warn about an untrusted key.
    $ sudo pacman -U metasploit-4.5.0-0-any.pkg.tar.xz
    loading packages...
    resolving dependencies...
    looking for inter-conflicts...

    Targets (1): metasploit-4.5.0-0

    Total Installed Size:   215.69 MiB

    Proceed with installation? [Y/n] y
Thanks a lot for this important info, which I have not found in this form on the Arch Linux project's own site.