Security in computer programs is often based on some kind of secret. It might be a key, passphrase or the popular password. It is also equally important that this key is not only secret but also random and cannot be easily guessed.
The same concept applies to our package signing method. The security model which is used to ensure validity of our packages is directly based on PGP. In this trust model you mark a certain key as trusted by signing it with your very own private key.
On Arch Linux we ship the archlinux-keyring package to set up and maintain a set of packager keys and their web of trust. On install a new key pair is generated and the five master keys are locally signed. Any package that is signed by a key that itself is signed by at least three of the master keys is considered valid. This also implies that anything signed directly by that private key is automatically valid as well.
The keyring pacman uses is stored in
/etc/pacman.d/gnupg. There is no magic involved here and you can even directly use it with the
gpg command by appending the
--homedir /etc/pacman.d/gnupg parameter.
It is important to underline that the PGP key pair stored there is unique to your machine. It is not part of any package but generated on install and random. An attacker who is able to obtain or guess that key can sign packages that pacman will happily accept as valid. Be aware of this when you create backups, clone your machines or setup virtual machines. It might be a bad idea to share the same private key on different machines.
For our live system image we ship a service that initializes a new random key on every boot. It is stored in RAM using tmpfs and therefor not persistent. We make use of the haveged service to create enough random data to not slow down the boot process.
Sadly the problem does not seem to be a theoretical one and it seems people are not aware of the dangers a shared
/etc/pacman.d/gnupg directory implies. This especially affects system images, virtual machines and installer images you can download.
For example the Arch Linux fork Manjaro ships a static private key on their installer image which also gets copied to the target system. The result is that all Manjaro users have the same "private" key and anybody can easily use this to sign any package that the package manager will accept. It might be even worse as users expect package verification is set up correctly and care less about the source they install packages from.
If you just realized you made a terrible mistake, you can reinitialize your keyring with a new random and secret key using these commands:
$ rm -rf /etc/pacman.d/gnupg $ pacman-key --init $ pacman-key --populate archlinux
Keep in mind that package verification was essentially unavailable to this point and it’s up to you what consequences you draw from this. They only real solution is to re-install everything from a trusted source.
tl;dr: Make sure pacman’s PGP keys in
/etc/pacman.d/gnupg are random and remain secret.