Once you have verified the fingerprints of the five master keys you might want to actually configure pacman to verify packages. While this was already possible in the past, it is now way easier to get started thanks to pacman 4.0.3 and the keyring package.
If you have already played around with signature verification you could start from scratch by (re)moving the /etc/pacman.d/gnupg directory. I also assume that you have disabled signature checking by setting SigLevel = Never in
All you need to do now is to install the archlinux-keyring package, initialize your local pacman keyring, and finally import all the packager keys and set the trust level for the master keys. This is achieved by the following commands:
    # pacman -Syu archlinux-keyring
    # pacman-key --init
    # pacman-key --populate archlinux
The last command will ask you to confirm each of the master keys. Now you can set PackageRequired for all official repositories in /etc/pacman.conf. For example:
    [core]
    SigLevel = PackageRequired
    Include = /etc/pacman.d/mirrorlist

    [extra]
    SigLevel = PackageRequired
    Include = /etc/pacman.d/mirrorlist

    [community]
    SigLevel = PackageRequired
    Include = /etc/pacman.d/mirrorlist
From now on pacman will check the signatures of all packages before installation and the keys are automatically managed by the keyring package.
Note: You can also set the SigLevel globally in the [options] section. The downside is that you won't be able to install your own packages using pacman -U anymore if they are not signed by a trusted key. Future versions of pacman will have a separate SigLevel option for packages that are installed from your local hard drive.
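
To check the result of the configuration above, the following added example (not part of the original post) lists the effective SigLevel of each repository in a pacman.conf-style file, using the [options] value where a repository sets none, and names the repositories that would still install packages without a required signature. It assumes SigLevel is set inline rather than in an Include file; the sample config and its [custom] repository are constructed.

```shell
# Added example. Prints "<repo> <effective SigLevel>" for a pacman.conf-style
# file: a repo's own SigLevel wins, otherwise the [options] value applies.
# Assumption: Include= files are not followed; SigLevel is set inline.
effective_siglevels() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    /^[ \t]*\[/ {                               # section header such as [core]
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        if (sec != "options") repos[++n] = sec
        next
    }
    /^[ \t]*SigLevel[ \t]*=/ {
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        level[sec] = val
    }
    END {
        for (i = 1; i <= n; i++) {
            r = repos[i]
            if (r in level)              print r, level[r]
            else if ("options" in level) print r, level["options"]
            else                         print r, "unset"
        }
    }' "$1"
}

# Repos whose effective SigLevel has no Required/PackageRequired token.
# Plain token check: it does not model later tokens overriding earlier ones.
unverified_repos() {
    effective_siglevels "$1" | awk '{
        ok = 0
        for (i = 2; i <= NF; i++) if ($i == "Required" || $i == "PackageRequired") ok = 1
        if (!ok) print $1
    }'
}

# Constructed sample config; [custom] is a hypothetical local repository.
sample_conf() {
    printf '%s\n' '[options]' 'SigLevel = Never' '' \
        '[core]' 'SigLevel = PackageRequired' 'Include = /etc/pacman.d/mirrorlist' '' \
        '[extra]' 'Include = /etc/pacman.d/mirrorlist' '' \
        '[custom]' 'SigLevel = Optional TrustAll'
}

tmp=$(mktemp) && sample_conf > "$tmp"
effective_siglevels "$tmp"
echo "not verified: $(unverified_repos "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```

On a real system, pass /etc/pacman.conf to unverified_repos; an empty result means every listed repository requires package signatures.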