Verify all the packages

Once you have verified the finger prints of the five master keys you might want to actually configure pacman to verify packages. While this was already possible in the past, it is now way easier to get started thanks to pacman 4.0.3 and the keyring package.

If you already have played around with signature verification you could start from scratch by (re)moving the /etc/pacman.d/gnupg directory. I also assume that you have disabled signature checking by setting SigLevel = Never in /etc/pacman.conf.

All you need to do now is to install the archlinux-keyring package, initialize your local pacman keyring, finally import all the packager keys and set the trust level for the master keys. This is achieved by the following commands:

# pacman -Syu archlinux-keyring
# pacman-key --init
# pacman-key --populate archlinux

The last command will ask you to confirm each of the master keys. Now you can set SigLevel to PackageRequired for all official repositories in /etc/pacman.conf. For example:

SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

From now on pacman will check the signatures of all packages before installation and the keys are automatically managed by the keyring package.

Note: You can also set the SigLevel globally in the [options] section. The downside is that you wont be able to install your own packages using pacman -U anymore if they are not signed by a trusted key. Future versions of pacman will have a separate SigLevel option for packages that are installed from you local hard drive.

12 Replies to “Verify all the packages”

  1. Special thanks for the ‘archlinux-keyring’-package. Since now, I could finally solve the problems I was having with the signature checks. :-)

  2. Hi,
    Is it possible to check all already installed packages ?
    And by check I mean verify its integrity and its provenance.

    1. Allan is currently working on a feature that will include checksums for all files of a certain package. Pacman would then be able to verify their integrity.

      But this is not really meant for switching from an untrusted system. Although with some effort you could for example boot a trusted file system and then verify all your files from there.

  3. Great job on getting pacman’s key signing simplified and increasing the security and reliability of package in arch.

  4. Could you please adjust your css style. I can’t read this damn page without disabling styes.

    I don’t know what’s wronbg with the world: putting lite-colored text against a lite colored background

    I hate this planet

  5. I really like the concept of Arch and tried it every 1-3 months. Everytime there is a showstopper. Right now its pacman-key. –init wont finish so i cant install a single package after a fresh netinstall. and after –populate its not a bit better.
    The Documentation isnt helping so i have to reboot everytime with a live cd to check for a solution.
    I found a thread in the German forum that got no working solution (the last post there is a month old).
    I really could cry about the time i wasted everytime looking through manpages without finding a Solution. ;”(

    1. You need to produce some entropy to create your gpg key. Best via moving your mouse in X or a lot I/O. Alternatively you can install haveged and start it’s daemon.

  6. “…You can also set the SigLevel globally in the [options] section.”
    This means if I leave the optionsarray alone (#SigLevel = Optional TrustedOnly) and only change the repositories I use to “PackageRequired” everything is fine and I am on the save side, right? I certainly did pacman -key –init and pacman-key –populate archlinux.

    1. Yes, if that means you add “PackageRequired” to all enabled repositories. This way you will still be able to install unsigned packages via pacman -U which is handy when you compile your own packages.

Comments are closed.