Mind Bending

This last Tuesday (January 17), pacman 4 was moved into Arch Linux's core repository. This new version brings several new features to this great package manager, but what stands out most is GPG (GNU Privacy Guard) package signing, which ensures the integrity and authenticity of the packages and/or repositories for the distribution. It is a fact that this functionality has existed for some time on other GNU/Linux distributions, like Debian and its derivatives. However, in Arch Linux this feature was still in the testing phase and could only be obtained by activating the testing repository or compiling it through AUR (or, for the faint of heart, using the tool yaourt).

The Arch Linux team, unlike other distributions' teams, is always striving to make migration processes as smooth as possible, and no big change is "shoved down the users' throats". Thus, this feature is disabled by default in this update. But even with all the care in the world, a significant change may require some level of manual intervention, and this update is no exception. When I tried to update pacman today, I received the following message:

$ sudo pacman -Suy
resolving dependencies...
looking for inter-conflicts...
error: failed to prepare transaction (could not satisfy dependencies)
:: package-query: requires pacman<3.6
:: pacman-color: requires pacman<3.6

In order to solve this little problem, the user needs to remove some previously installed packages (package-query, pacman-color and yaourt) and then force the pacman update:

$ sudo pacman -R package-query pacman-color yaourt
$ sudo pacman -S pacman
resolving dependencies...
looking for inter-conflicts...

Targets (2): libarchive-3.0.3-2  pacman-4.0.1-4

Net Upgrade Size:   2,17 MB
Total Installed Size:   5,97 MB

Proceed with installation? [Y/n] y
:: Retrieving packages from core...
 libarchive-3.0.3-2-i686    1215,4K  212,2K/s 00:00:06 [###########] 100%
 pacman-4.0.1-4-i686        1005,0K  159,0K/s 00:00:06 [###########] 100%

(2/2) checking package integrity                       [###########] 100%
(2/2) checking for file conflicts                      [###########] 100%
(1/2) upgrading libarchive                             [###########] 100%
(2/2) upgrading pacman                                 [###########] 100%
warning: /etc/pacman.conf installed as /etc/pacman.conf.pacnew
 >>> Run `pacman-key --init` to set up your pacman keyring.

A Little Tip: After this update, even if GPG signature checking isn't useful in your work environment, it is a good idea to (at least) initialize pacman's keyring. The reason is to prepare the user environment for GPG keys now, as they will soon be standard on all Linux distributions. To do so, use the following command:

$ sudo pacman-key --init
gpg: /etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
gpg: Generating pacman keychain master key...

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy!
(Need 281 more bytes)
...
gpg: key XXXXXXXX marked as ultimately trusted
gpg: Done
==> Updating trust database...
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

After initializing the pacman keyring, rename the configuration file which was installed during the pacman update:

$ sudo mv /etc/pacman.conf /etc/pacman.conf.old
$ sudo mv /etc/pacman.conf.pacnew /etc/pacman.conf

It is important to note that if you are currently using third-party repositories, you will need to add them manually to the new configuration file after this pacman update.

This new configuration file for pacman has a new (and improved) syntax for the package repositories. One of the novelties is a key called SigLevel, which controls signature checking for each active repository. This key can have the following values:

  • Required: forces signature checking to be performed;
  • Optional (default): checks signatures if present, but unsigned packages and databases are still accepted;
  • Never: no signature checking is performed.

Remember that the use of Never is not advisable in a production environment. However, if you do not want to use signatures, just set the SigLevel key to Never in /etc/pacman.conf.
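Because SigLevel can be set globally under [options] and overridden per repository, it is easy to lose track of which repositories actually end up unverified. The following shell script is an added example (not from the original post or from pacman itself): it parses a constructed pacman.conf, reports the effective SigLevel of every repository, and flags any repository that falls to Never; the repository names and the example.invalid server are made up.

```shell
#!/bin/sh
# Added example: audit the effective SigLevel of each repository in a
# pacman 4 style configuration. A per-repository SigLevel overrides the
# [options] default; sections without one inherit it (Optional when unset).

# Constructed sample configuration (not a real system file).
SAMPLE_CONF='
[options]
SigLevel = Optional

[core]
SigLevel = Required
Include = /etc/pacman.d/mirrorlist

[extra]
Include = /etc/pacman.d/mirrorlist

[thirdparty]
SigLevel = Never
Server = http://example.invalid/$repo/$arch
'

# Print "repository<TAB>effective SigLevel" for every repository section.
pacman_siglevels() {
    printf '%s\n' "$1" | awk '
        /^\[.*\]$/ {
            sec = substr($0, 2, length($0) - 2)
            if (sec != "options") order[++n] = sec
            next
        }
        /^[ \t]*SigLevel[ \t]*=/ {
            sub(/^[ \t]*SigLevel[ \t]*=[ \t]*/, "")
            if (sec == "options") def = $0; else level[sec] = $0
        }
        END {
            if (def == "") def = "Optional"   # pacman default per the post
            for (i = 1; i <= n; i++) {
                r = order[i]
                printf "%s\t%s\n", r, (r in level) ? level[r] : def
            }
        }'
}

# Exit 0 when no repository ends up at Never, 1 otherwise (handy as an audit check).
pacman_no_never() {
    pacman_siglevels "$1" | awk -F'\t' '$2 == "Never" { bad = 1 } END { exit bad }'
}

pacman_siglevels "$SAMPLE_CONF"
```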

If you require verification of GPG signatures (as advised), you will see output like the one below:

$ sudo pacman -S gvim
resolving dependencies…
looking for inter-conflicts…

Targets (2): vim-runtime-7.3.401-1  gvim-7.3.401-1

Net Upgrade Size:     5,27 MiB
Total Installed Size:   27,99 MiB

Proceed with installation? [Y/n] y
:: Retrieving packages from extra…
 vim-runtime-7.3.401-1-i686             4,2 MiB   227K/s 00:19 [#########] 100%
 gvim-7.3.401-1-i686                 1048,6 KiB   211K/s 00:05 [#########] 100%
(2/2) checking package integrity                               [#########] 100%
error: vim-runtime: key "FCF2CB179205AC90" is unknown
:: Import PGP key 9205AC90, [...], 2011-04-19? [Y/n] y
(1/1) checking package integrity                      [##################] 100%
error: vim-runtime: signature from "*****" is unknown trust
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.

As you can see, pacman itself asks whether we want to import the key, but then fails anyway. This happens because an imported key is not trusted until it is signed manually, with the following command:

$ sudo pacman-key --lsign-key FCF2CB179205AC90
==> Updating trust database...
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
$
$ sudo pacman -S gvim
[...]

At first, the GPG keys can be quite annoying, because of the constant prompts while the keys are being activated in your work environment (for all packages and programs involved). However, once all the keys necessary to secure your system have been included, these messages will no longer appear on your screen.

For the future, it is highly recommended that all Arch Linux users always perform GPG signature checks on their systems. This guarantees that the packages used in your production environment are really being distributed by a trusted source.

But today, a good (and temporary) practice would be to keep the signature check level at Optional, since there are still many packages within the Arch Linux repositories that are not signed yet.

Thus, over time, when the practice of signing packages spreads through the distribution and covers all of its repositories (official and others), you can permanently change the check level from Optional to Required, ensuring a higher level of security for your desktop.

Magnun

Graduated in Telecommunication Engineering, but currently working with GNU/Linux infrastructure and in the spare time I'm an Open Source programmer (Python and C), a drawer and author in the Mind Bending Blog.
