pacman-key

To determine if packages are authentic, pacman uses GnuPG keys in a web of trust model. The current Master Signing Keys are found To Be added later. At least three of these Master Signing Keys are used to sign each of the Developers' and Trusted Users' own keys, which in turn are used to sign their packages. The user also has a unique PGP key which is generated when you set up pacman-key. So the web of trust links the user's key to the Master Keys.

Examples of webs of trust:

  • Custom packages: You made the package yourself and signed it with your own key.
  • Unofficial packages: A developer made the package and signed it. You used your key to sign that developer's key.
  • Official packages: A developer made the package and signed it. The developer's key was signed by the Arch Linux master keys. You used your key to sign the master keys, and you trust them to vouch for developers.

Initializing the keyring

To set up the pacman keyring use:

# pacman-key --init

For this initialization, entropy is required. Moving your mouse around, pressing random characters at the keyboard or running some disk-based activity (for example in another console running ls -R / or find / -name foo or dd if=/dev/sda8 of=/dev/tty7) should generate entropy. If your system does not already have sufficient entropy, this step may take hours; if you actively generate entropy, it will complete much more quickly.

The randomness created is used to set up a keyring (/etc/pacman.d/gnupg) and the GPG signing key of your system.

Managing the keyring

Verifying the master keys

The initial setup of keys is achieved using:

# pacman-key --populate archlinux

Take time to verify the Master Signing Keys when prompted, as these are used to co-sign (and therefore trust) all other packagers' keys.

PGP keys are too large (2048 bits or more) for humans to work with, so they are usually hashed to create a 40-hex-digit fingerprint which can be used to check by hand that two keys are the same. The last eight digits of the fingerprint serve as a name for the key known as the '(short) key ID' (the last sixteen digits of the fingerprint would be the 'long key ID').

Adding developer keys

The official developer and Trusted User (TU) keys are signed by the master keys, so you do not need to use pacman-key to sign them yourself. Whenever pacman encounters a key it does not recognize, it will prompt to download it from a keyserver configured in /etc/pacman.d/gnupg/gpg.conf (or by using the --keyserver option on the command line). Wikipedia maintains a list of keyservers.

Once you have downloaded a developer key, you will not have to download it again, and it can be used to verify any other packages signed by that developer.

Note:

The archlabs-keyring package, which is a dependency of pacman, contains the latest keys. However, keys can also be updated manually using pacman-key --refresh-keys (as root). While doing --refresh-keys, your local key will also be looked up on the remote keyserver, and you will receive a message about it not being found. This is nothing to be concerned about.

Adding unofficial keys

This method can be used, for example, to add your own key to the pacman keyring, or to enable signed unofficial user repositories.

First, get the key ID (keyid) from its owner. Then add it to the keyring using one of the two methods:

  1. If the key is found on a keyserver, import it with:
     # pacman-key --recv-keys keyid

  2. If otherwise a link to a keyfile is provided, download it and then run:
     # pacman-key --add /path/to/downloaded/keyfile

It is recommended to verify the fingerprint, as with any master key or any other key you are going to sign:

$ pacman-key --finger keyid

Finally, you must locally sign the imported key:

# pacman-key --lsign-key keyid

You now trust this key to sign packages.
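The import, fingerprint check and local signing above, scripted so that --lsign-key only runs when the fingerprint matches the one the key owner gave you. This is an added example, not part of the wiki page or of pacman-key itself: the helper names are invented, and the sample fingerprint and --finger listing are constructed (they belong to no real key).

```shell
# Added example, not from the wiki: verify a fingerprint before --lsign-key.
# Helper names are invented; the sample fingerprint is constructed, not a real key.

# Normalize a fingerprint: drop spaces/colons, uppercase, require 40 hex digits.
normalize_fpr() {
    local fpr
    fpr=$(printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]')
    case "$fpr" in *[!0-9A-F]*) return 1 ;; esac
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$fpr"
}

# Long key ID = last 16 hex digits of the fingerprint; short key ID = last 8.
long_keyid()  { local f; f=$(normalize_fpr "$1") || return 1; printf '%s\n' "$f" | cut -c25-; }
short_keyid() { local f; f=$(normalize_fpr "$1") || return 1; printf '%s\n' "$f" | cut -c33-; }

# Does the output of `pacman-key --finger keyid` contain the expected fingerprint?
# Spaces are stripped first, so gpg's grouped-by-four layout matches too.
fingerprint_in_output() {
    local expected output
    expected=$(normalize_fpr "$1") || return 1
    output=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    case "$output" in *"$expected"*) return 0 ;; *) return 1 ;; esac
}

# Import from the configured keyserver, then lsign only on a fingerprint match.
# Calls the real pacman-key commands from the text, so it must run as root.
import_verified_key() {
    local expected="$1" kid
    kid=$(long_keyid "$expected") || { echo "malformed fingerprint" >&2; return 1; }
    pacman-key --recv-keys "$kid" || return 1
    if fingerprint_in_output "$expected" "$(pacman-key --finger "$kid")"; then
        pacman-key --lsign-key "$kid"
    else
        echo "fingerprint mismatch for $kid; refusing to lsign" >&2
        return 1
    fi
}

# Constructed sample: the fingerprint the key owner gave you, and a --finger
# listing laid out the way gpg prints it (groups of four, extra gap mid-line).
SAMPLE_FPR="A1B2 C3D4 E5F6 0718 2930 4A5B 6C7D 8E9F A0B1 C2D3"
SAMPLE_FINGER_OUTPUT="pub   rsa4096 2020-01-01 [SC]
      A1B2 C3D4 E5F6 0718 2930  4A5B 6C7D 8E9F A0B1 C2D3
uid           [ full ] Example Packager <packager@example.org>"
```

Run `import_verified_key "<fingerprint from the key owner>"` as root to perform the whole procedure; a mismatch leaves the key imported but unsigned, so pacman will still refuse packages signed with it.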


1. Content is provided under the GNU Free Documentation License 1.3 or later unless otherwise noted.
