
In Arch Linux, digital signature verification is enabled by default.

The Arch Linux developers have announced that, starting with the pacman 4.0.3-2 release of the package manager, verification of package sources by digital signature is enabled by default. Support for checking package signatures was added to the distribution six months ago, but until now the feature was left off by default because signing every package in the repositories took time to complete.

This feature lets the user confirm that a package installed from a repository has not been tampered with and arrives in exactly the form the developers originally built, which is especially useful when installing from arbitrary mirrors. Notably, the patch implementing package signature verification in pacman was first submitted in 2008; finishing and integrating it, and preparing the supporting infrastructure, took four years.

After installing the update to pacman-4.0.3-2, the user will be prompted to run the commands:

    pacman-key --init
    pacman-key --populate archlinux

after which the local keyring is created and all the keys needed for verification are loaded, including the five master public keys used to attest the validity of Arch Linux packages. To prevent key substitution during the download, the import process prompts the user to compare the key hashes against those published on the official website. Package verification is controlled through the SigLevel directive in the pacman.conf configuration file.
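The SigLevel directive can be set globally in the [options] section and overridden per repository, so a single weak repository entry can silently disable verification for packages from that source. The following POSIX shell script is an added example, not code from the article or from the pacman project: it parses a constructed sample pacman.conf embedded inline, reports the SigLevel that applies to each repository, and flags repositories whose effective setting contains Never or TrustAll. It assumes, as documented for pacman.conf, that a repository's own SigLevel replaces the global one when present; the sample file contents and the [custom] repository are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample pacman.conf (not taken from any real system): a strict
# global SigLevel plus a per-repository override that turns verification off.
SAMPLE_CONF=$(cat <<'EOF'
[options]
HoldPkg     = pacman glibc
SigLevel    = Required DatabaseOptional

[core]
Include = /etc/pacman.d/mirrorlist

[extra]
Include = /etc/pacman.d/mirrorlist

[custom]
SigLevel = Never
Server = file:///home/custompkgs
EOF
)

# Print "repo<TAB>effective SigLevel" for every repository section.
# Assumption: a repository-level SigLevel replaces the [options] value;
# a repository without its own SigLevel inherits the global one.
effective_siglevels() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ {
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            cur = sec
            if (sec != "options") order[++n] = sec
            next
        }
        /^[ \t]*SigLevel[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)   # keep only the value after "="
            sub(/[ \t]*$/, "", v)         # drop trailing whitespace
            if (cur == "options") glob = v; else lvl[cur] = v
        }
        END {
            # If [options] sets nothing, pacman applies its built-in default;
            # report that as <unset> rather than guessing the default here.
            if (glob == "") glob = "<unset>"
            for (i = 1; i <= n; i++) {
                s = order[i]
                print s "\t" ((s in lvl) ? lvl[s] : glob)
            }
        }'
}

# Print the names of repositories whose effective SigLevel disables
# signature checking (Never) or accepts any key regardless of trust
# (TrustAll), including the Package-/Database-prefixed forms.
weak_siglevel_repos() {
    effective_siglevels "$1" | awk -F'\t' '
        tolower($2) ~ /(^|[ \t])(package|database)?(never|trustall)([ \t]|$)/ { print $1 }'
}

# Stand-alone run: show the per-repository report, then the weak entries.
effective_siglevels "$SAMPLE_CONF"
echo "--- repositories with weak SigLevel ---"
weak_siglevel_repos "$SAMPLE_CONF"
```

Run against a real system by replacing the constructed sample with the contents of /etc/pacman.conf (for example, `weak_siglevel_repos "$(cat /etc/pacman.conf)"`); any repository the script lists is one whose packages pacman will install without the signature check the article describes.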
via opennet

Source: https://habr.com/ru/post/145230/
