LinuxQuestions.org
Arch: This forum is for the discussion of Arch Linux.
Old 02-25-2012, 11:35 AM   #1
Mr. Alex
Senior Member
 
Registered: May 2010
Distribution: Arch + X.org + IceWM
Posts: 1,197

Why do we need pacman-key if pacman checks md5?


Isn't MD5 a guarantee?
 
Old 02-26-2012, 04:36 AM   #2
Thor_2.0
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,203
Blog Entries: 23

According to the wiki around pacman-key, it's part of the package signing everyone's been on about so long (and so fiercely) - you run it once to generate the keys of the developers, that's what pacman will use to check the packages.

As far as I (still an apprentice Linuxean myself) understand.

MD5 relies on an external factor, pacman-key is Arch-centric, hence internal...

Thor
 
Old 02-26-2012, 09:05 AM   #3
Mr. Alex
Senior Member
 
Registered: May 2010
Distribution: Arch + X.org + IceWM
Posts: 1,197

Original Poster
It still doesn't make me understand why I need it. What does it give me that I didn't have before?
 
Old 02-26-2012, 09:26 AM   #4
Thor_2.0
Senior Member
 
Registered: Nov 2007
Location: Somewhere on my hard drive...
Distribution: Manjaro
Posts: 2,203
Blog Entries: 23

Pacman (and Arch in general) didn't have package signing - sniff around the forum for the discussions (don't ask, you'll just stir things up for the worse, believe me, just do a search for IgnorantGuru on the Arch forum...).

Every developer has his/her key now. It may well be a good idea to check out Alan's blog on this.

Before signing, it was a risky business to do an update. There were packages, but...were they legit? What if the server was hacked? One tool was (and is) paccheck, you run it before updating to see if any of the tested servers was compromised or not. If it was safe, an update could be "attempted"...with signing, one more level of security is around.

Why the current (PGP I think) method was chosen and not MD5...may be a question for the developers...but be warned, they can be a grumpy lot.

Thor
 
Old 03-09-2012, 01:51 PM   #5
SilentSam
Member
 
Registered: Aug 2007
Location: Ottawa
Distribution: Arch Linux/Kubuntu/OpenSUSE
Posts: 287

Personally I just disable PGP-checking...

in pacman.conf:
Code:
SigLevel = Never
As for MD5 not being used, it was because the md5sums are downloaded from the server you're retrieving the packages from, so if the server was compromised, you would never know. MD5 is more to check if the packages were corrupted via transfer as opposed to indicating legitimate packages.

Last edited by SilentSam; 03-09-2012 at 01:53 PM.
 
Old 03-09-2012, 05:05 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Quote:
Originally Posted by Mr. Alex
Isn't MD5 a guarantee?
Just speaking to the practical usage (and not the politics):

An MD5 digest of a file allows you to confirm a file was not tampered with.

Thus:
  1. Alice provides a file for downloading
  2. Alice also provides an MD5 digest for viewing / verifying the file
  3. When Mallory replaces the file, the MD5 digest doesn't match, and you're not suckered into using a corrupted download

The problem is Mallory can defeat the whole system by replacing both the file and the MD5 digest of the file. That's where crypto signatures come into play. The developer is able to sign the MD5 digest with his private key, and you're able to verify the signature with the corresponding public key.

To revisit the above scenario:
  1. Alice provides a file for downloading
  2. Alice also provides a digitally signed MD5 digest for viewing / verifying the file
  3. When Mallory replaces the file, the MD5 digest doesn't match, and you're not suckered into using a corrupted download
  4. When Mallory replaces the file and the MD5 digest, the signature check using the public key fails, and you're not suckered into using a corrupted download
 
2 members found this post helpful.
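Here is the Alice/Mallory scenario from post #6 (and the "md5sums come from the same mirror" point from post #5) worked through in code. This is an added example, not code from the thread or from pacman itself. It models a mirror as a dict holding the package, its digest and a signature over the digest, and runs the two client checks (digest only, versus digest plus signature under a key fetched out of band, which is what pacman-key's keyring provides) against four mirror states. The signature scheme is a Lamport one-time signature built on SHA-256, chosen so the example needs only the Python standard library; it stands in for the OpenPGP signatures pacman actually verifies, and SHA-256 stands in for MD5 since the construction is the point, not the hash. Package bytes, names and keys are all constructed here.

```python
"""Added example: why a signed digest catches a mirror compromise that a bare
digest cannot. Lamport one-time signatures stand in for OpenPGP; all data is
constructed inline. Not pacman's code."""
import hashlib
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(message: bytes):
    """The 256 bits of SHA-256(message), most significant bit first."""
    d = sha256(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_keygen():
    # Private key: 256 pairs of random 32-byte preimages.
    # Public key: the SHA-256 of each preimage. Only the public key leaves Alice.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, message: bytes):
    # For each bit of the message digest, reveal the preimage for that bit's value.
    # One-time scheme: signing two different messages with one key enables forgery.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(message))]


def lamport_verify(pk, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    return all(sha256(signature[i]) == pk[i][bit]
               for i, bit in enumerate(digest_bits(message)))


def publish(sk, package: bytes) -> dict:
    """What the signer uploads to a mirror: package, digest, signature over the digest."""
    digest = hashlib.sha256(package).hexdigest().encode()
    return {"package": package, "digest": digest, "sig": lamport_sign(sk, digest)}


def client_checks_digest_only(served: dict) -> bool:
    """Pre-signing check: compare the package to a digest fetched from the same
    mirror. Whoever controls the mirror controls both values."""
    return hashlib.sha256(served["package"]).hexdigest().encode() == served["digest"]


def client_checks_signature(trusted_pk, served: dict) -> bool:
    """pacman-key style check: digest must match AND carry a valid signature under
    a public key the client obtained out of band, not from the mirror."""
    return (client_checks_digest_only(served)
            and lamport_verify(trusted_pk, served["digest"], served["sig"]))


def run_scenarios() -> dict:
    """Return {scenario: (digest_only_accepts, signed_check_accepts)}."""
    alice_sk, alice_pk = lamport_keygen()          # Alice = the package signer
    mallory_sk, _ = lamport_keygen()               # Mallory = whoever owns the mirror
    genuine = publish(alice_sk, b"pkg: example-1.0-1 (constructed sample)")
    backdoored = b"pkg: example-1.0-1 plus backdoor (constructed sample)"

    scenarios = {
        "honest mirror": genuine,
        # Mallory swaps the package but leaves Alice's digest in place.
        "file replaced": dict(genuine, package=backdoored),
        # Mallory swaps the package and regenerates the digest so it matches.
        "file and digest replaced": dict(
            genuine, package=backdoored,
            digest=hashlib.sha256(backdoored).hexdigest().encode()),
        # Mallory also re-signs the new digest, but only with her own key.
        "file, digest and signature replaced": publish(mallory_sk, backdoored),
    }
    return {name: (client_checks_digest_only(s), client_checks_signature(alice_pk, s))
            for name, s in scenarios.items()}


if __name__ == "__main__":
    for name, (digest_ok, sig_ok) in run_scenarios().items():
        verdict = lambda ok: "accept" if ok else "reject"
        print(f"{name:38s} digest-only: {verdict(digest_ok):6s}  signed: {verdict(sig_ok)}")
```

The two cases that matter are the last two: once Mallory regenerates the digest, the digest-only client accepts the backdoored package, and re-signing does not help her because the client compares against Alice's key, not against whatever key the mirror offers. That out-of-band key distribution is the part pacman-key does; the signature check is only as good as the keyring it is checked against.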