Start by reading these pages to get a background notion of what we are going to do.
We want to sign our packages with our personal and unique key so that pacman can verify beyond doubt that a particular package was created by one particular person and that nobody has tampered with it along the way.
https://wiki.archlinux.org/index.php/GnuPG
https://wiki.archlinux.org/index.php/Pacman/Package_signing
http://allanmcrae.com/2011/08/pacman-package-signing-2-pacman-key/
https://wiki.archlinux.org/index.php/DeveloperWiki:Package_Signing_Proposal_for_Pacman
Creating your key
Let us create your personal and unique key to sign the packages.
To keep track of what our commands create, we make the hidden folder (if it is not there yet) and work inside it.
Create a folder ~/.gnupg and go inside the folder with the file manager.
Open a terminal inside this folder. It avoids issues later.
gpg --full-generate-key
[erik@erik-systemproductname .gnupg]$ gpg --full-generate-key
gpg: WARNING: unsafe permissions on homedir '/home/erik/.gnupg'
gpg (GnuPG) 2.2.23; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: keybox '/home/erik/.gnupg/pubring.kbx' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection?
1
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)
3072 or Enter
What keysize do you want? (3072)
Requested keysize is 3072 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
2y
Key is valid for? (0) 2y
Key expires at Thu 08 Sep 2022 05:04:52 PM CEST
Is this correct? (y/N)
y
Real name:
Real name: Carli ArcoLinuxIso
Email address:
Email address: carli.arcolinuxiso@gmail.com
Comment:
Comment: keep it empty
Comment:
You selected this USER-ID:
"Carli ArcoLinuxIso <carli.arcolinuxiso@gmail.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
O
POPUP
Time to create a good passphrase. Let a password generator create one for you, 40+ characters, and keep it safe in a password manager (LastPass, Bitwarden, etc.).
UNIQUE password
DIFFICULT password
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/erik/.gnupg/trustdb.gpg: trustdb created
gpg: key E13A47BF81B58F54 marked as ultimately trusted
gpg: directory '/home/erik/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/erik/.gnupg/openpgp-revocs.d/829DF32D2248FED319A2E897644ADFD9A385A8A9.rev'
public and secret key created and signed.
pub rsa3072 2020-09-08 [SC] [expires: 2022-09-08]
3B85F0222B8469E2BF2C20EBE13A47BF81B58F54
uid Carli ArcoLinuxIso <carli.arcolinuxiso@gmail.com>
sub rsa3072 2020-09-08 [E] [expires: 2022-09-08]
Time to take a look at the content of your ~/.gnupg folder.
Let us check our work.
gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2022-09-08
/home/erik/.gnupg/pubring.kbx
-----------------------------
pub rsa3072 2020-09-08 [SC] [expires: 2022-09-08]
3B85F0222B8469E2BF2C20EBE13A47BF81B58F54
uid [ultimate] Carli ArcoLinuxIso <carli.arcolinuxiso@gmail.com>
sub rsa3072 2020-09-08 [E] [expires: 2022-09-08]
Let us create a revoking certificate
gpg --gen-revoke --armor --output=revocation_certificate.asc short or long key
gpg --gen-revoke --armor --output=revocation_certificate.asc 3B85F0222B8469E2BF2C20EBE13A47BF81B58F54
sec rsa3072/E13A47BF81B58F54 2020-09-08 Carli ArcoLinuxIso <carli.arcolinuxiso@gmail.com>
Create a revocation certificate for this key? (y/N)
y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision?
3
Enter an optional description; end it with an empty line:
>
empty
Reason for revocation: Key is no longer used
(No description given)
Is this okay? (y/N)
y
POPUP
Please enter the passphrase to unlock the openpgp secret keys.
That is the unique and difficult password you have stored away safely.
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
If we want to share this key with others we have to export the public part of it into a file, here called public.key.
gpg --output public.key --armor --export followed by the email address or the real name of the key. You can also press TAB after --export to complete the name.
gpg --output public.key --armor --export carli.arcolinuxiso@gmail.com
Let us send our key to the keyserver. So that others can find it too.
gpg --send-keys short key or long key
gpg --send-keys 3B85F0222B8469E2BF2C20EBE13A47BF81B58F54
[erik@erik-systemproductname .gnupg]$ gpg --send-keys 3B85F0222B8469E2BF2C20EBE13A47BF81B58F54
gpg: sending key E13A47BF81B58F54 to hkps://hkps.pool.sks-keyservers.net
gpg: keyserver send failed: Server indicated a failure
gpg: keyserver send failed: Server indicated a failure
This either works on your end or it does not. In my case my internet service provider gives me trouble and I need another solution.
Solution for me
Create a file in ~/.gnupg called gpg.conf with content
no-greeting
no-permission-warning
lock-never
keyserver-options timeout=10
keyserver-options import-clean
keyserver-options no-self-sigs-only
keyserver hkp://pool.sks-keyservers.net:80
keyserver hkps://hkps.pool.sks-keyservers.net:443
keyserver hkp://ipv4.pool.sks-keyservers.net:11371
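Two of the lines in this gpg.conf, no-permission-warning and lock-never, silence warnings rather than remove their cause; the first one hides the "unsafe permissions on homedir" warning that appeared when the key was generated. The proper fix is to make ~/.gnupg readable by its owner only, so that other local users cannot get at the secret key and the revocation certificate. The script below is an added example, not part of the tutorial: it reports and repairs the modes gpg expects (700 for the directory and its subdirectories, 600 for the files inside). The directory is a parameter so the script can be tried on a scratch folder first; it defaults to ~/.gnupg.

```shell
#!/bin/sh
# Added example, not from the tutorial: repair the permissions that make gpg
# print "WARNING: unsafe permissions on homedir", instead of hiding the
# warning with no-permission-warning in gpg.conf.

# Return 0 when the homedir ($1, default ~/.gnupg) already has owner-only
# permissions everywhere, 1 otherwise. Sockets such as S.gpg-agent are
# skipped on purpose: only directories and regular files are inspected.
gnupg_perms_ok() {
    homedir="${1:-$HOME/.gnupg}"
    [ -d "$homedir" ] || return 1
    [ "$(stat -c %a "$homedir")" = "700" ] || return 1
    [ -z "$(find "$homedir" -mindepth 1 -type d ! -perm 700)" ] || return 1
    [ -z "$(find "$homedir" -type f ! -perm 600)" ] || return 1
}

# Print every entry whose mode is wrong and fix it. The directory itself and
# its subdirectories (openpgp-revocs.d, private-keys-v1.d, ...) become 700,
# regular files (gpg.conf, pubring.kbx, trustdb.gpg, ...) become 600.
fix_gnupg_perms() {
    homedir="${1:-$HOME/.gnupg}"
    [ -d "$homedir" ] || { echo "no such directory: $homedir" >&2; return 1; }

    mode=$(stat -c %a "$homedir")
    if [ "$mode" != "700" ]; then
        echo "fixing $homedir ($mode -> 700)"
        chmod 700 "$homedir"
    fi
    # -print lists each offending entry before -exec changes it.
    find "$homedir" -mindepth 1 -type d ! -perm 700 -print -exec chmod 700 {} +
    find "$homedir" -type f ! -perm 600 -print -exec chmod 600 {} +

    gnupg_perms_ok "$homedir"
}

# Stand-alone use: ./fix-gnupg-perms.sh [directory]
# Run only when a directory is given, so sourcing the file has no side effect.
if [ $# -gt 0 ]; then
    fix_gnupg_perms "$1"
fi
```

After running it against ~/.gnupg the warning disappears on its own, and the no-permission-warning line can be dropped from gpg.conf. lock-never is unrelated to permissions: it disables the lock files gpg uses to protect its databases from concurrent writers, which is only safe when nothing else touches the keyring at the same time.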
Now we try our command again.
gpg --send-keys 3B85F0222B8469E2BF2C20EBE13A47BF81B58F54
[erik@erik-systemproductname .gnupg]$ gpg --send-keys 3B85F0222B8469E2BF2C20EBE13A47BF81B58F54
gpg: sending key E13A47BF81B58F54 to hkp://ipv4.pool.sks-keyservers.net:11371
or
gpg --keyserver hkp://ipv4.pool.sks-keyservers.net:11371 --send-keys 3B85F0222B8469E2BF2C20EBE13A47BF81B58F54
no error
Other option
Put your public.key on the website manually by copy/pasting the content of the public.key into the browser.
http://ipv4.pool.sks-keyservers.net/
Click on SUBMIT KEY.
Then copy/paste the content of your public.key in there and submit your key.
In all likelihood you will have to wait a few hours or even days before your key can be found again via the search.
After some time anyone can receive your key from the servers.
It might be a good idea to continue this project the next day, once the keys have propagated to all keyservers.
gpg --recv-keys short key or long key
gpg --recv-keys E13A47BF81B58F54
[erik@erik-systemproductname .gnupg]$ gpg --recv-keys E13A47BF81B58F54
gpg: key E13A47BF81B58F54: "Carli ArcoLinuxIso <carli.arcolinuxiso@gmail.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
Building packages
That was just a key.
If you want to build packages and sign them with this key, more steps are needed.
Now edit /etc/makepkg.conf and set GPGKEY to your key ID: GPGKEY="E13A47BF81B58F54"
Do change the PACKAGER too. You are not John Doe.
Use your real name and real mail.
When you start building packages this key will be used. The process will ask you for the difficult and unique passphrase when you do your first build.
Store it on your system for convenience's sake.
Pacman needs to know your key
If the key is present on the keyserver, this command or something similar will get the key from the server. Timing is an issue here: it can take a while before the key you put on the keyserver can be fetched again.
sudo pacman-key --recv-keys E13A47BF81B58F54 --keyserver hkp://ipv4.pool.sks-keyservers.net:11371
It did not work during the tutorial. Probably too soon.
We let pacman know what key it can trust with this command.
sudo pacman-key --lsign-key short key or long key
sudo pacman-key --lsign-key E13A47BF81B58F54
[erik@erik-systemproductname ~]$ sudo pacman-key --lsign-key E13A47BF81B58F54
  -> Locally signing key E13A47BF81B58F54...
==> Updating trust database...
gpg: key 1EB2638FF56C0C53: no user ID for key signature packet of class 10
gpg: key 1EB2638FF56C0C53: no user ID for key signature packet of class 10
…
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: key 786C63F330D7CB92: no user ID for key signature packet of class 10
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 8 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 8 signed: 80 trust: 2-, 0q, 0n, 6m, 0f, 0u
gpg: depth: 2 valid: 77 signed: 25 trust: 77-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2021-01-01
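The key was created with a two-year expiry, and the GPGKEY in /etc/makepkg.conf points at it. Once the key expires, makepkg can no longer sign and pacman rejects every signature made with it, so it pays to check the setup before building. The script below is an added example, not code from the tutorial or from Arch: it reads GPGKEY from a makepkg.conf, finds that key in the machine-readable listing that gpg --list-keys --with-colons prints, and reports how many days are left. The sample makepkg.conf excerpt and the sample listing are constructed to mirror the tutorial's key; the epoch timestamps in the listing approximate its 2020-09-08 and 2022-09-08 dates and are not real output.

```shell
#!/bin/sh
# Added example, not from the tutorial: verify that the makepkg signing key
# exists in the keyring and is not about to expire.

# Print the key id set as GPGKEY="..." in the makepkg.conf given as $1.
# Commented-out lines (#GPGKEY="") are ignored; the last assignment wins.
makepkg_gpgkey() {
    sed -n 's/^GPGKEY="\([0-9A-Fa-f]*\)".*/\1/p' "$1" | tail -n 1
}

# Read a `gpg --list-keys --with-colons` listing on stdin and print the
# expiry (epoch seconds, or "never") of the pub record for key $1. In that
# format field 5 is the 16-digit long key id and field 7 the expiry. $1 may
# be the long id or the 40-digit fingerprint, which ends with the long id.
key_expiry_epoch() {
    awk -F: -v want="$(printf %s "$1" | tr 'a-f' 'A-F')" '
        $1 == "pub" {
            id = toupper($5)
            if (substr(want, length(want) - length(id) + 1) == id) {
                print ($7 == "" ? "never" : $7)
                exit
            }
        }'
}

# Whole days from $2 (epoch, default: now) until the expiry epoch $1.
key_days_left() {
    expiry="$1"; now="${2:-$(date +%s)}"
    [ "$expiry" = "never" ] && { echo never; return 0; }
    echo $(( (expiry - now) / 86400 ))
}

# Exit status: 0 = key usable, 1 = GPGKEY unset or key not in the keyring,
# 2 = expired or expiring within 30 days (extend it with gpg --edit-key).
# $1 = makepkg.conf, $2 = file holding the colon listing, $3 = "now" epoch.
check_signing_key() {
    conf="$1"; listing="$2"; now="${3:-$(date +%s)}"
    keyid=$(makepkg_gpgkey "$conf")
    [ -n "$keyid" ] || { echo "GPGKEY is not set in $conf" >&2; return 1; }
    expiry=$(key_expiry_epoch "$keyid" < "$listing")
    [ -n "$expiry" ] || { echo "key $keyid not found in keyring" >&2; return 1; }
    days=$(key_days_left "$expiry" "$now")
    [ "$days" = "never" ] && { echo "key $keyid never expires"; return 0; }
    echo "key $keyid expires in $days day(s)"
    [ "$days" -gt 30 ] || return 2
}

# Constructed sample inputs (not real files): a makepkg.conf excerpt and a
# colon listing for the tutorial's key, with timestamps approximating
# 2020-09-08 15:04:52 UTC and 2022-09-08 15:04:52 UTC.
SAMPLE_CONF=$(mktemp); SAMPLE_LISTING=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
PACKAGER="Carli ArcoLinuxIso <carli.arcolinuxiso@gmail.com>"
GPGKEY="E13A47BF81B58F54"
EOF
cat > "$SAMPLE_LISTING" <<'EOF'
pub:u:3072:1:E13A47BF81B58F54:1599577492:1662649492::u:::scESC::::::23::0:
fpr:::::::::3B85F0222B8469E2BF2C20EBE13A47BF81B58F54:
uid:u::::1599577492::PLACEHOLDERHASH::Carli ArcoLinuxIso <carli.arcolinuxiso@gmail.com>::::::::::0:
EOF

# Stand-alone demo, evaluated as of 2022-01-01 00:00 UTC (epoch 1640995200).
# Real use: gpg --list-keys --with-colons > keys.txt
#           check_signing_key /etc/makepkg.conf keys.txt
check_signing_key "$SAMPLE_CONF" "$SAMPLE_LISTING" 1640995200
```

The same check works for pacman's own keyring by listing it with gpg --homedir /etc/pacman.d/gnupg --list-keys --with-colons (as root), which is where pacman-key --lsign-key put the locally signed copy of the key.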
You can also add these lines to your /etc/pacman.d/gnupg/gpg.conf if you have issues with the servers.
no-greeting
no-permission-warning
lock-never
keyserver-options timeout=10
keyserver-options import-clean
keyserver-options no-self-sigs-only
keyserver hkp://pool.sks-keyservers.net:80
keyserver hkps://hkps.pool.sks-keyservers.net:443
keyserver hkp://ipv4.pool.sks-keyservers.net:11371
Create your own keyring for pacman.
We can add our public key to a your-keyring package, so that pacman can update it with ease. That is more a packaging topic and is left for a separate tutorial.