ArchThis Forum is for the discussion of Arch Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
According to the wiki around pacman-key, it's part of the package signing everyone's been on about so long (and so fiercly) - you run in once to generate the keys of the developers, that's what pacman will use to check the packages.
As far as I (still an apprentice Linuxean myself) understand.
MD5 relies on an extenal factor, pacman-key is arch-centric, hence internal...
Pacman (and Arch in general) did'nt have package signing - sniff around (dont ask, you'll just stir things up for the worse, believe me, just do a search for IgnorantGuru on the Arch forum...) the forum for the discussions.
Every developer has his/her key now. It may well be a good idea to check out Alan's blog on this.
Before signing, it was a risky bizz to do an update. There were packages, but...were they legit? What if the server was hacked? One tool was (and is) paccheck, you run it before updating to see if any of the tested servers was compromised or not. If it was safe, an update could be "attempted"...with signing, one more level of security is around.
Why the current (PGP I think) method was chosen and not MD5...may be a question for the developers...but be warned, they can be a grumpy lot
As far as MD5 not being used, it was because the md5sums are d/l'd from the server you're retrieving the packages from, so if the server was compromised, you would never know. MD5 is more to check if the packages were corrupted via transfer as opposed to indicate legitimate packages.
Just speaking to the practical usage (and not the politics):
An MD5 digest of a file allows you to confirm a file was not tampered with.
Thus:
Alice provides a file for downloading
Alice also provides an MD5 digest for viewing / verifying the file
When Mallory replaces the file, the MD5 digest doesn't match, and you're not suckered into using a corrupted download
The problem is Mallory can defeat the whole system by replacing both the file and the MD5 digest of the file. That's where crypto signatures come into play. The developer is able to sign the MD5 digest with his private key, and you're able to verify the signature with the corresponding public key.
To revisit the above scenario:
Alice provides a file for downloading
Alice also provides a digitally signed MD5 digest for viewing / verifying the file
When Mallory replaces the file, the MD5 digest doesn't match, and you're not suckered into using a corrupted download
When Mallory replaces the file and the MD5 digest, the signature check using the public key fails, and you're not suckered into using a corrupted download
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.