On 31/07/11 11:15, Allan McRae wrote:
I was thinking of how we currently check package validity and had
planned to do something like:
1) signature check
2) md5sum check _only_ if no signature to check
with the intention of adding an sha256sum check in the middle in the
future (perhaps only if pacman is built using openssl to save us having
to provide the routines...).
But as far as I can tell, _alpm_check_pgp_helper does not allow you to
distinguish between a successful signature check and the case where no
signature is available and signature checking is not required. Is that
correct or am I missing something?
It appears that this is an area that needs work anyway...
> pacman -Sw libcups
resolving dependencies...
Targets (1): libcups-1.4.7-3
Total Download Size: 0.00 MiB
Proceed with download? [Y/n]
(1/1) checking package integrity
[######################] 100%
error: failed to commit transaction (invalid or corrupted package
(checksum))
libcups-1.4.7-3-i686.pkg.tar.xz is invalid or corrupted
Errors occurred, no packages were upgraded.
This happened with a lot of packages so it definitely was not a checksum
error...
[12:11:35] debug: using cachedir: /home/arch/pkgcache/i686/
checking package integrity...
[12:11:35] debug: found cached pkg:
/home/arch/pkgcache/i686/libcups-1.4.7-3-i686.pkg.tar.xz
[12:11:35] debug: replacing pkgcache entry with package file for target
libcups
[12:11:35] debug: md5sum: 772cf71cb8abb5afce923ae870130a51
[12:11:35] debug: checking md5sum for
/home/arch/pkgcache/i686/libcups-1.4.7-3-i686.pkg.tar.xz
[12:11:35] debug: base64_sig: (null)
[12:11:35] debug: checking signatures for
/home/arch/pkgcache/i686/libcups-1.4.7-3-i686.pkg.tar.xz
[12:11:35] debug: checking signature for
/home/arch/pkgcache/i686/libcups-1.4.7-3-i686.pkg.tar.xz
[12:11:35] debug: 1 signatures returned
[12:11:35] debug: fingerprint: 976AC6FA3B94FA10
[12:11:35] debug: summary: key missing
[12:11:35] debug: status: No public key
[12:11:35] debug: timestamp: 1311845034
[12:11:35] debug: exp_timestamp: 0
[12:11:35] debug: validity: unknown; reason: Success
[12:11:35] debug: key lookup failed, unknown key
[12:11:35] debug: signature is not valid
[12:11:35] debug: returning error 33 from _alpm_sync_commit : invalid or
corrupted package (checksum)
error: failed to commit transaction (invalid or corrupted package
(checksum))
My cache is essentially a mirror of the repo so has a bunch of signature
files in it. So when I "download" a package from the repos and pacman
finds its signature in the cache, that gets checked. So, that was quite
unexpected for me (but I suppose it is a good thing?). We just need to
fix that error message.
Allan
