On 17.08.2013 17:27, Zbigniew Jędrzejewski-Szmek wrote:
> Hi,
>
> I was trying to get the arch installation example in systemd-spawn
> to work on Fedora. My intent is to package pacman and pacstrap for
> Fedora, to make it easy to play with distributions. Fedora already
> has alien and dpkg/apt-get, so adding pacman seems kind of nice.
>
> The packaging process is going well, but the installation is not
> as easy, because of gpg key issues. It's possible that I made some
> error, I tried both to add SigLevel=TrustAll in (host's) /etc/pacman.conf,
> and to import gpg keys with 'pacman-key --populate archlinux'.
> The second solution didn't seem to work, and both have downsides:
> - disabling checking is bad because of security issues,
>   and it also seems to mess up the trust database inside the container,
> - importing the trust database in the host (assuming that I'd get it
>   to work), would require either also packaging the keys for Fedora,
>   or telling the user to trust keys blindly and download them from
>   the internet...

pacstrap assumes that you have a working key database on the host (which
is the case for our live CD and bootstrap tarball). To work around that,
you need to

1) set up a keyring in /instroot/etc/pacman.d/gnupg
2) call pacstrap with the -G option

This will set up a keyring in /instroot without the need for one in the
host. For 1), simply run

  pacman-key --gpgdir /instroot/etc/pacman.d/gnupg --init
  pacman-key --gpgdir /instroot/etc/pacman.d/gnupg --populate archlinux

For that, you must have the keyring available in
/usr/share/pacman/keyrings/. Get the keyring from
https://projects.archlinux.org/archlinux-keyring.git/ - you need the
archlinux.gpg, archlinux-revoked and archlinux-trusted files.

The only thing that is critical for security is the archlinux-trusted
file - the fingerprints in there must match the ones from
https://www.archlinux.org/master-keys/. The rest of the files are just
there for convenience.

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
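
The fingerprint check described in the reply above, as an added example that is not part of the original mail or of pacman's own scripts: it compares archlinux-trusted with a list of fingerprints copied by hand from the master-keys page, and only then runs the pacman-key and pacstrap commands from the mail. The FINGERPRINT:TRUSTLEVEL: line format, the expected-fingerprints file and all function names are assumptions.

```sh
#!/bin/sh
# Added example, not from the original mail. Assumption: every line of
# archlinux-trusted has the form FINGERPRINT:TRUSTLEVEL: and the expected file
# holds one fingerprint per line, copied by hand from the master-keys page,
# e.g. (constructed value): 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567

# Print the fingerprints in file $1: first ':' field, spaces removed, upper case.
normalize_fprs() {
    sed -e 's/#.*//' -e 's/:.*//' "$1" | tr -d ' \t\r' | tr 'a-f' 'A-F' |
        grep -v '^$' | sort -u
}

# Return 0 only if both files name the same set of 40-hex-digit fingerprints.
check_trusted() {
    t=$(normalize_fprs "$1")
    e=$(normalize_fprs "$2")
    if [ -z "$t" ] || [ -z "$e" ]; then
        echo "empty or unreadable fingerprint list" >&2; return 1
    fi
    if printf '%s\n' "$t" "$e" | grep -Evq '^[0-9A-F]{40}$'; then
        echo "malformed fingerprint line" >&2; return 1
    fi
    [ "$t" = "$e" ] && return 0
    for f in $t; do
        printf '%s\n' "$e" | grep -qx "$f" || echo "not a master key: $f" >&2
    done
    for f in $e; do
        printf '%s\n' "$t" | grep -qx "$f" || echo "missing from keyring: $f" >&2
    done
    return 1
}

# Populate the keyring inside the install root only after the check passes,
# then run pacstrap with -G as described in the mail.
setup_instroot_keyring() {
    root=$1 expected=$2
    check_trusted /usr/share/pacman/keyrings/archlinux-trusted "$expected" || return 1
    pacman-key --gpgdir "$root/etc/pacman.d/gnupg" --init &&
    pacman-key --gpgdir "$root/etc/pacman.d/gnupg" --populate archlinux &&
    pacstrap -G "$root"
}

# Usage: sh this-script /instroot expected-fingerprints.txt
if [ $# -eq 2 ]; then setup_instroot_keyring "$1" "$2"; fi
```

The comparison is exact in both directions: an extra entry in archlinux-trusted fails the check just as a missing one does, so a keyring checkout with an added trusted key is rejected before pacman-key imports it.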