Arch Linux enables package digital signature verification by default

    The developers of the Arch Linux distribution have announced that, starting with the pacman 4.0.3-2 package manager release, verification of package provenance by digital signature is enabled by default. Support for verifying package signatures was added to the distribution half a year ago, but until now the feature had not been enabled by default because signing all packages took time.

    This feature makes it possible to guarantee that a package installed from a repository has not been tampered with and arrives exactly as the developers prepared it, which is especially useful when installing packages from arbitrary mirrors. Notably, the patch implementing package signature verification in pacman was first proposed in 2008; finalizing and integrating it, and preparing the supporting infrastructure, took four years.

    After installing the pacman-4.0.3-2 update, the user is prompted to run the following commands:

    pacman-key --init
    pacman-key --populate archlinux

    Running these creates a local keyring and downloads all the keys needed for verification, including the five master public keys used to certify Arch Linux packages. To prevent key substitution during download, the key import step asks the user to compare the fingerprints (hashes) of the keys against those published on the official website. Package verification is controlled by the SigLevel directive in the pacman.conf configuration file.
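    Because signature checking is only as strong as the SigLevel policy in pacman.conf, a quick audit of that file is useful. The following POSIX shell script is an added example (not from the original article or from the pacman project): it runs over a constructed sample config and flags repository sections whose effective package policy is weaker than requiring a trusted signature. It assumes the SigLevel keywords documented in pacman.conf(5) (Never, Optional, Required, TrustAll, TrustedOnly, with optional Package/Database prefixes) and that a section without its own SigLevel inherits the one from [options].

```shell
#!/bin/sh
# Audit SigLevel settings in a pacman.conf and report repository sections
# whose effective package signature policy is weak.
# Assumes POSIX sh and awk; keyword semantics as in pacman.conf(5).

# Constructed sample pacman.conf (not taken from any real system).
SAMPLE_CONF='[options]
SigLevel = Required DatabaseOptional
[core]
Include = /etc/pacman.d/mirrorlist
[extra]
SigLevel = Optional TrustAll
Include = /etc/pacman.d/mirrorlist
[custom]
SigLevel = Never
Server = file:///srv/pkgs
'

# audit_siglevel FILE: prints "section<TAB>status<TAB>policy" for every
# repository section. "Required DatabaseOptional" is reported ok because the
# package policy itself is still Required; only the database check is relaxed.
audit_siglevel() {
  awk '
    /^\[/ { sec = substr($0, 2, length($0) - 2); policy[sec] = ""; order[++n] = sec; next }
    /^[ \t]*SigLevel[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); policy[sec] = $0 }
    END {
      def = policy["options"]                       # global default policy
      for (i = 1; i <= n; i++) {
        s = order[i]; if (s == "options") continue
        p = policy[s]; if (p == "") p = def         # inherit [options] if unset
        status = "ok"
        # Bare or Package-prefixed Never/Optional/TrustAll weaken package checks.
        if (p ~ /(^|[ \t])(Package)?Never([ \t]|$)/)    status = "WEAK"
        if (p ~ /(^|[ \t])(Package)?Optional([ \t]|$)/) status = "WEAK"
        if (p ~ /(^|[ \t])(Package)?TrustAll([ \t]|$)/) status = "WEAK"
        printf "%s\t%s\t%s\n", s, status, p
      }
    }' "$1"
}

# weak_sections FILE: space-separated names of sections flagged WEAK.
weak_sections() {
  audit_siglevel "$1" | awk -F'\t' '$2 == "WEAK" { printf "%s%s", (c++ ? " " : ""), $1 }'
}

# Demonstration on the constructed sample.
conf=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$conf"
audit_siglevel "$conf"
rm -f "$conf"
```

    On the sample, [core] inherits the global Required policy and is reported ok, while [extra] (Optional TrustAll) and [custom] (Never) are flagged.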

    via opennet
