[systemd-devel] arch bootstrapping

William Giokas 1007380 at gmail.com
Sat Aug 17 12:50:01 PDT 2013


On Sat, Aug 17, 2013 at 05:44:27PM +0200, Daniel Buch wrote:
> I run with SigLevel = Required DatabaseOptional. And I guess that's
> recommended. Have you tried pacman-key --init before you --populate
> archlinux?

Pacman has its own `pacman-key` command that interfaces with gpg to
manipulate its keys. What you're probably going to want to do is what
Daniel said, initialize the keyring. This just takes a bunch of entropy
but things will (by default) be put in /etc/pacman.d/gnupg/. Having this
all set up will let you populate it. Here's an example workflow:

# yum install pacman
# $EDITOR /etc/pacman.conf #[1]
# pacman-key --init # you may need to do things while this happens

[1]: The SigLevel should be fine at `Required DatabaseOptional`. You may
want to set GPGDir to something else, though the default shouldn't
conflict with anything.

Now to do the --populate archlinux, you need to have an archlinux
keyring in /usr/share/pacman/keyrings/. If you look at the
`archlinux-keyring` package in arch, that should give you some ideas.
Then, finally, you can run: 

# pacman-key --populate archlinux

And this last step isn't really needed, but I usually do it anyway:

# pacman-key --refresh-keys

Doing that just makes sure that the keys are all fully up to date.

This should be enough to run 'pacman' to create containers.

> 2013/8/17 Zbigniew Jędrzejewski-Szmek <zbyszek at in.waw.pl>
> 
> > Hi,
> >
> > I was trying to get the arch installation example in systemd-spawn
> > to work on Fedora. My intent is to package pacman and pacstrap for
> > Fedora, to make it easy to play with distributions. Fedora already
> > has alien and dpkg/apt-get, so adding pacman seems kind of nice.
> >
> > The packaging process is going well, but the installation is not
> > as easy, because of gpg key issues. It's possible that I made some
> > error, I tried both to add SigLevel=TrustAll in (host's) /etc/pacman.conf,
> > and to import gpg keys with 'pacman-key --populate archlinux'.
> > The second solution didn't seem to work, and both have downsides:
> > - disabling checking is bad because of security issues,
> >   and it also seems to mess up the trust database inside the container,
> > - importing the trust database in the host (assuming that I'd get it
> >   to work), would require either also packaging the keys for Fedora,
> >   or telling the user to trust keys blindly and download them from
> >   the internet...
> >
> > So before I go further, I'd like your opinion on what is the best
> > approach to using the Arch trust mechanism on a non-Arch system.
> >
> > Zbyszek
> >
> > Packaging tickets:
> > https://bugzilla.redhat.com/show_bug.cgi?id=998125,
> > https://bugzilla.redhat.com/show_bug.cgi?id=998127.

Thanks,
-- 
William Giokas | KaiSforza | http://kaictl.net/
GnuPG Key: 0x73CD09CF
Fingerprint: F73F 50EF BBE2 9846 8306  E6B8 6902 06D8 73CD 09CF
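
A preflight check for the workflow in this message, as an added example that is not part of the original email or of pacman itself: it confirms that the config still requires signatures and that the keyring files `--populate` reads are in place. The function names, the pass/fail policy and the sample configs are assumptions made for this example.

```shell
#!/bin/sh
# Print "section<TAB>value" for every active SigLevel line in a pacman.conf.
list_siglevels() {
    awk '
        /^[ \t]*#/ { next }                      # commented-out settings do not count
        /^[ \t]*\[.*\][ \t]*$/ {                 # section header such as [options]
            sub(/^[ \t]*\[/, ""); sub(/\][ \t]*$/, ""); section = $0; next
        }
        /^[ \t]*SigLevel[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            printf "%s\t%s\n", section, $0
        }
    ' "$1"
}

# Policy assumed for this example: [options] must set a SigLevel containing
# Required, and no section (repositories included) may use TrustAll or Never.
check_siglevel() {
    list_siglevels "$1" | awk -F '\t' '
        $2 ~ /TrustAll|Never/ { bad = 1 }
        $1 == "options" && $2 ~ /(^| )Required( |$)/ { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# pacman-key --populate <name> reads <dir>/<name>.gpg. The archlinux-keyring
# package ships <name>-trusted and <name>-revoked beside it; this example
# requires the .gpg and -trusted files to be present and non-empty.
check_keyring() {
    dir=$1 name=$2 rc=0
    for f in "$name.gpg" "$name-trusted"; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample configs (not taken from the thread) to exercise the check.
# On a real host the calls would be:
#   check_siglevel /etc/pacman.conf
#   check_keyring /usr/share/pacman/keyrings archlinux
demo=$(mktemp -d)
printf '[options]\nSigLevel = Required DatabaseOptional\n' > "$demo/good.conf"
printf '[options]\nSigLevel = TrustAll\n' > "$demo/weak.conf"
check_siglevel "$demo/good.conf" && echo "good.conf: signatures required"
check_siglevel "$demo/weak.conf" || echo "weak.conf: rejected"
```
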