PacmanWoT

This article or section is a candidate for merging with pacman-key.

The Pacman Web of Trust (WoT) exists to prevent an attacker from getting you to install malicious code on your machine. In a nutshell, you express whom you trust to provide you with trustworthy code, and pacman will make sure that only code from those people (and people they trust) will be installed on your machine.

Outline of implementation

When you first boot a brand-new Arch installation, the Pacman WoT has not been initialized. To initialize it, run the following two commands:

pacman-key --init
pacman-key --populate archlinux

The first command will create a GPG key pair (pacman@localhost) that is the root of the Pacman WoT on your machine.

The second command will import, into your WoT, the public keys of the core Arch developers and maintainers.

After that, when you run pacman to install new code, pacman will check the digital signatures of the packages you are about to install against your WoT. If they are known and trusted, pacman will install the packages; otherwise pacman will refuse.
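The check described above depends on the state of the keyring pacman consults. As an added example (not part of the original article or of pacman-key), the POSIX shell script below audits that state from the machine-readable output of gpg's --with-colons key listing: it confirms that the root key (pacman@localhost) exists with ultimate validity and lists imported keys whose validity is below full. The listing embedded in the script is constructed sample data; on a real system you would pipe in gpg --homedir /etc/pacman.d/gnupg --with-colons --list-keys instead.

```shell
#!/bin/sh
# Audit a pacman keyring's trust state from `gpg --with-colons --list-keys`.
# SAMPLE is CONSTRUCTED output (fake key ids), not a real keyring.
# Colon format: field 1 = record type, field 2 = validity
# (u=ultimate, f=full, m=marginal, -=unknown, n=never, e=expired, r=revoked),
# field 5 = key id (pub records), field 10 = user id (uid records).
SAMPLE='pub:u:4096:1:0000000000000001:1:::u:::scESC::::::23::0:
uid:u::::1::AAAA::Pacman Keyring Master Key <pacman@localhost>::::::::::0:
pub:f:4096:1:0000000000000002:1:::-:::scSC::::::23::0:
uid:f::::1::BBBB::Example Master Key <master@example.org>::::::::::0:
pub:-:4096:1:0000000000000003:1:::-:::scSC::::::23::0:
uid:-::::1::CCCC::Unsigned Dev Key <dev@example.org>::::::::::0:'

# Return 0 if a uid pacman@localhost exists with ultimate validity,
# i.e. pacman-key --init has created the local root key pair.
wot_root_ok() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "uid" && $10 ~ /<pacman@localhost>/ && $2 == "u" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print key ids of public keys whose validity is below full (not u or f).
# Packages signed with such keys are not accepted under pacman's default
# TrustedOnly signature level; marginal keys are included deliberately.
untrusted_keys() {
    printf '%s\n' "$1" | awk -F: '$1 == "pub" && $2 !~ /^[uf]$/ { print $5 }'
}

# Stand-alone report over the constructed sample.
if wot_root_ok "$SAMPLE"; then
    echo "root key pacman@localhost: present with ultimate trust"
else
    echo "root key pacman@localhost: missing, run pacman-key --init"
fi
echo "keys below full validity (signatures from these are rejected):"
untrusted_keys "$SAMPLE"
```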

FAQ

Couldn't the initial WoT be pre-generated as part of some package, so the pacman-key commands (which include the relatively expensive generation of a gpg key pair) won't have to be executed when the system boots?
No. To pre-generate it, all Arch installations would have to end up with the same gpg key pair. That would enable a malicious Arch user, Alice (who then has access to the same private key as victim Bob), to sign a malicious package that Bob's pacman would accept, because Bob necessarily must trust his own root key pair. (See also the discussion on this post.)
Why do we need a root key pair at all? Can't Arch just simply install the public keys of the maintainers in some directory?
Actually, Arch does ship the public keys of the maintainers in a gpg keyring in /usr/share/pacman/keyrings (part of the package archlinux-keyring). But since pacman uses gpg's Web of Trust mechanism, those public keys only become valid once they are signed by a key you trust, which is exactly what the locally generated root key pair provides; otherwise some other WoT implementation would have to be used.

See also