PacmanWoT
The Pacman Web of Trust (WoT) exists to prevent an attacker from getting you to install malicious code on your machine. In a nutshell, you express whom you trust to provide you with trustworthy code, and pacman will make sure that only code from those people (and people they trust) will be installed on your machine.
Outline of implementation
When you first boot a brand-new Arch installation, the Pacman WoT has not been initialized. To initialize it, you run the following two commands:
pacman-key --init
pacman-key --populate archlinux
The first command will create a GPG key pair (pacman@localhost) that is the root of the Pacman WoT on your machine.
The second command will import, into your WoT, the public keys of the core Arch developers and maintainers.
After that, when you run pacman to install new code, pacman will check the digital signatures of the packages you are about to install against your WoT. If the signing keys are known and trusted, pacman will install the packages; otherwise pacman will refuse.
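As an added example (not from this page and not pacman's own code), the following POSIX shell script shows what "known and trusted" means in gpg terms: it reads a colon-format key listing, such as the one produced by gpg --homedir /etc/pacman.d/gnupg --with-colons --list-keys, and reports the WoT validity of each public key. The sample listing and its key IDs are constructed.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of pacman: report which keys in
# a pacman keyring listing are trusted by the local WoT. gpg's colon-format
# output puts key validity in field 2: 'u' = ultimate (the local
# pacman@localhost root key), 'f' = full (e.g. a master key locally signed by
# the root key via `pacman-key --populate`), 'm' = marginal, 'q' or '-' =
# not valid. pacman only accepts packages signed by a valid (u/f) key.
# Real input would come from:
#   gpg --homedir /etc/pacman.d/gnupg --with-colons --list-keys

# Map one validity letter to "trusted" or "untrusted".
wot_status() {
    case "$1" in
        u|f) echo trusted ;;
        *)   echo untrusted ;;
    esac
}

# Read a colon-format listing on stdin; print "<keyid> <status> <user id>"
# for every public key (field 5 = key ID on pub lines, field 10 = user ID
# on the uid line that follows).
wot_report() {
    keyid=""
    while IFS=: read -r rectype validity _len _algo id _f6 _f7 _f8 _f9 userid _rest; do
        case "$rectype" in
            pub) keyid=$id; val=$validity ;;
            uid) if [ -n "$keyid" ]; then
                     printf '%s %s %s\n' "$keyid" "$(wot_status "$val")" "$userid"
                     keyid=""
                 fi ;;
        esac
    done
}

# Constructed sample listing (fake key IDs), shaped like real gpg output.
SAMPLE='pub:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESC::::::23::0:
uid:u::::1600000000::HASH::Pacman Keyring Master Key <pacman@localhost>::::::::::0:
pub:f:4096:1:FEDCBA9876543210:1600000000:::-:::scESC::::::23::0:
uid:f::::1600000000::HASH::Constructed Master Key <master@example.invalid>::::::::::0:
pub:-:2048:1:0000111122223333:1600000000:::-:::scESC::::::23::0:
uid:-::::1600000000::HASH::Unknown Signer <nobody@example.invalid>::::::::::0:'

printf '%s\n' "$SAMPLE" | wot_report
```

A key reported as untrusted is exactly the case in which pacman refuses to install a package signed by it.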
FAQ
- Couldn't the initial WoT be pre-generated as part of some package, so the pacman-key commands (which include the relatively expensive generation of a gpg key pair) won't have to be executed when the system boots?
- No. To pre-generate them, all Arch installations would have to end up with the same gpg key pair. That would enable malicious Arch user Alice (who has access to the same private key as victim Bob does) to sign a malicious package that Bob's pacman would accept, because Bob necessarily must trust his root key pair. (See also discussion on this post.)
- Why do we need a root key pair at all? Can't Arch simply install the public keys of the maintainers in some directory?
- Actually, Arch does have the public keys of the maintainers in a gpg keyring in /usr/share/pacman/keyrings (part of the package archlinux-keyring). If pacman uses gpg's Web of Trust mechanism, those public keys must be signed; otherwise some other WoT implementation would have to be used.