Package Signing

Arch Linux ARM implements package signing following the model created by Arch Linux. All packages in all repositories for all architectures are signed by our build system; however, the repository database files are not signed in order to limit the exposure of private keys and because it is technically unnecessary.

Since all of the packages in our repositories originate from our build system — not from individual developers and maintainers — the packages are signed by the single build system key before leaving the secure build environment. Additionally, Arch Linux ARM mirrors are synchronized via rsync push from our master server, furthering the integrity of packages available for installation.

Enabling Signature Checking

  1. To help pacman-key work, ensure the haveged daemon is running. This daemon keeps the system's entropy pool full.
    systemctl status haveged
  2. If that command reports it active and running, go to the next step. Otherwise, install, start, and optionally enable haveged to run at boot:
    pacman -Syu haveged
    systemctl start haveged
    systemctl enable haveged
  3. Initialize the pacman keyring:
    pacman-key --init
  4. Install the Arch Linux ARM keyring:
    pacman -S archlinuxarm-keyring
    pacman-key --populate archlinuxarm
  5. Edit /etc/pacman.conf and uncomment or add the following lines:
    SigLevel = Required DatabaseOptional
    LocalFileSigLevel = Optional

Keys

Master Signing Keys
Key ID Owner
02922214DE8981D14DC2ACABBC704E86B823CD25 Kevin Mihelich
9D22B7BB678DC056B1F7723CB55C5315DCD9EE1A Jason Plum
69DD6C8FD314223E14362848BF7EEF7A9C6B5765 Mike Brown
Package Signing Keys
Key ID Owner
68B3537F39A313B3E574D06777193F152BDBE6A6 Arch Linux ARM Build System

Copyright ©2009-2022 Arch Linux ARM
The registered trademark Linux® is used pursuant to a sublicense from LMI, the exclusive licensee of Linus Torvalds, owner of the mark on a world-wide basis.
The Arch Linux™ name and logo are used under permission of the Arch Linux Project Lead.