Security (signed packages)

Hi all,
Having used Mabox for a number of years, I recently came across this again:

Can you please explain why it is not a security issue to not sign the packages?

Hi @slim and welcome to the forum :slight_smile:

I don’t consider this a real security issue. (However, delivering signed packages is on my TODO list)
Two reasons:

  1. There is currently only one person creating packages for the Mabox Linux repository - that person is me
  2. There is only one server delivering packages from the Mabox Linux repo. That server is under my full control. There are no mirrors in the world that are controlled by someone outside.

I understand that this may raise some concerns for some users. You are the second person to bring this up in 8 years.

Mabox is a hobby project, developed after hours in my free time. That time is never enough to implement all the ideas, features and tasks - and there are a lot of them - I think it would be enough for a full-time job.
When I find time to develop Mabox, I always prefer to work on something more exciting and fun for me.

Does this answer satisfy you? Or should I focus on delivering signed packages quickly?

Thanks for the quick answer.
Unfortunately I am not as much of a security expert as I would like to be, and I cannot assess the risks. I fully understand your considerations, and during those eight years (yes, I followed you when you started the project) I didn’t mind much. But with the hysterically escalating hybrid warfare all over the planet I have started to consider what could happen. That you control the server is reassuring; I don’t know whether a man-in-the-middle attack would be possible, say if someone targets a specific person of interest who uses Mabox?
So, right now I’m happy it’s on your todo-list, and I am staying for the moment as a quite happy user, thank you for the big effort.

@slim, Packages are signed now.
Today’s ISO refresh (250113) has the SigLevel = PackageRequired option set by default.

Yeah, I noticed; congratulations, you were so quick :slight_smile:
However after a few updates now I get this for all the ca. seven new packages:

error: filesystem: signature from "Daniel Napora <danieln@maboxlinux.org>" is unknown trust
:: File /var/cache/pacman/pkg/filesystem-2025.01.12-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n]

Sorry I don’t get how to properly format the error

You need to install mabox-keyring first.
And populate keyring:

sudo pacman-key --populate mabox

Yes, I put
SigLevel = Optional TrustAll

while that first one installed; then it works. Perfect, thank you!
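The keyring bootstrap above, as an added example that is not code from this thread or from Mabox: the temporary weak SigLevel is confined to the [mabox] repo section and switched back to PackageRequired once the keyring is installed, so TrustAll never stays in the config. It assumes the repo section is named [mabox], the package is mabox-keyring and the keyring name is "mabox"; the config path is a parameter so the helpers can be exercised on a constructed copy.

```shell
#!/bin/sh
# Added example, not code from the thread or from Mabox: bootstrap trust in a newly
# signed repo the way the thread describes, but scoped to the [mabox] section and
# reverted afterwards, so "Optional TrustAll" never stays in /etc/pacman.conf.
# Assumed names: repo section [mabox], package mabox-keyring, keyring name "mabox".

# set_repo_siglevel CONF REPO LEVEL: rewrite (or add) SigLevel inside [REPO] only;
# the global [options] SigLevel and every other repo are left untouched.
set_repo_siglevel() {
  awk -v repo="$2" -v level="$3" '
    /^\[/ { if (insec && !done) print "SigLevel = " level
            insec = ($0 == ("[" repo "]")); done = 0 }
    insec && /^[ \t]*SigLevel[ \t]*=/ { print "SigLevel = " level; done = 1; next }
    { print }
    END { if (insec && !done) print "SigLevel = " level }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_repo_siglevel CONF REPO: print the SigLevel value set inside [REPO] (empty if none).
get_repo_siglevel() {
  awk -v repo="$2" '
    /^\[/ { insec = ($0 == ("[" repo "]")) }
    insec && /^[ \t]*SigLevel[ \t]*=/ { sub(/^[ \t]*SigLevel[ \t]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# bootstrap_mabox_trust [CONF]: the thread's workaround with the weak setting limited
# to one repo and one transaction. Needs root and network; not run by the test.
bootstrap_mabox_trust() {
  conf=${1:-/etc/pacman.conf}
  set_repo_siglevel "$conf" mabox "Optional TrustAll"          # weak, temporary
  if pacman -Sy --needed mabox-keyring; then
    pacman-key --populate mabox
  fi
  set_repo_siglevel "$conf" mabox PackageRequired              # enforce again, even on failure
}

# make_sample_conf PATH: constructed pacman.conf fragment used to exercise the helpers.
make_sample_conf() {
  cat > "$1" <<'EOF'
[options]
SigLevel = Required DatabaseOptional

[mabox]
SigLevel = PackageRequired
Server = https://REPO-URL-PLACEHOLDER/$arch
EOF
}
```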

I joined this forum solely to thank you for this post, as it solved my updating problem, which had caused me no end of issues as a newcomer to Linux. I had (prior to seeing this) tried numerous online solutions by Arch users etc. which didn’t work. So again, many thanks.