How are arch linux repositories secured?

E

elisey4742016-10-09 10:34:17

linux

elisey474, 2016-10-09 10:34:17

For example, I went online from an unknown access point and launched a package update. And there the admin changed the package and pacman grabs, for example, a virus and not the firefox browser. How are archa repositories protected from such? They don't even have https.

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

A

Alexey, 2016-10-09
@elisey474

Protection is implemented by verifying the digital signatures of the Linux repository and the client.
Trusted Linux repositories are those that are digitally signed and the user's computer contains the public key for that repository.
When connecting a Linux repository protected by a digital signature, you need to download the public key and add it to the system. Sometimes a package available for installation is provided for download, which, when installed, itself prescribes the repository key. If you download the key from the Linux repository site, then you will get a regular file with a .key, .gpg or other extension.
Thus, if a repository is changed, and you have already used it and the system has its key, it will not match and you will notice it. Like so. If in all Linux such a mechanism.