[tex-live] tlmgr: Package verification

Norbert Preining norbert at preining.info
Mon Jan 22 01:11:29 CET 2018


Hi,

verify-downloads sets the stage for general verification by searching
for a valid gpg binary. If this is not available, no verification can
happen.
verify-downloads can be set in the user or global configuration file
(TEXMFSYSCONFIG/tlmgr/config or TEXMFCONFIG/tlmgr/config) using the
key
  verify-downloads = 0|1
If verify-downloads is set to 0 in the config file, or via
--no-verify-downloads then gpg is not searched and all gpg operations
will error.

require-verification defines the policy for what to do if a repository is
either not signed, or it is signed but the public key has not been
imported into the TeX Live keyring:
- if require-verification is off (default), missing signatures or
  unavailable public keys are *NOT* errors
- if require-verification is on, missing signatures or unavailable
  public keys result in tlmgr terminating.
Note however that for the *main* repository (tlnet) this is turned
on by default, that means that whatever setting you have for
require-verification, the signature of the main repository will
be checked.

Explanation:
- we know that the main repository is always signed, because we do not
  push out from our server to CTAN if the signature creation failed.
- we *don't* know whether all other repositories are signed, and in
  particular whether the user has imported the respective keys for
  verification.
- the defaults are set up so that if gpg is available, the main repository
  will be checked, and other repositories will be checked *if* they
  provide a signature *and* the user has imported the remote public key.
- if an additional repository is not signed, or signed and the remote
  public key is not imported, and require-verification is not set, then
  tlmgr will *not* error out.

> I installed from DVD, changed the repository afterwards to the CTAN
> mirror and then ran "tlmgr update --self --require-verification" and
> "tlmgr update --all --require-verification".
> Is this sufficient to ensure that all downloaded packages are actually verified?

For packages downloaded from the main TeX Live repository, that is one
of the CTAN tlnet mirrors, this is enough if you have a gpg available.

> According to the manual, "verify-downloads" seems to be set to true by
> default, so I guess one doesn't have to deal with that option unless
> one wants to disable it?

Correct.

> What would happen if one combines "--require-verification" with
> "--no-verify-downloads" or vice versa?

Consequence of the above:
- because --no-verify-downloads is set, no gpg is initialized.
- because we require verification, all repositories, including main
  are checked with gpg, which results in a failure,
thus tlmgr will error out, as a trivial experiment shows:

[~] tlmgr update --list
tlmgr: package repositories
	main = /home/norbert/public_html/tlnet (verified)
	tlcontrib = /home/norbert/Domains/server/texlive.info/contrib/2017 (verified)
	tltexjp = /home/norbert/public_html/tltexjp (verified)
	tlcritical = /home/norbert/public_html/tlcritical (verified)
tlmgr: saving backups to /home/norbert/tl/2017/tlpkg/backups
tlmgr: no updates available

[~] tlmgr --no-verify-downloads update --list
tlmgr: package repositories
	main = /home/norbert/public_html/tlnet (not verified: gpg unavailable)
	tltexjp = /home/norbert/public_html/tltexjp (not verified: gpg unavailable)
	tlcontrib = /home/norbert/Domains/server/texlive.info/contrib/2017 (not verified: gpg unavailable)
	tlcritical = /home/norbert/public_html/tlcritical (not verified: gpg unavailable)
tlmgr: saving backups to /home/norbert/tl/2017/tlpkg/backups
tlmgr: no updates available

[~] tlmgr --require-verification update --list
tlmgr: package repositories
	main = /home/norbert/public_html/tlnet (verified)
	tlcritical = /home/norbert/public_html/tlcritical (verified)
	tlcontrib = /home/norbert/Domains/server/texlive.info/contrib/2017 (verified)
	tltexjp = /home/norbert/public_html/tltexjp (verified)
tlmgr: saving backups to /home/norbert/tl/2017/tlpkg/backups
tlmgr: no updates available

[~] tlmgr --no-verify-downloads --require-verification update --list
Remote TeX Live database (/home/norbert/public_html/tlnet) is not verified, exiting.


Now, let us remove the signature of an additional repository
(tlcontrib):
[~] tlmgr update --list
tlmgr: package repositories
	main = /home/norbert/public_html/tlnet (verified)
	tltexjp = /home/norbert/public_html/tltexjp (verified)
	tlcontrib = /home/norbert/Domains/server/texlive.info/contrib/2017 (not verified: unsigned)
	tlcritical = /home/norbert/public_html/tlcritical (verified)
tlmgr: saving backups to /home/norbert/tl/2017/tlpkg/backups
tlmgr: no updates available

[~] tlmgr --no-verify-downloads update --list
  remains the same as above

[~] tlmgr --require-verification update --list
Remote TeX Live database (/home/norbert/Domains/server/texlive.info/contrib/2017) is not verified, exiting.

[~] tlmgr --no-verify-downloads --require-verification update --list
Remote TeX Live database (/home/norbert/public_html/tlnet) is not verified, exiting.

More or less the same happens if the remote key is not installed, just
the message in the first case (not verified: unsigned) changes.

> I also wanted to have a look at the config files for tlmgr to have a
> look at the default values, but it seems that neither a system-wide
> nor a user-specific file exists. Is this correct? (kpsewhich

No, this is not correct, see the documentation
https://www.tug.org/texlive/doc/tlmgr.html#CONFIGURATION-FILE-FOR-TLMGR

Hope that helps

Norbert

--
PREINING Norbert                               http://www.preining.info
Accelia Inc.     +    JAIST     +    TeX Live     +    Debian Developer
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
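The policy described in the mail (verify-downloads decides whether gpg is searched at all; require-verification decides whether a non-verified repository is fatal; the main repository is always checked when gpg is usable) can be written down as a small decision function. The following is an added model, not tlmgr's own Perl code: repository names and paths are constructed sample values, and the status string for a signed repository whose key is not imported is an assumed wording, since the mail only says that the message differs. The model reproduces every outcome shown in the transcript above, including the two "not verified, exiting" cases.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Repo:
    name: str
    location: str       # constructed sample path, not a real mirror
    is_main: bool
    signed: bool
    key_imported: bool


def verification_status(repo: Repo, gpg_available: bool) -> str:
    """Status string printed next to a repository in 'tlmgr: package repositories'."""
    if not gpg_available:
        return "not verified: gpg unavailable"
    if not repo.signed:
        return "not verified: unsigned"
    if not repo.key_imported:
        # the mail says only the message differs here; this wording is assumed
        return "not verified: public key not available"
    return "verified"


def run_update(repos: List[Repo], *, verify_downloads: bool = True,
               require_verification: bool = False,
               gpg_binary_found: bool = True) -> Tuple[Dict[str, str], Optional[str]]:
    """Model of the policy: returns (per-repo statuses, exit message or None).

    verify_downloads=False (--no-verify-downloads or verify-downloads=0) means
    gpg is never searched, so nothing can be verified.  require_verification
    (--require-verification) makes any non-verified repository fatal.  The main
    repository is fatal when unverified as soon as gpg is usable, whatever
    require-verification says.
    """
    gpg_available = verify_downloads and gpg_binary_found
    statuses: Dict[str, str] = {}
    for repo in repos:
        status = verification_status(repo, gpg_available)
        statuses[repo.name] = status
        must_verify = require_verification or (repo.is_main and gpg_available)
        if must_verify and status != "verified":
            return statuses, f"Remote TeX Live database ({repo.location}) is not verified, exiting."
    return statuses, None


def example_repos(tlcontrib_signed: bool = True,
                  tlcontrib_key_imported: bool = True) -> List[Repo]:
    """Constructed main + additional repository setup, main listed first."""
    return [
        Repo("main", "/srv/tlnet", True, True, True),
        Repo("tlcontrib", "/srv/tlcontrib", False, tlcontrib_signed, tlcontrib_key_imported),
    ]


if __name__ == "__main__":
    # Walk the four flag combinations from the mail against an unsigned tlcontrib.
    for opts in ({}, {"verify_downloads": False}, {"require_verification": True},
                 {"verify_downloads": False, "require_verification": True}):
        statuses, exit_msg = run_update(example_repos(tlcontrib_signed=False), **opts)
        print(opts or "(defaults)", statuses, exit_msg)
```

Note that with `verify_downloads=True` but no gpg binary on the system the model, like the mail, reports every repository as "not verified: gpg unavailable" and does not exit unless require-verification is set; this is the case the answer "this is enough if you have a gpg available" is pointing at.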

