Invalid signature on custom repo fear question

I ran pacman -Syyuu earlier to fix some issues I was having, and I didn’t notice the “invalid signature” until after I told it yes. Now I’m worried maybe I installed an unsigned (maybe malicious?) package. The log file follows.

log:

sudo pacman -Syyuu

[sudo] password for RVOtakuMike:
error: home_ungoogled_chromium_Arch: signature from "home:ungoogled_chromium OBS Project <home:ungoogled_chromium@build.opensuse.org>" is invalid
:: Synchronizing package databases...
 core                                                                                                     168.2 KiB   240 KiB/s 00:01 [#################################################################################] 100%
 extra                                                                                                   1867.1 KiB  2.26 MiB/s 00:01 [#################################################################################] 100%
 community                                                                                                  7.1 MiB  4.18 MiB/s 00:02 [#################################################################################] 100%
 multilib                                                                                                 177.5 KiB  1972 KiB/s 00:00 [#################################################################################] 100%
 home_ungoogled_chromium_Arch                                                                            1900.0   B  3.64 KiB/s 00:01 [#################################################################################] 100%
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (2) onlyoffice-desktopeditors-7.1.1-1  ungoogled-chromium-103.0.5060.114-2

Total Download Size:    570.78 MiB
Total Installed Size:  1306.42 MiB
Net Upgrade Size:        89.13 MiB

:: Proceed with installation? [Y/n]
:: Retrieving packages...
 onlyoffice-desktopeditors-7.1.1-1-x86_64                                                                 471.3 MiB  12.0 MiB/s 00:39 [#################################################################################] 100%
 ungoogled-chromium-103.0.5060.114-2-x86_64                                                                99.5 MiB  11.9 MiB/s 00:08 [#################################################################################] 100%
 Total (2/2)                                                                                              570.8 MiB  11.9 MiB/s 00:48 [#################################################################################] 100%
(2/2) checking keys in keyring                                                                                                        [#################################################################################] 100%
(2/2) checking package integrity                                                                                                      [#################################################################################] 100%
(2/2) loading package files                                                                                                           [#################################################################################] 100%
(2/2) checking for file conflicts                                                                                                     [#################################################################################] 100%
(2/2) checking available disk space                                                                                                   [#################################################################################] 100%
:: Running pre-transaction hooks...
(1/1) Creating Timeshift snapshot before upgrade...
==> skipping timeshift-autosnap due skipRsyncAutosnap in /etc/timeshift-autosnap.conf set to TRUE.
:: Processing package changes...
(1/2) upgrading onlyoffice-desktopeditors                                                                                             [#################################################################################] 100%
(2/2) upgrading ungoogled-chromium                                                                                                    [#################################################################################] 100%
:: Running post-transaction hooks...
(1/4) Arming ConditionNeedsUpdate...
(2/4) Refreshing PackageKit...
(3/4) Updating icon theme caches...
(4/4) Updating the desktop file MIME type cache...

I know I’m probably paranoid over nothing, but I need reassurance, please.

Thanks for your time.

When you are adding a custom repo to your system, you are putting your trust in the provider of the repo.

Manjaro does not support the use of custom repos and does not provide guidance in resolving any issues relating to 3rd party repos.

I am simply looking for a second opinion. Is this not allowed?

It is your system - you can do whatever you like.

Yes - possibly - but necessarily

Alright, thanks.

It is - and you got not only an opinion, but the “rule of the game” here, so to speak.

If you are using custom repos, they come with their own signatures and you might need to import those.

It’s still a matter of trust …

I trust the repo, the signature error only happened that one time. That’s what spooked me.

I run a repository for the Spins by Kilz project, so I have a little experience with third party repos. As linux-aarhus says, it comes down to your trust in the person running the repo.
That being said, I did look into this, and I think you are referring to the repository and its instructions for this project.
Everything looks good until I noticed this in the instructions

SigLevel = Required TrustAll

TrustAll means exactly what it sounds like in a SigLevel (signature level) line. TrustAll means that the key can be trusted, or not trusted as shown here. The key is the signature that is compared to make sure the file you are downloading and installing is the file the developer added. A big security risk, especially on a site where the developer doesn’t have complete control over the storage. That doesn’t mean that there is a problem now, but there is always the possibility of a problem.

Your choice to use the software, but at least now you have more info.

The software definitely installed that package despite the sig error, so should I consider this a system compromise? If so, what do you recommend?

EDIT: This was an update, so its not the first install of said program.

I wouldn’t necessarily consider it compromised, but there is a risk it could be. There is also a risk that any future files you get from the repo could be compromised. Consider what you will use the system for. Are you going to do online shopping, pay bills, store sensitive documents, use it for a business? It all depends on your risk tolerance.

Yeah, I’m gonna format + reinstall. Luckily I haven’t customized the system in question too much yet.

Thank you all for your input!

Not a problem. Just don’t be scared of third party repos, there are a lot of good people creating things. Make sure that the security is there and you should be ok for a popular project. A SigLevel of Required or PackageRequired with nothing else should be good to go.

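An added example, not from the original thread, from Manjaro or from the Spins by Kilz project: a POSIX shell script that audits a pacman.conf for the SigLevel weaknesses discussed in the two replies above (TrustAll, and anything weaker than Required for packages). It models the rules from pacman.conf(5): a Package or Database prefix limits a token to that kind of file, Never/Optional/Required set the verification level, TrustedOnly/TrustAll set which keys are acceptable, and a repository's own SigLevel line overrides only the settings it names, inheriting the rest from [options]. The embedded config, the repo names other than home_ungoogled_chromium_Arch, and the example.invalid URLs are constructed for the demonstration; the starting defaults assume the stock pacman.conf line SigLevel = Required DatabaseOptional.

```shell
#!/bin/sh
# Audit pacman.conf SigLevel settings: print, per repository, the effective
# verification/trust level for packages and databases, plus a verdict.

# Constructed sample config for this example (not the poster's real file).
SAMPLE_CONF='[options]
SigLevel = Required DatabaseOptional

[core]
Include = /etc/pacman.d/mirrorlist

[extra]
Include = /etc/pacman.d/mirrorlist

# Third-party repo configured the way the instructions quoted above show
[home_ungoogled_chromium_Arch]
SigLevel = Required TrustAll
Server = https://example.invalid/ungoogled-chromium

# Third-party repo using the setting recommended above (hypothetical name)
[spins_by_kilz]
SigLevel = PackageRequired
Server = https://example.invalid/spins

# Locally built packages that are never signed (hypothetical)
[local_builds]
SigLevel = Optional
Server = file:///var/cache/local_builds
'

# audit_siglevel: reads pacman.conf text on stdin, writes one tab-separated
# line per repo: <repo> <effective levels> <verdict>. Include= files are not
# followed, so run it on the file that actually carries the [repo] sections.
audit_siglevel() {
  awk '
    # Apply one SigLevel line to state slot "key". A Package/Database prefix
    # restricts a token to that file kind; otherwise it applies to both.
    function apply_tokens(line, key,   cnt, toks, i, tok, scope) {
      cnt = split(line, toks, /[ \t]+/)
      for (i = 1; i <= cnt; i++) {
        tok = toks[i]
        if (tok == "") continue
        scope = "both"
        if (tok ~ /^Package/)       { scope = "pkg"; sub(/^Package/, "", tok) }
        else if (tok ~ /^Database/) { scope = "db";  sub(/^Database/, "", tok) }
        if (tok ~ /^(Never|Optional|Required)$/) {
          if (scope != "db")  st[key, "pkg_verify"] = tok
          if (scope != "pkg") st[key, "db_verify"]  = tok
        } else if (tok ~ /^(TrustedOnly|TrustAll)$/) {
          if (scope != "db")  st[key, "pkg_trust"] = tok
          if (scope != "pkg") st[key, "db_trust"]  = tok
        } else {
          st[key, "bad"] = tok          # pacman itself rejects unknown tokens
        }
      }
    }
    function copy_state(from, to,   i) {
      for (i = 1; i <= 4; i++) st[to, field[i]] = st[from, field[i]]
    }
    # Verdict is about package files; the database level is printed but only
    # matters for what pacman will believe about available versions.
    function verdict(key) {
      if (st[key, "bad"] != "")                return "ERROR: unknown token " st[key, "bad"]
      if (st[key, "pkg_trust"] == "TrustAll")  return "WEAK: TrustAll accepts keys that are untrusted or of unknown trust"
      if (st[key, "pkg_verify"] == "Never")    return "WEAK: package signatures are never checked"
      if (st[key, "pkg_verify"] == "Optional") return "WEAK: unsigned packages are accepted"
      return "ok"
    }
    BEGIN {
      split("pkg_verify db_verify pkg_trust db_trust", field, " ")
      # Assumed starting point: the SigLevel line shipped in the stock pacman.conf
      # (packages must be signed, databases need not be, only trusted keys accepted).
      st["global", "pkg_verify"] = "Required";    st["global", "db_verify"] = "Optional"
      st["global", "pkg_trust"]  = "TrustedOnly"; st["global", "db_trust"]  = "TrustedOnly"
    }
    /^[ \t]*#/ { next }                                   # comment line
    /^[ \t]*\[/ {                                         # [section] header
      sub(/^[ \t]*\[/, ""); sub(/\].*$/, "")
      section = $0
      if (section != "options") { order[++n] = section; level[section] = "" }
      next
    }
    /^[ \t]*SigLevel[ \t]*=/ {
      sub(/^[ \t]*SigLevel[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
      if (section == "options") apply_tokens($0, "global")
      else level[section] = $0
      next
    }
    END {
      for (i = 1; i <= n; i++) {
        r = order[i]
        copy_state("global", r)                           # repo inherits [options] ...
        if (level[r] != "") apply_tokens(level[r], r)     # ... and overrides only what it names
        printf "%s\tpkg=%s/%s db=%s/%s\t%s\n", r,
               st[r, "pkg_verify"], st[r, "pkg_trust"],
               st[r, "db_verify"],  st[r, "db_trust"], verdict(r)
      }
    }
  '
}

audit_sample()     { printf '%s' "$SAMPLE_CONF" | audit_siglevel; }
count_weak()       { audit_sample | grep -c 'WEAK'; }
effective_level()  { audit_sample | awk -F "$(printf '\t')" -v r="$1" '$1 == r { print $2 }'; }

audit_sample
```

Run it against the live file with `audit_siglevel < /etc/pacman.conf`. In the sample, [spins_by_kilz] ends up as packages Required/TrustedOnly with the database still Optional from [options], which is what "PackageRequired with nothing else" buys you; [home_ungoogled_chromium_Arch] is flagged because TrustAll applies to both file kinds. If the cached package and its detached .sig are still in /var/cache/pacman/pkg, `pacman-key --verify` on the .sig re-checks the installed package against the pacman keyring, which is a more direct answer to "did I install a genuine package" than re-reading the log.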

You may benefit from educating yourself on the concept of package signatures

https://wiki.archlinux.org/title/Pacman/Package_signing