Unverified Commit a2b20495 authored by Christian Rebischke's avatar Christian Rebischke

Make sure to re-initialize the pacman keyring



We need to re-initialize the pacman keyring for every machine,
otherwise every machine would have the same pacman master key. A shared
pacman master key opens the possibility of MitM attacks.
Signed-off-by: default avatarChristian Rebischke <Chris.Rebischke@posteo.de>
parent c42fd65b
......@@ -47,10 +47,31 @@ Name=eth0
DHCP=ipv4
EOF
# Setup pacman-init.service for clean pacman keyring initialization
cat <<EOF > /etc/systemd/system/pacman-init.service
[Unit]
Description=Initializes Pacman keyring
Wants=haveged.service
After=haveged.service
ConditionFirstBoot=yes
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/pacman-key --init
ExecStart=/usr/bin/pacman-key --populate archlinux
[Install]
WantedBy=multi-user.target
EOF
# enabling important services
systemctl daemon-reload
systemctl enable sshd
systemctl enable haveged
systemctl enable systemd-networkd
systemctl enable systemd-resolved
systemctl enable pacman-init.service
grub-install "$device"
sed -i -e 's/^GRUB_TIMEOUT=.*$/GRUB_TIMEOUT=1/' /etc/default/grub
......
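Review bot: `ConditionFirstBoot=yes` in the new unit makes keyring initialisation a one-shot attempt: if `pacman-key --init` fails on the first boot (haveged is only `Wants=`, so the unit still starts when the entropy daemon does not come up), the condition is false on every later boot and the machine is left without a master key, most likely leaving pacman unable to verify package signatures until someone runs the two commands by hand. A condition on the keyring itself retries until it exists, e.g. `ConditionPathExists=!/etc/pacman.d/gnupg/trustdb.gpg` in place of the first-boot condition — confirm the file name against what `pacman-key --init` actually creates before relying on it. As a style point, the unit text contains no shell expansions, so `cat <<'EOF' > /etc/systemd/system/pacman-init.service` on the first line of the hunk documents that no expansion is intended and keeps a future `$` in the unit from being expanded at image-build time.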
......@@ -25,7 +25,7 @@ mkswap "${device}1"
mkfs.btrfs -L "rootfs" "${device}2"
mount "${device}2" /mnt
pacstrap /mnt base grub openssh sudo polkit btrfs-progs
pacstrap /mnt base grub openssh sudo polkit btrfs-progs haveged
swapon "${device}1"
genfstab -p /mnt >> /mnt/etc/fstab
swapoff "${device}1"
......
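Review bot: The `haveged` package added on the pacstrap line exists only to feed entropy to `pacman-key --init` in the first-boot unit the same commit installs, but nothing on this line records that link, so a later trim of the package list could drop it and silently slow or break keyring generation. A trailing comment makes the dependency visible: `pacstrap /mnt base grub openssh sudo polkit btrfs-progs haveged  # haveged: entropy for pacman-key --init (pacman-init.service)`. The partitioning and mount steps this line sits between continue outside the hunk.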
......@@ -7,3 +7,5 @@ set -x
yes | sudo pacman -Scc
# Remove machine-id: see https://github.com/archlinux/arch-boxes/issues/25
rm /etc/machine-id
# Remove pacman key ring for re-initialization
rm -rf /etc/pacman.d/gnupg/
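Review bot: The comment above `rm -rf /etc/pacman.d/gnupg/` says the keyring is removed for re-initialisation but not what re-initialises it or why, and the `rm /etc/machine-id` two lines above is what makes the new unit's `ConditionFirstBoot=yes` true on the next boot, so the lines are coupled without saying so. Suggested wording: `# Remove the pacman keyring so pacman-init.service regenerates a per-machine master key on first boot (the machine-id removal above is what triggers that unit's ConditionFirstBoot)`. The removal comes after `pacman -Scc`, so nothing else in this hunk needs the keyring, but anything that follows past the end of the hunk should be checked for pacman calls that would now run without one.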