Set default pacman SigLevel as "Required"

We should set the secure option as the default and require a user or distribution to explicitly reduce the level of checking required in their configuration file. Implements #260 Signed-off-by: Allan McRae <allan@archlinux.org>
2025-07-30 17:19:54 +10:00
4 changed files with 7 additions and 5 deletions
--- a/doc/pacman.conf.5.asciidoc
+++ b/doc/pacman.conf.5.asciidoc
@ -318,12 +318,12 @@ When to Check::
 	*Never*;;
 		All signature checking is suppressed, even if signatures are present.

-	*Optional* (default);;
+	*Optional*;;
 		Signatures are checked if present; absence of a signature is not an
 		error. An invalid signature is a fatal error, as is a signature from a
 		key not in the keyring.

-	*Required*;;
+	*Required* (default);;
 		Signatures are required; absence of a signature or an invalid signature
 		is a fatal error, as is a signature from a key not in the keyring.

@ -349,7 +349,7 @@ level signatures for packages.
 The built-in default is the following:

 --------
-SigLevel = Optional TrustedOnly
+SigLevel = Required TrustedOnly
 --------


--- a/src/pacman/conf.c
+++ b/src/pacman/conf.c
@ -109,8 +109,7 @@ config_t *config_new(void)
 	newconfig->logmask = ALPM_LOG_ERROR | ALPM_LOG_WARNING;
 	newconfig->configfile = strdup(CONFFILE);
 	if(alpm_capabilities() & ALPM_CAPABILITY_SIGNATURES) {
-		newconfig->siglevel = ALPM_SIG_PACKAGE | ALPM_SIG_PACKAGE_OPTIONAL |
-			ALPM_SIG_DATABASE | ALPM_SIG_DATABASE_OPTIONAL;
+		newconfig->siglevel = ALPM_SIG_PACKAGE | ALPM_SIG_DATABASE;
 		newconfig->localfilesiglevel = ALPM_SIG_USE_DEFAULT;
 		newconfig->remotefilesiglevel = ALPM_SIG_USE_DEFAULT;
 	}
--- a/test/pacman/tests/upgrade-download-pkg-and-sig-with-filename.py
+++ b/test/pacman/tests/upgrade-download-pkg-and-sig-with-filename.py
@ -1,6 +1,7 @@
 self.description = 'download remote packages with -U with a URL filename'
 self.require_capability("gpg")
 self.require_capability("curl")
+self.option['SigLevel'] = ['Required']

 url = self.add_simple_http_server({
    # simple
--- a/test/pacman/util.py
+++ b/test/pacman/util.py
@ -115,6 +115,8 @@ def mkcfgfile(filename, root, option, db):
    data = ["[options]"]
    for key, value in option.items():
        data.extend(["%s = %s" % (key, j) for j in value])
+    if "SigLevel" not in option:
+        data.append("SigLevel = Never\n")

    # Repositories
    # sort by repo name so tests can predict repo order, rather than be