Disabling signature verification for Parabola packages

nadebula.1984
Joined: 05/01/2018

When I try to update my Parabola (or other Arch-based distributions), the downloaded packages can pass hash verification but never signature verification, since certain key server(s) are inaccessible from China (at least via my ISP) and the relevant public key(s) hosted on said key server(s) cannot be retrieved.

I understand that signature verification is a security feature. Yet I wonder whether it is required or optional (via pacman parameters).

liberpoolesque
Joined: 01/07/2020

I was tinkering with Parabola a while ago, and I think I've seen an option that disables signature checking. Unfortunately, I don't have Parabola installed right now.
I couldn't find it on the Parabola wiki, but the Arch wiki has an entry about pacman and how to disable signature checking:
https://wiki.archlinux.org/index.php/Pacman/Package_signing#Disabling_signature_checking
Basically, it should be possible to disable the check by setting "SigLevel = Never" in the global "[options]" section of /etc/pacman.conf, and all your repository entries. (But note that I did not have an opportunity to test this.)
I would not recommend doing this outside of a test environment in a virtual machine though, because this will allow anyone to inject malware into your system when you update.
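
An added example, not part of any post in this thread: a small audit that reports which repositories in a pacman.conf end up with package signature checking disabled, so a "SigLevel = Never" left over from testing can be spotted. The sample config is constructed, `Include` files are not followed, and only the when-to-check part of `SigLevel` is modelled (trust tokens such as `TrustedOnly` are ignored).

```python
import re

# Constructed sample of an /etc/pacman.conf (not taken from a real system).
SAMPLE_CONF = """\
[options]
SigLevel = Required DatabaseOptional

[libre]
Include = /etc/pacman.d/mirrorlist

[core]
SigLevel = Never
Include = /etc/pacman.d/mirrorlist

[extra]
SigLevel = DatabaseNever
#SigLevel = Never
"""

# SigLevel tokens that decide when *package* signatures are checked.
# Database* tokens only affect the sync databases and are ignored here.
PACKAGE_POLICY = {"Never": "Never", "PackageNever": "Never",
                  "Optional": "Optional", "PackageOptional": "Optional",
                  "Required": "Required", "PackageRequired": "Required"}
BUILTIN_DEFAULT = "Optional"  # pacman.conf(5) built-in: "Optional TrustedOnly"


def package_policies(conf_text):
    """Return {repo: effective package signature policy} for every repo section."""
    explicit, repos, section = {}, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):  # pacman only allows whole-line comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            if section != "options" and section not in repos:
                repos.append(section)
        elif section and line.partition("=")[0].strip() == "SigLevel":
            for token in line.partition("=")[2].split():
                if token in PACKAGE_POLICY:  # later tokens override earlier ones
                    explicit[section] = PACKAGE_POLICY[token]
    default = explicit.get("options", BUILTIN_DEFAULT)  # [options] is the fallback
    return {repo: explicit.get(repo, default) for repo in repos}


def unverified_repos(conf_text):
    """Repositories whose packages would be installed without any signature check."""
    return sorted(r for r, p in package_policies(conf_text).items() if p == "Never")

if __name__ == "__main__":
    print("signature checking disabled for:", unverified_repos(SAMPLE_CONF))
```

A repository reported as "Optional" also accepts unsigned packages, since pacman then checks a signature only when one is present.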

nadebula.1984
Joined: 05/01/2018

Thanks for the reply. I'll test it in a protected environment first.