Verification in AUR Land Is Security Theater

Makepkg says to verify the key 449190F3235ABD3B. I decide today is the day I stop relying on --skippgpcheck. Wonderful.

From $HOME/.makepkg.conf, I set $GNUPGHOME to a freshly created gpg directory (as there are different kinds of “trust” in the world, and mixing personal keys with makepkg keys confuses two separate kinds). This feature is not documented in makepkg’s man pages, but a contributor to makepkg mentions it here. I then run gpg --search-keys using my original $GNUPGHOME because hey, all it does is search, and something may very well be missing from the new $GNUPGHOME. Gpg, however, gives an error about dirmngr not running. I check dirmngr.conf. I try $( gpg-connect-agent --dirmngr ). “IPC connect call failed.” Fine, that’s another problem. There are still options, though, and I step over that rabbit hole.

I decide to verify the key manually, searching the PGP public key server at MIT. That’s a pretty big one, right? Sorry, the key is not there… All right, let’s try SKS. After all, that one is recommended in the GnuPG FAQ! That counts for something, right? “No results found.” Okay… I’ll just search for the key ID using a regular, Internet search engine.

DDG returns one result, and this link isn’t even it. Fine… perhaps DDG is small-time. Perhaps their web crawlers run on bread-powered ducks. Whatever. I seek the help of a multi-billion dollar corporation, which provides five results! The first is the same result from DDG! The remaining four are two copies each of the very signature error I foolishly thought, earlier this morning, that I could resolve through mere perseverance and rational protocol. These results were posted not by humans but by logging utilities.

The package that started this whole mess has 70 votes. It has a git repo with absolutely no references to signatures or pgp keys… Well, what would you do at this point? Do you trust the single entry from the CS department at Utrecht University? Did you even know that Utrecht had a university? … Had you even heard the word “Utrecht” once in your life before today?

Most importantly, do you honestly care at this point? The listed user has “debian” in his name. I can trust that, right?

Verification in AUR Land is security theater. It is not real security, because it is not feasible. Knowledgeable users may respond by pointing out PKGBUILD’s validpgpkeys, but aksr (the uploader) is just a regular user. Why should I trust him? Because I want to view PDF files with vi-like controls, that’s why. Such baseless trust is tantamount to --skippgpcheck, the very option that will earn your relay-chatting buttocks a paddling in #archlinux.

But seriously, you should trust him. I mean, look at all these.

I pity the people who spend as much free time as I do, wrestling imaginary monsters, and I apologize to the fine citizens of the Netherlands for implying their municipalities deserve anything less than international renown.

AUR verification is security theater.
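
An added example, not part of the original post and not makepkg's own code: it reads a PKGBUILD's validpgpkeys as text and checks whether the key ID makepkg reported is the tail of a pinned fingerprint, which shows that the pin is whatever the uploader chose. The function names, the sample PKGBUILD and the placeholder fingerprint are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). The PKGBUILD is parsed as text and
# never sourced: it is arbitrary shell code written by the uploader.
LC_ALL=C; export LC_ALL   # make the [0-9A-F] ranges below byte-exact

# Print each entry of validpgpkeys=( ... ), one per line, comments/quotes removed.
pinned_keys() {
    awk '
        /^[ \t]*validpgpkeys=\(/ { inarr = 1; sub(/^[^(]*\(/, "") }
        inarr {
            line = $0
            sub(/#.*/, "", line)        # strip trailing comment first
            last = (line ~ /\)/)        # does the array close on this line?
            sub(/\).*/, "", line)
            n = split(line, part)       # default FS: split on whitespace
            for (i = 1; i <= n; i++) print part[i]
            if (last) inarr = 0
        }' "$1" | tr -d "\"'"
}

# check_pin PKGBUILD KEYID
#   0: KEYID (the 16-hex ID makepkg prints) is the tail of a pinned fingerprint
#   1: no pin ends in KEYID (also the result when the signature comes from a
#      subkey, because validpgpkeys lists primary keys)
#   2: a pin is not a full 40-hex uppercase fingerprint, the only form makepkg
#      accepts in validpgpkeys
check_pin() {
    keyid=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    pins=$(pinned_keys "$1")
    status=1
    while read -r fpr; do
        [ -n "$fpr" ] || continue
        case $fpr in *[!0-9A-F]*) echo "bad pin: $fpr" >&2; return 2 ;; esac
        [ "${#fpr}" -eq 40 ] || { echo "short pin: $fpr" >&2; return 2; }
        case $fpr in *"$keyid") status=0 ;; esac
    done <<EOF
$pins
EOF
    return "$status"
}

# Constructed sample: the fingerprint is a placeholder (24 "A"s + the key ID
# from the post), not the real key.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
pkgname=example
validpgpkeys=('AAAAAAAAAAAAAAAAAAAAAAAA449190F3235ABD3B') # upstream (constructed)
EOF
check_pin "$SAMPLE" 449190f3235abd3b && echo "key ID matches a pin chosen by the uploader"
```

A return of 0 only says the signing key is the one the PKGBUILD names; whether that key belongs to the upstream author still has to be established out of band.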

ALSA Configuration of Loopback Device

# NoSuck.org
# 2017-02-13, 05:13
# This file demonstrates ALSA configuration for a loopback device that simultaneously saves both input and output. Thanks go to debianuser from #alsa on the Freenode network for providing guidance.

■ aplay -L | grep '^sysdefault'

■ aplay -l | grep PCH
card 0: PCH [HDA Intel PCH], device 0: ALC898 Analog [ALC898 Analog]
card 0: PCH [HDA Intel PCH], device 1: ALC898 Digital [ALC898 Digital]
card 0: PCH [HDA Intel PCH], device 3: HDMI 0 [HDMI 0]

■ cat /etc/modules-load.d/snd-aloop.conf

■ cat /etc/modprobe.d/alsa.conf
options snd_hda_intel index=0
options snd_aloop index=1

■ cat ~/.asoundrc
defaults.pcm.dmix.!rate 48000
defaults.pcm.dmix.!format S16_LE

# Four-channel device: channels 0-1 go to the sound card, 2-3 to the loopback.
pcm.multi {
    type multi
    slaves.a.pcm "dmix:PCH"
    slaves.a.channels 2
    slaves.b.pcm "dmix:Loopback"
    slaves.b.channels 2
    bindings.0 { slave a; channel 0; }
    bindings.1 { slave a; channel 1; }
    bindings.2 { slave b; channel 0; }
    bindings.3 { slave b; channel 1; }
}

# Copy each stereo channel to both the card and the loopback.
pcm.both {
    type route
    slave.pcm "multi"
    ttable.0.0 1
    ttable.1.1 1
    ttable.0.2 1
    ttable.1.3 1
}

# Play through "both"; capture from the card's input.
pcm.!default {
    type asym
    playback.pcm "plug:both"
    capture.pcm "plug:dsnoop:PCH"
}

# Record.
■ ffmpeg -y -f alsa -ac 1 -i sysdefault -f alsa -i plughw:Loopback,1 -filter_complex '[0:a][1:a]amerge=inputs=2' output.flac

# Record input only.
■ ffmpeg -y -f alsa -ac 1 -i sysdefault:CARD=PCH output.flac

# Official example.
■ cat /usr/share/alsa/cards/Loopback.conf