[solved]gpg: listing keys in keyfile before import

Similar Messages

• [Solved] gpg --list-public-keys (removed duplicate - see my last post)

  I followed https://wiki.archlinux.org/index.php/GnuPG#Create_key and https://wiki.archlinux.org/index.php/Talk:Pacman-key, but I have ended up with my public key being listed twice. It's both first and last in the full list of public keys. Here is just mine:
  /home/colin% gpg --list-public-keys colin
  pub   4096R/0940E3F9 2014-11-18 [expires: 2015-11-18]
  uid       [ultimate] Colin Keenan <[email protected]>
  uid       [ultimate] [jpeg image of size 6283]
  sub   4096R/EDA19F9C 2014-11-18 [expires: 2015-11-18]
  pub   4096R/0940E3F9 2014-11-18 [expires: 2015-11-18]
  uid       [ultimate] Colin Keenan <[email protected]>
  uid       [ultimate] [jpeg image of size 6283]
  sub   4096R/EDA19F9C 2014-11-18 [expires: 2015-11-18]
  How do I remove just the 2nd entry so that my public key is only listed one time?
  I am afraid to start signing my packages (https://wiki.archlinux.org/index.php/De … ge_signing) before I fix this issue.
  Edit to add what I've tried so far:
  gpg -o colin.gpg --export colin            # to create a backup of my public key in a file called colin.gpg
  cp pubring.gpg pubring-backup.gpg   # in case I screw up pubring.gpg
  gpg --import colin.gpg                          # hoping it will magically merge the duplicate, but it left both unchanged
  gpg --delete-key colin                           # hoping it would delete both copies of the public key so I could import it again
  It refused to delete the public key until I delete the private key which I don't want to do.
  I also realized the export may have the duplicate as well. I tested that with:
  gpg colin.gpg
  And, sure enough, it listed my key twice.
  Another edit: I have tried a lot and exposed a bug that I will try to submit upstream. Here is what I have done:
  gpg --edit-key colin                              # this selected the first of the duplicate keys to be edited
  gpg> adduid
  Real name: Colin N Keenan
  Email address: [email protected]
  Comment:
  You selected this USER-ID:
      "Colin N Keenan <[email protected]>"
  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
  You need a passphrase to unlock the secret key for
  user: "Colin Keenan <[email protected]>"
  4096-bit RSA key, ID 0940E3F9, created 2014-11-18
  pub  4096R/0940E3F9  created: 2014-11-18  expires: 2015-11-18  usage: SC 
                       trust: ultimate      validity: ultimate
  sub  4096R/EDA19F9C  created: 2014-11-18  expires: 2015-11-18  usage: E   
  [ultimate] (1)  Colin Keenan <[email protected]>
  [ultimate] (2)  [jpeg image of size 6283]
  [ unknown] (3). Colin N Keenan <[email protected]>
  gpg> save
  gpg --edit-key "Colin N Keenan"
  Secret key is available.
  pub  4096R/0940E3F9  created: 2014-11-18  expires: 2015-11-18  usage: SC 
                       trust: ultimate      validity: ultimate
  sub  4096R/EDA19F9C  created: 2014-11-18  expires: 2015-11-18  usage: E   
  [ultimate] (1). Colin N Keenan <[email protected]>
  [ultimate] (2)  Colin Keenan <[email protected]>
  [ultimate] (3)  [jpeg image of size 6283]
  gpg> 2
  pub  4096R/0940E3F9  created: 2014-11-18  expires: 2015-11-18  usage: SC 
                       trust: ultimate      validity: ultimate
  sub  4096R/EDA19F9C  created: 2014-11-18  expires: 2015-11-18  usage: E   
  [ultimate] (1). Colin N Keenan <[email protected]>
  [ultimate] (2)* Colin Keenan <[email protected]>
  [ultimate] (3)  [jpeg image of size 6283]
  gpg> deluid
  Really remove this user ID? (y/N) y
  pub  4096R/0940E3F9  created: 2014-11-18  expires: 2015-11-18  usage: SC 
                       trust: ultimate      validity: ultimate
  sub  4096R/EDA19F9C  created: 2014-11-18  expires: 2015-11-18  usage: E   
  [ultimate] (1). Colin N Keenan <[email protected]>
  [ultimate] (2)  [jpeg image of size 6283]
  gpg> quit
  Save changes? (y/N) y
  And now the bug:
  /home/colin% gpg --delete-key "Colin Keenan"
  gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.
  gpg: there is a secret key for public key "Colin Keenan"!
  gpg: use option "--delete-secret-keys" to delete it first.
  /home/colin% gpg --delete-secret-key "Colin Keenan"
  gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.
  gpg: key "Colin Keenan" not found: Unknown system error
  gpg: Colin Keenan: delete key failed: Unknown system error
  So, --delete-key fails because there is a secret key, and --delete-secret-key fails because it can't find the secret key!
  Last edited by colinkeenan (2014-11-19 16:26:31)

  I have solved the issue. Since I had made a backup of .gnupg while there was a duplicate of the public key for "Colin Keenan", I realized the secret key in the backup was also for "Colin Keenan", so I didn't want to delete that one. I should delete "Colin N Keenan" by deleting the secret and public key matching it, then copy the resulting public key file to the backup, then restore the backup. That solved the issue, as follows:
  gpg --delete-secret-key "Colin N Keenan"
  gpg --delete-key "Colin N Keenan"
  cp .gnupg/pubring.gpg .gnupg-backup
  rm -r .gnupg
  cp -r .gnupg-backup .gnupg
  Here is a full outline of the commands I ran to eliminate the duplicate public key, in case anyone else runs into this very unusual problem:
  cd                                     # just making sure I'm in home directory so don't have to type dreaded ~
  cp -r .gnupg .gnupg-backup
  gpg --edit-key colin
  gpg> adduid (added Colin N Keenan, original was Colin Keenan)
  gpg> save
  gpg --edit-key "Colin N Keenan"
  gpg> 2 (because "Colin Keenan" was the 2nd uid)
  gpg> deluid
  gpg> save
  gpg --delete-secret-key "Colin N Keenan"
  gpg --delete-key "Colin N Keenan"
  cp .gnupg/pubring.gpg .gnupg-backup
  rm -r .gnupg
  cp -r .gnupg-backup .gnupg
  Last edited by colinkeenan (2014-11-19 16:41:03)

• System encryption using LUKS and GPG encrypted keys for arch linux

  Update: As of 2012-03-28, arch changed from gnupg 1.4 to 2.x which uses pinentry for the password dialog. The "etwo" hook described here doesn't work with gnupg 2. Either use the openssl hook below or use a statically compiled version of gnupg 1.4.
  Update: As of 2012-12-19, the mkinitcpio is not called during boot, unless the "install" file for the hook contains "add_runscript". This resulted in an unbootable system for me. Also, the method name was changed from install () to build ().
  Update: 2013-01-13: Updated the hook files using the corrections by Deth.
  Note: This guide is a bit dated now, in particular the arch installation might be different now. But essentially, the approach stays the same. Please also take a look at the posts further down, specifically the alternative hooks that use openssl.
  I always wanted to set up a fully encrypted arch linux server that uses gpg encrypted keyfiles on an external usb stick and luks for root filesystem encryption. I already did it once in gentoo using this guide. For arch, I had to play alot with initcpio hooks and after one day of experimentation, I finally got it working. I wrote a little guide for myself which I'm going to share here for anyone that might be interested. There might be better or easier ways, like I said this is just how I did it. I hope it might help someone else. Constructive feedback is always welcome
  Intro
  Using arch linux mkinitcpio's encrypt hook, one can easily use encrypted root partitions with LUKS. It's also possible to use key files stored on an external drive, like an usb stick. However, if someone steals your usb stick, he can just copy the key and potentially access the system. I wanted to have a little extra security by additionally encrypting the key file with gpg using a symmetric cipher and a passphrase.
  Since the encrypt hook doesn't support this scenario, I created a modifed hook called “etwo” (silly name I know, it was the first thing that came to my mind). It will simply look if the key file has the extension .gpg and, if yes, use gpg to decrypt it, then pipe the result into cryptsetup.
  Conventions
  In this short guide, I use the following disk/partition names:
  /dev/sda: is the hard disk that will contain an encrypted swap (/dev/sda1), /var (/dev/sda2) and root (/dev/sda3) partition.
  /dev/sdb is the usb stick that will contain the gpg encrypted luks keys, the kernel and grub. It will have one partition /dev/sdb1 formatted with ext2.
  /dev/mapper/root, /dev/mapper/swap and /dev/mapper/var will be the encrypted devices.
  Credits
  Thanks to the authors of SECURITY_System_Encryption_DM-Crypt_with_LUKS (gentoo wiki), System Encryption with LUKS (arch wiki), mkinitcpio (arch wiki) and Early Userspace in Arch Linux (/dev/brain0 blog)!
  Guide
  1. Boot the arch live cd
  I had to use a newer testing version, because the 2010.05 cd came with a broken gpg. You can download one here: http://releng.archlinux.org/isos/. I chose the “core“ version. Go ahead and boot the live cd, but don't start the setup yet.
  2. Set keymap
  Use km to set your keymap. This is important for non-qwerty keyboards to avoid suprises with passphrases...
  3. Wipe your discs
  ATTENTION: this will DELETE everything on /dev/sda and /dev/sdb forever! Do not blame me for any lost data!
  Before encrypting the hard disc, it has to be completely wiped and overwritten with random data. I used shred for this. Others use badblocks or dd with /dev/urandom. Either way, this will take a long time, depending on the size of your disc. I also wiped my usb stick just to be sure.
  shred -v /dev/sda
  shred -v /dev/sdb
  4. Partitioning
  Fire up fdisk and create the following partitions:
  /dev/sda1, type linux swap.
  /dev/sda2: type linux
  /dev/sda3: type linux
  /dev/sdb1, type linux
  Of course you can choose a different layout, this is just how I did it. Keep in mind that only the root filesystem will be decrypted by the initcpio. The rest will be decypted during normal init boot using /etc/crypttab, the keys being somewhere on the root filesystem.
  5. Format  and mount the usb stick
  Create an ext2 filesystem on /dev/sdb1:
  mkfs.ext2 /dev/sdb1
  mkdir /root/usb
  mount /dev/sdb1 /root/usb
  cd /root/usb # this will be our working directory for now.
  Do not mount anything to /mnt, because the arch installer will use that directory later to mount the encrypted root filesystem.
  6. Configure the network (if not already done automatically)
  ifconfig eth0 192.168.0.2 netmask 255.255.255.0
  route add default gw 192.168.0.1
  echo "nameserver 192.168.0.1" >> /etc/resolv.conf
  (this is just an example, your mileage may vary)
  7. Install gnupg
  pacman -Sy
  pacman -S gnupg
  Verify that gnupg works by launching gpg.
  8. Create the keys
  Just to be sure, make sure swap is off:
  cat /proc/swaps
  should return no entries.
  Create gpg encrypted keys (remember, we're still in our working dir /root/usb):
  dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > root.gpg
  dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > var.gpg
  Choose a strong password!!
  Don't do this in two steps, e.g don't do dd to a file and then gpg on that file. The key should never be stored in plain text on an unencrypted device, except if that device is wiped on system restart (ramfs)!
  Note that the default cipher for gpg is cast5, I just chose to use a different one.
  9. Create the encrypted devices with cryptsetup
  Create encrypted swap:
  cryptsetup -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -d /dev/urandom create swap /dev/sda1
  You should see /dev/mapper/swap now. Don't format nor turn it on for now. This will be done by the arch installer.
  Important: From the Cryptsetup 1.1.2 Release notes:
  Cryptsetup can accept passphrase on stdin (standard input). Handling of new line (\n) character is defined by input specification:
      if keyfile is specified as "-" (using --key-file=- or by positional argument in luksFormat and luksAddKey, like cat file | cryptsetup --key-file=- <action> ), input is processed
        as normal binary file and no new line is interpreted.
      if there is no key file specification (with default input from stdin pipe like echo passphrase | cryptsetup <action> ) input is processed as input from terminal, reading will
        stop after new line is detected.
  If I understand this correctly, since the randomly generated key can contain a newline early on, piping the key into cryptsetup without specifying --key-file=- could result in a big part of the key to be ignored by cryptsetup. Example: if the random key was "foo\nandsomemorebaratheendofthekey", piping it directly into cryptsetup without --key-file=- would result in cryptsetup using only "foo" as key which would have big security implications. We should therefor ALWAYS pipe the key into cryptsetup using --key-file=- which ignores newlines.
  gpg -q -d root.gpg 2>/dev/null | cryptsetup -v -–key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda3
  gpg -q -d var.gpg 2>/dev/null | cryptsetup -v –-key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -v luksFormat /dev/sda2
  Check for any errors.
  10. Open the luks devices
  gpg -d root.gpg 2>/dev/null | cryptsetup -v –-key-file=- luksOpen /dev/sda3 root
  gpg -d var.gpg 2>/dev/null | cryptsetup -v –-key-file=- luksOpen /dev/sda2 var
  If you see /dev/mapper/root and /dev/mapper/var now, everything is ok.
  11. Start the installer /arch/setup
  Follow steps 1 to 3.
  At step 4 (Prepare hard drive(s), select “3 – Manually Configure block devices, filesystems and mountpoints. Choose /dev/sdb1 (the usb stick) as /boot, /dev/mapper/swap for swap, /dev/mapper/root for / and /dev/mapper/var for /var.
  Format all drives (choose “yes” when asked “do you want to have this filesystem (re)created”) EXCEPT for /dev/sdb1, choose “no”. Choose the correct filesystem for /dev/sdb1, ext2 in my case. Use swap for /dev/mapper/swap. For the rest, I chose ext4.
  Select DONE to start formatting.
  At step 5 (Select packages), select grub as boot loader. Select the base group. Add mkinitcpio.
  Start step 6 (Install packages).
  Go to step 7 (Configure System).
  By sure to set the correct KEYMAP, LOCALE and TIMEZONE in /etc/rc.conf.
  Edit /etc/fstab:
  /dev/mapper/root / ext4 defaults 0 1
  /dev/mapper/swap swap swap defaults 0 0
  /dev/mapper/var /var ext4 defaults 0 1
  # /dev/sdb1 /boot ext2 defaults 0 1
  Configure the rest normally. When you're done, setup will launch mkinitcpio. We'll manually launch this again later.
  Go to step 8 (install boot loader).
  Be sure to change the kernel line in menu.lst:
  kernel /vmlinuz26 root=/dev/mapper/root cryptdevice=/dev/sda3:root cryptkey=/dev/sdb1:ext2:/root.gpg
  Don't forget the :root suffix in cryptdevice!
  Also, my root line was set to (hd1,0). Had to change that to
  root (hd0,0)
  Install grub to /dev/sdb (the usb stick).
  Now, we can exit the installer.
  12. Install mkinitcpio with the etwo hook.
  Create /mnt/lib/initcpio/hooks/etwo:
  #!/usr/bin/ash
  run_hook() {
  /sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
  if [ -e "/sys/class/misc/device-mapper" ]; then
  if [ ! -e "/dev/mapper/control" ]; then
  /bin/mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
  fi
  [ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
  # Get keyfile if specified
  ckeyfile="/crypto_keyfile"
  usegpg="n"
  if [ "x${cryptkey}" != "x" ]; then
  ckdev="$(echo "${cryptkey}" | cut -d: -f1)"
  ckarg1="$(echo "${cryptkey}" | cut -d: -f2)"
  ckarg2="$(echo "${cryptkey}" | cut -d: -f3)"
  if poll_device "${ckdev}" ${rootdelay}; then
  case ${ckarg1} in
  *[!0-9]*)
  # Use a file on the device
  # ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
  if [ "${ckarg2#*.}" = "gpg" ]; then
  ckeyfile="${ckeyfile}.gpg"
  usegpg="y"
  fi
  mkdir /ckey
  mount -r -t ${ckarg1} ${ckdev} /ckey
  dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1
  umount /ckey
  # Read raw data from the block device
  # ckarg1 is numeric: ckarg1=offset, ckarg2=length
  dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1
  esac
  fi
  [ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
  fi
  if [ -n "${cryptdevice}" ]; then
  DEPRECATED_CRYPT=0
  cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)"
  cryptname="$(echo "${cryptdevice}" | cut -d: -f2)"
  else
  DEPRECATED_CRYPT=1
  cryptdev="${root}"
  cryptname="root"
  fi
  warn_deprecated() {
  echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
  echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
  if poll_device "${cryptdev}" ${rootdelay}; then
  if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
  [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
  dopassphrase=1
  # If keyfile exists, try to use that
  if [ -f ${ckeyfile} ]; then
  if [ "${usegpg}" = "y" ]; then
  # gpg tty fixup
  if [ -e /dev/tty ]; then mv /dev/tty /dev/tty.backup; fi
  cp -a /dev/console /dev/tty
  while [ ! -e /dev/mapper/${cryptname} ];
  do
  sleep 2
  /usr/bin/gpg -d "${ckeyfile}" 2>/dev/null | cryptsetup --key-file=- luksOpen ${cryptdev} ${cryptname} ${CSQUIET}
  dopassphrase=0
  done
  rm /dev/tty
  if [ -e /dev/tty.backup ]; then mv /dev/tty.backup /dev/tty; fi
  else
  if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
  dopassphrase=0
  else
  echo "Invalid keyfile. Reverting to passphrase."
  fi
  fi
  fi
  # Ask for a passphrase
  if [ ${dopassphrase} -gt 0 ]; then
  echo ""
  echo "A password is required to access the ${cryptname} volume:"
  #loop until we get a real password
  while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
  sleep 2;
  done
  fi
  if [ -e "/dev/mapper/${cryptname}" ]; then
  if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
  export root="/dev/mapper/root"
  fi
  else
  err "Password succeeded, but ${cryptname} creation failed, aborting..."
  exit 1
  fi
  elif [ -n "${crypto}" ]; then
  [ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
  msg "Non-LUKS encrypted device found..."
  if [ $# -ne 5 ]; then
  err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
  err "Non-LUKS decryption not attempted..."
  return 1
  fi
  exe="/sbin/cryptsetup create ${cryptname} ${cryptdev}"
  tmp=$(echo "${crypto}" | cut -d: -f1)
  [ -n "${tmp}" ] && exe="${exe} --hash \"${tmp}\""
  tmp=$(echo "${crypto}" | cut -d: -f2)
  [ -n "${tmp}" ] && exe="${exe} --cipher \"${tmp}\""
  tmp=$(echo "${crypto}" | cut -d: -f3)
  [ -n "${tmp}" ] && exe="${exe} --key-size \"${tmp}\""
  tmp=$(echo "${crypto}" | cut -d: -f4)
  [ -n "${tmp}" ] && exe="${exe} --offset \"${tmp}\""
  tmp=$(echo "${crypto}" | cut -d: -f5)
  [ -n "${tmp}" ] && exe="${exe} --skip \"${tmp}\""
  if [ -f ${ckeyfile} ]; then
  exe="${exe} --key-file ${ckeyfile}"
  else
  exe="${exe} --verify-passphrase"
  echo ""
  echo "A password is required to access the ${cryptname} volume:"
  fi
  eval "${exe} ${CSQUIET}"
  if [ $? -ne 0 ]; then
  err "Non-LUKS device decryption failed. verify format: "
  err " crypto=hash:cipher:keysize:offset:skip"
  exit 1
  fi
  if [ -e "/dev/mapper/${cryptname}" ]; then
  if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
  export root="/dev/mapper/root"
  fi
  else
  err "Password succeeded, but ${cryptname} creation failed, aborting..."
  exit 1
  fi
  else
  err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
  fi
  fi
  rm -f ${ckeyfile}
  fi
  Create /mnt/lib/initcpio/install/etwo:
  #!/bin/bash
  build() {
  local mod
  add_module dm-crypt
  if [[ $CRYPTO_MODULES ]]; then
  for mod in $CRYPTO_MODULES; do
  add_module "$mod"
  done
  else
  add_all_modules '/crypto/'
  fi
  add_dir "/dev/mapper"
  add_binary "cryptsetup"
  add_binary "dmsetup"
  add_binary "/usr/bin/gpg"
  add_file "/usr/lib/udev/rules.d/10-dm.rules"
  add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
  add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
  add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
  add_runscript
  help ()
  cat<<HELPEOF
  This hook allows for an encrypted root device with support for gpg encrypted key files.
  To use gpg, the key file must have the extension .gpg and you have to install gpg and add /usr/bin/gpg
  to your BINARIES var in /etc/mkinitcpio.conf.
  HELPEOF
  Edit /mnt/etc/mkinitcpio.conf (only relevant sections displayed):
  MODULES=”ext2 ext4” # not sure if this is really nessecary.
  BINARIES=”/usr/bin/gpg” # this could probably be done in install/etwo...
  HOOKS=”base udev usbinput keymap autodetect pata scsi sata usb etwo filesystems” # (usbinput is only needed if you have an usb keyboard)
  Copy the initcpio stuff over to the live cd:
  cp /mnt/lib/initcpio/hooks/etwo /lib/initcpio/hooks/
  cp /mnt/lib/initcpio/install/etwo /lib/initcpio/install/
  cp /mnt/etc/mkinitcpio.conf /etc/
  Verify your LOCALE, KEYMAP and TIMEZONE in /etc/rc.conf!
  Now reinstall the initcpio:
  mkinitcpio -g /mnt/boot/kernel26.img
  Make sure there were no errors and that all hooks were included.
  13. Decrypt the "var" key to the encrypted root
  mkdir /mnt/keys
  chmod 500 /mnt/keys
  gpg –output /mnt/keys/var -d /mnt/boot/var.gpg
  chmod 400 /mnt/keys/var
  14. Setup crypttab
  Edit /mnt/etc/crypttab:
  swap /dev/sda1 SWAP -c aes-cbc-essiv:sha256 -s 256 -h whirlpool
  var /dev/sda2 /keys/var
  15. Reboot
  We're done, you may reboot. Make sure you select the usb stick as the boot device in your bios and hope for the best. . If it didn't work, play with grub's settings or boot from the live cd, mount your encrypted devices and check all settings. You might also have less trouble by using uuid's instead of device names.  I chose device names to keep things as simple as possible, even though it's not the optimal way to do it.
  Make backups of your data and your usb stick and do not forget your password(s)! Or you can say goodbye to your data forever...
  Last edited by fabriceb (2013-01-15 22:36:23)

  I'm trying to run my install script that is based on https://bbs.archlinux.org/viewtopic.php?id=129885
  Decrypting the gpg key after grub works, but then "Devce root already exists." appears every second.
  any idea ?
  #!/bin/bash
  # This script is designed to be run in conjunction with a UEFI boot using Archboot intall media.
  # prereqs:
  # EFI "BIOS" set to boot *only* from EFI
  # successful EFI boot of Archboot USB
  # mount /dev/sdb1 /src
  set -o nounset
  #set -o errexit
  # Host specific configuration
  # this whole script needs to be customized, particularly disk partitions
  # and configuration, but this section contains global variables that
  # are used during the system configuration phase for convenience
  HOSTNAME=daniel
  USERNAME=user
  # Globals
  # We don't need to set these here but they are used repeatedly throughout
  # so it makes sense to reuse them and allow an easy, one-time change if we
  # need to alter values such as the install target mount point.
  INSTALL_TARGET="/install"
  HR="--------------------------------------------------------------------------------"
  PACMAN="pacman --noconfirm --config /tmp/pacman.conf"
  TARGET_PACMAN="pacman --noconfirm --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
  CHROOT_PACMAN="pacman --noconfirm --cachedir /var/cache/pacman/pkg --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
  FILE_URL="file:///packages/core-$(uname -m)/pkg"
  FTP_URL='ftp://mirrors.kernel.org/archlinux/$repo/os/$arch'
  HTTP_URL='http://mirrors.kernel.org/archlinux/$repo/os/$arch'
  # Functions
  # I've avoided using functions in this script as they aren't required and
  # I think it's more of a learning tool if you see the step-by-step
  # procedures even with minor duplciations along the way, but I feel that
  # these functions clarify the particular steps of setting values in config
  # files.
  SetValue () {
  # EXAMPLE: SetValue VARIABLENAME '\"Quoted Value\"' /file/path
  VALUENAME="$1" NEWVALUE="$2" FILEPATH="$3"
  sed -i "s+^#\?\(${VALUENAME}\)=.*$+\1=${NEWVALUE}+" "${FILEPATH}"
  CommentOutValue () {
  VALUENAME="$1" FILEPATH="$2"
  sed -i "s/^\(${VALUENAME}.*\)$/#\1/" "${FILEPATH}"
  UncommentValue () {
  VALUENAME="$1" FILEPATH="$2"
  sed -i "s/^#\(${VALUENAME}.*\)$/\1/" "${FILEPATH}"
  # Initialize
  # Warn the user about impending doom, set up the network on eth0, mount
  # the squashfs images (Archboot does this normally, we're just filling in
  # the gaps resulting from the fact that we're doing a simple scripted
  # install). We also create a temporary pacman.conf that looks for packages
  # locally first before sourcing them from the network. It would be better
  # to do either *all* local or *all* network but we can't for two reasons.
  # 1. The Archboot installation image might have an out of date kernel
  # (currently the case) which results in problems when chrooting
  # into the install mount point to modprobe efivars. So we use the
  # package snapshot on the Archboot media to ensure our kernel is
  # the same as the one we booted with.
  # 2. Ideally we'd source all local then, but some critical items,
  # notably grub2-efi variants, aren't yet on the Archboot media.
  # Warn
  timer=9
  echo -e "\n\nMAC WARNING: This script is not designed for APPLE MAC installs and will potentially misconfigure boot to your existing OS X installation. STOP NOW IF YOU ARE ON A MAC.\n\n"
  echo -n "GENERAL WARNING: This procedure will completely format /dev/sda. Please cancel with ctrl-c to cancel within $timer seconds..."
  while [[ $timer -gt 0 ]]
  do
  sleep 1
  let timer-=1
  echo -en "$timer seconds..."
  done
  echo "STARTING"
  # Get Network
  echo -n "Waiting for network address.."
  #dhclient eth0
  dhcpcd -p eth0
  echo -n "Network address acquired."
  # Mount packages squashfs images
  umount "/packages/core-$(uname -m)"
  umount "/packages/core-any"
  rm -rf "/packages/core-$(uname -m)"
  rm -rf "/packages/core-any"
  mkdir -p "/packages/core-$(uname -m)"
  mkdir -p "/packages/core-any"
  modprobe -q loop
  modprobe -q squashfs
  mount -o ro,loop -t squashfs "/src/packages/archboot_packages_$(uname -m).squashfs" "/packages/core-$(uname -m)"
  mount -o ro,loop -t squashfs "/src/packages/archboot_packages_any.squashfs" "/packages/core-any"
  # Create temporary pacman.conf file
  cat << PACMANEOF > /tmp/pacman.conf
  [options]
  Architecture = auto
  CacheDir = ${INSTALL_TARGET}/var/cache/pacman/pkg
  CacheDir = /packages/core-$(uname -m)/pkg
  CacheDir = /packages/core-any/pkg
  [core]
  Server = ${FILE_URL}
  Server = ${FTP_URL}
  Server = ${HTTP_URL}
  [extra]
  Server = ${FILE_URL}
  Server = ${FTP_URL}
  Server = ${HTTP_URL}
  #Uncomment to enable pacman -Sy yaourt
  [archlinuxfr]
  Server = http://repo.archlinux.fr/\$arch
  PACMANEOF
  # Prepare pacman
  [[ ! -d "${INSTALL_TARGET}/var/cache/pacman/pkg" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/cache/pacman/pkg"
  [[ ! -d "${INSTALL_TARGET}/var/lib/pacman" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/lib/pacman"
  ${PACMAN} -Sy
  ${TARGET_PACMAN} -Sy
  # Install prereqs from network (not on archboot media)
  echo -e "\nInstalling prereqs...\n$HR"
  #sed -i "s/^#S/S/" /etc/pacman.d/mirrorlist # Uncomment all Server lines
  UncommentValue S /etc/pacman.d/mirrorlist # Uncomment all Server lines
  ${PACMAN} --noconfirm -Sy gptfdisk btrfs-progs-unstable libusb-compat gnupg
  # Configure Host
  # Here we create three partitions:
  # 1. efi and /boot (one partition does double duty)
  # 2. swap
  # 3. our encrypted root
  # Note that all of these are on a GUID partition table scheme. This proves
  # to be quite clean and simple since we're not doing anything with MBR
  # boot partitions and the like.
  echo -e "format\n"
  # shred -v /dev/sda
  # disk prep
  sgdisk -Z /dev/sda # zap all on disk
  #sgdisk -Z /dev/mmcb1k0 # zap all on sdcard
  sgdisk -a 2048 -o /dev/sda # new gpt disk 2048 alignment
  #sgdisk -a 2048 -o /dev/mmcb1k0
  # create partitions
  sgdisk -n 1:0:+200M /dev/sda # partition 1 (UEFI BOOT), default start block, 200MB
  sgdisk -n 2:0:+4G /dev/sda # partition 2 (SWAP), default start block, 200MB
  sgdisk -n 3:0:0 /dev/sda # partition 3, (LUKS), default start, remaining space
  #sgdisk -n 1:0:1800M /dev/mmcb1k0 # root.gpg
  # set partition types
  sgdisk -t 1:ef00 /dev/sda
  sgdisk -t 2:8200 /dev/sda
  sgdisk -t 3:8300 /dev/sda
  #sgdisk -t 1:0700 /dev/mmcb1k0
  # label partitions
  sgdisk -c 1:"UEFI Boot" /dev/sda
  sgdisk -c 2:"Swap" /dev/sda
  sgdisk -c 3:"LUKS" /dev/sda
  #sgdisk -c 1:"Key" /dev/mmcb1k0
  echo -e "create gpg file\n"
  # create gpg file
  dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > /root/root.gpg
  echo -e "format LUKS on root\n"
  # format LUKS on root
  gpg -q -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-xts-plain -s 512 --hash sha512 luksFormat /dev/sda3
  echo -e "open LUKS on root\n"
  gpg -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- luksOpen /dev/sda3 root
  # NOTE: make sure to add dm_crypt and aes_i586 to MODULES in rc.conf
  # NOTE2: actually this isn't required since we're mounting an encrypted root and grub2/initramfs handles this before we even get to rc.conf
  # make filesystems
  # following swap related commands not used now that we're encrypting our swap partition
  #mkswap /dev/sda2
  #swapon /dev/sda2
  #mkfs.ext4 /dev/sda3 # this is where we'd create an unencrypted root partition, but we're using luks instead
  echo -e "\nCreating Filesystems...\n$HR"
  # make filesystems
  mkfs.ext4 /dev/mapper/root
  mkfs.vfat -F32 /dev/sda1
  #mkfs.vfat -F32 /dev/mmcb1k0p1
  echo -e "mount targets\n"
  # mount target
  #mount /dev/sda3 ${INSTALL_TARGET} # this is where we'd mount the unencrypted root partition
  mount /dev/mapper/root ${INSTALL_TARGET}
  # mount target
  mkdir ${INSTALL_TARGET}
  # mkdir ${INSTALL_TARGET}/key
  # mount -t vfat /dev/mmcb1k0p1 ${INSTALL_TARGET}/key
  mkdir ${INSTALL_TARGET}/boot
  mount -t vfat /dev/sda1 ${INSTALL_TARGET}/boot
  # Install base, necessary utilities
  mkdir -p ${INSTALL_TARGET}/var/lib/pacman
  ${TARGET_PACMAN} -Sy
  ${TARGET_PACMAN} -Su base
  # curl could be installed later but we want it ready for rankmirrors
  ${TARGET_PACMAN} -S curl
  ${TARGET_PACMAN} -S libusb-compat gnupg
  ${TARGET_PACMAN} -R grub
  rm -rf ${INSTALL_TARGET}/boot/grub
  ${TARGET_PACMAN} -S grub2-efi-x86_64
  # Configure new system
  SetValue HOSTNAME ${HOSTNAME} ${INSTALL_TARGET}/etc/rc.conf
  sed -i "s/^\(127\.0\.0\.1.*\)$/\1 ${HOSTNAME}/" ${INSTALL_TARGET}/etc/hosts
  SetValue CONSOLEFONT Lat2-Terminus16 ${INSTALL_TARGET}/etc/rc.conf
  #following replaced due to netcfg
  #SetValue interface eth0 ${INSTALL_TARGET}/etc/rc.conf
  # write fstab
  # You can use UUID's or whatever you want here, of course. This is just
  # the simplest approach and as long as your drives aren't changing values
  # randomly it should work fine.
  cat > ${INSTALL_TARGET}/etc/fstab <<FSTAB_EOF
  # /etc/fstab: static file system information
  # <file system> <dir> <type> <options> <dump> <pass>
  tmpfs /tmp tmpfs nodev,nosuid 0 0
  /dev/sda1 /boot vfat defaults 0 0
  /dev/mapper/cryptswap none swap defaults 0 0
  /dev/mapper/root / ext4 defaults,noatime 0 1
  FSTAB_EOF
  # write etwo
  mkdir -p /lib/initcpio/hooks/
  mkdir -p /lib/initcpio/install/
  cp /src/etwo_hooks /lib/initcpio/hooks/etwo
  cp /src/etwo_install /lib/initcpio/install/etwo
  mkdir -p ${INSTALL_TARGET}/lib/initcpio/hooks/
  mkdir -p ${INSTALL_TARGET}/lib/initcpio/install/
  cp /src/etwo_hooks ${INSTALL_TARGET}/lib/initcpio/hooks/etwo
  cp /src/etwo_install ${INSTALL_TARGET}/lib/initcpio/install/etwo
  # write crypttab
  # encrypted swap (random passphrase on boot)
  echo cryptswap /dev/sda2 SWAP "-c aes-xts-plain -h whirlpool -s 512" >> ${INSTALL_TARGET}/etc/crypttab
  # copy configs we want to carry over to target from install environment
  mv ${INSTALL_TARGET}/etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf.orig
  cp /etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf
  mkdir -p ${INSTALL_TARGET}/tmp
  cp /tmp/pacman.conf ${INSTALL_TARGET}/tmp/pacman.conf
  # mount proc, sys, dev in install root
  mount -t proc proc ${INSTALL_TARGET}/proc
  mount -t sysfs sys ${INSTALL_TARGET}/sys
  mount -o bind /dev ${INSTALL_TARGET}/dev
  echo -e "umount boot\n"
  # we have to remount /boot from inside the chroot
  umount ${INSTALL_TARGET}/boot
  # Create install_efi script (to be run *after* chroot /install)
  touch ${INSTALL_TARGET}/install_efi
  chmod a+x ${INSTALL_TARGET}/install_efi
  cat > ${INSTALL_TARGET}/install_efi <<EFI_EOF
  # functions (these could be a library, but why overcomplicate things
  SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?\(\${VALUENAME}\)=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
  CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^\(\${VALUENAME}.*\)\$/#\1/" "\${FILEPATH}"; }
  UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#\(\${VALUENAME}.*\)\$/\1/" "\${FILEPATH}"; }
  echo -e "mount boot\n"
  # remount here or grub et al gets confused
  mount -t vfat /dev/sda1 /boot
  # mkinitcpio
  # NOTE: intel_agp drm and i915 for intel graphics
  SetValue MODULES '\\"dm_mod dm_crypt aes_x86_64 ext2 ext4 vfat intel_agp drm i915\\"' /etc/mkinitcpio.conf
  SetValue HOOKS '\\"base udev pata scsi sata usb usbinput keymap consolefont etwo encrypt filesystems\\"' /etc/mkinitcpio.conf
  SetValue BINARIES '\\"/usr/bin/gpg\\"' /etc/mkinitcpio.conf
  mkinitcpio -p linux
  # kernel modules for EFI install
  modprobe efivars
  modprobe dm-mod
  # locale-gen
  UncommentValue de_AT /etc/locale.gen
  locale-gen
  # install and configure grub2
  # did this above
  #${CHROOT_PACMAN} -Sy
  #${CHROOT_PACMAN} -R grub
  #rm -rf /boot/grub
  #${CHROOT_PACMAN} -S grub2-efi-x86_64
  # you can be surprisingly sloppy with the root value you give grub2 as a kernel option and
  # even omit the cryptdevice altogether, though it will wag a finger at you for using
  # a deprecated syntax, so we're using the correct form here
  # NOTE: take out i915.modeset=1 unless you are on intel graphics
  SetValue GRUB_CMDLINE_LINUX '\\"cryptdevice=/dev/sda3:root cryptkey=/dev/sda1:vfat:/root.gpg add_efi_memmap i915.i915_enable_rc6=1 i915.i915_enable_fbc=1 i915.lvds_downclock=1 pcie_aspm=force quiet\\"' /etc/default/grub
  # set output to graphical
  SetValue GRUB_TERMINAL_OUTPUT gfxterm /etc/default/grub
  SetValue GRUB_GFXMODE 960x600x32,auto /etc/default/grub
  SetValue GRUB_GFXPAYLOAD_LINUX keep /etc/default/grub # comment out this value if text only mode
  # install the actual grub2. Note that despite our --boot-directory option we will still need to move
  # the grub directory to /boot/grub during grub-mkconfig operations until grub2 gets patched (see below)
  grub_efi_x86_64-install --bootloader-id=grub --no-floppy --recheck
  # create our EFI boot entry
  # bug in the HP bios firmware (F.08)
  efibootmgr --create --gpt --disk /dev/sda --part 1 --write-signature --label "ARCH LINUX" --loader "\\\\grub\\\\grub.efi"
  # copy font for grub2
  cp /usr/share/grub/unicode.pf2 /boot/grub
  # generate config file
  grub-mkconfig -o /boot/grub/grub.cfg
  exit
  EFI_EOF
  # Install EFI using script inside chroot
  chroot ${INSTALL_TARGET} /install_efi
  rm ${INSTALL_TARGET}/install_efi
  # Post install steps
  # anything you want to do post install. run the script automatically or
  # manually
  touch ${INSTALL_TARGET}/post_install
  chmod a+x ${INSTALL_TARGET}/post_install
  cat > ${INSTALL_TARGET}/post_install <<POST_EOF
  set -o errexit
  set -o nounset
  # functions (these could be a library, but why overcomplicate things
  SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?\(\${VALUENAME}\)=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
  CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^\(\${VALUENAME}.*\)\$/#\1/" "\${FILEPATH}"; }
  UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#\(\${VALUENAME}.*\)\$/\1/" "\${FILEPATH}"; }
  # root password
  echo -e "${HR}\\nNew root user password\\n${HR}"
  passwd
  # add user
  echo -e "${HR}\\nNew non-root user password (username:${USERNAME})\\n${HR}"
  groupadd sudo
  useradd -m -g users -G audio,lp,optical,storage,video,games,power,scanner,network,sudo,wheel -s /bin/bash ${USERNAME}
  passwd ${USERNAME}
  # mirror ranking
  echo -e "${HR}\\nRanking Mirrors (this will take a while)\\n${HR}"
  cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.orig
  mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.all
  sed -i "s/#S/S/" /etc/pacman.d/mirrorlist.all
  rankmirrors -n 5 /etc/pacman.d/mirrorlist.all > /etc/pacman.d/mirrorlist
  # temporary fix for locale.sh update conflict
  mv /etc/profile.d/locale.sh /etc/profile.d/locale.sh.preupdate || true
  # yaourt repo (add to target pacman, not tmp pacman.conf, for ongoing use)
  echo -e "\\n[archlinuxfr]\\nServer = http://repo.archlinux.fr/\\\$arch" >> /etc/pacman.conf
  echo -e "\\n[haskell]\\nServer = http://www.kiwilight.com/\\\$repo/\\\$arch" >> /etc/pacman.conf
  # additional groups and utilities
  pacman --noconfirm -Syu
  pacman --noconfirm -S base-devel
  pacman --noconfirm -S yaourt
  # sudo
  pacman --noconfirm -S sudo
  cp /etc/sudoers /tmp/sudoers.edit
  sed -i "s/#\s*\(%wheel\s*ALL=(ALL)\s*ALL.*$\)/\1/" /tmp/sudoers.edit
  sed -i "s/#\s*\(%sudo\s*ALL=(ALL)\s*ALL.*$\)/\1/" /tmp/sudoers.edit
  visudo -qcsf /tmp/sudoers.edit && cat /tmp/sudoers.edit > /etc/sudoers
  # power
  pacman --noconfirm -S acpi acpid acpitool cpufrequtils
  yaourt --noconfirm -S powertop2
  sed -i "/^DAEMONS/ s/)/ @acpid)/" /etc/rc.conf
  sed -i "/^MODULES/ s/)/ acpi-cpufreq cpufreq_ondemand cpufreq_powersave coretemp)/" /etc/rc.conf
  # following requires my acpi handler script
  echo "/etc/acpi/handler.sh boot" > /etc/rc.local
  # time
  pacman --noconfirm -S ntp
  sed -i "/^DAEMONS/ s/hwclock /!hwclock @ntpd /" /etc/rc.conf
  # wireless (wpa supplicant should already be installed)
  pacman --noconfirm -S iw wpa_supplicant rfkill
  pacman --noconfirm -S netcfg wpa_actiond ifplugd
  mv /etc/wpa_supplicant.conf /etc/wpa_supplicant.conf.orig
  echo -e "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=network\nupdate_config=1" > /etc/wpa_supplicant.conf
  # make sure to copy /etc/network.d/examples/wireless-wpa-config to /etc/network.d/home and edit
  sed -i "/^DAEMONS/ s/)/ @net-auto-wireless @net-auto-wired)/" /etc/rc.conf
  sed -i "/^DAEMONS/ s/ network / /" /etc/rc.conf
  echo -e "\nWIRELESS_INTERFACE=wlan0" >> /etc/rc.conf
  echo -e "WIRED_INTERFACE=eth0" >> /etc/rc.conf
  echo "options iwlagn led_mode=2" > /etc/modprobe.d/iwlagn.conf
  # sound
  pacman --noconfirm -S alsa-utils alsa-plugins
  sed -i "/^DAEMONS/ s/)/ @alsa)/" /etc/rc.conf
  mv /etc/asound.conf /etc/asound.conf.orig || true
  #if alsamixer isn't working, try alsamixer -Dhw and speaker-test -Dhw -c 2
  # video
  pacman --noconfirm -S base-devel mesa mesa-demos
  # x
  #pacman --noconfirm -S xorg xorg-xinit xorg-utils xorg-server-utils xdotool xorg-xlsfonts
  #yaourt --noconfirm -S xf86-input-wacom-git # NOT NEEDED? input-wacom-git
  #TODO: cut down the install size
  #pacman --noconfirm -S xorg-server xorg-xinit xorg-utils xorg-server-utils
  # TODO: wacom
  # environment/wm/etc.
  #pacman --noconfirm -S xfce4 compiz ccsm
  #pacman --noconfirm -S xcompmgr
  #yaourt --noconfirm -S physlock unclutter
  #pacman --noconfirm -S rxvt-unicode urxvt-url-select hsetroot
  #pacman --noconfirm -S gtk2 #gtk3 # for taffybar?
  #pacman --noconfirm -S ghc
  # note: try installing alex and happy from cabal instead
  #pacman --noconfirm -S haskell-platform haskell-hscolour
  #yaourt --noconfirm -S xmonad-darcs xmonad-contrib-darcs xcompmgr
  #yaourt --noconfirm -S xmobar-git
  # TODO: edit xfce to use compiz
  # TODO: xmonad, but deal with video tearing
  # TODO: xmonad-darcs fails to install from AUR. haskell dependency hell.
  # switching to cabal
  # fonts
  pacman --noconfirm -S terminus-font
  yaourt --noconfirm -S webcore-fonts
  yaourt --noconfirm -S fontforge libspiro
  yaourt --noconfirm -S freetype2-git-infinality
  # TODO: sed infinality and change to OSX or OSX2 mode
  # and create the sym link from /etc/fonts/conf.avail to conf.d
  # misc apps
  #pacman --noconfirm -S htop openssh keychain bash-completion git vim
  #pacman --noconfirm -S chromium flashplugin
  #pacman --noconfirm -S scrot mypaint bc
  #yaourt --noconfirm -S task-git stellarium googlecl
  # TODO: argyll
  POST_EOF
  # Post install in chroot
  #echo "chroot and run /post_install"
  chroot /install /post_install
  rm /install/post_install
  # copy grub.efi file to the default HP EFI boot manager path
  mkdir -p ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/
  mkdir -p ${INSTALL_TARGET}/boot/EFI/BOOT/
  cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/bootmgfw.efi
  cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/BOOT/BOOTX64.EFI
  cp /root/root.gpg ${INSTALL_TARGET}/boot/
  # NOTES/TODO

• [Solved] errors with keys after pacman update?

  Hi,
  I installed pacman 4.0.1-4, but now this is what happens when I try and update.
  Proceed with installation? [Y/n] Y
  (28/28) checking package integrity [######################] 100%
  error: binutils-multilib: signature from "Jan Alexander Steffens (heftig) <[email protected]>" is unknown trust
  error: libcap-ng: signature from "Ionut Biru <[email protected]>" is unknown trust
  error: cifs-utils: signature from "Tobias Powalowski <[email protected]>" is unknown trust
  error: cmake: signature from "Dave Reisner <[email protected]>" is unknown trust
  error: colord: signature from "Ionut Biru <[email protected]>" is unknown trust
  error: lib32-glibc: signature from "Jan Alexander Steffens (heftig) <[email protected]>" is unknown trust
  error: lib32-gcc-libs: signature from "Jan Alexander Steffens (heftig) <[email protected]>" is unknown trust
  error: gcc-libs-multilib: signature from "Jan Alexander Steffens (heftig) <[email protected]>" is unknown trust
  error: gcc-multilib: signature from "Jan Alexander Steffens (heftig) <[email protected]>" is unknown trust
  error: perl: key "6D1655C14CE1C13E" is unknown
  error: key "6D1655C14CE1C13E" could not be looked up remotely
  error: openssl: signature from "Pierre Schmitz <[email protected]>" is unknown trust
  error: git: signature from "Dan McGee <[email protected]>" is unknown trust
  error: gpgme: signature from "Dave Reisner <[email protected]>" is unknown trust
  error: gvfs: signature from "Dave Reisner <[email protected]>" is unknown trust
  error: inetutils: key "FCF2CB179205AC90" is unknown
  :: Import PGP key 9205AC90, "Eric Belanger <[email protected]>", created 2011-04-19? [Y/n] Y
  error: key "Eric Belanger <[email protected]>" could not be imported
  error: intltool: key "FCF2CB179205AC90" is unknown
  :: Import PGP key 9205AC90, "Eric Belanger <[email protected]>", created 2011-04-19? [Y/n] ^C
  Interrupt signal received
  When pacman updated it suggested that I run this command,
  sudo pacman-key --init
  I know that usually I would say yes to a key and pacman should remember it, but what are all the errors?
  Last edited by mich04 (2012-01-20 17:19:26)

  # /etc/pacman.conf
  # See the pacman.conf(5) manpage for option and repository directives
  # GENERAL OPTIONS
  [options]
  # The following paths are commented out with their default values listed.
  # If you wish to use different paths, uncomment and update the paths.
  #RootDir = /
  #DBPath = /var/lib/pacman/
  #CacheDir = /var/cache/pacman/pkg/
  #LogFile = /var/log/pacman.log
  HoldPkg = pacman glibc
  # If upgrades are available for these packages they will be asked for first
  SyncFirst = pacman
  #XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
  #XferCommand = /usr/bin/curl -C - -f %u > %o
  #CleanMethod = KeepInstalled
  Architecture = auto
  # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
  #IgnorePkg =
  #IgnoreGroup =
  #NoUpgrade =
  #NoExtract =
  # Misc options (all disabled by default)
  #UseSyslog
  #ShowSize
  #UseDelta
  #TotalDownload
  #CheckSpace
  # REPOSITORIES
  # - can be defined here or included from another file
  # - pacman will search repositories in the order defined here
  # - local/custom mirrors can be added here or in separate files
  # - repositories listed first will take precedence when packages
  # have identical names, regardless of version number
  # - URLs will have $repo replaced by the name of the current repo
  # - URLs will have $arch replaced by the name of the architecture
  # Repository entries are of the format:
  # [repo-name]
  # Server = ServerName
  # Include = IncludePath
  # The header [repo-name] is crucial - it must be present and
  # uncommented to enable the repo.
  # The testing repositories are disabled by default. To enable, uncomment the
  # repo name header and Include lines. You can add preferred servers immediately
  # after the header, and they will be used before the default mirrors.
  #[testing]
  #Include = /etc/pacman.d/mirrorlist
  [core]
  Include = /etc/pacman.d/mirrorlist
  [extra]
  Include = /etc/pacman.d/mirrorlist
  #[community-testing]
  #Include = /etc/pacman.d/mirrorlist
  [community]
  Include = /etc/pacman.d/mirrorlist
  # If you want to run 32 bit applications on your x86_64 system,
  # enable the multilib repositories as required here.
  #[multilib-testing]
  #Include = /etc/pacman.d/mirrorlist
  [multilib]
  Include = /etc/pacman.d/mirrorlist
  # An example of a custom package repository. See the pacman manpage for
  # tips on creating your own repositories.
  #[custom]
  #Server = file:///home/custompkgs
  Here it is.

• Fulldisk encryption with a gpg encrypted key?

  Hi all, anyone know if it is possible to encrypt a root partition using a gpg encrypted key?
  To create it and open it I would use something like this.
  #dd if=/dev/urandom bs=512 count=4|gpg –symmetric –a > ./rootkey.gpg
  #gpg --quiet --decrypt rootkey.gpg | cryptsetup -v --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda3
  #gpg --decrypt key.gpg 2>/dev/null | cryptsetup luksOpen /dev/sda3 root
  which works, if i can manually enter the commands to decrypt the drive, but how would i do that at boot? i was reading a article on the gentoo wiki about creating custom scripts etc etc to handle it all. can something similar be applied in arch linux? if this is at all possible is there somewhere where i can find some documentation regarding doing this?
  cheers.

  Nothing wrong with using LUKS, and in a way I am still using LUKS but what I am doing here is having a key file encrypted using GnuPG and stored between the MBR and first partition. In my modified /lib/initcpio/hooks/encrypt script it will ask for the password for the keyfile to decrypt the root partition and if an incorrect password is entered more than say 3 times it will shred the keyfile making the root partition impossible to ever decrypt. For a backup for myself I will have a copy of the gpg encrypted key stored somewhere on the web.
  So basically adding a whole new layer of security to the system. The more layers of security you can add the better.
  I do know this is a little over board, but its more for the fun of doing it. In a strange sort of nerdy way
  But back to what you were saying about the libraries? From the archlinux wiki
  These options allow users to add files to the image. Both BINARIES and FILES are added before hooks are run, and may be used to override files used or provided by a hook. BINARIES are dependency-parsed, meaning any required libraries will also be added. FILES are added as-is. For example:
  So I shouldn't have to worry about them.

• Viewing multiple thumbs before importing?

  Hi,
  I am going through photo discs trying to accumulate relevent photos to make a Photo Book. I don't want to import every single photo on each disc in order to look at and them in iPhoto - and would prefer not to have to click on each photo to see what it is before importing. Does anyone know if there is a way to view multiple thumbs before selecting which to import?

  Ah yes...thank you very much! I never venture up there because I am terrified I will mess with stuff that should be just left alone and I have developed a blind spot to then search up there for things.... Unfortunately there is nothing in the Contextual Menu Folder so I can't manually remove anything there.
  Unless you have another suggestion, I suppose I will browse around his site and see if there is a reference to solving this particular problem in downloading the program.
  Thanks for your help Terence.

• How do i show date and time info of videos in Iphone as they appeare before import in iPhoto?

  How do i show date and time info of videos in Iphone as they appeare before import in iPhoto? or even as they appear on the iPhone itself? The selection on tool bar for show info is greyed out.

  Welcome T G Brown to the  iMovie boards..
  the socalled timestamp is within the imports.. if you select a clip in iM and hit the key combo Apple-I, you can see recording time and date.
  unfortunately, this info isn't delivered to any software. Bruce Gee (geethree.com, excellent plug-in maker) told us, there's no 'API' he could use for such a feature...
  same on the pro side, read this discussion at the FinalCutExpress boards:
  http://discussions.apple.com/message.jspa?messageID=7982935
  Forum member Ian offers a solution with a 3rd party app ....
  so: pen&pencil and typing timestamp manually into any 'Title' seems to be your only option...

• Can you filter/search images before importing them?

  Is there a way to filter images before importing them in Lightroom?
  Scenario
  I work with an extensive image collection stored on a server. The images contain a full set of metadata, including keywords and more. When I work on a specific project, I import the images into a Lightroom collection. That way I can easily review, rate and add additional keywords to those best-of images.
  The challenge is that the images I want to add are from numerous folders. Plus, I often only want to add some images from those folders (not the entire folder). This collection process can be very time consuming -- manually locating the images and checking/unchecking the ones I want and repeating the process for the different folders the images reside in.
  The process could be greatly simplified (and a lot faster) if I could filter/search for images that contain key words or other metadata to find the full set of images I want to import.
  The key is that I’m not using a workflow to simply import all images from a memory card or download folder. I’m working from a large collection of existing images and want to import a subset of those images.
  Thanks in advance.

  No, you cannot filter or search images before importing them.
  But immediatley after import the images are automatically displayed in <Previous Import>.
  They will be displayed there until you import another set of images.
  While displayed in <Previous Import> they can be searched and filtered.

• Installation with LVM and gpg-encrypted key, what to tell Grub

  Hi,
  after years of using Gentoo Linux I grew tired of the compilation effort, so I decided to give Arch Linux a shot. I like the idea of a basic system which I can fit to my needs instead of a bloated distribution.
  I want to encrypt my disk and did this with the following tutorials:
  Official Arch Linux Install Guide
  DM Crypt with LUKS
  Basic Cryptsetup
  Gentoo DM-Crypt with LUKS
  So far, the installation worked well, but I'm stuck with this problem:
  I have a gpg encrypted key stored on a SD-Card.
  My mkinitcpio.conf has the hook line:
  HOOKS="base udev autodetect pata scsi sata mmc usbinput fsck keymap encrypt lvm2 filesystems
  /etc/default/grub contains:
  GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda6:vg root=/dev-mapper/vg-root ro cryptkey=/dev/mmcblk0p1:jfs:/Key.gpg"
  However, if I am booting, there are the following outputs:
  No key available with this passphrase.
  Invalid keyfile. Reverting to passphrase.
  A password is required to access the vg volume:
  Enter passphrase for /dev/sda6:
  So, obviously, he isn't able to gpg-decrypt the key, or am I missing something?
  I do really need some help at this point.

  On my gentoo installation, I had to tell cryptsetup to use the decrypted key as password for the new key. In fact
  gpg -q -d <GPG-Keyfile> | cryptsetup luksOpen /dev/<encryptedPartition> <cryptContainer>
  did exactly what I wanted.
  I wanted to have my system highly secured, so a password-protected keyfile on an extern medium was the best choice.
  Edit: There has been another tutorial: System encryption with gpg encrypted keys, but it's out of date.
  Last edited by iarumas (2012-12-05 22:50:34)

• How do I rename the iphoto library on one computer before importing it to another location with other iphoto libraries?

  How do I rename the iphoto library on one computer before importing it to another location with other iphoto libraries?

  How do I rename the iphoto library on one computer before importing it to another location with other iphoto libraries?
  Quit iPhoto.
  Select the Library in the Finder, click the name,  and edit the name like for any file.

• Do I need to compress video before importing into DVD SP?

  Hello,
  this is probably stupid question, but I would like to know, if I need to compress my video before I import it into DVD SP as an asset. It looks like everyone use Compressor before importing into DVD SP, (setting up number of passes, bit rates and so on), and then they do it again when setting up preferences in DVD SP. (setting 1 pass or 2passes, bit rate values)
  So is not the video actually compressed twice? Once in Compressor and once in DVD SP?
  And also, what video formats are actually OK to import into DVD SP? (QT, AVI, FCP movie, etc)
  Does DVD SP take them all, or does it only have to be QT?
  Thank you and I appologize for these novice questions.

  Welcome to the Boards
  Madagascar wrote:
  So is not the video actually compressed twice? Once in Compressor and once in DVD SP?
  And also, what video formats are actually OK to import into DVD SP? (QT, AVI, FCP movie, etc)
  Does DVD SP take them all, or does it only have to be QT?
  Thank you and I appologize for these novice questions.
  m2v will not be recompressed when placed on tracks (though in some instances it may recompress on menus.) Ultimately it is better to compress outside of DVD SP for control of encodes (and making AC3 files) and also some formats may not be supported by importing into DVD SP directly.
  Some information to take a look at
  http://dvdstepbystep.com/faqs_3.php
  http://dvdstepbystep.com/faqs_7.php
  http://dvdstepbystep.com/qc.php
  http://dvdstepbystep.com/fasttrackover.php (middle section discusses Compressor a bit more)

• I connected a digital camera memory chip with approximately 100 photos on it. The photos showed up in iPhoto. I believe I deleted the photos from the memory chip before importing them. Is there any way I can get the photos back?

  I connected a digital camera memory chip with approximately 100 photos on it to import into iPhoto. The photos showed up in iPhoto. I believe I deleted the photos from the memory chip before importing them to iPhoto. Is there any way I can get the photos back?

  Terence, thanks that site is a gem...have to explore it more fully at home as it drove security here crazy
  Looks like just the ticket for saving mistakes.

• How do I "save" a calendar before importing it?

  How do I "save" a calendar before importing it?

  Ghanpoh,
  It really depends on what it is, exactly, that you wish to do. There are basically four ways to "save."
  1.) As you note, Save, Save_As and Save_as_a_Copy are for saving the Project file ONLY. I posted an article here on the differences amongst the three and why one would choose one over the others.
  2.) Archiver - this is accessed from the Toolbar and can "save" the Project with the media files in a couple of forms. This is used when a Project is complete, and one wishes to clear their HDD, but wants an "archived" copy of the Project with all media, in case they have to come back to it later.
  3.) Export - this is used to send the edited media to an AV file for play, distribution, etc. It is limited in formats, but is the quickest way to, well "export" you edited file (or part of it, using the WAB [Work Area Bar] to an AV file. Export>Movie is probably the most common.
  4.) Share - similar to Export, this is used when on is going to "export" the edited file to another medium, usually a "streaming" medium, like the Web, but also offers a myriad of other formats, like WMV (many flavors), or MOV (again, many flavors).
  The choice will be based on what the editor needs and wishes.
  Please tell us what you wish to do with your edited material, and someone can suggest the best method for you.
  Good luck,
  Hunt

• How do you go about quickly deleting photos on SD card before importing?

  II'm looking for quick efficient way to look over photos and discard obvious unwanted pics before import.

  Try using Image Capture.  It's in the Applications folder.  With iPhoto you can select just those photos you want to import.

• Apple has a problem and the cant solve it. I had some very important call but this new iphone just shut down on me and wont turn on i tried everything u can find in apple support nothing works for me. Anyone know what i can do?

  Apple has a problem and the cant solve it. I had some very important call but this new iphone just shut down on me and wont turn on i tried everything u can find in apple support nothing works for me. Anyone know what i can do?

  I would instead say you have a problem since nearly all IPs work as advertised.  IF you do have a bad phone, take it into an Apple store and get a replacement.  Hope you didn't jailbreak your phone though as Apple probably will tell you, you broke it, you fix it.