[arch-general] when keys aren't updated
Pacman could do with a feature to bypass authors packages and keys so those don't disrupt updates.
On 6/21/21 11:36 PM, Jude DaShiell via arch-general wrote:
> Pacman could do with a feature to bypass authors packages and keys so those don't disrupt updates.

They don't disrupt updates. The keys are updated via archlinux-keyring, or via an "Import this key?" prompt via WKD / the SKS pool.

If none of these options are to your taste, you may edit pacman.conf and set SigLevel = Never, thereby "bypassing" keys. By doing so, you COMPLETELY sacrifice security, but apparently this is your desire so ¯\_(ツ)_/¯.

--
Eli Schwartz
Bug Wrangler and Trusted User
The particular key cannot be imported; it's not in public key servers yet.

On Mon, 21 Jun 2021, Eli Schwartz via arch-general wrote:
> On 6/21/21 11:36 PM, Jude DaShiell via arch-general wrote:
>> Pacman could do with a feature to bypass authors packages and keys so those don't disrupt updates.
>
> They don't disrupt updates. The keys are updated via archlinux-keyring, or via an "Import this key?" prompt via WKD / the SKS pool.
>
> If none of these options are to your taste, you may edit pacman.conf and set SigLevel = Never, thereby "bypassing" keys. By doing so, you COMPLETELY sacrifice security, but apparently this is your desire so ¯\_(ツ)_/¯.
Hi,

On Mon, 21 Jun 2021, Jude DaShiell via arch-general wrote:
> Pacman could do with a feature to bypass authors packages and keys so those don't disrupt updates.
IMO, ignoring signatures is a severe security issue and should not be done light-mindedly. The normal way to fix this is to update the keyring first or to refresh the keys via pacman-key. Only if this fails (e.g., because the signature of the keyring or the database itself is unknown), one should consider installing packages without signature checks: Set "SigLevel = Never" in pacman.conf, update the keyring, revert the SigLevel in pacman.conf and do further updates.

regards,
Erich
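An added example, not part of the thread and not pacman's own code: a small audit that reports which repositories in a pacman.conf still have package signature checking switched off, for confirming that the temporary SigLevel = Never workaround described above was reverted. The sample configuration is constructed; the token handling is a simplified model of SigLevel (later tokens override earlier ones, repositories inherit from [options], an unset SigLevel is assumed to mean "checked") and Include files are not followed.

```python
import re

# Constructed sample: the workaround was reverted in [options] but left on one repo.
SAMPLE_CONF = """\
[options]
Architecture = auto
SigLevel = Required DatabaseOptional
# SigLevel = Never

[core]
Include = /etc/pacman.d/mirrorlist

[custom]
SigLevel = Never
Server = file:///srv/repo
"""

SECTION = re.compile(r"^\[(.+)\]$")

def packages_checked(tokens, inherited=True):
    """Apply SigLevel tokens in order; return whether package signatures are checked."""
    checked = inherited
    for tok in tokens:
        if tok in ("Never", "PackageNever"):
            checked = False
        elif tok in ("Required", "Optional", "PackageRequired", "PackageOptional"):
            checked = True
    return checked

def audit_siglevel(conf_text):
    """Return sorted repo names whose effective SigLevel skips package verification."""
    section, default, repos = None, True, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            if section != "options":
                repos[section] = None          # None: inherit from [options]
            continue
        key, _, value = line.partition("=")
        if section is None or key.strip() != "SigLevel":
            continue
        if section == "options":
            default = packages_checked(value.split(), default)
        else:
            repos[section] = value.split()
    return sorted(name for name, toks in repos.items()
                  if not packages_checked(toks or [], default))

if __name__ == "__main__":
    print(audit_siglevel(SAMPLE_CONF))
```

To check a real system, pass the contents of /etc/pacman.conf to `audit_siglevel` instead of the sample; an empty list means no repository is configured to skip package signature checks.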
> Pacman could do with a feature to bypass authors packages and keys so those don't disrupt updates.

That would mean installing packages that are not bearing a valid signature. If you don’t want package signing, simply disable signature checking altogether in your pacman configuration. Accepting all the security implications, of course.
An update being impossible due to invalid signatures is an intended feature, not a bug.
participants (4)
- Eli Schwartz
- Erich Eckner
- Jude DaShiell
- mpan