After upgrading to the new pacman 4.0, the following system update fails due to a lot of untrusted signatures (unknown trust error).
I'm guessing we need to verify we really trust these signatures. I've found this guide regarding validating gpg keys: http://www.pps.jussieu.fr/~jch/software/pgp-validating.html. I assume this will be very similar, except using the pacman-key frontend to do the verification.
So let me step through and see if I understand correctly:
All the developers' keys seem to be published here: http://www.archlinux.org/developers/ and http://www.archlinux.org/trustedusers
So to trust Andrea Scarpino's key I would get the PGP key from the above webpage (PGP Key: 0xD30DB0AD) and finger it:
pacman-key --finger 0xD30DB0AD
then compare the fingerprint with the one that's linked to his profile:
http://pgp.mit.edu:11371/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0xD30DB0AD
It seems to match, so there is a good chance it's the real deal, so now I can locally sign it:
pacman-key --lsign-key 0xD30DB0AD
Correct? In its examples the article also marks the key as trusted. Would that be a good idea?
We have to do this for each and every Arch developer I guess? Is there a faster way?
Sander
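The check described in the message above (finger the key, compare the fingerprint with the one on the developer's profile page, and only then lsign it) as a shell script. This is an added example, not code from the thread, from pacman or from Arch: the key ID 0x0123ABCD, its fingerprint and the pacman-key --finger output below are constructed, and the parsing assumes pacman-key --finger prints the usual gpg --fingerprint layout. It goes one step beyond the message by comparing the full 40-digit fingerprint rather than the 8-digit short ID, which is only the tail of the fingerprint and is not unique enough to trust on its own.

```sh
#!/bin/sh
# Added example (not from the thread): compare a key's fingerprint in the
# pacman keyring with the one published on the developer's profile before
# locally signing it. All key IDs, fingerprints and output below are constructed.

# Constructed `pacman-key --finger` output for a hypothetical key 0x0123ABCD.
SAMPLE_FINGER_OUTPUT='pub   2048R/0123ABCD 2011-10-01
      Key fingerprint = 0000 1111 2222 3333 4444  5555 6666 7777 0123 ABCD
uid                  Example Developer <dev@example.invalid>
sub   2048R/89ABCDEF 2011-10-01'

# Normalise a fingerprint: drop whitespace and uppercase it, so the grouped
# form on the web page compares equal to the form in the keyring.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# Pull the first 40-hex-digit (primary key) fingerprint out of finger output
# read from stdin. The 8-digit short IDs on the pub/sub lines are too short
# to match and are skipped.
extract_fpr() {
    tr -d ' \t' | grep -oE '[0-9A-Fa-f]{40}' | head -n 1
}

# Return 0 if the fingerprint found in FINGER_OUTPUT ($2) equals the
# published fingerprint EXPECTED ($1).
fpr_matches() {
    expected=$(normalize_fpr "$1")
    actual=$(printf '%s\n' "$2" | extract_fpr | tr 'abcdef' 'ABCDEF')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Return 0 if KEYID ($1, short or long, with or without 0x) is the tail of
# fingerprint FPR ($2), which is how key IDs are derived from fingerprints.
keyid_matches_fpr() {
    id=$(normalize_fpr "${1#0x}")
    fpr=$(normalize_fpr "$2")
    case "$fpr" in
        *"$id") return 0 ;;
    esac
    return 1
}

# Only local-sign when the keyring's fingerprint matches the published one.
# This is the single function that touches the keyring.
verify_and_lsign() {
    keyid=$1
    published_fpr=$2
    finger_output=$(pacman-key --finger "$keyid") || return 2
    if ! keyid_matches_fpr "$keyid" "$published_fpr"; then
        echo "key ID $keyid is not the tail of the published fingerprint; not signing" >&2
        return 1
    fi
    if ! fpr_matches "$published_fpr" "$finger_output"; then
        echo "fingerprint for $keyid does not match the published one; not signing" >&2
        return 1
    fi
    pacman-key --lsign-key "$keyid"
}
```

Usage on a real system would be verify_and_lsign 0xKEYID 'fingerprint copied from the profile page'; everything else works on text only and runs offline, which is what the checks below exercise.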
On Fri, Oct 14, 2011 at 5:27 AM, Sander Jansen <s.jansen@gmail.com> wrote:
Maybe http://identi.ca/conversation/84528911#notice-84578762 helps.
On 14/10/11 13:27, Sander Jansen wrote:
You could do it this way... but yes, it will take a long time.
At the moment I just use "SigLevel = Optional TrustAll" which means imported keys are automatically considered as trusted without you having to manually verify them. That is obviously not the best solution, but it is an option until Arch gets a proper keyring sorted.
Allan
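For the pacman.conf workaround mentioned above, an added example (not code from the thread or from pacman) that pulls the SigLevel lines out of a config and reports whether any of them switches off verification or trust checking. It puts the "Optional TrustAll" setting beside the stricter "Required DatabaseOptional" so the two can be compared; both config fragments are constructed, and the parser assumes pacman.conf's usual [section] / Key = Value layout.

```sh
#!/bin/sh
# Added example (not from the thread): audit SigLevel settings in a pacman.conf.
# Both fragments below are constructed for the example.

# The workaround from the thread: every imported key is treated as trusted.
WEAK_CONF='[options]
SigLevel = Optional TrustAll

[core]
Include = /etc/pacman.d/mirrorlist'

# The stricter setting: package signatures required, database signatures
# checked when present, and only keys marked trusted in the keyring accepted.
STRICT_CONF='[options]
SigLevel = Required DatabaseOptional

[core]
Include = /etc/pacman.d/mirrorlist'

# Print "[section]: value" for every SigLevel line in the config text given
# as $1. Comment lines are ignored; LocalFileSigLevel is not matched because
# the pattern is anchored at the start of the line.
siglevel_lines() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        /^\[.*\]/ { sec = $0; next }
        /^[ \t]*SigLevel[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            print sec ": " $0
        }
    '
}

# 0 if no SigLevel line contains TrustAll or Never, 1 if one does, and 2 if
# the config sets no SigLevel at all (then pacman's built-in default applies
# and the caller has to decide what that means for them).
siglevel_is_strict() {
    lines=$(siglevel_lines "$1")
    [ -n "$lines" ] || return 2
    printf '%s\n' "$lines" | grep -Eq 'TrustAll|Never' && return 1
    return 0
}

# Human-readable report for one config text.
report_siglevel() {
    rc=0
    siglevel_is_strict "$1" || rc=$?
    case $rc in
        0) echo "ok: signature verification and trust checks are on" ;;
        1) echo "weak: a SigLevel line disables verification or trust checks:"
           siglevel_lines "$1" | grep -E 'TrustAll|Never' ;;
        2) echo "no SigLevel set; built-in default applies" ;;
    esac
    return $rc
}
```

On a real system the text to pass is the contents of /etc/pacman.conf, for example report_siglevel "$(cat /etc/pacman.conf)"; per-repository SigLevel lines are reported under their own section name, so a TrustAll that hides in a single repo block still shows up.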
On Thu, Oct 13, 2011 at 10:41 PM, Allan McRae <allan@archlinux.org> wrote:
Ah ok. Just read your blog as well (http://allanmcrae.com/2011/08/pacman-package-signing-3-pacman)
Thanks, Sander
participants (3): Allan McRae, Karol Blazewicz, Sander Jansen