On 09/02/15 05:31 PM, Manuel Reimer wrote:
On 02/09/2015 11:23 PM, Daniel Micay wrote:
Pacman uses a web of trust model. There are 5 trusted master keys and other keys are only trusted if either 3 master keys have signed them or the user has explicitly marked them as trusted. Never trust any keys yourself and you will have no issues. There is no MITM attack vector.
Today, I had the following situation:
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (11) binutils-2.25-2 gcc-4.9.2-3 gcc-libs-4.9.2-3 glibc-2.21-1 inkscape-0.91-3 libiodbc-3.52.9-2 linux-api-headers-3.18.5-1 linux-firmware-20150206.17657c3-1 net-snmp-5.7.3-1 patch-2.7.4-1 virtualbox-4.3.20-5

Total Installed Size: 431.48 MiB
Net Upgrade Size: 5.52 MiB

:: Proceed with installation? [Y/n] y
checking keyring...
downloading required keys...
:: Import PGP key 2048R/02FD1C7A934E614545849F19A6234074498E9CEE, "Christian Hesse (Arch Linux Package Signing) <arch@eworm.de>", created: 2011-08-12? [Y/n] n
error: required key missing from keyring
error: failed to commit transaction (unexpected error)
Errors occurred, no packages were upgraded.
No "keyring package" update pending but pacman still asks me to import/trust a key? I guess something is going wrong here?
I had exactly the same output on a second computer running Arch Linux.
It's not asking you to trust a key. It's asking you to import one. See what I wrote about the web of trust model. There is no MITM attack vector.
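The distinction drawn in this thread between importing a key and trusting it, as an added example that is not part of the original message and is not pacman or GnuPG code. It is a simplified model of the stated rule (3 master-key signatures or an explicit local trust decision); the class, function names and fingerprints are constructed for illustration, and signatures are assumed to have been cryptographically verified already.

```python
# Simplified model of the rule described in the thread; not pacman or GnuPG code.
# Fingerprints are constructed placeholders; signatures are assumed to be
# already cryptographically verified before they reach this model.
REQUIRED_MASTER_SIGS = 3  # threshold stated in the message


class Keyring:
    def __init__(self, master_keys):
        self.master_keys = frozenset(master_keys)
        self.imported = {}            # fingerprint -> set of verified signer fingerprints
        self.locally_trusted = set()  # keys the user explicitly marked as trusted

    def import_key(self, fpr, signed_by=()):
        """Importing stores the key and its signatures; it grants no trust."""
        self.imported[fpr] = set(signed_by)

    def is_trusted(self, fpr):
        if fpr not in self.imported:
            return False
        if fpr in self.locally_trusted:
            return True
        # Only signatures made by master keys count toward the threshold.
        return len(self.imported[fpr] & self.master_keys) >= REQUIRED_MASTER_SIGS

    def check_package(self, signer_fpr):
        if signer_fpr not in self.imported:
            return "missing"      # the "required key missing from keyring" case
        return "ok" if self.is_trusted(signer_fpr) else "untrusted"


def demo():
    masters = [f"MASTER-{i}" for i in range(1, 6)]   # 5 master keys
    ring = Keyring(masters)
    # Import declined: the signer's key is simply absent.
    results = {"declined_import": ring.check_package("PACKAGER-A")}
    # Packager key signed by three master keys: accepted once imported.
    ring.import_key("PACKAGER-A", signed_by=masters[:3])
    results["three_master_sigs"] = ring.check_package("PACKAGER-A")
    # Key with two master signatures plus unrelated ones: imported, not trusted.
    ring.import_key("UNKNOWN-B", signed_by=masters[:2] + ["OTHER-1", "OTHER-2"])
    results["two_master_sigs"] = ring.check_package("UNKNOWN-B")
    # Only an explicit local trust decision changes that outcome.
    ring.locally_trusted.add("UNKNOWN-B")
    results["after_local_trust"] = ring.check_package("UNKNOWN-B")
    return results


if __name__ == "__main__":
    print(demo())
```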