[arch-dev-public] pacman root key issue with gnupg-2.1

Gaetan Bisson bisson at archlinux.org
Tue Dec 2 02:31:28 UTC 2014


[2014-12-01 13:33:18 +1000] Allan McRae:
> On 01/12/14 13:22, Gaetan Bisson wrote:
> > [2014-12-01 12:14:34 +1000] Allan McRae:
> >> With GnuPG 2.1, they have tightened up on keys without a passphrase.  We
> >> don't have a passphrase on the root key in the pacman keyring...  This
> >> means that things like adding keys (pacman-key --recv-key <keyid>) now fail.
> > 
> > Strange, --recv-key works fine here, running gnupg-2.1.0-6 on a
> > pre-gnupg-2.1 pacman-keyring.
> > 
> 
> How about --lsign?

Right. It seems porting the pacman keyring from pre-2.1 to 2.1
mishandles the no-password case: signing anything with the resulting
master key fails. We should be able to fix that by manually fiddling
with the keyring, but I haven't found how yet.

As you point out, recreating a fresh keyring with gnupg-2.1 is the
easiest solution, though it will inconvenience users that have already
imported and signed keys locally. I suggest we post a news item advising
all users to do that.

Cheers.

-- 
Gaetan

