[arch-dev-public] pacman root key issue with gnupg-2.1
Gaetan Bisson
bisson at archlinux.org
Fri Dec 5 02:50:57 UTC 2014
[2014-12-01 16:31:28 -1000] Gaetan Bisson:
> Right. It seems porting the pacman keyring from pre-2.1 to 2.1
> mishandles the no-password case: signing anything with the resulting
> master key fails. We should be able to fix that by manually fiddling
> with the keyring, but I haven't found how yet.
>
> As you point out, recreating a fresh keyring with gnupg-2.1 is the
> easiest solution, though it will inconvenience users that have already
> imported and signed keys locally. I suggest we post a news item advising
> all users to do that.
How about the following news announcement:
The upgrade to gnupg-2.1 tampered with the pacman keyring in a
way that rendered the local master key unable to sign other
keys. This is only an issue if you ever intend to customize your
pacman keyring. We nevertheless recommend all users regenerate a
fresh keyring using:
sudo pacman -Syu
sudo rm -fr /etc/pacman.d/gnupg
sudo pacman-key --init
sudo pacman-key --populate archlinux
[End of the announcement.]
Additionally, to avoid future issues with pacman-key communicating
passphrases to gnupg, I suggest updating our pacman package with:
- "pinentry-mode loopback" in /etc/pacman.d/gnupg/gpg.conf
- "allow-loopback-pinentry" in /etc/pacman.d/gnupg/gpg-agent.conf
See: https://bbs.archlinux.org/viewtopic.php?pid=1480570#p1480570
Cheers.
--
Gaetan
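As an added example that is not part of this message or of the pacman package: a shell script that applies the two proposed settings idempotently to the gpg.conf and gpg-agent.conf of a keyring directory passed as a parameter, then checks that both are present. The function names are hypothetical; it assumes only a POSIX shell, coreutils and grep, and it is exercised here on a scratch directory rather than /etc/pacman.d/gnupg (which would need root).

```shell
#!/usr/bin/env bash
# Added example (not from the mailing-list post or the pacman package).
# Idempotently adds the loopback-pinentry settings proposed in the post to a
# keyring directory's gpg.conf and gpg-agent.conf and verifies the result.
set -eu

# ensure_option FILE OPTION: append OPTION to FILE unless an uncommented line
# already consists of exactly that option (surrounding whitespace ignored).
ensure_option() {
    local file=$1 option=$2
    mkdir -p "$(dirname "$file")"
    touch "$file"
    if ! grep -qxE "[[:space:]]*${option}[[:space:]]*" "$file"; then
        printf '%s\n' "$option" >> "$file"
    fi
}

# configure_loopback_pinentry KEYRING_DIR: apply both settings from the post.
# On a real system KEYRING_DIR is /etc/pacman.d/gnupg and this runs as root.
configure_loopback_pinentry() {
    local dir=$1
    ensure_option "$dir/gpg.conf" "pinentry-mode loopback"
    ensure_option "$dir/gpg-agent.conf" "allow-loopback-pinentry"
}

# check_loopback_pinentry KEYRING_DIR: exit 0 if both options are set, 1 if not.
check_loopback_pinentry() {
    local dir=$1
    grep -qxE '[[:space:]]*pinentry-mode loopback[[:space:]]*' "$dir/gpg.conf" 2>/dev/null &&
    grep -qxE '[[:space:]]*allow-loopback-pinentry[[:space:]]*' "$dir/gpg-agent.conf" 2>/dev/null
}

# Demonstration on a constructed scratch keyring directory.
demo_dir=$(mktemp -d)
printf '# constructed pre-existing setting\nno-greeting\n' > "$demo_dir/gpg.conf"
configure_loopback_pinentry "$demo_dir"
configure_loopback_pinentry "$demo_dir"   # second run must not duplicate lines
if check_loopback_pinentry "$demo_dir"; then
    echo "loopback pinentry configured in $demo_dir"
fi
```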