[arch-dev-public] pacman root key issue with gnupg-2.1

Gaetan Bisson bisson at archlinux.org
Fri Dec 5 02:50:57 UTC 2014

[2014-12-01 16:31:28 -1000] Gaetan Bisson:
> Right. It seems porting the pacman keyring from pre-2.1 to 2.1
> mishandles the no-password case: signing anything with the resulting
> master key fails. We should be able to fix that by manually fiddling
> with the keyring, but I haven't found how yet.
> As you point out, recreating a fresh keyring with gnupg-2.1 is the
> easiest solution, though it will inconvenience users that have already
> imported and signed keys locally. I suggest we post a news item advising
> all users to do that.

How about the following news announcement:

	The upgrade to gnupg-2.1 tampered with the pacman keyring in a
	way that rendered the local master key unable to sign other
	keys. This is only an issue if you ever intend to customize your
	pacman keyring. We nevertheless recommend all users regenerate a
	fresh keyring using:

		sudo pacman -Syu
		sudo rm -fr /etc/pacman.d/gnupg
		sudo pacman-key --init
		sudo pacman-key --populate archlinux

	[End of the announcement.]

Additionally, to avoid future issues with pacman-key communication
passphrases to gnupg, I suggest updating our pacman package with:
- "pinentry-mode loopback" in /etc/pacman.d/gnupg/gpg.conf
- "allow-loopback-pinentry" in /etc/pacman.d/gnupg/gpg-agent.conf

See: https://bbs.archlinux.org/viewtopic.php?pid=1480570#p1480570



More information about the arch-dev-public mailing list