[arch-dev-public] pacman root key issue with gnupg-2.1
Allan McRae
allan at archlinux.org
Sun Dec 7 11:27:39 UTC 2014
On 05/12/14 12:50, Gaetan Bisson wrote:
> [2014-12-01 16:31:28 -1000] Gaetan Bisson:
>> Right. It seems porting the pacman keyring from pre-2.1 to 2.1
>> mishandles the no-password case: signing anything with the resulting
>> master key fails. We should be able to fix that by manually fiddling
>> with the keyring, but I haven't found how yet.
>>
>> As you point out, recreating a fresh keyring with gnupg-2.1 is the
>> easiest solution, though it will inconvenience users that have already
>> imported and signed keys locally. I suggest we post a news item advising
>> all users to do that.
>
> How about the following news announcement:
>
> The upgrade to gnupg-2.1 tampered with the pacman keyring in a
> way that rendered the local master key unable to sign other
> keys. This is only an issue if you ever intend to customize your
> pacman keyring. We nevertheless recommend all users regenerate a
> fresh keyring using:
>
> sudo pacman -Syu
> sudo rm -fr /etc/pacman.d/gnupg
> sudo pacman-key --init
> sudo pacman-key --populate archlinux
>
> [End of the announcement.]
>
> Additionally, to avoid future issues with pacman-key communication
> passphrases to gnupg, I suggest updating our pacman package with:
> - "pinentry-mode loopback" in /etc/pacman.d/gnupg/gpg.conf
> - "allow-loopback-pinentry" in /etc/pacman.d/gnupg/gpg-agent.conf
>
> See: https://bbs.archlinux.org/viewtopic.php?pid=1480570#p1480570
>
As far as I can tell, those options are just supposed to allow gpg to
work without a pinentry. But we should never require a password to be
entered, so it does not matter whether the pinentry is available or not.
So I am missing the reason to add this.
Also, not that /etc/pacman.d/gnupg/gpg.conf is not owned by the pacman
package, but is created by gpg when generating the root key.
Allan
More information about the arch-dev-public
mailing list