[arch-dev-public] pacman root key issue with gnupg-2.1

Allan McRae allan at archlinux.org
Sun Dec 7 22:18:29 UTC 2014

On 08/12/14 06:44, Gaetan Bisson wrote:
> [2014-12-07 21:27:39 +1000] Allan McRae:
>> On 05/12/14 12:50, Gaetan Bisson wrote:
>>> [2014-12-01 16:31:28 -1000] Gaetan Bisson:
>>>> Right. It seems porting the pacman keyring from pre-2.1 to 2.1
>>>> mishandles the no-password case: signing anything with the resulting
>>>> master key fails. We should be able to fix that by manually fiddling
>>>> with the keyring, but I haven't found how yet.
>>>> As you point out, recreating a fresh keyring with gnupg-2.1 is the
>>>> easiest solution, though it will inconvenience users that have already
>>>> imported and signed keys locally. I suggest we post a news item advising
>>>> all users to do that.
>>> How about the following news announcement:
>>> 	The upgrade to gnupg-2.1 tampered with the pacman keyring in a
>>> 	way that rendered the local master key unable to sign other
>>> 	keys. This is only an issue if you ever intend to customize your
>>> 	pacman keyring. We nevertheless recommend all users regenerate a
>>> 	fresh keyring using:
>>> 		sudo pacman -Syu
>>> 		sudo rm -fr /etc/pacman.d/gnupg
>>> 		sudo pacman-key --init
>>> 		sudo pacman-key --populate archlinux
>>> 	[End of the announcement.]
>>> Additionally, to avoid future issues with pacman-key communication
>>> passphrases to gnupg, I suggest updating our pacman package with:
>>> - "pinentry-mode loopback" in /etc/pacman.d/gnupg/gpg.conf
>>> - "allow-loopback-pinentry" in /etc/pacman.d/gnupg/gpg-agent.conf
>>> See: https://bbs.archlinux.org/viewtopic.php?pid=1480570#p1480570
>> As far as I can tell, those options are just supposed to allow gpg to
>> work without a pinentry.  But we should never require a password to be
>> entered, so it does not matter whether the pinentry is available or not.
>> So I am missing the reason to add this.
> Sure. That's just a precaution in case future versions of gnupg require
> pinentry even for empty passwords. But as you say that's unneeded now.
> I'll post the announcement later today if no one has further comments.

My only comment is to add a comment about using haveged.  I have not
successfully generated a key without it running lately...

More information about the arch-dev-public mailing list