[arch-dev-public] pacman root key issue with gnupg-2.1
Allan McRae
allan at archlinux.org
Sun Dec 7 22:18:29 UTC 2014
On 08/12/14 06:44, Gaetan Bisson wrote:
> [2014-12-07 21:27:39 +1000] Allan McRae:
>> On 05/12/14 12:50, Gaetan Bisson wrote:
>>> [2014-12-01 16:31:28 -1000] Gaetan Bisson:
>>>> Right. It seems porting the pacman keyring from pre-2.1 to 2.1
>>>> mishandles the no-password case: signing anything with the resulting
>>>> master key fails. We should be able to fix that by manually fiddling
>>>> with the keyring, but I haven't found how yet.
>>>>
>>>> As you point out, recreating a fresh keyring with gnupg-2.1 is the
>>>> easiest solution, though it will inconvenience users that have already
>>>> imported and signed keys locally. I suggest we post a news item advising
>>>> all users to do that.
>>>
>>> How about the following news announcement:
>>>
>>> The upgrade to gnupg-2.1 tampered with the pacman keyring in a
>>> way that rendered the local master key unable to sign other
>>> keys. This is only an issue if you ever intend to customize your
>>> pacman keyring. We nevertheless recommend all users regenerate a
>>> fresh keyring using:
>>>
>>> sudo pacman -Syu
>>> sudo rm -fr /etc/pacman.d/gnupg
>>> sudo pacman-key --init
>>> sudo pacman-key --populate archlinux
>>>
>>> [End of the announcement.]
>>>
>>> Additionally, to avoid future issues with pacman-key communication
>>> passphrases to gnupg, I suggest updating our pacman package with:
>>> - "pinentry-mode loopback" in /etc/pacman.d/gnupg/gpg.conf
>>> - "allow-loopback-pinentry" in /etc/pacman.d/gnupg/gpg-agent.conf
>>>
>>> See: https://bbs.archlinux.org/viewtopic.php?pid=1480570#p1480570
>>>
>>
>> As far as I can tell, those options are just supposed to allow gpg to
>> work without a pinentry. But we should never require a password to be
>> entered, so it does not matter whether the pinentry is available or not.
>> So I am missing the reason to add this.
>
> Sure. That's just a precaution in case future versions of gnupg require
> pinentry even for empty passwords. But as you say that's unneeded now.
>
> I'll post the announcement later today if no one has further comments.
>
My only comment is to add a comment about using haveged. I have not
successfully generated a key without it running lately...
More information about the arch-dev-public
mailing list