[arch-dev-public] gnupg 2.3.1-1 pulled from [testing]
Morten Linderud
foxboron at archlinux.org
Mon May 10 17:31:13 UTC 2021
Yo!
It seems like gnupg 2.3.1-1 was built and pushed to [testing] briefly before
being removed. The reason for the removal is that there are changes to how
gnupg verifies signatures that depend on the key UIDs being properly signed.
In the case of my key, "foxboron at archlinux.org" is of marginal trust while
"morten at linderud.pw" is fully trusted. Since packages are signed with "--sender
foxboron at archlinux.org", gnupg cares about this trust level starting from
2.3.0-1. This results in failing signature checks if you have this package and
attempt to fetch packages signed by me.
Related issue:
https://dev.gnupg.org/T4735
Why was this removed with no heads-up? It caused a fair bit of confusion for a
few people, and the cause of this issue isn't very clear when packages fail to
verify. Ideally we should have pushed gnupg with an epoch?
To testers:
The best course of action is to downgrade the gnupg package to 2.2.27-1 from the
package archive or your local package cache.
https://archive.archlinux.org/packages/g/gnupg/
<sidenote> gnupg is terrible :) </sidenote>
--
Morten Linderud
PGP: 9C02FF419FECBE16
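Added diagnostic, not part of the mail above: the failure Morten describes hinges on the validity gnupg assigns to the one UID named by `--sender`, not to the key as a whole. The script below parses `gpg --with-colons --list-keys` output (record type in field 1, validity letter in field 2, user ID string in field 10, per gnupg's doc/DETAILS) and reports which UIDs are fully valid and which are only marginal, so a tester can check a sender address before a verify fails. The listing it runs on is a constructed stand-in for real gpg output: the key ID is the one in the signature, but the timestamps and uid hashes are placeholders, and the addresses are written with "@" rather than the list's "at" obfuscation.

```shell
#!/bin/sh
# Report the validity gnupg records for each user ID of a key, and check
# whether the UID a package was signed with (--sender) is fully valid.
# Colon-format fields (gnupg doc/DETAILS): $1 record type, $2 validity
# (u ultimate, f full, m marginal, - unknown, n never, q undefined, ...),
# $10 user ID string.

# Constructed sample of `gpg --with-colons --list-keys 9C02FF419FECBE16`.
# Timestamps and uid hashes are placeholders. For a live check use:
#   gpg --with-colons --list-keys "$KEYID"
SAMPLE_LISTING='pub:f:4096:1:9C02FF419FECBE16:1500000000::-:::scESC::::::23::0:
uid:f::::1500000000::0000000000000000000000000000000000000000::Morten Linderud <morten@linderud.pw>::::::::::0:
uid:m::::1500000000::1111111111111111111111111111111111111111::Morten Linderud <foxboron@archlinux.org>::::::::::0:'

# uid_validity LISTING ADDRESS
# Prints the validity letter of the first uid record whose user ID
# contains ADDRESS, or "missing" when the key carries no such UID.
uid_validity() {
    printf '%s\n' "$1" | awk -F: -v addr="$2" '
        $1 == "uid" && index($10, addr) { print $2; found = 1; exit }
        END { if (!found) print "missing" }'
}

# sender_trusted LISTING ADDRESS
# Succeeds only when the UID is fully or ultimately valid, i.e. the state
# a trust-sensitive --sender verification expects.
sender_trusted() {
    case "$(uid_validity "$1" "$2")" in
        f|u) return 0 ;;
        *)   return 1 ;;
    esac
}

# summarize_uids LISTING
# One line per uid record with a readable label for its validity.
summarize_uids() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "uid" {
            if ($2 == "f" || $2 == "u")  label = "FULL"
            else if ($2 == "m")          label = "MARGINAL"
            else                         label = "OTHER(" $2 ")"
            printf "%-9s %s\n", label, $10
        }'
}

summarize_uids "$SAMPLE_LISTING"
for addr in "morten@linderud.pw" "foxboron@archlinux.org"; do
    if sender_trusted "$SAMPLE_LISTING" "$addr"; then
        echo "ok:   --sender $addr is fully valid"
    else
        echo "warn: --sender $addr has validity '$(uid_validity "$SAMPLE_LISTING" "$addr")', not full;" \
             "expect the verify failure described for gnupg 2.3"
    fi
done
```

Run against a real listing, the warn line points at exactly the UID to sign (or re-sign with full trust) so that packages signed with that `--sender` verify again; the downgrade to 2.2.27-1 remains the quicker fix for testers.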