[arch-dev-public] gnupg 2.3.1-1 pulled from [testing]
foxboron at archlinux.org
Mon May 10 17:31:13 UTC 2021
It seems like gnupg 2.3.1-1 was built and pushed to [testing] briefly before
being removed. The reason for the removal is that there are changes to how
gnupg verifies signatures that depend on the key UIDs being properly signed.
In the case of my key, "foxboron at archlinux.org" is of marginal trust while
"morten at linderud.pw" is fully trusted. Since packages are signed with "--sender
foxboron at archlinux.org" gnupg cares about this trust level starting from
2.3.0-1. This results in failing signature checks if you have this package and
attempt to fetch packages signed by me.
Why was this removed with no heads-up? It caused a fair bit of confusion for a
few people and the cause of this issue isn't very clear when packages fail to
verify. Ideally we should have pushed gnupg with an epoch?
The best course of action is to downgrade the gnupg package to 2.2.27-1 from the
package archive or your local package cache.
<sidenote> gnupg is terrible :) </sidenote>
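
An added example, not part of the original message: a small checker that reads `gpg --with-colons --list-keys` output and reports keys where the address used with `--sender` maps to a UID that is not fully valid while another UID on the same key is, which is the situation the message describes. The sample records and key ID are constructed; the field positions (validity in field 2, key ID in field 5 of `pub`, user ID in field 10 of `uid`) follow GnuPG's documented colon format.

```python
import re

# Constructed colon-format records (not real keyring output): one key with
# two UIDs, one of full validity ("f") and one of marginal validity ("m").
SAMPLE = """\
pub:f:4096:1:0123456789ABCDEF:1500000000:::-:::scESC:
uid:f::::1500000000::HASH1::Packager <morten@linderud.pw>:
uid:m::::1500000000::HASH2::Packager <foxboron@archlinux.org>:
"""

FULLY_VALID = {"f", "u"}  # full and ultimate validity


def uid_validity(colons):
    """Map key ID -> list of (email, validity) taken from uid records."""
    keys, current = {}, None
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 4:
            current = fields[4]
            keys[current] = []
        elif fields[0] == "uid" and current is not None and len(fields) > 9:
            match = re.search(r"<([^>]+)>", fields[9])
            email = match.group(1).lower() if match else fields[9]
            keys[current].append((email, fields[1]))
    return keys


def sender_problems(colons, sender):
    """Return key IDs whose UID for `sender` is below full validity
    even though a different UID on the same key is fully valid."""
    sender = sender.lower()
    hits = []
    for keyid, uids in uid_validity(colons).items():
        sender_vals = [v for e, v in uids if e == sender]
        other_full = any(v in FULLY_VALID for e, v in uids if e != sender)
        if sender_vals and other_full and not any(
            v in FULLY_VALID for v in sender_vals
        ):
            hits.append(keyid)
    return hits


if __name__ == "__main__":
    for keyid in sender_problems(SAMPLE, "foxboron@archlinux.org"):
        print(f"{keyid}: sender UID is not fully valid")
```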