[arch-dev-public] gnupg 2.3.1-1 pulled from [testing]

Morten Linderud foxboron at archlinux.org
Mon May 10 17:31:13 UTC 2021


It seems like gnupg 2.3.1-1 was built and pushed to [testing] briefly before
being removed. The reason from the removal is because there are changes to how
gnupg verifies signatures that depends on the key UIDs being properly signed.

In the case of my key, "foxboron at archlinux.org" is of marginal trust while
"morten at linderud.pw" is fully trusted. Since packages are signed with "--sender
foxboron at archlinux.org" gnupg cares about this trust level starting from
2.3.0-1. This results in failing signature checks if you have this package and
attempt to fetch packages signed by me.

Related issue:

Why was this removed with no headsup? It caused a fair bit of confusion for a
few people and the cause of this issue isn't very clear when packaged fail to
verify. Ideally we should have pushed gnupg with an epoch?

To testers:
    The best course of action is to downgrade the gnupg package to 2.2.27-1 from the
    package archive or your local package cache.


<sidenote> gnupg is terrible :) </sidenote>

Morten Linderud
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20210510/d42bd301/attachment.sig>

More information about the arch-dev-public mailing list