[arch-general] Updating the archlinux-keyring package

Leonid Isaev lisaev at umail.iu.edu
Fri Feb 14 13:14:05 EST 2014


On Fri, 14 Feb 2014 03:43:38 -0800
Don deJuan <donjuansjiz at gmail.com> wrote:

> On 02/14/2014 03:00 AM, Plonky Duby wrote:
> > I do agree with that, I switched on a laptop which was off since September
> > 2013 and I had some issue with some key.
> >
> > I had to update key, before having a successful update.
> >
> >
> >
> >
> > 2014-02-13 20:21 GMT+01:00 Leonid Isaev <lisaev at umail.iu.edu>:
> >
> >> Hi,
> >>
> >>         Recently I had to fix a corrupted pacman db from a 3 month old
> >> livecd and realized that this process is not so innocent. Specifically,
> >> there is a chance to get a trojaned package on the system simply because
> >> the archlinux-keyring package on the iso is outdated. Of course, other
> >> similar scenarios are possible, e.g. a fresh install is made from an old
> >> livecd, or a server is updated after several months of uptime: new
> >> packages are pulled in but signature checks are made using the old
> >> keyring currently on the host.
> >>         So, instead of relying on the discrete updates of
> >> archlinux-keyring, wouldn't it make more sense to have a systemd
> >> timer/cron job to frequently refresh pacman keyring?
> >>
> >> Thanks,
> >> --
> >> Leonid Isaev
> >> GPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
> >>
> 
> pacman-key --refresh-keys ??

Well, I run this on the home server via a systemd timer, so that I don't
forget to do it before an update. It is certainly not necessary on a
frequently updated machine, but might be a good idea for a livecd before an
installation.

Cheers,
-- 
Leonid Isaev
GPG key fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
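
The systemd timer mentioned in the reply above could look like the following pair of units. This is an added example, not part of the original message and not the poster's actual configuration; the unit names, file paths under /etc/systemd/system and the weekly schedule are assumptions.

```ini
# ---- File 1: /etc/systemd/system/pacman-key-refresh.service ----
# (hypothetical unit name)
[Unit]
Description=Refresh the pacman keyring from the keyserver
# The refresh contacts a keyserver, so wait until the network is up.
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/pacman-key --refresh-keys

# ---- File 2: /etc/systemd/system/pacman-key-refresh.timer ----
# (hypothetical unit name; activates the service of the same name)
[Unit]
Description=Periodic pacman keyring refresh

[Timer]
# Assumed schedule; choose an interval shorter than the usual gap
# between system updates on the host.
OnCalendar=weekly
# If the machine was off when the timer should have fired, run the
# refresh shortly after the next boot instead of skipping it.
Persistent=true
# Avoid every host hitting the keyserver at the same moment.
RandomizedDelaySec=1h

[Install]
WantedBy=timers.target
```

The two sections go into separate files; the timer is then activated with `systemctl enable --now pacman-key-refresh.timer`, and `systemctl list-timers` shows when it last ran.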