[arch-general] Corrupt Package (confirmed 2 servers) dovecot, jansson, python2-pillow

Doug Newgard scimmia at archlinux.org
Mon Feb 12 00:05:41 UTC 2018

On Sun, 11 Feb 2018 16:22:04 -0600
"David C. Rankin" <drankinatty at suddenlinkmail.com> wrote:

> On 02/11/2018 07:09 AM, Doug Newgard via arch-general wrote:
> >> I refreshed the keylist with pacman-key no help, I finally just tagged
> >> TrustAll at the end of the line in packman.conf and it worked fine. There are
> >> screwed up signatures there.
> >>  
> > The issue is in your local keyring. Check all of the Arch Master Keys, make
> > sure they're all signed by your local master key.  
>   Can someone please explain why this key trust issue happened? In the past 7
> years, running 10+ Arch boxes I have never had to adjust the trust on any key
> within the arch-keyring. Why all of a sudden, and why on only one box, did I
> have to --lsign-key for the eschwartz93 key? That is why this seemed so bizarre.

It's hard to say why it happened without you actually checking the Arch Master
Keys like I mentioned. You should not be signing eschwartz's key, your pacman
local master key should sign all of the Arch Master Keys, and with signatures
from 3 of those, eschwartz's key becomes trusted. "Marginal trust" tells me
that either eschwartz's key didn't have the 3 required signatures or you
haven't signed all of the Arch Master Keys somehow.

More information about the arch-general mailing list