[arch-general] when keys aren't updated

Erich Eckner arch at eckner.net
Tue Jun 22 03:45:26 UTC 2021


Hi,

On Mon, 21 Jun 2021, Jude DaShiell via arch-general wrote:

> Pacman could do with a feature to bypass authors packages and keys so
> those don't disrupt updates.

IMO, ignoring signatures is a severe security issue and should not be 
done light-mindedly.

The normal way to fix this is to update the keyring first or to refresh 
the keys via pacman-key. Only if this fails (e.g., because the signature 
of the keyring or the database itself is unknown), one should consider 
installing packages without signature checks: Set "SigLevel = Never" in 
pacman.conf, update the keyring, revert the SigLevel in pacman.conf and do 
further updates.

regards,
Erich

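
The fallback described in the message above depends on reverting SigLevel afterwards. The check below is an added example, not part of the original message or of pacman: it reports every section of a pacman.conf that still disables signature checking. The function names and the sample configuration are constructed for illustration, and files pulled in through Include are not followed.

```shell
#!/bin/sh
# Added example: flag pacman.conf sections that still disable signature checks.
# Prints "section: directive = value" per offending line; returns 1 if any found.
check_siglevel() {
    conf=${1:-/etc/pacman.conf}
    awk '
        { sub(/#.*/, "") }                      # drop comments, incl. commented-out directives
        /^[ \t]*\[.*\]/ {                       # section header such as [options] or [core]
            sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec); next
        }
        /^[ \t]*(SigLevel|LocalFileSigLevel|RemoteFileSigLevel)[ \t]*=/ {
            split($0, kv, "=")
            key = kv[1]; val = kv[2]
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            n = split(val, tok, /[ \t]+/)
            for (i = 1; i <= n; i++)            # Never, PackageNever, DatabaseNever
                if (tok[i] ~ /Never$/) {
                    printf "%s: %s = %s\n", sec, key, val
                    bad = 1
                    break
                }
        }
        END { exit bad }
    ' "$conf"
}

# Constructed sample: [options] and [extra] were left without signature checks.
sample_conf() {
    cat <<'EOF'
[options]
Architecture = auto
SigLevel = Never   # temporary, for the keyring update
#SigLevel = Required DatabaseOptional
[core]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist
[extra]
SigLevel = PackageNever DatabaseOptional
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
check_siglevel "$tmp" || echo "signature checks disabled: restore SigLevel before further updates"
rm -f "$tmp"
```

Run without an argument it reads /etc/pacman.conf, so it can follow the keyring update as a last step.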

