[pacman-dev] New way to download signing keys prone to MITM attacks?

Manuel Reimer Manuel.Spam at nurfuerspam.de
Mon Feb 9 22:31:43 UTC 2015


On 02/09/2015 11:23 PM, Daniel Micay wrote:
> Pacman uses a web of trust model. There are 5 trusted master keys and
> other keys are only trusted if either 3 master keys have signed them or
> the user has explicitly marked them as trusted. Never trust any keys
> yourself and you will have no issues. There is no MITM attack vector.

Today, I had the following situation:

:: Synchronizing package databases...
  core is up to date
  extra is up to date
  community is up to date
:: Starting full system upgrade...
resolving dependencies...
looking for conflicting packages...

Packages (11) binutils-2.25-2  gcc-4.9.2-3  gcc-libs-4.9.2-3 
glibc-2.21-1  inkscape-0.91-3  libiodbc-3.52.9-2 
linux-api-headers-3.18.5-1  linux-firmware-20150206.17657c3-1 
net-snmp-5.7.3-1  patch-2.7.4-1  virtualbox-4.3.20-5

Total Installed Size:  431.48 MiB
Net Upgrade Size:        5.52 MiB

:: Proceed with installation? [Y/n] y
checking keyring...
downloading required keys...
:: Import PGP key 2048R/02FD1C7A934E614545849F19A6234074498E9CEE, 
"Christian Hesse (Arch Linux Package Signing) <arch at eworm.de>", created: 
2011-08-12? [Y/n] n
error: required key missing from keyring
error: failed to commit transaction (unexpected error)
Errors occurred, no packages were upgraded.

No "keyring package" update pending but pacman still asks me to 
import/trust a key? I guess something is going wrong here?

I had exactly the same output on a second computer running Arch Linux.
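The trust rule Daniel describes above (a packager key counts as trusted only when at least 3 of the 5 master keys have certified it, or the user has explicitly trusted it) can be checked against `gpg --with-colons --list-sigs` output. The following is an added example, not pacman's or archlinux-keyring's own code; the master key IDs and the gpg listing are constructed placeholders, and revoked certifications are subtracted so a withdrawn master signature no longer counts.

```python
from typing import Dict, FrozenSet, Set
# Hypothetical master key IDs (constructed placeholders, not Arch's real master keys).
MASTER_KEYS = frozenset({"AAAA000000000001", "AAAA000000000002", "AAAA000000000003",
                         "AAAA000000000004", "AAAA000000000005"})
REQUIRED_MASTER_SIGS = 3  # the "3 of 5" threshold described in the thread
# Constructed `gpg --with-colons --list-sigs` output for two packager keys.
SAMPLE = """\
pub:-:2048:1:CCCC000000000001:1313107200:::-:::scSC::::::23::0:
uid:-::::1313107200::X::Packager One (constructed) <one at example.invalid>::::::::::0:
sig:::1:CCCC000000000001:1313107200::::Packager One (constructed):13x:
sig:::1:AAAA000000000001:1313200000::::Master One (constructed):10x:
sig:::1:AAAA000000000002:1313200000::::Master Two (constructed):10x:
sig:::1:AAAA000000000004:1313200000::::Master Four (constructed):10x:
pub:-:2048:1:CCCC000000000002:1313107200:::-:::scSC::::::23::0:
uid:-::::1313107200::Y::Packager Two (constructed) <two at example.invalid>::::::::::0:
sig:::1:CCCC000000000002:1313107200::::Packager Two (constructed):13x:
sig:::1:AAAA000000000001:1313200000::::Master One (constructed):10x:
sig:::1:AAAA000000000002:1313200000::::Master Two (constructed):10x:
sig:::1:AAAA000000000003:1313200000::::Master Three (constructed):10x:
rev:::1:AAAA000000000003:1313300000::::Master Three (constructed):30x:
"""

def parse_certifications(colon_output: str) -> Dict[str, Set[str]]:
    """Map each key ID to the signer key IDs that currently certify one of its user
    IDs: only classes 0x10-0x13 count, and signers with a 'rev' record are dropped."""
    certs: Dict[str, Set[str]] = {}
    revoked: Dict[str, Set[str]] = {}
    key = None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":                       # field 5 of a pub record is the key ID
            key = f[4]
            certs[key], revoked[key] = set(), set()
        elif key is None or len(f) < 11:
            continue
        elif f[0] == "sig" and f[10][:2] in ("10", "11", "12", "13"):
            certs[key].add(f[4])                # field 5 of a sig record is the signer
        elif f[0] == "rev":
            revoked[key].add(f[4])
    return {k: certs[k] - revoked[k] for k in certs}

def is_trusted(key_id: str, certs: Dict[str, Set[str]],
               user_trusted: FrozenSet[str] = frozenset()) -> bool:
    """Explicit user trust, or at least REQUIRED_MASTER_SIGS distinct master keys."""
    if key_id in user_trusted:
        return True
    return len(certs.get(key_id, set()) & MASTER_KEYS) >= REQUIRED_MASTER_SIGS
```

Run against a real keyring with `gpg --homedir /etc/pacman.d/gnupg --with-colons --list-sigs` and the real master key IDs substituted; a key that still prompts for import after the check passes points at the keyring on disk rather than the web of trust.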

