[Dev] If you are having problems with "David P. <megver83 at openmailbox.org>" keys

fauno fauno at endefensadelsl.org
Mon Apr 24 22:17:35 GMT 2017


jc_gargma <jc_gargma at iserlohn-fortress.net> writes:

>> SigLevel    = Never
>
> With respect, installing without a valid signature doesn't sit well with me, 
> especially when combined with refreshing gnupg keys over http.
>
> I took a roundabout route to ensure signature enforcement:
> 1) Update the /etc/pacman.d/gnupg/gpg.conf to use 
> hkps://hkps.pool.sks-keyservers.net
> 2) Create /etc/pacman.d/gnupg/dirmngr.conf and add
> hkp-cacert /usr/share/gnupg/sks-keyservers.netCA.pem
> to it.

i was going to say we already did that but when gnupg 2.1 broke hkps we
rolled it back to hkp.  if it's working now we should change it back to
hkps :)

> 3) sudo pacman-keyring --refresh-keys
> 4) sudo pacman -S parabola-keyring
> 5) sigterm no longer required root processes for gpg-agent and dirmngr

some time ago we were including a cronjob that did this for you.  now i
see we're providing a systemd service and timer to run refresh-keys, so
it should be:

    systemctl restart pacman-keyring.service # for manual refresh
    systemctl enable pacman-keyring.timer    # for weekly refreshes

-- 
:O
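
A check for the three settings this thread turns on (`SigLevel = Never`, an hkp versus hkps keyserver in gpg.conf, and `hkp-cacert` in dirmngr.conf), added here as an example that is not part of the original message or of Parabola's tooling. The function name and finding labels are made up for illustration, and /etc/pacman.conf is assumed as pacman's configuration path.

```shell
#!/bin/sh
# Added example (not from the thread): audit pacman signature enforcement
# and keyserver transport. Function name and finding labels are hypothetical.

# Usage: audit_pacman_keys [pacman.conf] [gnupg homedir]
# Prints one line per finding; the return status is the number of findings.
audit_pacman_keys() {
    pacman_conf=${1:-/etc/pacman.conf}
    gnupg_dir=${2:-/etc/pacman.d/gnupg}
    findings=0

    # An active SigLevel line containing "Never" (also PackageNever or
    # DatabaseNever) switches verification off for what it covers.
    if grep -Eq '^[[:space:]]*SigLevel[[:space:]]*=.*Never' "$pacman_conf" 2>/dev/null; then
        echo "siglevel-never: $pacman_conf"
        findings=$((findings + 1))
    fi

    # Active keyserver lines whose URL is not hkps:// (commented lines are
    # skipped because their first field is not exactly "keyserver").
    plain=$(awk '$1 == "keyserver" && $2 !~ /^hkps:\/\// { print $2 }' \
        "$gnupg_dir/gpg.conf" 2>/dev/null || true)
    if [ -n "$plain" ]; then
        echo "keyserver-not-hkps:" $plain
        findings=$((findings + 1))
    fi

    # The setup in the thread pins the pool CA through hkp-cacert, so
    # dirmngr.conf must name a file that is actually readable.
    ca=$(awk '$1 == "hkp-cacert" { print $2 }' \
        "$gnupg_dir/dirmngr.conf" 2>/dev/null | tail -n 1)
    if [ -z "$ca" ] || [ ! -r "$ca" ]; then
        echo "no-hkp-cacert: $gnupg_dir/dirmngr.conf"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Audit the live system only when asked: AUDIT_SYSTEM=1 sh audit.sh
if [ "${AUDIT_SYSTEM:-0}" = 1 ]; then audit_pacman_keys; exit $?; fi
```
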