[Dev] Issues with GPG signatures when updating packages

fauno fauno at endefensadelsl.org
Fri Jan 26 15:45:21 GMT 2018


bill-auger <bill-auger at peers.community> writes:

> Joshua -
>
> when was the last time you ran pacman -Syu ?
>
> updating the key-rings so explicitly should never be necessary
>
> whenever an updated key-ring is available, pacman should install it upon
> the next upgrade - and the --refresh keys command is run automatically
> as part of the install process
>
> so what i am saying is that your problem should have been solved
> trivially with `pacman -Syu` - the system is designed presumably so that
> under normal circumstances, that should be sufficient to keep the
> key-rings sane - otherwise i think there is some bug to address here

i think the general issue is that pacman doesn't upgrade the keyrings
first (they removed this feature a while ago), so if the key signing a
package you're upgrading is on the keyring you're also upgrading, pacman
will treat it correctly as a badly signed package.

it shouldn't be noticeable if signers would allow a few days between
adding a new key to the keyring and starting to sign packages with it, as
people upgrading often would upgrade the keyrings before the signed
packages.

also doesn't archlinux-keyring have master keys that are fully trusted
and these sign the rest of the keys so pacman's keyring validates them as
trusted too?  why is this failing?

back when signed packages were introduced, we didn't want to have master
keys and we agreed that every key on parabola-keyring would have to be
signed by three other keys, following a p2p web of trust instead of a
hierarchical one.

you could then locally sign keys of packagers you trust and then their
signatures would validate the rest of the keys in the parabola-keyring :)

-- 
https://lainventoria.com.ar/
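
The three-signature web of trust described in the message above, as an added example that is not part of the original post or of Parabola's tooling: a simplified model of GnuPG's classic trust computation that shows how far validity spreads from the keys you sign locally. Assumptions: the key names are constructed, every packager key is given marginal ownertrust, and expiry, revocation and certification depth are ignored.

```python
# Simplified model of GnuPG's classic trust model (added example).
MARGINALS_NEEDED = 3  # GnuPG default for --marginals-needed
COMPLETES_NEEDED = 1  # GnuPG default for --completes-needed

# Constructed keyring: every key is signed by three other keys.
KEYRING = {
    "alice": {"bob", "carol", "dave"},
    "bob":   {"alice", "carol", "erin"},
    "carol": {"alice", "bob", "dave"},
    "dave":  {"alice", "bob", "carol"},
    "erin":  {"bob", "carol", "dave"},
}

def valid_keys(signatures, ownertrust, ultimate):
    """Return the keys considered valid.

    signatures: {key: set of keys that signed it}
    ownertrust: {key: "marginal" | "full"} for keys trusted as introducers
    ultimate:   keys with ultimate trust (the local master key)
    """
    valid = set(ultimate)
    changed = True
    while changed:  # fixpoint: newly valid keys may validate further keys
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            good = [s for s in signers if s in valid]  # only valid signers count
            by_ultimate = any(s in ultimate for s in good)
            fulls = sum(ownertrust.get(s) == "full" for s in good)
            marginals = sum(ownertrust.get(s) == "marginal" for s in good)
            if (by_ultimate or fulls >= COMPLETES_NEEDED
                    or marginals >= MARGINALS_NEEDED):
                valid.add(key)
                changed = True
    return valid

def scenario(locally_signed):
    """Packager keys that validate after locally signing the given keys."""
    sigs = {k: set(v) | ({"local"} if k in locally_signed else set())
            for k, v in KEYRING.items()}
    trust = {k: "marginal" for k in KEYRING}  # assumption, see lead-in
    return valid_keys(sigs, trust, {"local"}) - {"local"}

if __name__ == "__main__":
    for signed in (set(), {"alice"}, {"alice", "bob", "carol"}):
        print(sorted(signed), "->", sorted(scenario(signed)))
```
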