#1 2012-01-18 18:42:13

yl3dy
Member
Registered: 2011-07-27
Posts: 19

[SOLVED] Strange pacman behaviour - keeps asking about developer keys

After setting up pacman4 and pacman-keys using Allan's blog post, I'm getting the following strange (for me) behaviour:

Despite all 5 master keys being added and marginally trusted, pacman asks about including a developer/TU certificate on package install. As far as I understood from the GnuPG handbook, a certificate signed by >= 3 marginally trusted keys is considered valid. So it would be logical if pacman didn't ask about adding these certificates at all.

I don't know GnuPG and the Arch developers' ideas behind signed packages very well, so the question: is it a bug, "just as planned", or have I done something wrong?

pacman.conf:

...
SigLevel = Optional TrustAll
...

list of keys:

$ sudo pacman-key -l
/etc/pacman.d/gnupg/pubring.gpg
-------------------------------
pub   2048R/2241E4A8 2012-01-18
uid                  Pacman Keychain Master Key <pacman@localhost>

pub   4096R/FFF979E7 2011-11-29
uid                  Allan McRae (Arch Linux Master Key) <allan@master-key.archlinux.org>

pub   3072R/CDFD6BB0 2011-11-29
uid                  Dan McGee (Arch Linux Master Key) <dan@master-key.archlinux.org>
sub   3072R/87E611F8 2011-11-29

pub   3072R/4C7EA887 2011-11-25
uid                  Ionut Biru (Arch Linux Master Key) <ionut@master-key.archlinux.org>

pub   3072R/6AC6A4C2 2011-11-18
uid                  Pierre Schmitz (Arch Linux Master Key) <pierre@master-key.archlinux.org>
sub   1024R/86872C2F 2011-11-18
sub   3072R/1B516B59 2011-11-18

pub   3072R/824B18E8 2011-11-19
uid                  Thomas Bächler (Arch Linux Master Key) <thomas@master-key.archlinux.org>

GnuPG settings for pacman:

no-greeting
no-permission-warning
lock-never
keyserver hkp://pgp.mit.edu:11371
keyserver-options timeout=10

example of strange output:

# pacman -S amarok
resolving dependencies...
looking for inter-conflicts...

Targets (4): liblastfm-0.3.3-2  qtscriptgenerator-0.1.0-5  taglib-extras-1.0.1-2  amarok-2.5.0-1

Total Download Size:    45.68 MiB
Total Installed Size:   101.66 MiB

Proceed with installation? [Y/n] y
:: Retrieving packages from extra...
 qtscriptgenerator-0.1.0-5-x86_64    3.8 MiB  5.68M/s 00:01 [################################] 100%
 taglib-extras-1.0.1-2-x86_64       20.3 KiB  10.3M/s 00:00 [################################] 100%
 liblastfm-0.3.3-2-x86_64          136.8 KiB  11.0M/s 00:00 [################################] 100%
 amarok-2.5.0-1-x86_64              41.7 MiB  8.94M/s 00:05 [################################] 100%
(4/4) checking package integrity                            [################################] 100%
error: qtscriptgenerator: key "F3E1D5C5D30DB0AD" is unknown
:: Import PGP key D30DB0AD, "Andrea Scarpino <bash.lnx@gmail.com>", created 2011-04-19? [Y/n]

Last edited by yl3dy (2012-01-18 19:12:36)

#2 2012-01-18 18:46:11

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941

Re: [SOLVED] Strange pacman behaviour - keeps asking about developer keys

It's ok, master keys != packager keys.

just import keys when pacman asks.


Give what you have. To someone, it may be better than you dare to think.

#3 2012-01-18 18:59:16

yl3dy
Member
Registered: 2011-07-27
Posts: 19

Re: [SOLVED] Strange pacman behaviour - keeps asking about developer keys

Well, I thought that, as far as developer keys are signed with master keys (which in turn are trusted locally), pacman would say "this key is ok". Otherwise I don't get the idea of the "web of trust".

Is it possible to convince pacman of this idea, or will I need to import all TU/dev keys manually/by script?

#4 2012-01-18 19:06:45

jjacky
Member
Registered: 2011-11-09
Posts: 347

Re: [SOLVED] Strange pacman behaviour - keeps asking about developer keys

Yeah I think that's the idea, the keys will be trusted. However, you still need to import them first...

#5 2012-01-18 19:06:45

wonder
Developer
From: Bucharest, Romania
Registered: 2006-07-05
Posts: 5,941

Re: [SOLVED] Strange pacman behaviour - keeps asking about developer keys

yl3dy wrote:

> Well, I thought that, as far as developer keys are signed with master keys (which in turn are trusted locally), pacman would say "this key is ok". Otherwise I don't get the idea of the "web of trust".

that's the idea

> Is it possible to convince pacman of this idea, or will I need to import all TU/dev keys manually/by script?

eventually you won't need to do that once we have a keyring package, which contains all packagers' keys + masters


Give what you have. To someone, it may be better than you dare to think.

#6 2012-01-18 19:11:18

yl3dy
Member
Registered: 2011-07-27
Posts: 19

Re: [SOLVED] Strange pacman behaviour - keeps asking about developer keys

Okay, it seems I've got the point. Thank you!

Offline
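
The behaviour discussed in this thread, as an added example (not written by any poster, and not pacman or GnuPG code): a simplified model of GnuPG's classic trust calculation with its default thresholds of 3 marginal or 1 full signature. It shows why a packager key is "unknown" until imported and becomes valid afterwards without local signing. Assumptions: the master keys are signed by the local Pacman Keychain Master Key, and the choice of which master keys signed D30DB0AD is constructed for illustration.

```python
MARGINALS_NEEDED = 3   # GnuPG default for --marginals-needed
COMPLETES_NEEDED = 1   # GnuPG default for --completes-needed

LOCAL = "2241E4A8"     # local Pacman Keychain Master Key (ultimate trust)
MASTERS = ["FFF979E7", "CDFD6BB0", "4C7EA887", "6AC6A4C2", "824B18E8"]
PACKAGER = "D30DB0AD"  # key pacman offered to import in the thread


def build_keyring():
    """Keyring as in post #1: local key plus five master keys.
    Assumption: each master key carries a signature from the local key."""
    keyring = {LOCAL: set()}                 # key id -> ids of keys that signed it
    keyring.update({m: {LOCAL} for m in MASTERS})
    ownertrust = {LOCAL: "ultimate"}
    ownertrust.update({m: "marginal" for m in MASTERS})
    return keyring, ownertrust


def import_key(keyring, keyid, signers):
    """Model answering 'Y' to pacman's import prompt: key and its signatures arrive."""
    keyring[keyid] = set(signers)


def validity(keyid, keyring, ownertrust, _seen=frozenset()):
    """Return 'unknown', 'untrusted' or 'valid' for a key id."""
    if keyid not in keyring:
        return "unknown"      # not in the keyring: no signatures to evaluate yet
    if ownertrust.get(keyid) == "ultimate":
        return "valid"
    if keyid in _seen:
        return "untrusted"    # guard against signature cycles
    full = marginal = 0
    for signer in keyring[keyid]:
        if validity(signer, keyring, ownertrust, _seen | {keyid}) != "valid":
            continue          # signatures from non-valid keys do not count
        trust = ownertrust.get(signer)
        if trust in ("ultimate", "full"):
            full += 1
        elif trust == "marginal":
            marginal += 1
    if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
        return "valid"
    return "untrusted"


if __name__ == "__main__":
    keyring, ownertrust = build_keyring()
    print("before import:", validity(PACKAGER, keyring, ownertrust))
    import_key(keyring, PACKAGER, MASTERS[:3])   # constructed: three master signatures
    print("after import: ", validity(PACKAGER, keyring, ownertrust))
```
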
