Hi,
I'm currently setting up the package-signing on my system and I'm not yet familiar with gnupg. So just to play safe: Am I right that it is safe to import all the Developer&Trusted-User keys, which pacman offers me when installing/upgrading packages, without manually verifying them? As far as I understand verifying the 5 masterkeys manually should be sufficient, right?
Thanks!
Last edited by bratmaxe (2012-01-27 11:28:46)
Offline
You could manually import the keys as they are listed on the various pages.
Master Keys: https://www.archlinux.org/master-keys/
Developer Keys: http://www.archlinux.org/developers/
Trusted User Keys: http://www.archlinux.org/trustedusers/
I manually imported all the keys from their profiles and then locally signed the master keys. Should be all you need, and you know where the key information came from.
Scripts to do this are here:
https://wiki.archlinux.org/index.php/Pa … omatically
Last edited by stefanwilkens (2012-01-26 19:57:02)
Arch i686 on Phenom X4 | GTX760
Offline
Thanks, I know about these options, but my question is rather: If e.g. a new TU/developer joins and I'm getting asked by pacman if I would like to import the key, can I blindly do this because it must be signed by the master-keys anyway, or should I manually "verify" every key before I let pacman import it?
Offline
In principle you shouldn't manually verify as long as the dev key is signed by Arch master. However, it also depends on the config: TrustAll vs TrustedOnly. In the latter case you'll have to locally sign the dev key with your pacman master key (my understanding at least, because Arch master sigs only elevate the trust level to marginal and you need full).
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
Offline
Okay, thanks for your answers! I just tested it myself: I tried to install offlineimap, which is signed by a TU whose key is not signed by the master keys yet. Pacman offered to import the key, which I did, but then it failed with an error:
error: offlineimap: signature from "Jaroslav Lichtblau (trusted user) <removed_email_here>" is unknown trust
error: failed to commit transaction (invalid or corrupted package (PGP signature))
Errors occurred, no packages were upgraded.
So I think that proves it.
I will mark it as solved for now.
Offline
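The thread's conclusion follows from how GnuPG derives a key's validity from ownertrust: a key is valid if it is certified by one fully (or ultimately) trusted valid key, or by at least three marginally trusted valid keys (GnuPG's default completes-needed 1 / marginals-needed 3). With the master keys locally signed and given marginal ownertrust, as described above, a developer key signed by three master keys becomes valid, while a freshly imported TU key with no master signatures stays at "unknown trust" and is rejected under SigLevel TrustedOnly. The following is an added illustration of that rule set, not pacman-key or gpg code; the key names, signature edges and ownertrust values are constructed sample data, and the pacman_verdict function is a simplification of pacman's SigLevel handling written for this example.

```python
"""
Simplified model of GnuPG's web-of-trust validity rules, as they apply to a
pacman keyring. Added example with constructed data, not code from gpg or
pacman-key; the thresholds are GnuPG's defaults (completes-needed 1,
marginals-needed 3).
"""

from enum import IntEnum
from typing import Dict, Set


class OwnerTrust(IntEnum):
    """How much you trust a key's owner to certify other keys.
    Validity of a key is derived from the ownertrust of the keys that signed it."""
    UNKNOWN = 0
    NEVER = 1
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4


# GnuPG defaults: one fully trusted signer, or three marginally trusted ones.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3


def compute_valid_keys(signatures: Dict[str, Set[str]],
                       ownertrust: Dict[str, OwnerTrust]) -> Set[str]:
    """Return the set of keys GnuPG would consider valid.

    signatures maps a key to the set of keys that certified it. Only
    certifications from keys that are themselves valid count, so we iterate
    until no further key becomes valid (GnuPG walks the same graph, bounded
    by --max-cert-depth, which this toy model does not enforce).
    """
    valid = {k for k, t in ownertrust.items() if t == OwnerTrust.ULTIMATE}
    changed = True
    while changed:
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            # A signature from an ultimately trusted key counts like a full one.
            full = sum(1 for s in signers if s in valid and
                       ownertrust.get(s) in (OwnerTrust.FULL, OwnerTrust.ULTIMATE))
            marginal = sum(1 for s in signers if s in valid and
                           ownertrust.get(s) == OwnerTrust.MARGINAL)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key)
                changed = True
    return valid


def pacman_verdict(signer: str, keyring: Set[str], valid: Set[str],
                   siglevel: str) -> str:
    """Approximate pacman's decision for a package signed by `signer`
    (hypothetical helper, not pacman's own logic).
    TrustAll accepts any key present in the keyring; TrustedOnly also
    requires the key to be valid in the web of trust."""
    if signer not in keyring:
        return "unknown key"
    if signer in valid or siglevel == "TrustAll":
        return "ok"
    return "unknown trust"


# Constructed sample keyring; names are illustrative, not real Arch key IDs.
LOCAL = "pacman@localhost"            # the keyring's own key (ultimate trust)
MASTERS = ["master1", "master2", "master3", "master4", "master5"]
KEYRING = {LOCAL, *MASTERS, "dev-alice", "dev-bob", "tu-carol"}

SIGNATURES: Dict[str, Set[str]] = {
    **{m: {LOCAL} for m in MASTERS},                 # master keys locally signed
    "dev-alice": {"master1", "master2", "master3"},  # certified by three masters
    "dev-bob":   {"master1", "master2"},              # only two masters so far
    "tu-carol":  set(),                               # imported, no master signatures
}
OWNERTRUST = {LOCAL: OwnerTrust.ULTIMATE,
              **{m: OwnerTrust.MARGINAL for m in MASTERS}}

VALID = compute_valid_keys(SIGNATURES, OWNERTRUST)

if __name__ == "__main__":
    for who in ("dev-alice", "dev-bob", "tu-carol"):
        for level in ("TrustedOnly", "TrustAll"):
            print(f"{who:10} {level:12} -> {pacman_verdict(who, KEYRING, VALID, level)}")
```

Running the script shows dev-alice accepted under both levels, while dev-bob and tu-carol are only accepted under TrustAll; under TrustedOnly they produce the same "unknown trust" outcome reported in the thread until either enough master keys certify them or you locally sign them yourself.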