
#1 2016-11-01 22:06:50

Salkay
Member
Registered: 2014-05-22
Posts: 411

[SOLVED] Who is NicoHood (and should I trust them?)

I did an update this morning, and was presented with the following

:: Import PGP key 4096R/97312D5EB9D7AE7D0BD4307351DAE9B7C1AE9161, "N <mail@nicohood.de>", created: 2015-06-18? [Y/n] 

Normally, I just accept these mindlessly (is that bad?), but this time, the name "N" seemed odd. I did a search on the forums, and this page suggested that I should check the list of developers and trusted users. Indeed, this key matched with the trusted user NicoHood. However, the key was unsigned by all six master keys. Apparently "trusted users should have their key signed by at least three master keys". What is going on here, and should I have imported the key?

Last edited by Salkay (2016-11-02 02:32:17)


#2 2016-11-01 23:32:23

ngoonee
Forum Fellow
From: Between Thailand and Singapore
Registered: 2009-03-17
Posts: 7,234

Re: [SOLVED] Who is NicoHood (and should I trust them?)

Yes, accepting anything mindlessly is bad. Surprising that his keys are unsigned though, he's not a new TU. Probably best to ask in arch-general on this.


Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.


#3 2016-11-01 23:49:11

Scimmia
Bug Wrangler
Registered: 2012-09-01
Posts: 7,261

Re: [SOLVED] Who is NicoHood (and should I trust them?)

Update the archlinux-keyring package first, his key was just signed.


#4 2016-11-02 00:59:08

Salkay
Member
Registered: 2014-05-22
Posts: 411

Re: [SOLVED] Who is NicoHood (and should I trust them?)

ngoonee wrote:

Yes, accepting anything mindlessly is bad. Surprising that his keys are unsigned though, he's not a new TU. Probably best to ask in arch-general on this.

Thanks ngoonee. I'll keep your advice in mind.

Scimmia wrote:

Update the archlinux-keyring package first, his key was just signed.

Thanks Scimmia. I updated a few packages at once, including archlinux-keyring. The "checking keys in keyring" steps came before the installation steps, so presumably some other package needed it to be imported first. I checked in `/usr/share/pacman/keyrings/archlinux.gpg`, and I can confirm that NicoHood's key is in there.

Also, where does the key that I manually imported go in this case? It wasn't in `gpg --list-keys`, and `sudo gpg --list-keys` was empty. I thought I should check and make sure I hadn't previously "mindlessly accepted" anything potentially dodgy. yikes


#5 2016-11-02 01:36:44

Allan
Member
From: Brisbane, AU
Registered: 2007-06-09
Posts: 10,875

Re: [SOLVED] Who is NicoHood (and should I trust them?)

Pacman has its own keyring.  Use pacman-key to query it.

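Added example, not part of the original thread: a shell helper for the check discussed above, counting how many of a given set of master keys have a verified signature on a key in pacman's keyring (`/etc/pacman.d/gnupg`). The master key IDs and the sample `gpg --with-colons --check-sigs` output are constructed placeholders; real IDs have to come from the Arch Linux master keys page.

```shell
#!/bin/sh
# Added example. Reads `gpg --with-colons --check-sigs` output on stdin and
# prints how many of the master keys given as arguments (16-hex long key IDs)
# have a verified certification on the listed key.
count_master_sigs() {
    masters=$(printf '%s ' "$@" | tr 'a-f' 'A-F')
    awk -F: -v masters="$masters" '
        BEGIN { n = split(masters, m, " "); for (i = 1; i <= n; i++) want[m[i]] = 1 }
        $1 == "pub" { self = $5 }   # primary key ID, used to skip self-signatures
        # Field 2 begins with "!" only if gpg verified the signature;
        # "?" means the signer key is missing, "-" means a bad signature.
        substr($2, 1, 1) == "!" && $5 != self && ($5 in want) {
            if ($1 == "sig") seen[$5] = 1
            if ($1 == "rev") revoked[$5] = 1   # conservative: any revocation cancels
        }
        END { c = 0; for (k in seen) if (!(k in revoked)) c++; print c }
    '
}

# Succeeds only when at least three of the given master keys have signed.
has_master_quorum() {
    [ "$(count_master_sigs "$@")" -ge 3 ]
}

# Constructed sample output: self-signature, two verified master signatures,
# one master signature that could not be checked, one unrelated signer.
sample_check_sigs() {
    cat <<'EOF'
pub:f:4096:1:51DAE9B7C1AE9161:1434585600:::-:::scESC::::::23::0:
fpr:::::::::97312D5EB9D7AE7D0BD4307351DAE9B7C1AE9161:
uid:f::::1434585600::0000000000000000000000000000000000000000::N <mail@nicohood.de>::::::::::0:
sig:!::1:51DAE9B7C1AE9161:1434585600::::N <mail@nicohood.de>:13x:::::8:
sig:!::1:AAAAAAAAAAAAAAA1:1477958400::::Master Key A (constructed):10x:::::8:
sig:!::1:AAAAAAAAAAAAAAA2:1477958400::::Master Key B (constructed):10x:::::8:
sig:?::1:AAAAAAAAAAAAAAA3:1477958400::::[User ID not found]:10x:::::8:
sig:!::1:BBBBBBBBBBBBBBB9:1477958400::::Someone Else (constructed):10x:::::8:
EOF
}

# Live use (ID1.. are placeholders for the real master key IDs):
#   gpg --homedir /etc/pacman.d/gnupg --with-colons --check-sigs \
#       97312D5EB9D7AE7D0BD4307351DAE9B7C1AE9161 | has_master_quorum ID1 ID2 ID3
sample_check_sigs | count_master_sigs AAAAAAAAAAAAAAA1 AAAAAAAAAAAAAAA2 AAAAAAAAAAAAAAA3
```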

#6 2016-11-02 02:32:05

Salkay
Member
Registered: 2014-05-22
Posts: 411

Re: [SOLVED] Who is NicoHood (and should I trust them?)

Allan wrote:

Pacman has its own keyring.  Use pacman-key to query it.

Thanks Allan. I just reset the keyring. I searched through my history, and apparently I'd already done that a couple of years ago. I guess I'd just forgotten…

