You are not logged in.
- Topics: Active | Unanswered
#1 2016-11-01 22:06:50
- Salkay
- Member
- Registered: 2014-05-22
- Posts: 619
[SOLVED] Who is NicoHood (and should I trust them?)
I did an update this morning, and was presented with the following
:: Import PGP key 4096R/97312D5EB9D7AE7D0BD4307351DAE9B7C1AE9161, "N <mail@nicohood.de>", created: 2015-06-18? [Y/n] Normally, I just accept these mindlessly (is that bad?), but this time, the name "N" seemed odd. I did a search on the forums, and this page suggested that I should check the list of developers and trusted users. Indeed, this key matched with the trusted user NicoHood. However, the key was unsigned by all six master keys. Apparently "trusted users should have their key signed by at least three master keys". What is going on here, and should I have imported the key?
Last edited by Salkay (2016-11-02 02:32:17)
Offline
#2 2016-11-01 23:32:23
- ngoonee
- Forum Fellow
- From: Between Thailand and Singapore
- Registered: 2009-03-17
- Posts: 7,354
Re: [SOLVED] Who is NicoHood (and should I trust them?)
Yes, accepting anything mindlessly is bad. Surprising that his keys are unsigned though, he's not a new TU. Probably best to ask in arch-general on this.
Allan-Volunteer on the (topic being discussed) mailn lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
Offline
#3 2016-11-01 23:49:11
- Scimmia
- Fellow
- Registered: 2012-09-01
- Posts: 11,544
Re: [SOLVED] Who is NicoHood (and should I trust them?)
Update the archlinux-keyring package first, his key was just signed.
Offline
#4 2016-11-02 00:59:08
- Salkay
- Member
- Registered: 2014-05-22
- Posts: 619
Re: [SOLVED] Who is NicoHood (and should I trust them?)
Yes, accepting anything mindlessly is bad. Surprising that his keys are unsigned though, he's not a new TU. Probably best to ask in arch-general on this.
Thanks ngoonee. I'll keep your advice in mind.
Update the archlinux-keyring package first, his key was just signed.
Thanks Scimmia. I updated a few packages at once, including archlinux-keyring. The "checking keys in keyring" steps came before the installation steps, so presumably some other package needed it to be imported first. I checked in `/usr/share/pacman/keyrings/archlinux.gpg`, and I can confirm that NicoHood's key is in there.
Also, where does the key that I manually imported go in this case? It wasn't in `gpg --list-keys`, and `sudo gpg --list-keys` was empty. I thought I should check and make sure I hadn't previously "mindlessly accepted" anything potentially dodgy. 
Offline
#5 2016-11-02 01:36:44
- Allan
- Pacman
- From: Brisbane, AU
- Registered: 2007-06-09
- Posts: 11,384
- Website
Re: [SOLVED] Who is NicoHood (and should I trust them?)
Pacman has its own keyring. Use pacman-key to query it.
Offline
#6 2016-11-02 02:32:05
- Salkay
- Member
- Registered: 2014-05-22
- Posts: 619
Re: [SOLVED] Who is NicoHood (and should I trust them?)
Pacman has its own keyring. Use pacman-key to query it.
Thanks Allan. I just reset the keyring. I searched through my history, and apparently I'd already done that a couple of years ago. I guess I'd just forgotten…
Offline