#1 2018-01-07 00:20:33

benhansenslc
Member
Registered: 2018-01-07
Posts: 2

[SOLVED]Asked to import PGP key 91BD8815 Deviser <deviser@frqrec.com>

When running `pacman -Syu` I am asked:

:: Import PGP key 4096R/91BD8815FE0040FA7FF5D68754C28F4FF5A1A949, "Deviser <deviser@frqrec.com>", created: 2012-05-06? [Y/n]

I cannot find any reference to the key through Google or at https://www.archlinux.org/master-keys/#master-sigs or https://wiki.archlinux.org/index.php/Trusted_Users.

Is there a way to verify that I should trust this key or can I always assume that I should import keys pacman asks me to import?

I don't remember adding anything special to my /etc/pacman.conf

Thanks in advance.

Last edited by benhansenslc (2018-01-07 01:08:49)

Offline

#2 2018-01-07 00:30:29

loqs
Member
Registered: 2014-03-06
Posts: 17,369

https://git.archlinux.org/archlinux-key … f5b942b163
Key should be in archlinux-keyring 20171213-1. As you omitted the output of pacman -Syu, I cannot see if that was also part of the update.
Edit:
https://www.archlinux.org/people/trusted-users/#dvzrv
Also, welcome to the forums, benhansenslc.

Last edited by loqs (2018-01-07 00:31:59)

Offline

#3 2018-01-07 00:40:36

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Note that the funny email address comes from the fact that dvzrv has a bunch of additional email addresses associated with his gpg key, and the GPGME library pacman uses for handling gpg keys has probably decided to list whatever happens to be the first email address associated with the key.

The good news is that importing a key does not assign any trust whatsoever, and in order to actually trust packages signed with that key, one of two things must be true:

1) you manually use pacman-key --lsign-key ... to mark the key as trusted.

2) the key is signed by the Arch Linux Master Keys, and those signatures are uploaded to the public keyservers which you then downloaded. This is in fact the case, and since you trust the Master Keys, everything is okay. :)

Merely downloading a key, whether in pacman or in your user gpg installation, does nothing other than allow gpg to check if signatures match to inform you "untrusted good signature", but good signatures from people you don't (yet?) trust don't do anything, so...

Last edited by eschwartz (2018-01-07 00:44:58)


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline
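
The difference between an imported key and a trusted one, as described in the post above, shown as an added example that is not part of the original thread. It parses `gpg --with-colons --check-sigs` listings; both listings are constructed samples, the `AAAA...` master key IDs are placeholders rather than real Arch master keys, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Real input would come from, as root:
#   gpg --homedir /etc/pacman.d/gnupg --with-colons --check-sigs <fingerprint>
# Both listings below are constructed; the AAAA... master key IDs are placeholders.

sample_signed() {        # key certified by three (placeholder) master keys
cat <<'EOF'
pub:f:4096:1:54C28F4FF5A1A949:1336262400:::-:::scESC:
fpr:::::::::91BD8815FE0040FA7FF5D68754C28F4FF5A1A949:
uid:f::::1336262400::::Deviser <deviser@frqrec.com>:
sig:!::1:54C28F4FF5A1A949:1336262400::::Deviser <deviser@frqrec.com>:13x:
sig:!::1:AAAAAAAAAAAAAAA1:1400000000::::Constructed Master Key 1:10x:
sig:!::1:AAAAAAAAAAAAAAA2:1400000001::::Constructed Master Key 2:10x:
sig:!::1:AAAAAAAAAAAAAAA3:1400000002::::Constructed Master Key 3:10x:
EOF
}

sample_imported_only() { # same key right after import: self-signature only
cat <<'EOF'
pub:-:4096:1:54C28F4FF5A1A949:1336262400:::-:::scESC:
fpr:::::::::91BD8815FE0040FA7FF5D68754C28F4FF5A1A949:
uid:-::::1336262400::::Deviser <deviser@frqrec.com>:
sig:!::1:54C28F4FF5A1A949:1336262400::::Deviser <deviser@frqrec.com>:13x:
EOF
}

# Reads a colon listing on stdin; $1 = space-separated master key IDs.
# Prints "<validity> <count>": field 2 of the pub record, and the number of
# distinct master keys with a verified ("!") signature on the key.
summarize_key() {
    awk -F: -v masters="$1" '
        BEGIN { n = split(masters, m, " "); for (i = 1; i <= n; i++) is_master[m[i]] = 1 }
        $1 == "pub" { validity = $2 }
        $1 == "sig" && $2 == "!" && ($5 in is_master) && !seen[$5]++ { good++ }
        END { printf "%s %d\n", validity, good + 0 }'
}

# Succeeds only for full ("f") or ultimate ("u") validity. An imported but
# uncertified key shows "-" and its signatures stay "untrusted good".
is_fully_valid() {
    case "$(summarize_key "$1" | cut -d' ' -f1)" in
        f|u) return 0 ;;
        *)   return 1 ;;
    esac
}

MASTERS="AAAAAAAAAAAAAAA1 AAAAAAAAAAAAAAA2 AAAAAAAAAAAAAAA3"
sample_signed        | summarize_key "$MASTERS"   # f 3
sample_imported_only | summarize_key "$MASTERS"   # - 0
```

On a real system, `pacman-key --list-sigs` followed by the key's fingerprint shows the same certifications in human-readable form.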

#4 2018-01-07 01:07:11

benhansenslc
Member
Registered: 2018-01-07
Posts: 2

Great. Thanks for the help.

Offline
