https://gist.github.com/rjhansen/67ab92 … 8d6955275f
How should we as Arch users react to this situation? My /etc/pacman.d/gnupg/gpg.conf uses `keyserver hkp://pool.sks-keyservers.net` which now could potentially brick my GPG installation. Do we need a separate keyserver that only trusted users can push onto?
This looks bad. Are other distros also using GPG for package signing? What are they considering as a solution?
Arch Linux does not use the keyservers to update the pacman keyring. That is done with the archlinux-keyring package. Just make sure you don't execute the "refresh-keys" or "recv-keys" commands of "pacman-key".
Edit: If you build your own (AUR) packages, don't use automatic key retrieval, or at least do it with a special build user so you don't brick the gpg keyring of your normal user account. Look for the keys manually on pool.sks-keyservers.net, and only import them if they are not bloated with spam (never-ending text after -----BEGIN PGP PUBLIC KEY BLOCK-----).
Last edited by progandy (2019-06-29 21:58:09)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
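An added example (written for this page, not code from the thread, GnuPG or pacman-key) of the manual check progandy describes: parse the armored key you fetched by hand, count the certification signatures that are not self-signatures, and refuse to import it when that count is implausible for a real key. The RFC 4880 packet framing, the v4 key id derivation and the issuer subpacket are real; the 500-signature threshold, the function names and the constructed sample key (fake MPIs, real framing) are assumptions of this example. GnuPG 2.2.17 draws the same self-signature versus third-party line with its self-sigs-only import filter.

```python
import base64
import hashlib
import struct

PKT_SIGNATURE, PKT_PUBKEY, PKT_USERID = 2, 6, 13  # RFC 4880 packet tags
SUBPKT_ISSUER = 16                                # issuer key id subpacket
MAX_FOREIGN_SIGS = 500  # assumption: third-party certifications we tolerate

def dearmor(text):
    """Base64-decode the body of a -----BEGIN PGP ... BLOCK----- armor."""
    body, in_body = [], False
    for line in text.strip().splitlines()[1:]:        # skip the BEGIN line
        if line.startswith("-----END"):
            break
        if not in_body:                                # headers end at a blank line
            in_body = line.strip() == ""
        elif not line.startswith("="):                 # the "=XXXX" line is the CRC24
            body.append(line.strip())
    return base64.b64decode("".join(body))

def iter_packets(data):
    """Yield (tag, body) per packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if ctb & 0x40:                                 # new-format header
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = struct.unpack(">I", data[pos:pos + 4])[0], pos + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                          # old-format header (what gpg exports)
            tag = (ctb >> 2) & 0x0F
            size = {0: 1, 1: 2, 2: 4}[ctb & 3]         # 3 = indeterminate, rejected
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        yield tag, data[pos:pos + length]
        pos += length

def v4_key_id(pubkey_body):
    """Key id = low 64 bits of SHA-1(0x99 || len || body), RFC 4880 12.2."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body).digest()[-8:]

def signature_issuer(sig_body):
    """Return the issuer key id of a v4 signature, or None if absent."""
    if sig_body[0] != 4:
        return None
    pos = 4                                            # version, type, two algorithm ids
    for _ in range(2):                                 # hashed, then unhashed subpackets
        area_len, pos = struct.unpack(">H", sig_body[pos:pos + 2])[0], pos + 2
        end = pos + area_len
        while pos < end:
            first, pos = sig_body[pos], pos + 1
            if first < 192:
                sp_len = first
            elif first < 255:
                sp_len, pos = ((first - 192) << 8) + sig_body[pos] + 192, pos + 1
            else:
                sp_len, pos = struct.unpack(">I", sig_body[pos:pos + 4])[0], pos + 4
            if sig_body[pos] & 0x7F == SUBPKT_ISSUER:  # bit 7 is the critical flag
                return sig_body[pos + 1:pos + sp_len]
            pos += sp_len
    return None

def inspect_key(armored):
    """Count user ids, self-signatures and third-party signatures in a key."""
    key_id, counts = None, {"userids": 0, "self_sigs": 0, "foreign_sigs": 0}
    for tag, body in iter_packets(dearmor(armored)):
        if tag == PKT_PUBKEY and key_id is None:       # the primary key sets the id
            key_id = v4_key_id(body)
        elif tag == PKT_USERID:
            counts["userids"] += 1
        elif tag == PKT_SIGNATURE:
            counts["self_sigs" if signature_issuer(body) == key_id else "foreign_sigs"] += 1
    return counts

def is_bloated(armored, limit=MAX_FOREIGN_SIGS):
    return inspect_key(armored)["foreign_sigs"] > limit  # True: do not import

def sample_key(foreign_sigs):
    """Constructed test key: fake MPIs, real packet framing, N third-party sigs."""
    def pkt(tag, body):                                # new-format header, bodies < 192 bytes
        return bytes([0xC0 | tag, len(body)]) + body
    def sig(issuer):                                   # v4 certification, issuer subpacket only
        sub = bytes([9, SUBPKT_ISSUER]) + issuer
        return bytes([4, 0x10, 1, 8]) + struct.pack(">H", len(sub)) + sub + b"\x00\x00\x12\x34\x00\x08\xab"
    pub = bytes([4]) + struct.pack(">I", 1561766400) + bytes([1]) + b"\x00\x08\xab\x00\x02\x03"
    pkts = pkt(PKT_PUBKEY, pub) + pkt(PKT_USERID, b"Test <test@example.invalid>")
    pkts += pkt(PKT_SIGNATURE, sig(v4_key_id(pub)))
    for i in range(foreign_sigs):
        pkts += pkt(PKT_SIGNATURE, sig(struct.pack(">Q", 0x1000 + i)))
    b64 = base64.b64encode(pkts).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed\n\n"
            + body + "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Feed `inspect_key` the text of a key saved from the keyserver web page or from `gpg --export --armor`; the old-format headers GnuPG emits go through the same loop as the new-format ones the constructed sample uses. Partial body lengths and indeterminate lengths are rejected rather than guessed, so a malformed blob fails loudly instead of being miscounted.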
There is a mitigation section in the article:
https://gist.github.com/rjhansen/67ab92 … itigations
Users who are confident editing their GnuPG configuration files should follow the following process:
1. Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it.
2. Open dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it.
Can anyone confirm if this is suitable for Arch?
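The two-step mitigation quoted above, as an added example for this page (not code from the gist, the thread or GnuPG): drop the `keyserver` option from gpg.conf and make dirmngr.conf carry exactly one `keyserver hkps://keys.openpgp.org` line. The text functions are pure so they can be checked without touching a real keyring; `apply_mitigation` writes them back under `GNUPGHOME` or `~/.gnupg`. One deliberate refinement over the gist's wording is an assumption of this example: it matches the option word rather than the line prefix, so an unrelated `keyserver-options` line in gpg.conf survives.

```python
import os

KEYSERVER = "hkps://keys.openpgp.org"   # the server the gist's mitigation recommends

def strip_keyserver(gpg_conf):
    """Return gpg.conf text with every `keyserver URL` option removed.

    Only the bare `keyserver` option is matched; `keyserver-options` is a
    different option and is kept.  Comments and blank lines pass through.
    """
    kept = []
    for line in gpg_conf.splitlines(keepends=True):
        words = line.split()
        if words and words[0] == "keyserver":
            continue
        kept.append(line)
    return "".join(kept)

def set_dirmngr_keyserver(dirmngr_conf, url=KEYSERVER):
    """Return dirmngr.conf text whose only `keyserver` line points at url.

    An existing keyserver line is rewritten in place and duplicates dropped,
    so running this repeatedly leaves the file unchanged; otherwise the line
    is appended (after fixing a missing final newline).
    """
    out, replaced = [], False
    for line in dirmngr_conf.splitlines(keepends=True):
        words = line.split()
        if words and words[0] == "keyserver":
            if not replaced:
                out.append(f"keyserver {url}\n")
                replaced = True
            continue
        out.append(line)
    if not replaced:
        if out and not out[-1].endswith("\n"):
            out[-1] += "\n"
        out.append(f"keyserver {url}\n")
    return "".join(out)

def apply_mitigation(gnupghome=None):
    """Rewrite gpg.conf and dirmngr.conf in gnupghome (GNUPGHOME or ~/.gnupg)."""
    home = gnupghome or os.environ.get("GNUPGHOME") or os.path.expanduser("~/.gnupg")
    edits = (("gpg.conf", strip_keyserver), ("dirmngr.conf", set_dirmngr_keyserver))
    for name, transform in edits:
        path = os.path.join(home, name)
        text = open(path).read() if os.path.exists(path) else ""
        with open(path, "w") as fh:                 # a missing file is created
            fh.write(transform(text))
    return home
```

As progandy notes above, this only changes the user keyring's configuration; pacman's keyring under /etc/pacman.d/gnupg is maintained by the archlinux-keyring package and is not touched unless you point `apply_mitigation` at that directory.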
There is a mitigation section in the article:
...
Can anyone confirm if this is suitable for Arch?
This is for your user keychain, not Arch's; but yes, you could do this.
@rodneyp290 I have not been able to add a key I do not already have from the keyserver hkps://keys.openpgp.org but it may be suitable for refresh-keys.
@rodneyp290 I have not been able to add a key I do not already have from the keyserver hkps://keys.openpgp.org but it may be suitable for refresh-keys.
This new keyserver only publishes keys without any identifying information like user IDs, to comply with the GDPR. Currently gnupg doesn't work with such keys. Only after you explicitly allow publishing will it be added; keys where that was done should work, I think.
https://keys.openpgp.org/about/faq#older-gnupg
Last edited by progandy (2019-07-02 14:43:20)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
https://lists.gnupg.org/pipermail/gnupg … 00439.html
gnupg 2.2.17 includes client-side mitigations, but I believe the change of default to self-sigs-only breaks the Web of Trust, which may impact the archlinux-keyring when fetching a missing key.
Edit:
Possible solutions for the archlinux-keyring:
Private keyserver such as used by Debian
WKD
Last edited by loqs (2019-07-10 20:47:45)