GPG package signing

Without any FUD, how is package signing dealt with in Manjaro?
Are the keys on its own server?

There is an ongoing GPG key poisoning.

Would the biggest issue be AUR, which requires a user to import a sig?

See section Mitigations & Repairs.
Stop using these keyservers; go with another, more secure one.

Mitigations

At present I (speaking only for myself) do not believe the global keyserver network is salvageable. High-risk users should stop using the keyserver network immediately.

Users who are confident editing their GnuPG configuration files should follow the following process:

  1. Open gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it.
  2. Open dirmngr.conf in a text editor. Add the line keyserver hkps://keys.openpgp.org to the end of it.

keys.openpgp.org is a new experimental keyserver which is not part of the keyserver network and has some features which make it resistant to this sort of attack. It is not a drop-in replacement: it has some limitations (for instance, its search functionality is sharply constrained). However, once you make this change you will be able to run gpg --refresh-keys with confidence.

Repairs

If you know which certificate is likely poisoned, try deleting it: this normally goes pretty quickly. If your OpenPGP installation becomes usable again, congratulations. Acquire a new unpoisoned copy of the certificate and import that.

If you don't know which certificate is poisoned, your best bet is to get a list of all your certificate IDs, delete your keyrings completely, and rebuild from scratch using known-good copies of the public certificates.
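The two configuration steps and the "which certificate is poisoned" repair check above, scripted as an added example (this is not code from the thread, from Manjaro, or from the quoted mitigation text). It assumes a GnuPG home at $GNUPGHOME or ~/.gnupg, replaces any existing keyserver line in dirmngr.conf rather than leaving two, and uses an assumed signature-count threshold plus a constructed colon-format listing for the poisoning check.

```shell
#!/bin/sh
# Added example: apply the keyserver mitigation to a GnuPG home directory and
# flag certificates that carry an implausible number of signatures.
# Paths, the threshold and the sample listing are assumptions for illustration.

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
NEW_KEYSERVER="hkps://keys.openpgp.org"

# Step 1: drop every "keyserver ..." line from gpg.conf, keeping other options
# (including "keyserver-options", which the pattern does not match).
# Takes the file path so it can be exercised on a temporary copy.
strip_gpg_keyserver() {
    conf="$1"
    [ -f "$conf" ] || return 0
    tmp="$conf.tmp.$$"
    grep -v '^[[:space:]]*keyserver[[:space:]]' "$conf" > "$tmp" || :
    mv "$tmp" "$conf"
}

# Step 2: point dirmngr at keys.openpgp.org. Any existing keyserver line is
# removed first (assumption: one keyserver line is less ambiguous than two),
# and the file is created if it does not exist yet.
set_dirmngr_keyserver() {
    conf="$1"
    tmp="$conf.tmp.$$"
    if [ -f "$conf" ]; then
        grep -v '^[[:space:]]*keyserver[[:space:]]' "$conf" > "$tmp" || :
    else
        : > "$tmp"
    fi
    printf 'keyserver %s\n' "$NEW_KEYSERVER" >> "$tmp"
    mv "$tmp" "$conf"
}

# Repair aid: read the output of `gpg --with-colons --list-sigs` on stdin,
# count "sig" records per "pub" record, and print every key id whose count
# exceeds the threshold. A poisoned certificate carries tens of thousands of
# signatures, so anything above a few hundred deserves a look.
flag_poisoned() {
    threshold="${1:-1000}"
    awk -F: -v max="$threshold" '
        $1 == "pub" { key = $5 }
        $1 == "sig" { n[key]++ }
        END { for (k in n) if (n[k] > max) printf "%s %d\n", k, n[k] }'
}

# Constructed colon-format listing (not real keys): AAAA... carries 3
# signatures, BBBB... carries 5. Field 5 of a "pub" record is the key id.
sample_listing() {
    printf 'pub:u:4096:1:AAAAAAAAAAAAAAAA:1500000000::::::scESC::::::23::0:\n'
    printf 'uid:u::::1500000000::0123456789ABCDEF::Alice <alice@example.org>::::::::::0:\n'
    i=0
    while [ "$i" -lt 3 ]; do
        printf 'sig:::1:CCCCCCCCCCCCCCC%d:1500000000::::Signer %d::13x:::::2:\n' "$i" "$i"
        i=$((i + 1))
    done
    printf 'pub:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::scESC::::::23::0:\n'
    printf 'uid:u::::1500000000::FEDCBA9876543210::Bob <bob@example.org>::::::::::0:\n'
    i=0
    while [ "$i" -lt 5 ]; do
        printf 'sig:::1:DDDDDDDDDDDDDDD%d:1500000000::::Signer %d::13x:::::2:\n' "$i" "$i"
        i=$((i + 1))
    done
}

# Only touch the real GnuPG home when invoked as: sh script.sh apply
if [ "${1:-}" = "apply" ]; then
    strip_gpg_keyserver "$GNUPGHOME/gpg.conf"
    set_dirmngr_keyserver "$GNUPGHOME/dirmngr.conf"
    echo "Certificates with more than 1000 signatures (if any):"
    gpg --with-colons --list-sigs 2>/dev/null | flag_poisoned 1000
fi
```

Run it as `sh script.sh apply` to edit the live configuration; without the argument the functions are only defined, so the file can be sourced and tried on copies first. After the change, `gpg --refresh-keys` talks only to keys.openpgp.org, and any key id printed by the check is the one to delete and re-import from a known-good copy.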

If it's not part of the network, how does it get updated keys?

The best part is how they’ve known this could happen for at least the last TEN YEARS and done absolutely NOTHING about it. Sounds like the project needs a good shakeup in its leadership.

Isn’t it meant to be used as a breakaway type setup until something is/isn’t done on the main keyservers? So we change over to hkps://keys.openpgp.org for the time being? But then I guess it makes that a centralised server with a whole heap of its own issues. :thinking:
