Multiple manjaro-keyring updates (stable)

I have had several (4 or 5) updates to manjaro-keyring over the past few days. Are there some trust issues going on? If so, what packages are being affected? Thanks for a wonderful distro, I’ve been using it for a couple years now and this is the first time I have had multiple keyring updates in a short time.

Just keyring maintenance. If there were trust issues that would affect users, we would have made an official statement about it.

2 Likes

Thanks - I did a “pamac reinstall…” of the keyring and everything appears fine, I was just worried due to the multiple updates.

Sometimes things don’t get fixed at the first attempt, you can read more about it here.

We attempt to clean out old keys, as for example requested here. During that process we also revoked keys like the one from Jonas, which are used in 3rd-party repos. However, the most important thing was why we did it to begin with:

People always complained about errors like this:

==> Appending keys from manjaro.gpg...
gpg: public key of ultimately trusted key C5710DFCB05F5443 not found
==> Locally signing trusted keys in keyring...
  -> Locally signing key 7C89F4D439B2BFACF425107B62443D89B35859F8...
  -> Locally signing key 04BB537F5BC2D399BFA72F8F17C752B61B2F2E90...
==> ERROR: 04BB537F5BC2D399BFA72F8F17C752B61B2F2E90 could not be locally signed.
  -> Locally signing key 2FCB09A0E026F49B1060840BC0D1CCE50CC38123...
==> ERROR: 2FCB09A0E026F49B1060840BC0D1CCE50CC38123 could not be locally signed.

So I investigated further into why those messages popped up. In the end it was simple. The old revoked keys were never uploaded to the Ubuntu keyserver, which is now used by GnuPG after the SKS pool server disaster. Some can thank the GDPR takedowns for that. More info about it also here.

Anyway, the keys of manjaro-keyring were never, or only partly, uploaded to the keyserver, hence the errors. Just yesterday our team managed to upload those successfully. You can verify that via:

for i in $(cut -d: -f1 /usr/share/pacman/keyrings/manjaro-trusted); do gpg --keyserver keyserver.ubuntu.com --fingerprint "$i"; done
for i in $(cut -d: -f1 /usr/share/pacman/keyrings/manjaro-revoked); do gpg --keyserver keyserver.ubuntu.com --fingerprint "$i"; done

So yeah. Sometimes we have to update the keyring more than once in a short time if we get more reports about that issue. So another update with all the local copies from the Ubuntu keyserver might help to have the manjaro.gpg file more streamlined to the new situation.

2 Likes
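The "could not be locally signed" errors in the post above come from pacman-key trying to lsign a fingerprint listed in the keyring package's trust file that the imported keyring does not actually contain (or that is in a state gpg refuses to sign). A quick offline way to spot that mismatch before running pacman-key --populate is to compare the trust and revocation lists against gpg's machine-readable listing. The script below is an added example, not Manjaro's or pacman's own code. It assumes pacman's keyring file layout (one "FINGERPRINT:TRUSTLEVEL:" per line in <name>-trusted, one "FINGERPRINT" per line in <name>-revoked) and gpg's --with-colons format (a "pub" record whose second field is the validity, 'r' meaning revoked, followed by an "fpr" record whose tenth field is the full fingerprint). The sample data is constructed: the fingerprints are the ones shown in the post's log, but the key metadata, uid and dates are made up.

```python
"""Cross-check a pacman keyring package's trust lists against gpg's keyring.

Added example, not part of the Manjaro or pacman code base. Run it for real with:
    python3 keyring_audit.py  (uses the constructed sample below), or feed it
    open('/usr/share/pacman/keyrings/manjaro-trusted').read() etc. and the
    output of `gpg --homedir /etc/pacman.d/gnupg --with-colons --list-keys`.
"""
import re

# A full OpenPGP v4 fingerprint is 40 hex digits.
FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def parse_trust_file(text):
    """Return the fingerprints in a pacman <name>-trusted / <name>-revoked file.

    Assumed format: 'FINGERPRINT:TRUSTLEVEL:' (trusted) or 'FINGERPRINT' (revoked).
    Only the first colon-separated field matters; blank lines and '#' are skipped.
    """
    fprs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fpr = line.split(":")[0].upper()
        if not FPR_RE.match(fpr):
            raise ValueError(f"not a 40-hex-digit fingerprint: {line!r}")
        fprs.append(fpr)
    return fprs


def parse_gpg_colons(text):
    """Return {primary_fingerprint: validity} from `gpg --with-colons --list-keys`.

    Only the 'fpr' record that directly follows a 'pub' record is taken, so
    subkey fingerprints (which follow 'sub' records) are ignored.
    """
    keys = {}
    pending_validity = None
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            pending_validity = fields[1]          # e.g. 'u', '-', 'r' (revoked), 'e' (expired)
        elif fields[0] == "fpr" and pending_validity is not None:
            keys[fields[9]] = pending_validity    # field 10 holds the fingerprint
            pending_validity = None
    return keys


def audit(trusted, revoked, keyring):
    """Flag inconsistencies that make pacman-key --populate fail or leave stale trust."""
    return {
        # Listed as trusted but absent: pacman-key cannot lsign what is not there.
        "missing_trusted": [f for f in trusted if f not in keyring],
        # Listed as revoked but absent: nothing to revoke, harmless but worth knowing.
        "missing_revoked": [f for f in revoked if f not in keyring],
        # Listed as revoked yet still valid in the keyring: revocation did not land.
        "not_revoked": [f for f in revoked if f in keyring and keyring[f] != "r"],
    }


# ---- constructed sample input (fingerprints from the post's log, metadata invented) ----
SAMPLE_TRUSTED = """\
7C89F4D439B2BFACF425107B62443D89B35859F8:4:
04BB537F5BC2D399BFA72F8F17C752B61B2F2E90:4:
"""
SAMPLE_REVOKED = """\
2FCB09A0E026F49B1060840BC0D1CCE50CC38123
"""
SAMPLE_GPG_COLONS = """\
pub:u:4096:1:62443D89B35859F8:1388534400:::-:::scESC::::::23::0:
fpr:::::::::7C89F4D439B2BFACF425107B62443D89B35859F8:
uid:u::::1388534400::0000000000000000000000000000000000000000::Example Key <trusted@example.invalid>::::::::::0:
sub:u:4096:1:0000000000000001:1388534400::::::s::::::23:
fpr:::::::::0000000000000000000000000000000000000001:
pub:-:4096:1:C0D1CCE50CC38123:1388534400:::-:::scESC::::::23::0:
fpr:::::::::2FCB09A0E026F49B1060840BC0D1CCE50CC38123:
"""


def run_sample():
    """Audit the constructed sample; returns the report dict."""
    return audit(parse_trust_file(SAMPLE_TRUSTED),
                 parse_trust_file(SAMPLE_REVOKED),
                 parse_gpg_colons(SAMPLE_GPG_COLONS))


if __name__ == "__main__":
    for category, fprs in run_sample().items():
        for fpr in fprs:
            print(f"{category}: {fpr}")
```

On the sample, the second trusted fingerprint is reported as missing (that is the situation behind the "could not be locally signed" lines in the log) and the revoked fingerprint is reported as still valid, which is what you would see if a revocation certificate never made it into manjaro.gpg. Run against the real files with the real gpg output, an empty report means pacman-key --populate has everything it needs locally, independent of whether the keyserver upload succeeded.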

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.