FS#54312 - [archlinux-keyring] amavisd-new package signed by unknown key

Attached to Project: Arch Linux
Opened by Noel Kuntze (thermi) - Monday, 05 June 2017, 16:15 GMT
Last edited by Doug Newgard (Scimmia) - Saturday, 02 September 2017, 07:54 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

The amavisd-new package in version 2.11.0-4 is signed by an unknown key (4096R/051EAD6A6155389D69DA02E5EB763B4E9DB887A6)
by Thore Bödecker (foxxx0@archlinux.org). This causes pacman to print a request to import the key. As far as I know,
the key is supposed to be in archlinux-keyring, but it isn't. Please add the key or do something else appropriate
to get rid of the request, because it's not inherently safe to just confirm the request.

Looks like this:

:: Import PGP key 4096R/051EAD6A6155389D69DA02E5EB763B4E9DB887A6, "Thore Bödecker <foxxx0@archlinux.org>", created: 2017-05-22? [Y/n]

Steps to reproduce:

Try to install or upgrade the amavisd-new package from community.
This task depends upon

Closed by  Doug Newgard (Scimmia)
Saturday, 02 September 2017, 07:54 GMT
Reason for closing:  Fixed
Comment by Jan de Groot (JGC) - Saturday, 10 June 2017, 22:31 GMT
Pacman will only trust keys that are signed by at least 3 master keys for the official repositories. There's nothing wrong with downloading the key from a keyserver unless you change pacman.conf to trust any key.

Loading...