FS#54312 - [archlinux-keyring] amavisd-new package signed by unknown key
Attached to Project:
Arch Linux
Opened by Noel Kuntze (thermi) - Monday, 05 June 2017, 16:15 GMT
Last edited by Doug Newgard (Scimmia) - Saturday, 02 September 2017, 07:54 GMT
Opened by Noel Kuntze (thermi) - Monday, 05 June 2017, 16:15 GMT
Last edited by Doug Newgard (Scimmia) - Saturday, 02 September 2017, 07:54 GMT
|
Details
Description:
The amavisd-new package in version 2.11.0-4 is signed by an unknown key (4096R/051EAD6A6155389D69DA02E5EB763B4E9DB887A6) by Thore Bödecker (foxxx0@archlinux.org). This causes pacman to print a request to import the key. As far as I know, the key is supposed to be in archlinux-keyring, but it isn't. Please add the key or do something else appropriate to get rid of the request, because it's not inherently safe to just confirm the request. Looks like this: :: Import PGP key 4096R/051EAD6A6155389D69DA02E5EB763B4E9DB887A6, "Thore Bödecker <foxxx0@archlinux.org>", created: 2017-05-22? [Y/n] Steps to reproduce: Try to install or upgrade the amavisd-new package from community. |
This task depends upon
Comment by Jan de Groot (JGC) -
Saturday, 10 June 2017, 22:31 GMT
Pacman will only trust keys that are signed by at least 3 master
keys for the official repositories. There's nothing wrong with
downloading the key from a keyserver unless you change pacman.conf
to trust any key.