
FS#73705 - Key ID downgrade when unable to fetch keys

Attached to Project: Pacman
Opened by Allan McRae (Allan) - Thursday, 10 February 2022, 01:26 GMT
Task Type Bug Report
Category General
Status Unconfirmed
Assigned To Allan McRae (Allan)
Architecture All
Severity Medium
Priority Normal
Reported Version 6.0.1
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No


We are doing a keyid downgrade when we are unable to fetch keys. It should probably be noted that 0xshort keyids are trivially bruteforced and any downgrades could imply that we are fetching a malicious key.

Again, how bad this is probably depends on the trust model of the distro. Arch should be fine. Not sure if there is a good solution here. Do we still have the keyid lookup issue for subkeys problem with the recent Ubuntu keyservers?
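One possible mitigation for the downgrade described in this report, as an added example that is not pacman's code: whatever identifier the lookup falls back to, accept the fetched key only if its colon listing (`gpg --with-colons` format) contains the full fingerprint that was originally requested, either on the primary key or on a subkey. The function names and all fingerprints below are constructed for illustration.

```python
import re

FULL_FPR = re.compile(r"[0-9A-F]{40}")

def listed_fingerprints(colons):
    """Collect primary and subkey fingerprints from `gpg --with-colons` output."""
    found, owner = {"pub": [], "sub": []}, None
    for line in colons.splitlines():
        field = line.split(":")
        if field[0] in found:
            owner = field[0]            # the next fpr record belongs to this key
        elif field[0] == "fpr" and owner and len(field) > 9:
            found[owner].append(field[9].upper())
            owner = None
    return found

def key_matches_request(requested, colons):
    """Accept a fetched key only if it carries the exact requested fingerprint."""
    want = requested.upper()
    if want.startswith("0X"):
        want = want[2:]
    if not FULL_FPR.fullmatch(want):
        return False                    # short or long key ID: never match on it
    found = listed_fingerprints(colons)
    return want in found["pub"] or want in found["sub"]

# Constructed sample data: WANTED and OTHER share the short ID CAFEF00D.
WANTED = "0123456789ABCDEF0123456789ABCDEF" + "CAFEF00D"
OTHER = "FEDCBA9876543210FEDCBA9876543210" + "CAFEF00D"
SIGNER = "00112233445566778899AABBCCDDEEFF" + "01234567"

def sample_listing(primary, subkey=None):
    """Build a minimal, constructed colon listing for one key."""
    rows = [f"pub:-:4096:1:{primary[-16:]}:1644456360:::-:::scESC:",
            "fpr" + ":" * 9 + primary + ":",
            "uid:-::::1644456360::::Constructed Example <example@example.invalid>:"]
    if subkey:
        rows += [f"sub:-:4096:1:{subkey[-16:]}:1644456360::::::s:",
                 "fpr" + ":" * 9 + subkey + ":"]
    return "\n".join(rows)

if __name__ == "__main__":
    print("same key:       ", key_matches_request(WANTED, sample_listing(WANTED)))
    print("short-ID lookalike:", key_matches_request(WANTED, sample_listing(OTHER)))
    print("subkey match:   ", key_matches_request(WANTED, sample_listing(SIGNER, WANTED)))
```

The check rejects the lookalike even though a lookup by the shared short ID would have returned it, and it still accepts a key whose signing subkey carries the requested fingerprint.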