Bug #647
[pacman] pacman-key is unable to fetch keys securely
100%
Description
the secure gpg.conf we include is placed at /etc/pacman.d but pacman-key looks for it at /etc/pacman.d/gnupg so it's ignored.
this is a problem because keys are retrieved in plain text from the keyservers and even if it's a publicly available wot i'd consider it bad practice to be mitm-prone. it's also an example configuration for users...
that said, retrieving keys from hkp + tls (hkps://) is broken since gnupg 2.1, so this bug report would have to wait until that is fixed.
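Added example (not part of the original report or of pacman): a shell check for the misplacement described above. It reports which keyserver transport the gpg.conf in pacman-key's directory selects and whether a keyserver line sits unused one directory up. The function names and output labels are hypothetical, the keyserver host is a constructed placeholder, and treating the last `keyserver` line as the effective one is an assumption.

```shell
#!/bin/sh
# Print the last "keyserver" URL set in a gpg.conf-style file, if any.
# Commented-out lines ("#keyserver ...") do not match.
keyserver_of() {
    [ -r "$1" ] || return 0
    awk '$1 == "keyserver" { url = $2 } END { if (url != "") print url }' "$1"
}

# $1: directory pacman-key reads gpg.conf from (report: /etc/pacman.d/gnupg)
# $2: directory the hardened gpg.conf was installed to (report: /etc/pacman.d)
# Prints one line: "<verdict> [url]"
audit_pacman_keyserver() {
    gpgdir=${1:-/etc/pacman.d/gnupg}
    shipped=${2:-/etc/pacman.d}
    active=$(keyserver_of "$gpgdir/gpg.conf")
    stray=$(keyserver_of "$shipped/gpg.conf")
    case $active in
        hkps://*|https://*) echo "tls $active" ;;
        hkp://*|http://*)   echo "plaintext $active" ;;
        "")
            if [ -n "$stray" ]; then
                # A keyserver is configured, but in a file pacman-key never reads.
                echo "ignored $stray"
            else
                echo "unset"
            fi ;;
        *) echo "unknown $active" ;;
    esac
}

# Demo on a constructed tree (not the real system paths).
demo=$(mktemp -d)
mkdir -p "$demo/pacman.d/gnupg"
printf '# hardened config\nkeyserver hkps://keys.example.invalid\n' > "$demo/pacman.d/gpg.conf"
printf 'no-greeting\n' > "$demo/pacman.d/gnupg/gpg.conf"
audit_pacman_keyserver "$demo/pacman.d/gnupg" "$demo/pacman.d"
rm -rf "$demo"
```

Called with no arguments, `audit_pacman_keyserver` inspects the two paths named in the report.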
History
Updated by fauno about 9 years ago
yesterday i found the solution to using hkps with gpg. turns out dirmngr doesn't use /etc/ssl/certs to verify certificates, but symlinking this dir to /etc/gnupg/trusted-certs or ${GPGHOME}/trusted-certs works.
i can implement this solution later, unless someone thinks it's unsafe
Updated by fauno about 9 years ago
i must have reached a working server by chance, because it doesn't work anymore. the issue is this: https://bugs.g10code.com/gnupg/issue1792
Updated by fauno about 9 years ago
- Subject changed from [pacman] default gpg.conf is misplaced to [pacman] pacman-key is unable to fetch keys securely
Updated by Anonymous about 9 years ago
- % Done changed from 0 to 100
- Status changed from open to not-a-bug
reverted changes to default from pacman to solve compatibility issues against pacstrap -> https://projects.parabola.nu/abslibre.git/commit/?id=eac23547da0bbfc69c824d21730a8a414e7e0309
Updated by fauno about 9 years ago
what does it mean? default is to fetch keys over a plain text connection