jc_gargma <[email protected]> writes:

>> SigLevel = Never
>
> With respect, installing without a valid signature doesn't sit well with me,
> especially when combined with refreshing gnupg keys over http.
>
> I took a roundabout route to ensure signature enforcement:
> 1) Update the /etc/pacman.d/gnupg/gpg.conf to use
> hkps://hkps.pool.sks-keyservers.net
> 2) Create /etc/pacman.d/gnupg/dirmngr.conf and add
> hkp-cacert /usr/share/gnupg/sks-keyservers.netCA.pem
> to it.

i was going to say we already did that but when gnupg 2.1 broke hkps we
rolled it back to hkp. if it's working now we should change it back to
hkps :)
> 3) sudo pacman-keyring --refresh-keys
> 4) sudo pacman -S parabola-keyring
> 5) sigterm no longer required root processes for gpg-agent and dirmngr
some time ago we were including a cronjob that did this for you. now i
see we're providing a systemd service and timer to run refresh-keys, so
it should be:
systemctl restart pacman-keyring.service # for manual refresh
systemctl enable pacman-keyring.timer # for weekly refreshes
--
:O
_______________________________________________ Dev mailing list [email protected] https://lists.parabola.nu/mailman/listinfo/dev
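
As an added example (not part of the original thread and not Parabola's own tooling): a shell function that checks the three settings discussed above, namely that no active SigLevel line contains Never, that gpg.conf uses an hkps:// keyserver, and that dirmngr.conf names a readable hkp-cacert file. The function name audit_keyring and its optional root-prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a pacman keyring setup for the points raised in this thread.
# Usage: audit_keyring [ROOT]   (ROOT is a hypothetical prefix, empty = live system)
# Prints one line per finding and returns the number of problems found.

audit_keyring() {
    root="${1:-}"
    pacman_conf="$root/etc/pacman.conf"
    gpg_conf="$root/etc/pacman.d/gnupg/gpg.conf"
    dirmngr_conf="$root/etc/pacman.d/gnupg/dirmngr.conf"
    problems=0

    # 1. No active (uncommented) SigLevel-style line may contain "Never".
    #    This also flags partial settings such as PackageNever.
    if grep -Eq '^[[:space:]]*(LocalFile|RemoteFile)?SigLevel[[:space:]]*=.*Never' \
            "$pacman_conf" 2>/dev/null; then
        echo "FAIL: signature checking disabled in $pacman_conf"
        problems=$((problems + 1))
    fi

    # 2. Every active "keyserver" line must use hkps:// (keyserver-options is skipped).
    keyservers=$(grep -E '^[[:space:]]*keyserver[[:space:]]' "$gpg_conf" 2>/dev/null)
    if [ -z "$keyservers" ]; then
        echo "FAIL: no keyserver configured in $gpg_conf"
        problems=$((problems + 1))
    elif printf '%s\n' "$keyservers" |
            grep -Evq '^[[:space:]]*keyserver[[:space:]]+hkps://'; then
        echo "FAIL: keyserver without TLS (not hkps://) in $gpg_conf"
        problems=$((problems + 1))
    fi

    # 3. dirmngr.conf must set hkp-cacert to a readable CA file.
    cacert=$(sed -n 's/^[[:space:]]*hkp-cacert[[:space:]]\{1,\}//p' \
        "$dirmngr_conf" 2>/dev/null | head -n 1)
    if [ -z "$cacert" ]; then
        echo "FAIL: no hkp-cacert entry in $dirmngr_conf"
        problems=$((problems + 1))
    elif [ ! -r "$root$cacert" ]; then
        echo "FAIL: hkp-cacert file not readable: $root$cacert"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: signatures enforced, keys refreshed over hkps"
    return "$problems"
}
```

Running `audit_keyring` with no argument inspects the live system; a non-zero exit status is the count of failed checks.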
