On 09/02/15 05:31 PM, Manuel Reimer wrote:
> On 02/09/2015 11:23 PM, Daniel Micay wrote:
>> Pacman uses a web of trust model. There are 5 trusted master keys and
>> other keys are only trusted if either 3 master keys have signed them or
>> the user has explicitly marked them as trusted. Never trust any keys
>> yourself and you will have no issues. There is no MITM attack vector.
>
> Today, I had the following situation:
>
> :: Synchronizing package databases...
>  core is up to date
>  extra is up to date
>  community is up to date
> :: Starting full system upgrade...
> resolving dependencies...
> looking for conflicting packages...
>
> Packages (11) binutils-2.25-2 gcc-4.9.2-3 gcc-libs-4.9.2-3
> glibc-2.21-1 inkscape-0.91-3 libiodbc-3.52.9-2
> linux-api-headers-3.18.5-1 linux-firmware-20150206.17657c3-1
> net-snmp-5.7.3-1 patch-2.7.4-1 virtualbox-4.3.20-5
>
> Total Installed Size: 431.48 MiB
> Net Upgrade Size: 5.52 MiB
>
> :: Proceed with installation? [Y/n] y
> checking keyring...
> downloading required keys...
> :: Import PGP key 2048R/02FD1C7A934E614545849F19A6234074498E9CEE,
> "Christian Hesse (Arch Linux Package Signing) <[email protected]>", created:
> 2011-08-12? [Y/n] n
> error: required key missing from keyring
> error: failed to commit transaction (unexpected error)
> Errors occurred, no packages were upgraded.
>
> No "keyring package" update pending but pacman still asks me to
> import/trust a key? I guess something is going wrong here?
>
> I had exactly the same output on a second computer running Arch Linux.

It's not asking you to trust a key. It's asking you to import one. See what I wrote about the web of trust model. There is no MITM attack vector.
