Hacker News
by majewsky, 2553 days ago
Correct. The only time when this would concern you is when you add a third-party repository, e.g. one of [1]. This usually involves a manual TOFU step where you do the equivalent of `gpg --recv-keys $ID` on the pacman keyring.
[1] https://wiki.archlinux.org/index.php/Unofficial_user_reposit...
jwilk, 2553 days ago
Beware that "gpg --recv-keys <keyid>" (or even "gpg --recv-keys <fingerprint>"!) can be tricked into inserting malicious keys into the keyring:
https://dev.gnupg.org/T3398
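A defensive way to do the TOFU step both comments are talking about, as an added example that is not code from either commenter: fetch the key into a scratch keyring, then refuse to move it into pacman's keyring unless the scratch keyring holds exactly one primary key whose full fingerprint matches the one the repository publishes. `gpg` and `pacman-key` are the real tools; the helper names and the scratch-directory flow are my own.

```sh
#!/bin/sh
# primary_fingerprints: from `gpg --with-colons --list-keys` output on stdin,
# print the fingerprint of every primary key (the fpr record that directly
# follows a pub record). Subkey fpr records (after sub) are skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "fpr" && want { print $10; want = 0; next }
        { want = 0 }
    '
}

# only_expected_key: exit 0 only if the listing on stdin contains exactly one
# primary key and its fingerprint equals $1 (spaces and case ignored).
# This is what catches a keyserver answer that carries extra or substituted
# keys: one key too many, or the wrong one, and the import is refused.
only_expected_key() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    fprs=$(primary_fingerprints)
    [ "$(printf '%s\n' "$fprs" | grep -c .)" -eq 1 ] || return 1
    [ "$fprs" = "$expected" ]
}

# fetch_and_import: $1 is the full fingerprint taken from the repository's
# own documentation (assumed flow; run as root because pacman-key needs it).
fetch_and_import() {
    fpr=$1
    tmp=$(mktemp -d) || return 1
    # Receive into a throwaway homedir, never straight into pacman's keyring.
    gpg --homedir "$tmp" --batch --recv-keys "$fpr" || { rm -rf "$tmp"; return 1; }
    if gpg --homedir "$tmp" --batch --with-colons --list-keys | only_expected_key "$fpr"; then
        gpg --homedir "$tmp" --batch --armor --output "$tmp/key.asc" --export "$fpr" &&
            pacman-key --add "$tmp/key.asc" &&
            pacman-key --lsign-key "$fpr"
        rc=$?
    else
        echo "refusing to import: scratch keyring does not hold exactly $fpr" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
```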