Consider removing revoked keys from the keyring #48

Open
lazka opened this issue Dec 8, 2023 · 1 comment
lazka commented Dec 8, 2023

Currently a "revoked" key is included in the keyring, and installed on the user system. It's just disabled then by pacman-key, because the keyid is on the revoked list.

I don't think there is a reason why we shouldn't just remove the certificates, and just keep the ID for disabling.

This would get rid of some outdated keys from the keyring, and also the key refresh is faster since those keys don't get refreshed, at least for new users.

I've asked Arch people on IRC, and they think it's OK, they just don't have a policy for removing them from the keyring, which is why they keep them.

lazka commented Dec 27, 2023

Turns out pacman-key doesn't check if a key exists before trying to disable it: https://github.com/msys2/msys2-pacman/blob/490334306c2e906ed97f09bd4a87f2afed200029/scripts/pacman-key.sh.in#L352

We'd need to patch it before we can remove the old keys from the keyring.
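The existence check the comment above describes as missing, as an added example written against the issue's description rather than pacman-key's own code: `key_present_in_listing` parses `gpg --with-colons --list-keys` output and `disable_key_if_present` only runs the `--edit-key` disable step when the ID is actually in the keyring; the sample listing and key IDs are constructed.

```shell
#!/bin/sh
# Added example, not pacman-key's own code. Sample listing and key IDs are constructed.

# Constructed `gpg --with-colons --list-keys` output: one usable key, one revoked key ("r" in field 2).
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:4096:1:1111111111111111:1600000000::-:::scESC::::::23::0:
uid:u::::1600000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Signer <signer@example.invalid>::::::::::0:
pub:r:4096:1:2222222222222222:1500000000::-:::sc::::::23::0:
uid:r::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Old Key <old@example.invalid>::::::::::0:'

# key_present_in_listing KEYID   (colon listing on stdin)
# Succeeds when a "pub" record's long key ID (field 5) ends with KEYID, so both
# 8-hex short IDs and 16-hex long IDs, as a revoked list may contain, are matched.
key_present_in_listing() {
    _id=$(printf '%s' "$1" | tr 'abcdef' 'ABCDEF')
    awk -F: -v id="$_id" '
        $1 == "pub" && length($5) >= length(id) &&
            substr($5, length($5) - length(id) + 1) == id { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Same check against the constructed listing, so it runs without a real keyring.
key_present_in_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | key_present_in_listing "$1"
}

# disable_key_if_present GNUPGHOME KEYID
# Runs the non-interactive "disable" edit only when the key exists; calling
# --edit-key on an ID that is not in the keyring is what the issue reports today.
disable_key_if_present() {
    if gpg --homedir "$1" --batch --with-colons --list-keys 2>/dev/null | key_present_in_listing "$2"; then
        printf 'disable\nquit\n' | gpg --homedir "$1" --batch --quiet --command-fd 0 --edit-key "$2"
    else
        printf 'key %s not in keyring, skipping disable\n' "$2" >&2
    fi
}
```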
