Updating to gnupg 2.4 results in Alexey's packager key losing trust:
error: perl-Error: signature from "Alexey Pavlov (Alexpux) <alexpux@gmail.com>" is marginal trust
:: File /var/cache/pacman/pkg/perl-Error-0.17029-1-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
error: perl-LWP-MediaTypes: signature from "Alexey Pavlov (Alexpux) <alexpux@gmail.com>" is marginal trust
Do you want to delete it? [Y/n]
:: File /var/cache/pacman/pkg/perl-LWP-MediaTypes-6.04-1-any.pkg.tar.zst is corrupted (invalid or corrupted package (PGP signature)).
This is because the packager key has 3 out of currently 4 signatures using a weak algo (SHA1); the 4th is Ray's revoked key, so ignore it:
$ gpg --list-packets packager/Alexpux.asc | grep -n2 "digest algo 2"
26-:signature packet: algo 1, keyid F40D263ECA25678A
27- version 4, created 1411928539, md5len 0, sigclass 0x10
28: digest algo 2, begin of digest a6 d5
29- hashed subpkt 2 len 4 (sig created 2014-09-28)
30- subpkt 16 len 8 (issuer key ID F40D263ECA25678A)
--
33-:signature packet: algo 1, keyid 9F418C233E652008
34- version 4, created 1411983368, md5len 0, sigclass 0x10
35: digest algo 2, begin of digest ed 29
36- hashed subpkt 2 len 4 (sig created 2014-09-29)
37- subpkt 16 len 8 (issuer key ID 9F418C233E652008)
--
40-:signature packet: algo 1, keyid BBE514E53E0D0813
41- version 4, created 1411922751, md5len 0, sigclass 0x10
42: digest algo 2, begin of digest 79 8e
43- hashed subpkt 2 len 4 (sig created 2014-09-28)
44- subpkt 16 len 8 (issuer key ID BBE514E53E0D0813)
--
47-:signature packet: algo 1, keyid DA7EF2ABAEEA755C
48- version 4, created 1412450524, md5len 0, sigclass 0x10
49: digest algo 2, begin of digest 95 fe
50- hashed subpkt 2 len 4 (sig created 2014-10-04)
51- subpkt 16 len 8 (issuer key ID DA7EF2ABAEEA755C)
The short-term workaround is to pass --allow-weak-key-signatures in pacman-key.
A mid-term one is to rebuild all packages from Alexey.
A long-term one -> #14
In theory, Alexey could re-sign his packager key with a better algo, and @elieux could add a signature for Alexey's packager key, which, together with mine, would get us back to three non-weak signatures. Not sure that's worth it.
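To make the check above repeatable, here is an added example (not code from this thread or from msys2) that parses `gpg --list-packets` output, skips the self-signature and any issuer you list as revoked, and splits the remaining user-ID certifications into weak-digest (MD5/SHA1, which gnupg 2.4 rejects for key signatures) and non-weak ones. The packet dump it runs on is constructed, with placeholder key IDs, and the threshold of three non-weak certifications is the one discussed above, not a value read from pacman-key.

```python
import re

# RFC 4880 digest algorithm IDs. GnuPG 2.4 refuses MD5 (1) and SHA1 (2) on
# key signatures unless --allow-weak-key-signatures is passed.
WEAK_DIGESTS = {1: "MD5", 2: "SHA1"}

def parse_list_packets(dump):
    """Return (primary key ID, signature packets) from `gpg --list-packets` text.
    A leading `grep -n` prefix such as '28:' or '26-' is tolerated and dropped."""
    primary, sigs = "", []
    for raw in dump.splitlines():
        line = re.sub(r"^\s*\d+[-:](?=\s|:)", "", raw).strip()
        if m := re.match(r":signature packet: algo \d+, keyid ([0-9A-F]{16})", line):
            sigs.append({"issuer": m.group(1), "sigclass": 0, "digest": 0})
        elif m := re.match(r"keyid: ([0-9A-F]{16})", line):
            primary = primary or m.group(1)  # first public key packet is the primary
        elif sigs and (m := re.search(r"sigclass 0x([0-9a-fA-F]+)", line)):
            sigs[-1]["sigclass"] = int(m.group(1), 16)
        elif sigs and (m := re.search(r"digest algo (\d+)", line)):
            sigs[-1]["digest"] = int(m.group(1))
    return primary, sigs

def certification_report(dump, ignore=frozenset()):
    """Third-party user-ID certifications (sigclass 0x10-0x13) grouped by digest
    strength; the self-signature and issuers in `ignore` (e.g. revoked keys) are skipped."""
    primary, sigs = parse_list_packets(dump)
    strong, weak = [], []
    for s in sigs:
        if not 0x10 <= s["sigclass"] <= 0x13 or s["issuer"] in (primary, *ignore):
            continue
        (weak if s["digest"] in WEAK_DIGESTS else strong).append(s["issuer"])
    return {"strong": strong, "weak": weak, "trusted": len(strong) >= 3}

def _sig(keyid, sigclass, digest):
    """Build one constructed signature packet in --list-packets layout."""
    return (f":signature packet: algo 1, keyid {keyid}\n"
            f"\tversion 4, created 1411900000, md5len 0, sigclass 0x{sigclass:02x}\n"
            f"\tdigest algo {digest}, begin of digest 00 00\n")

# Constructed dump with placeholder key IDs (not real key data): a SHA256
# self-signature, three SHA1 certifications (one from a key treated as revoked)
# and one SHA512 certification.
SAMPLE = ":public key packet:\n\tkeyid: AAAAAAAAAAAAAAAA\n" + "".join([
    _sig("AAAAAAAAAAAAAAAA", 0x13, 8),   # self-signature, SHA256
    _sig("1111111111111111", 0x10, 2),   # third-party cert, SHA1
    _sig("2222222222222222", 0x10, 2),   # third-party cert, SHA1
    _sig("3333333333333333", 0x10, 2),   # SHA1 cert from the "revoked" key
    _sig("4444444444444444", 0x10, 10),  # third-party cert, SHA512
])
```

Running `certification_report(SAMPLE, ignore={"3333333333333333"})` reports two weak and one non-weak certification, i.e. the key would still fall short of three non-weak signatures.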
I've added a regression test in https://github.com/msys2/msys2-tests/pull/56 as well, so we notice when the key trust fails in the future.