Arch Linux User Repository

Please do not ask for support for GnuPG in the comments here. Thanks.

Also please make use of markdown backticks when posting code blocks and command output. But again this is GnuPG issues, not aurman issues.

@Cavsfan Try https://wiki.archlinux.org/index.php/GnuPG#Import_a_public_key manually and fix any problems.

@j1simon, @Cavsfan, really, is it that hard, to read the pinned comments and accept, that this is NOT the right place for such "issues"?

I meant "Y" not "U"

@polygamma, I fully trust adding this key and gave it a "U" but, it got these errors:

gpg: keyserver receive failed: No data
2018-06-18 12:44:17,909 - classes - search_and_fetch_pgp_keys - ERROR - Import PGP key 4C3CE98F9579981C21CA1EC3465022E743D71E39 failed.
2018-06-18 12:44:17,909 - main - main - ERROR - 
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/aurman/main.py", line 734, in main
    process(argv[1:])
  File "/usr/lib/python3.6/site-packages/aurman/main.py", line 646, in process
    package.show_pkgbuild(noedit, show_changes, pgp_fetch, keyserver, always_edit, default_show_changes)
  File "/usr/lib/python3.6/site-packages/aurman/classes.py", line 1051, in show_pkgbuild
    self.search_and_fetch_pgp_keys(fetch_always, keyserver)
  File "/usr/lib/python3.6/site-packages/aurman/classes.py", line 935, in search_and_fetch_pgp_keys
    raise ConnectionProblem("Import PGP key {} failed.".format(pgp_key))
aurman.own_exceptions.ConnectionProblem: Import PGP key 4C3CE98F9579981C21CA1EC3465022E743D71E39 failed.

@enbQao - Really depends on what you want to achieve. Do you want to be sure, that the guy on the GitHub picture https://github.com/polygamma is the one, who has pushed the changes? Guess you'll have to visit me in Kiel, Germany for that. Do you want to be sure, that the one who "owns" this AUR package is the one, who pushed the changes? Well, you have to hope, that nobody stole the SSH private key for this package. Do you want to be sure, that the one responsible for the GitHub repository https://github.com/polygamma/aurman is the one, who pushed the changes? Write an email to the E-Mail address mentioned on the GitHub profile and hope, that nobody hacked the GitHub Account and/or the E-Mail address.

Besides that: The PGP key has been newly created just for the purpose of signing aurman commits and releases, so there are no other people on earth who could really verify that it's the PGP key of "Jonni Westphalen". But since the commits and releases have not been signed at all just a few days ago, you do not lose any security by "trusting" the new PGP key. All in all aurman is open source, just look at the sourcecode if you want to be sure, that there is nothing "fishy".

Addition: As time passes, it's getting more and more unlikely, that the dev of aurman is not the one, who introduced PGP signing with that key, because well, guess he would not let it pass, that his accounts and private keys have been stolen without making noise.

Hi, with the latest update, it said

"PGP Key 4C3CE98F9579981C21CA1EC3465022E743D71E39 found in PKGBUILD of aurman and is not known yet. Do you want to import the key?"

I know I can probably trust this, but how can I verify myself that I can trust this?

(seeing all the comments here I hope this is the right place to ask)

@Eschwartz - see: https://aur.archlinux.org/cgit/aur.git/commit/?h=aurman&id=2dc46d3f2ff2