Package Details: leiningen 1:2.7.0-1

Git Clone URL: https://aur.archlinux.org/leiningen.git (read-only)
Package Base: leiningen
Description: Automating Clojure projects without setting your hair on fire.
Upstream URL: https://github.com/technomancy/leiningen
Licenses: EPL
Submitter: None
Maintainer: ckafi
Last Packager: ckafi
Votes: 125
Popularity: 1.304241
First Submitted: 2010-05-19 02:29
Last Updated: 2016-08-26 21:35

Pinned Comments

ckafi commented on 2016-04-21 08:39

Giving Ultimate trust to unknown keys is a terrible idea and I absolutely do *not* recommend it. As with other signed packages you've got three options:

• import the key and sign it locally
gpg --recv-keys 5A92E04305696D78 && gpg --lsign-key 5A92E04305696D78

• add the key to the 'validpgpkeys' array in the PKGBUILD
validpgpkeys=('2E708FB2FCECA07FF8184E275A92E04305696D78')

• use makepkg --skippgpcheck

Once again, do NOT give ultimate trust to random keys from the internet!
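
A check that goes with the first two options in the comment above, added here as an example (it is not part of the comment, the PKGBUILD or the leiningen project): compare the key's full fingerprint with the validpgpkeys value before signing it locally, and flag a key that carries ultimate ownertrust. The function names are hypothetical and the key listing is a constructed sample in gpg's --with-colons format.

```shell
#!/bin/sh
# Added example: compare a key's full fingerprint with the PKGBUILD pin
# before signing it locally, and flag ultimate ownertrust.

# Full fingerprint from the validpgpkeys entry quoted in the comment above.
PINNED_FPR='2E708FB2FCECA07FF8184E275A92E04305696D78'

# Constructed sample of `gpg --with-colons --fingerprint` output. Only the
# key ID and fingerprint come from the page; every other field is made up.
SAMPLE_LISTING='pub:-:4096:1:5A92E04305696D78:1300000000:::-:::scESC:
fpr:::::::::2E708FB2FCECA07FF8184E275A92E04305696D78:
uid:-::::1300000000::::Example Signer <signer@example.invalid>:'

# Print field $2 of the first record of type $1 in listing $3.
first_field() {
    printf '%s\n' "$3" | awk -F: -v rec="$1" -v n="$2" \
        '$1 == rec && !seen { print $n; seen = 1 }'
}

# check_key LISTING PINNED_FPR
# Prints one verdict: ok, no-fingerprint, fingerprint-mismatch or
# ultimate-trust. Returns 0 only for ok.
check_key() {
    fpr=$(first_field fpr 10 "$1" | tr 'a-f' 'A-F')
    pin=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    trust=$(first_field pub 9 "$1")
    if [ -z "$fpr" ]; then
        echo no-fingerprint; return 1
    fi
    # Compare all 40 hex digits. The 16-digit key ID is only the tail of
    # the fingerprint, so matching IDs do not prove matching keys.
    if [ "$fpr" != "$pin" ]; then
        echo fingerprint-mismatch; return 1
    fi
    # 'u' in the pub record's ownertrust field means ultimate trust, which
    # the comment above warns against for a third-party key.
    if [ "$trust" = u ]; then
        echo ultimate-trust; return 1
    fi
    echo ok
}

check_key "$SAMPLE_LISTING" "$PINNED_FPR"
```

On a real system the listing would come from `gpg --with-colons --fingerprint 5A92E04305696D78` after the key has been received.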

Latest Comments

rpodgorny commented on 2016-12-04 02:26

please update or orphan, thank you...

joekiller commented on 2016-11-18 15:58

I created an update for 2.7.1 here: https://github.com/joekiller/leiningen.git

daniel.appelt commented on 2016-10-28 09:43

A comment stating that "auto-key-retrieve" needs to be enabled in /~/.gnupg/gpg.conf next to the validpgpkeys entry in the PKGBUILD would maybe be helpful for new users.

simonorono commented on 2016-10-08 01:29

Which keyserver can be used for this key?

csgero commented on 2016-06-26 16:01

For validpgpkeys in PKGBUILD to work you'll also have to enable auto-key-retrieve in your /~/.gnupg/gpg.conf file. To do this, uncomment the line
#keyserver-options auto-key-retrieve

hidebu commented on 2016-04-21 10:53

I see. I just commented it because I could manage it only that way... After makepkg I reverted it. But yes, it is a really BAD idea; also, I forgot to check how to skip verifying the PGP sign..
Just to verify a sign of a file, I usually don't do that either...

I removed the comment.

ronjouch commented on 2016-04-20 09:02

@hidebu I certainly do *not* want to give ultimate trust to an unknown third party; here's a layman explanation of what the consequences of ultimate trust are: http://security.stackexchange.com/questions/69062/what-is-the-difference-between-full-and-ultimate-trust

This workaround seems worse than the problem being addressed; hoping someone or the maintainer @ckafi proposes/commits a proper fix.

synthetic commented on 2016-04-19 23:40

Same here:
leiningen-2.6.1-standalone.zip ... FAILED (unknown public key 5A92E04305696D78)

lianxiangru commented on 2016-04-19 18:14

Once again:
leiningen-2.6.1-standalone.zip ... FAILED (unknown public key 5A92E04305696D78)
