Package Details: leiningen 1:2.7.0-1

Git Clone URL: https://aur.archlinux.org/leiningen.git (read-only)
Package Base: leiningen
Description: Automating Clojure projects without setting your hair on fire.
Upstream URL: https://github.com/technomancy/leiningen
Licenses: EPL
Submitter: None
Maintainer: ckafi
Last Packager: ckafi
Votes: 123
Popularity: 1.035728
First Submitted: 2010-05-19 02:29
Last Updated: 2016-08-26 21:35

Pinned Comments

ckafi commented on 2016-04-21 08:39

Giving Ultimate trust to unknown keys is a terrible idea and I absolutely do *not* recommend it. As with other signed packages you've got three options:

• import the key and sign it locally
gpg --recv-keys 5A92E04305696D78 && gpg --lsign-key 5A92E04305696D78

• add the key to the 'validpgpkeys' array in the PKGBUILD
validpgpkeys=('2E708FB2FCECA07FF8184E275A92E04305696D78')

• use makepkg --skippgpcheck

Once again, do NOT give ultimate trust to random keys from the internet!

Latest Comments

csgero commented on 2016-06-26 16:01

For validpgpkeys in PKGBUILD to work you'll also have to enable auto-key-retrieve in your /~/.gnupg/gpg.conf file. To do this, uncomment the line
#keyserver-options auto-key-retrieve

hidebu commented on 2016-04-21 10:53

I see. I just commented it because I could manage it only that way... after makepkg I reverted it. but yes, it is really BAD idea, also I forgot to check how to skip verifying PGP sign..
just to verify a sign of file, I usually don't do that neither...

I removed the comment.

ckafi commented on 2016-04-21 08:39

Giving Ultimate trust to unknown keys is a terrible idea and I absolutely do *not* recommend it. As with other signed packages you've got three options:

• import the key and sign it locally
gpg --recv-keys 5A92E04305696D78 && gpg --lsign-key 5A92E04305696D78

• add the key to the 'validpgpkeys' array in the PKGBUILD
validpgpkeys=('2E708FB2FCECA07FF8184E275A92E04305696D78')

• use makepkg --skippgpcheck

Once again, do NOT give ultimate trust to random keys from the internet!

ronjouch commented on 2016-04-20 09:02

@hidebu I certainly do *not* want to give ultimate trust to an unkown third party; here's a layman explanation of what the consequences of ultimate trust are: http://security.stackexchange.com/questions/69062/what-is-the-difference-between-full-and-ultimate-trust

This workaround seems worse than the problem being addressed; hoping someone or the maintainer @ckafi proposes/commits a proper fix.

synthetic commented on 2016-04-19 23:40

Same here:
leiningen-2.6.1-standalone.zip ... FAILED (unknown public key 5A92E04305696D78)

lianxiangru commented on 2016-04-19 18:14

Once again:
leiningen-2.6.1-standalone.zip ... FAILED (unknown public key 5A92E04305696D78)

heapifyman commented on 2016-04-19 13:43


gpg verification fails: unknown key 5A92E04305696D78

after downloading gpg key, build fails with: key is not trusted

ckafi commented on 2016-03-24 16:55

Can't reproduce the validity check failures

mayweed commented on 2016-03-20 18:10

That package should be in an official repo, with an optional dependency to clojure...

abigguyforyou commented on 2016-03-18 18:24

Once again, lein does not pass the validity check.

All comments