[Dev] [News] Hyperbola users are now mitigated against Microarchitectural Data Sampling (MDS) vulnerabilities

André Silva emulatorman at hyperbola.info
Sat May 18 01:22:25 EEST 2019


On 05/17/2019 12:38 PM, Nelson H. F. Beebe wrote:
> I then tried the drastic solution of destroying the key directory and
> recreate it with
>
> 	rm -rf /etc/pacman.d/gnupg
> 	pacman-key --init
> 	pacman-key --populate archlinux
> 	pacman-key --populate parabola
> 	pacman-key --populate hyperbola
> 	pacman-key --refresh-keys

We don't have "archlinux" (in our case it is "arch") or "parabola" keys;
you should run:

rm -rf /etc/pacman.d/gnupg
pacman-key --init
pacman-key --populate hyperbola arch
pacman-key --refresh-keys

> I still get the same error, which looks like this:
> 
> 	# pacman -Sy hyperbola-keyring
> 	:: Synchronizing package databases...
> 	 core is up to date
> 	 extra is up to date
> 	 community is up to date
> 	resolving dependencies...
> 	looking for conflicting packages...
> 
> 	Packages (1) hyperbola-keyring-20190203-0
> 
> 	Total Download Size:    0.14 MiB
> 	Total Installed Size:   0.21 MiB
> 	Net Upgrade Size:      -0.07 MiB
> 
> 	:: Proceed with installation? [Y/n] y
> 	:: Retrieving packages...
> 	 hyperbola-keyring-20190203-0-any ...
> 	(1/1) checking keys in keyring       ...
> 	downloading required keys...
> 	:: Import PGP key 1024D/328E93B83AF8ED58EA6556171583217AE1AC7510, "Fomm Oberon <Urano>", created: 1999-02-27? [Y/n] y
> 	(1/1) checking package integrity        
> 	error: hyperbola-keyring: key "5AA99D86E1AC7510" is unknown
> 	:: Import PGP key 1024D/328E93B83AF8ED58EA6556171583217AE1AC7510, "Fomm Oberon <Urano>", created: 1999-02-27? [Y/n] y
> 	:: File /var/cache/pacman/pkg/hyperbola-keyring-20190203-0-any.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
> 	Do you want to delete it? [Y/n] n
> 	error: failed to commit transaction (invalid or corrupted package (PGP signature))

Seems you didn't install the previous version of hyperbola-keyring with
our build server public key when it was built and signed by me. Now the
latest hyperbola-keyring package was built and signed by our build
server since our current packages are being built through it.

So, you should disable signature verification manually by modifying the
line in /etc/pacman.conf:

SigLevel = Never

Install Hyperbola keyring package:

pacman -S --asdeps hyperbola-keyring

Reenable signature verification in /etc/pacman.conf:

SigLevel = Required DatabaseOptional

Reinstall Hyperbola keyring with signature verification enabled:

pacman -S --asdeps hyperbola-keyring
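
The procedure above leaves package verification off between its first and third steps. As an added example (not part of the original message or of Hyperbola's tooling), this shell function lists every SigLevel directive in a pacman.conf-style file and returns non-zero while package signatures are not required. The function name, exit codes and sample config are assumptions made for illustration.

```shell
#!/bin/sh
# siglevel_audit FILE
#   Prints "section<TAB>value<TAB>verdict" for each active SigLevel line.
#   Returns 0: every listed SigLevel keeps package signatures required
#           1: at least one SigLevel sets packages to Never/Optional
#           2: no active SigLevel line found (nothing to judge)
siglevel_audit() {
    awk '
        /^[ \t]*#/ { next }                       # commented-out lines do not count
        /^[ \t]*\[.*\]/ {                         # section header, e.g. [options]
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            section = s; next
        }
        /^[ \t]*SigLevel[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            pkg = "inherited"                     # no package token on this line
            n = split(v, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) {            # later tokens override earlier ones
                if      (tok[i] ~ /^(Package)?Never$/)    pkg = "never"
                else if (tok[i] ~ /^(Package)?Optional$/) pkg = "optional"
                else if (tok[i] ~ /^(Package)?Required$/) pkg = "required"
            }
            verdict = (pkg == "never" || pkg == "optional") ? "WEAK" : "ok"
            if (verdict == "WEAK") weak = 1
            printf "%s\t%s\t%s\n", section, v, verdict
            seen++
        }
        END { if (!seen) exit 2; exit weak + 0 }
    ' "$1"
}

# Constructed sample: the temporary state after the first step of the procedure.
demo=$(mktemp)
printf '[options]\nSigLevel = Never\n\n[core]\nInclude = /etc/pacman.d/mirrorlist\n' > "$demo"
siglevel_audit "$demo" || echo "package signatures are not enforced (exit $?)"

# Constructed sample: the restored state after the third step.
printf '[options]\nSigLevel = Required DatabaseOptional\n' > "$demo"
siglevel_audit "$demo" && echo "package signatures are required"
rm -f "$demo"
```

Run against /etc/pacman.conf after the last step, the function should return 0 before any further packages are installed.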
