For clarity,

On 05/11, Marc Lehmann via arch-general wrote:
> He replied that the arch build system automatically treats all .sig files
> as gpg signatures, and that this can't be switched off; that the signature
> for http://dist.schmorp.de/liblzf/liblzf-3.6.tar.gz does not verify, and
> claimed this affects all of the file signatures.

This is indeed the case, see [0].

> I in turn replied that I consider this a candidate for a bug report
> against the arch build system, as it shouldn't enforce treatment of a
> random .sig file as a gpg signature. I also pointed out that it is a
> security bug if arch linux treats .sig files without a hardcoded or
> otherwise authenticated gpg key id, and shouldn't rely on a random
> openpgp signature, even if that signature verifies. I did mention that
> I can hardly imagine that the arch build system would be that broken
> however.

But this part is not, i.e., makepkg will only accept signatures from key(s) whose fingerprints are specified in validpgpkeys, and will not accept other random signatures. So there is no security issue here.

I hope that was helpful.

Regards,
Tharre

[0] https://wiki.archlinux.org/index.php/PKGBUILD#Sources

--
PGP fingerprint: 42CE 7698 D6A0 6129 AA16 EF5C 5431 BDE2 C8F0 B2F4
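As an added illustration of the check Tharre describes (example code, not makepkg's own implementation): a simplified POSIX shell re-implementation that accepts a source's .sig only when gpg reports a VALIDSIG whose signing-key fingerprint is listed in the PKGBUILD's validpgpkeys, so a signature that verifies under some other key is rejected just like one that does not verify at all. All fingerprints, key IDs, addresses and the gpg status lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not makepkg's code: pin-check of a .sig against validpgpkeys.
# Fingerprints, key IDs and gpg status output below are constructed placeholders.

# PKGBUILD fragment (placeholder fingerprint; a real PKGBUILD uses a bash array,
# here a space-separated string so the example stays POSIX sh)
VALIDPGPKEYS='AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111'

# constructed `gpg --status-fd 1` output: signature verifies under the pinned key
STATUS_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAA1111AAAA1111 Upstream Maintainer <upstream@example.invalid>
[GNUPG:] VALIDSIG AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111 2016-05-11 1462924800 0 4 0 1 8 00 AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111'

# constructed: signature verifies, but under a key nobody pinned in validpgpkeys
STATUS_UNPINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBBB2222BBBB2222 Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222 2016-05-11 1462924800 0 4 0 1 8 00 BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222'

# constructed: signature does not verify at all (the liblzf situation in the thread)
STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG AAAA1111AAAA1111 Upstream Maintainer <upstream@example.invalid>'

# check_sig STATUS_TEXT -> returns 0 only if the signature is cryptographically
# valid AND was made by a key whose fingerprint is in VALIDPGPKEYS
check_sig() {
    fpr=
    # gpg emits VALIDSIG only for a valid signature; field 3 is the fingerprint
    # of the signing (sub)key
    while read -r tag kw field3 rest; do
        if [ "$tag" = "[GNUPG:]" ] && [ "$kw" = "VALIDSIG" ]; then
            fpr=$field3
            break
        fi
    done <<EOF
$1
EOF
    [ -n "$fpr" ] || { echo "signature does not verify" >&2; return 1; }
    for pinned in $VALIDPGPKEYS; do
        [ "$fpr" = "$pinned" ] && return 0
    done
    echo "valid signature, but key $fpr is not in validpgpkeys" >&2
    return 1
}
```

The middle case is the one the thread worries about: a verifying signature from an unknown key is still rejected, because trust comes from the pinned fingerprint, not from the signature verifying.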