Suspicious archlinuxarm-keyring package in AUR !!!


Postby nicolasvila » Sat Feb 20, 2021 11:09 am

Hi, after an issue while upgrading my armv7h device, pacman complained about PGP issues and untrusted packages.
I found that archlinuxarm-keyring is present in both the CORE and AUR repositories with the same version number.

I suspect a security breach allowing untrusted packages to be pushed using keys in the package from the AUR.

Am I paranoid? I do think there should be no archlinuxarm-keyring package in the AUR:

sudo pacman -Ss archlinux keyring
core/archlinux-keyring 20210110-1 [installed]
Arch Linux PGP keyring
core/archlinuxarm-keyring 20140119-1 [installed]
Arch Linux ARM PGP keyring

When I look at packages from the main repo and the AUR, you can see the package is also present there!

yaourt -Ss archlinux keyring
core/archlinux-keyring 20210110-1 [installed]
Arch Linux PGP keyring
core/archlinuxarm-keyring 20140119-1 [installed]
Arch Linux ARM PGP keyring
aur/archlinux32-keyring 20200408-1.0 (4) (0.23)
Arch Linux 32 PGP keyring
aur/archlinuxarm-keyring 20140119-1 [installed] (0) (0.00)
Arch Linux ARM PGP keyring

Here is the official archlinuxarm-keyring package:
https://github.com/archlinuxarm/PKGBUIL ... rm-keyring
This one shouldn't be trusted:
https://aur.archlinux.org/packages/arch ... m-keyring/
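One way to tell which build of a same-named package is actually installed, as an added check that is not part of the original post: pacman -Qi records who built a package and how pacman validated it, and a package built locally from an AUR PKGBUILD carries no repository signature. The field names are pacman's; the sample records and their values are constructed for illustration.

```shell
#!/bin/sh
# Added check: decide whether an installed pacman package came from a signed
# repository build or from a local (e.g. AUR/makepkg) build, by reading the
# "Packager" and "Validated By" fields of `pacman -Qi` output on stdin.
# Note: `pacman -Qm` (list foreign packages) will NOT flag this case, because
# the package name also exists in the core sync database.

# Print one field ("Packager", "Validated By", ...) from pacman -Qi text on stdin.
qi_field() {
    # $1 = field name; pacman pads names to a column before " : "
    awk -v f="$1" -F' : ' '{ k=$1; sub(/[ \t]+$/, "", k); if (k == f) { print $2; exit } }'
}

# Return 0 when the record on stdin was validated by a repository signature,
# 1 otherwise (typical of a locally built package installed with pacman -U).
installed_from_signed_repo() {
    validated=$(qi_field "Validated By")
    [ "$validated" = "Signature" ]
}

# Constructed sample: a repo-built keyring record (values assumed, not real).
SIGNED_SAMPLE='Name            : archlinuxarm-keyring
Version         : 20140119-1
Packager        : Arch Linux ARM Build System <builder@archlinuxarm.org>
Validated By    : Signature'

# Constructed sample: same name and version, but built locally from a PKGBUILD.
LOCAL_SAMPLE='Name            : archlinuxarm-keyring
Version         : 20140119-1
Packager        : Unknown Packager
Validated By    : None'

# Classify a record; prints "signed-repo" or "local-or-unsigned".
check_sample() {
    if printf '%s\n' "$1" | installed_from_signed_repo; then
        echo "signed-repo"
    else
        echo "local-or-unsigned"
    fi
}

# Live use on a real system:
#   pacman -Qi archlinuxarm-keyring | installed_from_signed_repo && echo signed-repo
```

A result of local-or-unsigned for a package that the core repo also ships means the installed copy did not come from the signed repository build and is worth reinstalling from core (pacman -S core/archlinuxarm-keyring) after confirming the repo's own signature chain.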