Hi, after an issue while upgrading my armv7h device, pacman complained about PGP issues and untrusted packages.
I found that archlinuxarm-keyring is present in both the CORE and AUR repositories with the same version number.
I suspect a security breach allowing untrusted packages to be pushed using keys in the package from AUR.
Am I paranoid? I think there should be no archlinuxarm-keyring package in AUR:
Code:
sudo pacman -Ss archlinux keyring
core/archlinux-keyring 20210110-1 [installed]
    Arch Linux PGP keyring
core/archlinuxarm-keyring 20140119-1 [installed]
    Arch Linux ARM PGP keyring
When I look at packages from the main repo and AUR, you can see the package is also present!
Code:
yaourt -Ss archlinux keyring
core/archlinux-keyring 20210110-1 [installed]
    Arch Linux PGP keyring
core/archlinuxarm-keyring 20140119-1 [installed]
    Arch Linux ARM PGP keyring
aur/archlinux32-keyring 20200408-1.0 (4) (0.23)
    Arch Linux 32 PGP keyring
aur/archlinuxarm-keyring 20140119-1 [installed] (0) (0.00)
    Arch Linux ARM PGP keyring
Here is the official archlinuxarm-keyring package:
https://github.com/archlinuxarm/PKGBUIL ... rm-keyring
This one shouldn't be trusted:
https://aur.archlinux.org/packages/arch ... m-keyring/
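A small check, added here as example code that is not part of the post or of any Arch project, that parses `pacman -Ss` / `yaourt -Ss` output such as the listing quoted above (re-typed as a constructed sample, with pacman's usual indented description lines) and reports package names offered by more than one repository, and in particular an AUR copy that carries exactly the same version as the binary-repo copy, so the two cannot be told apart by version alone:

```python
import re
import sys
from collections import defaultdict

# Constructed sample: the `yaourt -Ss archlinux keyring` output quoted in the post.
SAMPLE = """core/archlinux-keyring 20210110-1 [installed]
    Arch Linux PGP keyring
core/archlinuxarm-keyring 20140119-1 [installed]
    Arch Linux ARM PGP keyring
aur/archlinux32-keyring 20200408-1.0 (4) (0.23)
    Arch Linux 32 PGP keyring
aur/archlinuxarm-keyring 20140119-1 [installed] (0) (0.00)
    Arch Linux ARM PGP keyring
"""

# Header line of each search hit: "<repo>/<name> <version> [flags...]"
HEADER = re.compile(r"^(?P<repo>[\w.-]+)/(?P<name>[\w@.+-]+)\s+(?P<ver>\S+)")


def parse_search(text):
    """Return {name: [(repo, version), ...]}; indented description lines are skipped."""
    found = defaultdict(list)
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        m = HEADER.match(line)
        if m:
            found[m["name"]].append((m["repo"], m["ver"]))
    return dict(found)


def find_collisions(text):
    """Names provided by more than one repository (e.g. a binary repo and the AUR)."""
    return {n: s for n, s in parse_search(text).items() if len({r for r, _ in s}) > 1}


def aur_shadowing(text):
    """Collisions where the AUR copy has the same version string as a non-AUR copy."""
    out = {}
    for name, srcs in find_collisions(text).items():
        aur_ver = dict(srcs).get("aur")
        if aur_ver and any(v == aur_ver for r, v in srcs if r != "aur"):
            out[name] = dict(srcs)
    return out


if __name__ == "__main__":
    # Pipe real `-Ss` output on stdin; falls back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for name, srcs in find_collisions(data).items():
        print(f"{name}: {srcs}")
```

Run it as `yaourt -Ss archlinux keyring | python3 collisions.py`; a hit means you should confirm with `pacman -Qi <name>` which source the installed copy actually came from.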