this post was submitted on 06 Apr 2024
11 points (92.3% liked)
Arch Linux
7759 readers
2 users here now
The beloved lightweight distro
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Many tools that use GPG, especially package managers, will download keys so they can verify signatures. It’s nothing to worry about. That developer probably signed something you use.
The
archlinux-keyring
package will install a few gpg keys.But also, the AUR also uses gpg keys to validate things.
Just searching the AUR for one of the repos that Jaffa linked to in another comment...
https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=librespot
Here is the PKGBUILD. Note line 24:
And I'm sure if you got through the AUR there are plenty of packages that use this
Many AUR helpers (like paru, or yay, etc), will either auto download these keys for you, or prompt you. Even if you were to build this pkgbuild by hand, unless you removed that line, it would require you to import the key for the makepkg to work. So "how does a fresh arch install wind up with GPG keys that I didn't manually import?" ... the answer is AUR helpers most likely (or you did it manually for a makepkg and just forgot).
It's also worth pointing out that GPG handles signing things, but also signature verification. These are all public keys in your system. Having public keys that have been used for signature verification is perfectly normal and kind of the point. If you had Roderick's private key that would be weird.
Alright, I was really worried that somehow, my computer was compromised. I'm still a newbie 😅.
Thank you!