I was creating a new key for pass when I noticed a random expired GPG key assigned to a certain “Roderick van Domburg” in my list of keys. I don’t know any Rodericks, and this laptop has been whipped clean.

Should I be concerned? How could this even happen???

  • cosmicrose@lemmy.world
    link
    fedilink
    English
    arrow-up
    19
    ·
    9 months ago

    Many tools that use GPG, especially package managers, will download keys so they can verify signatures. It’s nothing to worry about. That developer probably signed something you use.

    • bisby@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      ·
      9 months ago

      The archlinux-keyring package will install a few gpg keys.

      But also, the AUR also uses gpg keys to validate things.

      Just searching the AUR for one of the repos that Jaffa linked to in another comment…

      https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=librespot

      Here is the PKGBUILD. Note line 24:

      validpgpkeys=('EC57B7376EAFF1A0BB56BB0187F5FDE8A56219F4') ## Roderick van Domberg
      

      And I’m sure if you got through the AUR there are plenty of packages that use this

      Many AUR helpers (like paru, or yay, etc), will either auto download these keys for you, or prompt you. Even if you were to build this pkgbuild by hand, unless you removed that line, it would require you to import the key for the makepkg to work. So “how does a fresh arch install wind up with GPG keys that I didn’t manually import?” … the answer is AUR helpers most likely (or you did it manually for a makepkg and just forgot).

      It’s also worth pointing out that GPG handles signing things, but also signature verification. These are all public keys in your system. Having public keys that have been used for signature verification is perfectly normal and kind of the point. If you had Roderick’s private key that would be weird.

    • Binette@lemmy.mlOP
      link
      fedilink
      arrow-up
      3
      ·
      9 months ago

      Alright, I was really worried that somehow, my computer was compromised. I’m still a newbie 😅.

      Thank you!

    • tal@lemmy.today
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      9 months ago

      And the keyring was originally designed to hold all kinds of (public, not private) keys other then one’s own to build out the web of trust, so the intended mode of operation was to have other public keys in there. In practice, I think that most people just have their own keys, though.

      Never quite reached the dream of a distributed, verified network.

  • colournoun@beehaw.org
    link
    fedilink
    arrow-up
    1
    ·
    9 months ago

    Was it just the public part of the key, or was the secret key there, too? If it was just the public part, then maybe you imported the key at some time in the past?