
Cannot import PGP keys for the Arch AUR package

Open Thalley opened this issue 3 years ago • 8 comments

When attempting to install the https://aur.archlinux.org/packages/protonvpn-gui/ package via yay I see the following issue:

:: PGP keys need importing:
 -> A884 41BD 4864 F95B EE08 E63A 71EB 4740 1994 0E11, required by: python-proton-client  python-protonvpn-nm-lib  protonvpn-gui
==> Import? [Y/n] 
:: Importing keys with gpg...
gpg: keyserver receive failed: No name
problem importing keys

Thalley avatar Jun 28 '21 09:06 Thalley

Hey @Thalley

This is mentioned on our support page: https://protonvpn.com/support/official-linux-client-arch/ (check the Notes)

calexandru2018 avatar Jun 29 '21 09:06 calexandru2018

Hey @Thalley

This is mentioned on our support page: https://protonvpn.com/support/official-linux-client-arch/ (check the Notes)

Hi @calexandru2018, I've followed the steps. The issue I encountered was that I would get the above if I tried to import it via yay. When I did a manual import and declined the input choice in yay it worked.

I would argue that this issue should be kept open, because automatic import of the keys should be possible.

Thalley avatar Jun 29 '21 09:06 Thalley

I'm not sure that I fully understood what you meant here:

The issue I encountered was that I would get the above if I tried to import it via yay. When I did a manual import and declined the input choice in yay it worked.

Could you please explain in a bit more detail?

calexandru2018 avatar Jun 29 '21 09:06 calexandru2018

@calexandru2018 If I try to install protonvpn-gui via yay and press Y when yay asks for import (==> Import? [Y/n] ), it still fails with the above error. Only if I press n and use the manually imported keys it works.

yay should be able to import the keys and use those.

Thalley avatar Jun 29 '21 10:06 Thalley

I see. Well correct, yay should do that but the problem is that our keys are officially available on our webpage/kb and also here: https://keys.openpgp.org/search?q=opensource%40proton.me (which certain distros point at)

Given that packages are installed from AUR, unless users have configured a specific keyserver that they trust, keys should be installed manually for security measures.

calexandru2018 avatar Jun 29 '21 16:06 calexandru2018

I see. Well correct, yay should do that but the problem is that our keys are officially available on our webpage/kb and also here: https://keys.openpgp.org/search?q=opensource%40proton.me (which certain distros point at)

Given that packages are installed from AUR, unless users have configured a specific keyserver that they trust, keys should be installed manually for security measures.

So it is by design? I guess that somewhat makes sense - It's just uncommon to handle keys manually when installing AUR packages.

If this is indeed by design, and there's no plans to change that, I guess this issue can be closed, but perhaps with a link from https://aur.archlinux.org/packages/protonvpn-gui/ to this issue as many of the comments are related to this.

Thalley avatar Jun 29 '21 18:06 Thalley

@Thalley to clarify:

  • Each distro often comes preconfigured with certain keyservers
  • Each keyserver contains gpg keys which literally anyone can upload
  • Given the quantity of keyservers, it can get hard to track where all keys are stored or who uploaded them
  • At this point, we provide two solutions:
  1. If your machine is pointing to keys.openpgp.org, then the key can be automatically fetched *
  2. Else you can follow our instructions: https://protonvpn.com/support/official-linux-client-arch/
  • And the only reason we have it there in the first place was because someone had uploaded a different gpg key with our information.

calexandru2018 avatar Jul 22 '21 08:07 calexandru2018

And this is specific to AUR, because as soon as you start installing software from the official Arch/Manjaro repos you usually don't have to worry about it, as you install pre-packaged binaries.

calexandru2018 avatar Jul 22 '21 08:07 calexandru2018
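
The thread's point that anyone can upload a key carrying someone else's details means a manual import should be gated on the fingerprint, not on the user ID. The sketch below is an added example, not part of the thread or of Proton's instructions: the function names and the sample listings are constructed, and the expected fingerprint is the one yay printed in the original report.

```shell
#!/bin/sh
# Added example. Fingerprint copied from the yay prompt quoted in the issue.
EXPECTED_FPR='A884 41BD 4864 F95B EE08 E63A 71EB 4740 1994 0E11'

# Strip whitespace and upper-case, so spaced and raw forms compare equal.
normalize_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# stdin: `gpg --with-colons` output. Prints the fingerprint of each primary
# key, i.e. field 10 of the fpr record that directly follows a pub record.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             want && $1 == "fpr" { print $10; want = 0 }'
}

# True only if stdin holds exactly one primary key whose fingerprint is $1.
# User IDs are ignored on purpose: they are free text chosen by the uploader.
colons_match() {
    want=$(normalize_fpr "$1")
    set -- $(primary_fprs)            # one word per primary key found
    [ "$#" -eq 1 ] && [ "$(normalize_fpr "$1")" = "$want" ]
}

# Inspect a downloaded key file without importing it (--show-keys), and
# import only when the fingerprint check passes.
verify_then_import() {
    if gpg --show-keys --with-colons "$1" | colons_match "$EXPECTED_FPR"; then
        gpg --import "$1"
    else
        echo "fingerprint mismatch, not importing $1" >&2
        return 1
    fi
}

# Constructed sample listings (dates and UID text are made up).
sample_genuine() {
    printf '%s\n' \
      'pub:-:4096:1:71EB474019940E11:1600000000:::-:::scESC::::::23::0:' \
      'fpr:::::::::A88441BD4864F95BEE08E63A71EB474019940E11:' \
      'uid:-::::1600000000::0000::Constructed UID, same on both keys::::::::::0:'
}
sample_impostor() {
    printf '%s\n' \
      'pub:-:4096:1:89ABCDEF01234567:1600000000:::-:::scESC::::::23::0:' \
      'fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:' \
      'uid:-::::1600000000::0000::Constructed UID, same on both keys::::::::::0:'
}
```

Run `verify_then_import path/to/downloaded-key.asc` before answering yay's import prompt; a file that bundles a second primary key alongside the expected one is rejected as well.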