Like most distributions, SolydXK packages the keys needed for repository identification. You are only at risk if you manually download and install keys from a keyserver.
If you use keyservers to get your keys, follow these steps:
- Open ~/.gnupg/gpg.conf in a text editor. Ensure there is no line starting with keyserver. If there is, remove it or put a "#" before it and save the file. Then kill the dirmngr process from a terminal: gpgconf --kill dirmngr
- If you need to import a repository key that isn't packaged, never use the old method with apt-key. Just download the keyfile and put it in the /etc/apt/trusted.gpg.d directory. That way you can easily see how big it is, and getting rid of a poisoned key is simply a matter of deleting the file. Key files should be small, definitely smaller than 1 MB.
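
The two checks from the steps above, as an added shell example that is not part of the original post: it lists uncommented lines starting with keyserver in a gpg.conf and reports key files at or above the 1 MB ceiling. The function names and the optional byte-limit argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the two checks above.

# Print lines of the gpg.conf in $1 that start with "keyserver" and are
# not commented out. Exit status 0 means at least one such line exists.
active_keyserver_lines() {
    [ -f "$1" ] || return 1
    grep -nE '^[[:space:]]*keyserver' "$1"
}

# Print key files in directory $1 whose size is at least $2 bytes
# (default 1048576, the 1 MB ceiling the post gives for a sane key file).
oversized_keys() {
    limit=${2:-1048576}
    [ -d "$1" ] || return 0
    find "$1" -type f -size +"$((limit - 1))"c
}

# Run both checks on config $1 and key directory $2 (optional limit $3).
# Returns 1 if anything needs attention, 0 otherwise.
audit_keys() {
    rc=0
    if lines=$(active_keyserver_lines "$1"); then
        printf 'keyserver configured in %s:\n%s\n' "$1" "$lines"
        printf 'comment it out, then run: gpgconf --kill dirmngr\n'
        rc=1
    fi
    big=$(oversized_keys "$2" "$3")
    if [ -n "$big" ]; then
        printf 'large key files, inspect before trusting:\n%s\n' "$big"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        printf 'no keyserver line, no oversized key files\n'
    fi
    return "$rc"
}

# Default locations named in the steps above.
audit_keys "$HOME/.gnupg/gpg.conf" /etc/apt/trusted.gpg.d || true
```
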
Source: https://solydxk.com/news/recent-gnupg-k ... dos-attack