Hi, I have pushed an archlinux-keyring package into [testing] so we have something real to talk about. I revised some of my initial ideas. The package is compatible to pacman-key --populate; it seems gpg will also just accept a keyring that is just a bunch of keys put into one file. The remaining issues is the install script of the actual package. Atm I run "pacman-key --init" on install and "--populate" on upgrade. Is there a scenario where running init might not be a good idea? It wont increase security to let users do this manually; even worse: people might just not do it then. So I am going with a "works out-of-the-box" experience here. There are at least two problems with using pacman-key: It is extremely verbose and it requires the keyring to be signed which will lead to a bootstrapping problem. I started a thread about this on pacman-dev; so if you have ideas why this signature check might not be useless let me know there. Greetings, Pierre -- Pierre Schmitz, http://pierre-schmitz.com