Hello,

I'd like to push the creation of our keyring package. This package will contain all gpg keys needed to verify our packages. First of all: if you disagree with everything I did: don't worry; I am fine if we end up with an entirely different solution but this should be a good start.

After talking to others I would sum up the design goals as:

* clear and transparent process; for the maintainer and users
* complete and verifiable history of changes
* has to work without any internet connection
* no magic, no binary blobs; keep it as simple as possible

As a result I created a git repo which is meant to store all packager and master keys: https://projects.archlinux.org/archlinux-keyring.git/

The advantage over putting these files directly into svn is that we could use a cleaner layout with subdirs, sign tags and verify the source. The result is a (signed) tarball which can be used in the actual package which would contain additional logic.

The keyids are exported from archweb. I didn't distinguish between developers and trusted users as pacman itself does not know about this difference either. It also makes maintenance easier when people move between these groups or are active in both of them.

A package prototype can be found at https://projects.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/a... It is not in any repo yet but I hope to put something into [testing] after a brief discussion.

All this package does is install/update all master and packager keys and add them to the pacman keyring. Note that this does not set any trust level which is needed to actually verify packages. The user has to trust (lsign) each of the master keys to establish this. This is some kind of bootstrapping problem. Future versions of our installer should take care of this and do it automatically during install. To make life easier for our current users we could add a simple helper script which displays the master keys and lsigns them after confirmation.
The best way to do this is to use gpg --import-ownertrust which takes a simple text file of the format "<keyid>:<trustlevel>". I wouldn't want to use a binary file here. It is important that users always know what is going on.

To sum things up: The keyring package would install all needed keys and contain a simple helper script to verify and trust the master keys. A news item would then describe how to use this helper but also show several ways to verify the authenticity of the master keys.

Greetings,

Pierre

-- 
Pierre Schmitz, http://pierre-schmitz.com
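As an added illustration of the helper script sketched above (this is example code written for this page, not the archlinux-keyring package's own script), the following POSIX sh shows the two pieces the mail describes: building the plain-text ownertrust file that `gpg --import-ownertrust` reads, and an interactive loop that displays each master key, asks for confirmation and then lsigns it. Everything not in the mail is an assumption: the master key list is assumed to live in a text file of `<fingerprint> <trustlevel>` lines, the pacman keyring is assumed to be the gpg home directory `/etc/pacman.d/gnupg`, the trust level per key is left to the list file rather than fixed here, and the fingerprints used for testing are constructed, not real Arch keys.

```shell
#!/bin/sh
# Added example, not the archlinux-keyring package's own helper script.
# Assumptions (not from the original mail): master key fingerprints live in
# MASTER_KEYS_FILE as "<fingerprint> <trustlevel>" lines, and the pacman
# keyring is a gpg home directory at KEYRING_DIR.
set -eu

KEYRING_DIR="${KEYRING_DIR:-/etc/pacman.d/gnupg}"
MASTER_KEYS_FILE="${MASTER_KEYS_FILE:-/usr/share/pacman/keyrings/master-keys}"  # hypothetical path

# Normalise a fingerprint: drop the spaces gpg prints, upper-case it and
# require exactly 40 hex digits. gpg's ownertrust records are keyed by full
# fingerprint, so a short key id is rejected here. Returns 1 on failure.
normalize_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    printf '%s' "$fpr" | grep -Eq '^[0-9A-F]{40}$' || return 1
    printf '%s\n' "$fpr"
}

# One record in gpg's ownertrust format: "<fingerprint>:<trustlevel>:".
# Levels follow gpg's trustdb numbering: 3 never, 4 marginal, 5 full, 6 ultimate.
ownertrust_line() {
    fpr=$(normalize_fpr "$1") || return 1
    case "$2" in
        3|4|5|6) ;;
        *) return 1 ;;
    esac
    printf '%s:%s:\n' "$fpr" "$2"
}

# Turn a plain-text list of "<fingerprint> <trustlevel>" lines (comments with
# '#' and blank lines allowed) read from stdin into an ownertrust file on
# stdout. Any invalid line aborts with a message naming the line, so a typo
# never silently becomes a missing or wrongly trusted key.
build_ownertrust() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        ownertrust_line "$1" "${2:-}" || {
            printf 'line %d: invalid entry: %s\n' "$n" "$line" >&2
            return 1
        }
    done
}

# Show each master key, ask for confirmation, locally sign it, and finally
# load all confirmed trust levels in one --import-ownertrust call. The
# answer is read from the terminal so the key list can come from a file.
trust_master_keys() {
    trustfile=$(mktemp)
    trap 'rm -f "$trustfile"' EXIT
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        rec=$(ownertrust_line "$1" "${2:-}") || {
            printf 'invalid master key entry: %s\n' "$line" >&2
            return 1
        }
        fpr=${rec%%:*}
        gpg --homedir "$KEYRING_DIR" --fingerprint "$fpr"
        printf 'Locally sign and trust this master key (level %s)? [y/N] ' "${2:-}"
        read -r answer < /dev/tty
        case "$answer" in
            y|Y)
                gpg --homedir "$KEYRING_DIR" --lsign-key "$fpr"
                printf '%s\n' "$rec" >> "$trustfile"
                ;;
            *)
                printf 'skipped %s\n' "$fpr"
                ;;
        esac
    done < "$MASTER_KEYS_FILE"
    gpg --homedir "$KEYRING_DIR" --import-ownertrust "$trustfile"
}

# Only touch the keyring when explicitly asked; the functions above can be
# sourced and used on their own, e.g. to preview the ownertrust file with
# build_ownertrust < "$MASTER_KEYS_FILE".
if [ "${1:-}" = "--apply" ]; then
    trust_master_keys
fi
```

The point of keeping the trust data as `fingerprint:level:` text is exactly the one made in the mail: a user (or a package diff) can read what is about to be trusted before it happens, and an entry that is not a full fingerprint or not a known trust level is refused rather than imported with a surprising meaning.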