17 Jun
2012
17 Jun
'12
8 p.m.
However: Distributing a pacman keychain master key to more than one machine is rarely a sensible solution. If you actually want the very specific additional security checks offered by only allowing signed packages, you must ensure a properly secured master key with a diligently confirmed web of trust. If the private master key, which is being generated with --init, leaks, it is trivial for a hypothetical attacker to directly sign manipulated packages with this key, which basically invalidates the security benefit signed packages are supposed to offer.
Good point, I though about this one too, but what about automatic `pacman-key --init' at install time? This would solve the problem no?