On 24/12/21 01:30, Jeremy Huntwork wrote:
> On Thu, Dec 23, 2021 at 10:14 AM Jeremy Huntwork <jeremy@merelinux.org> wrote:
>
> The reason I don't see it as being a problem for me is that my intent is to release authoritative packages from one source, a CI/CD pipeline that is triggered off of the main repository. Validation and trust of humans that are allowed to push to that repository and trigger official releases can be handled via other mechanisms. Community repositories might have slightly different requirements, but my expectation is that every repository used could have one official public key.
>
> I suppose if I did have a reason for supporting multiple keys, those would all have to be shipped/installed together and then pacman could loop through them until one of them validates the sig. asignify is fast enough though because of its methods and algorithms used (blake2) that I don't really see that as an issue either.
I'm not a fan of the idea that if a user has a handful of non-distro repositories configured, every package signature would need to be checked against multiple keys until one passed. Is there no way of identifying the correct signing key from the signature file?

Allan