On Mon, 15 Dec 2008 13:50:49 -0600, Chris Brannon <cmbrannon@cox.net> wrote:
Try removing trustdb from the gpg directory, while leaving pubring intact. You'll see what I mean. To summarize, it checks the signature if the key is found in pubring.
Yes, you're right. Got this in debug when the key is not trusted (no trustdb):

summary=0 fpr=0403BBB7C3907CDA95FBB3E61221825A96A08062 status=0 timestamp=1228738371 wrong_key_usage=0 pka_trust=0 chain_model=0 validity=0 validity_reason=0 key=17 hash=2
error: Package /var/cache/pacman/pkg/abook-0.5.6-4-i686.pkg.tar.gz has an invalid signature.
abook-0.5.6-4-i686.pkg.tar.gz is invalid or corrupted

And this when the signing pubkey is trusted:

summary=3 fpr=0403BBB7C3907CDA95FBB3E61221825A96A08062 status=0 timestamp=1228738371 wrong_key_usage=0 pka_trust=0 chain_model=0 validity=4 validity_reason=0 key=17 hash=2
debug: installing packages
debug: found cached pkg: /var/cache/pacman/pkg/abook-0.5.6-4-i686.pkg.tar.gz
debug: loading target '/var/cache/pacman/pkg/abook-0.5.6-4-i686.pkg.tar.gz'
debug: no package signature file found

The last line confused me...
I think pacman should at least complain if the signing key is not found in the public keyring. Thoughts?
IMHO pacman should refuse to install anything from core and extra if the signature is not found or corrupted. I don't know what to do with community (maybe a second keyring with TU signatures?) My thoughts were to make an option for each repo section in pacman.conf. With this option:

Keyring = /foo/bar

we have an indicator that pacman should check for correct signatures, and users could have their unsigned or self-signed repos additionally.
-- Chris
Regards Gerhard
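The two debug results quoted in this message show the distinction that matters for a package manager: a signature can be cryptographically good (the key is in pubring) and still carry no trust (no trustdb), and a good-looking "no signature file found" must not silently pass. The following Python is an added example, not pacman's code and not written by anyone on this list. It parses gpgme result lines of the form shown above and applies the per-repo policy proposed here: a repo with a Keyring option requires a signature from a fully trusted key, a repo without one does not. The summary bit values and validity levels are gpgme's own constants (gpgme_sigsum_t, gpgme_validity_t); the keyring_required flag standing in for the Keyring option, and the third sample line showing a key that is absent from pubring (summary bit KEY_MISSING, status GPG_ERR_NO_PUBKEY), are assumptions constructed for this example.

```python
import re

# Bit flags of gpgme's gpgme_sigsum_t: the 'summary' field in the debug lines
SIGSUM_VALID = 0x0001        # signature is valid under the trust model
SIGSUM_GREEN = 0x0002        # display hint: everything is fine
SIGSUM_RED = 0x0004          # display hint: bad signature
SIGSUM_KEY_REVOKED = 0x0010
SIGSUM_KEY_EXPIRED = 0x0020
SIGSUM_SIG_EXPIRED = 0x0040
SIGSUM_KEY_MISSING = 0x0080  # signing key is not in the public keyring

# gpgme_validity_t: the 'validity' field, how much the key itself is trusted
VALIDITY_FULL = 4
VALIDITY_NAMES = {0: "unknown", 1: "undefined", 2: "never",
                  3: "marginal", 4: "full", 5: "ultimate"}

# Any of these means the signature must never be accepted, whatever the repo policy
HARD_FAILURES = SIGSUM_RED | SIGSUM_KEY_REVOKED | SIGSUM_KEY_EXPIRED | SIGSUM_SIG_EXPIRED

# Constructed sample lines. The first two reproduce the results quoted in the
# thread; the third is made up to show a key that is missing from pubring.
UNTRUSTED = ("summary=0 fpr=0403BBB7C3907CDA95FBB3E61221825A96A08062 status=0 "
             "timestamp=1228738371 wrong_key_usage=0 pka_trust=0 chain_model=0 "
             "validity=0 validity_reason=0 key=17 hash=2")
TRUSTED = ("summary=3 fpr=0403BBB7C3907CDA95FBB3E61221825A96A08062 status=0 "
           "timestamp=1228738371 wrong_key_usage=0 pka_trust=0 chain_model=0 "
           "validity=4 validity_reason=0 key=17 hash=2")
MISSING = ("summary=128 fpr=0403BBB7C3907CDA95FBB3E61221825A96A08062 status=9 "
           "timestamp=0 wrong_key_usage=0 pka_trust=0 chain_model=0 "
           "validity=0 validity_reason=0 key=17 hash=2")


def parse_verify_result(line):
    """Turn one 'summary=0 fpr=... validity=0 ...' line into a dict.
    Numeric fields become ints; the fingerprint always stays a string."""
    result = {}
    for key, value in re.findall(r"(\w+)=(\S+)", line):
        result[key] = int(value) if key != "fpr" and value.isdigit() else value
    return result


def verify_decision(result, keyring_required):
    """Decide whether a package may be installed.

    result: dict from parse_verify_result(), or None when there is no
            signature file at all.
    keyring_required: True when the repo section has a Keyring option
            (hypothetical, as proposed in the thread), i.e. signatures are
            mandatory and must come from a trusted key.
    Returns (accept, reason)."""
    if result is None:
        if keyring_required:
            return False, "no package signature file found"
        return True, "unsigned repo: no signature required"

    fpr = result.get("fpr", "?")
    summary = result.get("summary", 0)

    # A key that is not in pubring can never yield a trustworthy signature;
    # this is the case the thread asks pacman to complain about.
    if summary & SIGSUM_KEY_MISSING:
        return False, "signing key %s is not in the public keyring" % fpr
    if result.get("status", 0) != 0:
        return False, "gpgme reported error status %d" % result["status"]
    if summary & HARD_FAILURES:
        return False, "signature by %s is bad or expired, or the key is revoked/expired" % fpr

    # Cryptographically good, but is the key trusted? summary=0/validity=0
    # (the no-trustdb case above) lands here.
    validity = result.get("validity", 0)
    if not (summary & SIGSUM_VALID) or validity < VALIDITY_FULL:
        reason = "signature by %s is cryptographically good but the key has %s validity" % (
            fpr, VALIDITY_NAMES.get(validity, str(validity)))
        if keyring_required:
            return False, reason
        return True, reason + " (accepted: repo has no Keyring option)"
    return True, "good signature by fully trusted key %s" % fpr


if __name__ == "__main__":
    for label, line in (("untrusted", UNTRUSTED), ("trusted", TRUSTED), ("missing", MISSING)):
        for required in (True, False):
            accept, why = verify_decision(parse_verify_result(line), required)
            print("%-9s keyring_required=%-5s -> %s: %s" % (label, required, accept, why))
    print("no sig   keyring_required=True  ->", verify_decision(None, True))
```

The order of checks is deliberate: a missing key and a bad signature are rejected before the repo policy is consulted, so a repo without a Keyring option relaxes only the trust requirement, not the integrity check. Note also that SIGSUM_VALID is only set when the trust model is satisfied, which is exactly why the first quoted result reads summary=0 even though the key was present in pubring.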