On 03/04/2017 at 19:46, Allan McRae wrote:
> On 04/04/17 12:43, Bruno Pagani wrote:
>> On 03/04/2017 at 19:02, Alli wrote:
>>>> Are you aware of the keyserver-options auto-key-retrieve from GPG? I don't say that this patch is useless, but just that this feature already exists elsewhere somehow.
>>> Okay, I didn't know about this feature of gnupg, so thanks for that.
>>>
>>> Pacman seems to have a feature of downloading required PGP keys on demand, so I was going for something similar in the user experience with makepkg.
>>>
>>> It still might be useful for AUR maintainers as a one-liner of how to fix PGP signature errors seen by users? Certainly easier to find than the above setting.
>> I think that all use cases can come with a solution without having to modify makepkg. The one you describe means that people don't really care about checking the keys by themselves, so the AUR helper they use could probably use a separate GPG keyring/db with this option set (not sure if that's easy to do/configure, but it probably should be).
> What is there to check? You are not explicitly trusting the key in your keyring - only downloading it. makepkg then confirms the key matches the fingerprint given to determine it is the key "trusted" by the packager.
>
> A

You might not trust the packager/maintainer. You might want to check this is the right key by looking at the sigs, checking whether you have a path to it, or whatever. I've also seen people using --lsign, but not sure why. But my point here is more that you might want to have automatic key retrieval for makepkg but not for other PGP uses for whatever reason. But this is solved by a separate GNUPGHOME. So no reason to discuss it further, since in the end we both agree that there is no reason to bake that into makepkg.

Bruno
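The two points the thread settles on, auto-key-retrieve only downloading a key while the pinned fingerprint in validpgpkeys is what actually decides trust, and a separate GNUPGHOME keeping that setting away from everyday gpg use, as an added example. This is illustrative code written for this page, not makepkg's or gpg's own; the PKGBUILD fragment, the gpg --status-fd output, the fingerprints and the packager identity are all constructed, and accepting a pin on either the signing subkey or the primary key is this example's choice rather than a statement of what makepkg does.

```python
"""Added example, not makepkg's own code: pin the signer's fingerprint.

auto-key-retrieve only *downloads* an unknown key into the keyring; that step
says nothing about whether the key belongs to the packager. The trust comes
from comparing the fingerprint gpg reports after verification with the ones
pinned in the PKGBUILD's validpgpkeys array. This sketches that comparison,
plus a dedicated GNUPGHOME so the auto-retrieve setting does not leak into
the user's everyday gpg configuration. All data below is constructed.
"""
import os
import re
import stat

FULL_FPR = re.compile(r"^[0-9A-F]{40}$")

# gpg.conf for the build-only keyring (the option named in the thread).
GPG_CONF_TEXT = (
    "# Build keyring only: fetch unknown signing keys automatically.\n"
    "keyserver-options auto-key-retrieve\n"
)


def normalize_fingerprint(text):
    """Uppercase and drop spaces so 'aabb ccdd ...' and 'AABBCCDD...' compare equal."""
    return re.sub(r"\s+", "", text).upper()


def parse_validpgpkeys(pkgbuild_text):
    """Extract fingerprints from a bash array like validpgpkeys=('...' '...').

    Only full 40-hex-digit fingerprints count as a pin: 32/64-bit key IDs
    can be collided cheaply, so a match on one proves nothing.
    """
    m = re.search(r"validpgpkeys=\((.*?)\)", pkgbuild_text, re.S)
    if not m:
        return set()
    body = re.sub(r"#[^\n]*", "", m.group(1))  # strip bash comments
    pinned = set()
    for single, double in re.findall(r"'([^']*)'|\"([^\"]*)\"", body):
        fpr = normalize_fingerprint(single or double)
        if FULL_FPR.match(fpr):
            pinned.add(fpr)
    return pinned


def parse_status(status_text):
    """Read gpg --status-fd output: did the signature verify, and with which key?

    VALIDSIG carries the signing (sub)key fingerprint in field 3 and, when
    present, the primary key fingerprint in field 12; both are collected so a
    pin on either matches (this example's choice, not necessarily makepkg's).
    """
    seen = {"goodsig": False, "fingerprints": set(), "bad": []}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "GOODSIG":
            seen["goodsig"] = True
        elif tag in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            seen["bad"].append(tag)
        elif tag == "VALIDSIG" and len(fields) >= 3:
            seen["fingerprints"].add(normalize_fingerprint(fields[2]))
            if len(fields) >= 12:
                seen["fingerprints"].add(normalize_fingerprint(fields[11]))
    return seen


def check_signature(status_text, pkgbuild_text):
    """Return (ok, reason): ok only if a good signature came from a pinned key."""
    pinned = parse_validpgpkeys(pkgbuild_text)
    if not pinned:
        return False, "no full fingerprint in validpgpkeys; a downloaded key proves nothing"
    seen = parse_status(status_text)
    if seen["bad"]:
        return False, "gpg reported " + ", ".join(seen["bad"])
    if not seen["goodsig"]:
        return False, "no GOODSIG line: the signature did not verify"
    matched = seen["fingerprints"] & pinned
    if not matched:
        return False, "good signature, but signer %s is not pinned" % ", ".join(sorted(seen["fingerprints"]))
    return True, "signed by pinned key " + min(matched)


def make_build_gnupghome(path):
    """Create a separate GNUPGHOME (mode 0700, as gpg requires) holding GPG_CONF_TEXT."""
    os.makedirs(path, mode=stat.S_IRWXU, exist_ok=True)
    os.chmod(path, stat.S_IRWXU)
    conf = os.path.join(path, "gpg.conf")
    with open(conf, "w") as fh:
        fh.write(GPG_CONF_TEXT)
    return conf


# Constructed sample data: no real keys, people or packages.
PINNED_KEY = "00112233445566778899AABBCCDDEEFF00112233"
UNPINNED_KEY = "FFEEDDCCBBAA99887766554433221100FFEEDDCC"
SAMPLE_PKGBUILD = """\
pkgname=example
validpgpkeys=('%s'   # Example Packager
              'AABB CCDD EEFF 0011 2233  4455 6677 8899 AABB CCDD')
""" % PINNED_KEY
VALIDSIG = "[GNUPG:] VALIDSIG %s 2017-04-03 1491249960 0 4 0 1 8 00 %s\n"
STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG CCDDEEFF00112233 Example Packager <packager@example.org>\n"
    + VALIDSIG % (PINNED_KEY, PINNED_KEY)
    + "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"  # auto-retrieved key: no web-of-trust path
)
STATUS_UNPINNED = STATUS_GOOD.replace(PINNED_KEY, UNPINNED_KEY)  # good sig, wrong key
STATUS_EXPIRED = STATUS_GOOD.replace("GOODSIG", "EXPKEYSIG")    # good sig, expired key
```

The TRUST_UNDEFINED line in the constructed output is the point Allan makes: a key fetched by auto-key-retrieve has no web-of-trust standing at all, and `check_signature` never consults it; only the fingerprint comparison decides. To keep the setting out of the normal keyring, as Bruno suggests, point gpg at the directory `make_build_gnupghome` creates by exporting GNUPGHOME before running makepkg (gpg reads that variable; makepkg simply invokes gpg).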