On Wed, Nov 24, 2010 at 1:58 PM, Allan McRae <allan@archlinux.org> wrote:
> The reply I got from the gpg list indicates that we are right here and at least one ultimately trusted key is needed. So that at least clears up one confusion...

Good!

> However, if you are using an external repo maintained by one person, you probably do not want to give that person's key any rights to sign other keys. So I would not want to give that key ultimate trust. However, locally signing the key would allow me to accept the packages from that repo as validly signed.

Agreed. A special key pair just for the purpose of trusting is very appropriate, especially with third party repositories. I'll update the wiki page with that advice.

> If people think the second method is reasonable, it would be good to add an option to pacman-key to allow signing (locally only) of keys.

In fact, it already has. It is the --trust option.

> Ah... of course (and the --adv option is always there...). Maybe we should rename the --trust option to --edit-key to keep in line with what GPG is really doing there and to make it clear you can set more than just trust. Also, it always seemed weird to me that I was setting --trust and then had to type "trust" again at the prompt to do it.

Yeah, I can change that. I really suck at naming things :)

--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?

-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------
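The setup discussed above (a dedicated, ultimately trusted key that locally signs a third-party maintainer's key instead of that key being given ultimate trust), as an added shell example that is not part of the thread or of pacman-key; it drives gpg directly, assumes GnuPG 2.1 or newer, and the identities, the "package" file and the example.invalid address are constructed:

```shell
#!/bin/sh
# Added example, not from the thread: a dedicated, ultimately trusted "trust anchor"
# key locally signs a third-party repo maintainer's key, so packages from that repo
# verify as trusted while the maintainer's key itself receives no ownertrust.
# Requires GnuPG 2.1+; identities and the "package" below are constructed.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to show"; exit 0; }
gpg --version | head -n 1 | grep -q ' 2\.[1-9]' || { echo "needs GnuPG 2.1+"; exit 0; }

WORK=$(mktemp -d)
MAINT_HOME="$WORK/maintainer"   # stands in for the repo maintainer's machine
LOCAL_HOME="$WORK/local"        # stands in for the keyring on our own machine
mkdir -m 700 "$MAINT_HOME" "$LOCAL_HOME"
cleanup() {
    GNUPGHOME="$MAINT_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$LOCAL_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}
trap cleanup EXIT

# g HOME ARGS...: run gpg non-interactively against the given keyring (keys are unprotected).
g() { home=$1; shift; gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# trust_status SIG FILE: echo the TRUST_* status line gpg reports when verifying SIG over FILE.
trust_status() {
    g "$LOCAL_HOME" --status-fd 1 --verify "$1" "$2" 2>/dev/null | awk '$2 ~ /^TRUST_/ { print $2 }'
}

# 1. Maintainer side: create a signing key, sign a constructed package, export the public key.
g "$MAINT_HOME" --quick-generate-key "Repo Maintainer (constructed) <maint@example.invalid>" ed25519 sign 0
printf 'constructed package payload\n' > "$WORK/pkg.tar"
g "$MAINT_HOME" --detach-sign --output "$WORK/pkg.tar.sig" "$WORK/pkg.tar"
g "$MAINT_HOME" --export --armor --output "$WORK/maint.pub"
MAINT_FPR=$(g "$MAINT_HOME" --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')

# 2. Local side: the only ultimately trusted key is our own trust anchor (gpg grants a freshly
#    generated key ultimate ownertrust); the imported maintainer key has no validity yet.
g "$LOCAL_HOME" --quick-generate-key "Local Trust Anchor (constructed)" ed25519 sign 0
g "$LOCAL_HOME" --import "$WORK/maint.pub"
BEFORE=$(trust_status "$WORK/pkg.tar.sig" "$WORK/pkg.tar")   # signature good, key untrusted

# 3. Locally sign the maintainer key (non-exportable certification) instead of raising its
#    ownertrust: the key becomes fully valid for verification but may not vouch for other keys.
g "$LOCAL_HOME" --quick-lsign-key "$MAINT_FPR"
AFTER=$(trust_status "$WORK/pkg.tar.sig" "$WORK/pkg.tar")

echo "before lsign: $BEFORE   after lsign: $AFTER"
```

The ownertrust of the maintainer key stays unset throughout; only the certification by the anchor changes the outcome, which is the distinction the thread draws between trust and local signing.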