Hi,

good news everyone, thanks to Florian Pritz we now have a working WKD [1].

I had to modify the fingerprint check again [2] because the key used for signing might be a subkey, so we need to loop through all subkeys and check if one of these key IDs matches the one used for signing the package.

The latest patch series now works with the keys published in the Arch Linux WKD. I tested this by creating a new keyring containing only the master signing keys, then installing a random package from each of the developers whose key is ready for WKD support (the ones with three "Yes" in the table in [3]). This worked successfully, so from my side, this code is now ready for merging. I welcome any feedback on the code and any testing whether everything works as expected.

For convenience I cloned the pacman repository on Gitlab and provide the patch series in the "wkd" branch there [4]. A possible test setup looks like this:

    # Build pacman with WKD patches added
    git clone --branch wkd https://gitlab.com/diabonas/pacman.git
    mkdir pacman/build && cd pacman/build
    meson .. && ninja

    # Prepare keyring (similar to what pacman-key --populate archlinux would
    # do, but only import the master signing keys)
    fakeroot pacman-key --init --gpgdir keyring
    fakeroot pacman-key --gpgdir keyring --recv-keys \
        $(cut -d':' -f1 /usr/share/pacman/keyrings/archlinux-trusted)
    fakeroot pacman-key --gpgdir keyring --lsign \
        $(cut -d':' -f1 /usr/share/pacman/keyrings/archlinux-trusted)
    gpg --homedir keyring --import-ownertrust \
        /usr/share/pacman/keyrings/archlinux-trusted
    mkdir -p root/var/lib/pacman

    # Install a package, key will be looked up in the WKD
    # Output should be:
    # debug: looking up key for arojas@archlinux.org using WKD
    # debug: unknown key, found Antonio Rojas <arojas@archlinux.org> remotely
    fakeroot ./pacman --root root --gpgdir keyring --debug -Syu libaio

Other interesting test cases are:

- Use a package by a packager that doesn't use an Arch Linux UID (first column in [3] is No), e.g. "linux-headers": the WKD key lookup should fail with "key lookup failed, unknown key", but the key should be found and imported from a keyserver.

- Disable keyserver access by adding the line "keyserver broken.invalid" to "keyring/gpg.conf". Now importing the key for "libaio" from the WKD should still work, while installing "linux-headers" fails with 'error: key "A5E9288C4FA415FA" could not be looked up remotely'. (Don't forget to delete the keys from the pacman keyring using "gpg --homedir keyring --delete-keys 9D74DF6F91B7BDABD5815CA84AC5588F941C2A25 8218F88849AAC522E94CF470A5E9288C4FA415FA" first if you've already imported them.)

- Test whether installing a file directly using

      fakeroot ./pacman --root root --gpgdir keyring --debug -U \
          https://mex.mirror.pkgbuild.com/core/os/x86_64/libaio-0.3.112-1-x86_64.pkg.t...

  instead of using the database also retrieves the key from the WKD.

Cheers,
Jonas

[1] https://bugs.archlinux.org/task/63171#comment180697
[2] https://lists.archlinux.org/pipermail/pacman-dev/2019-August/023518.html
[3] https://wiki.archlinux.org/index.php/User:Diabonas/WKD_support_by_developer_...
[4] https://gitlab.com/diabonas/pacman