Hi,
good news everyone, thanks to Florian Pritz we now have a working WKD
[1] I had to modify the fingerprint check again [2] because the key used
for signing might be a subkey, so we need to loop through all subkeys and
check if one of these key IDs matches the one used for signing the package.
The latest patch series now works with the keys published in the Arch
Linux WKD. I tested this by creating a new keyring containing only the
master signing keys, then installing a random package from each of the
developers whose key is ready for WKD support (the ones with three "Yes"
in the table in [3]). This worked successfully, so from my side, this
code is now ready for merging. I welcome any feedback on the code and
any testing whether everything works as expected. For convenience I
cloned the pacman repository on Gitlab and provide the patch series in
the "wkd" branch there [4]. A possible test setup looks like this:
# Build pacman with WKD patches added
git clone --branch wkd https://gitlab.com/diabonas/pacman.git
mkdir pacman/build && cd pacman/build
meson .. && ninja
# Prepare keyring (similar to what pacman-key --populate archlinux would
# do, but only import the master signing keys)
fakeroot pacman-key --init --gpgdir keyring
fakeroot pacman-key --gpgdir keyring --recv-keys \
$(cut -d':' -f1 /usr/share/pacman/keyrings/archlinux-trusted)
fakeroot pacman-key --gpgdir keyring --lsign \
$(cut -d':' -f1 /usr/share/pacman/keyrings/archlinux-trusted)
gpg --homedir keyring --import-ownertrust \
/usr/share/pacman/keyrings/archlinux-trusted
mkdir -p root/var/lib/pacman
# Install a package, key will be looked up in the WKD
# Output should be:
# debug: looking up key for arojas@archlinux.org using WKD
# debug: unknown key, found Antonio Rojas
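The subkey check described at the top of the message, as an added example that is not pacman's own code: a key fetched from a WKD is selected by e-mail address alone, so the fetch proves nothing about who signed the package until the signature's key ID is matched against the primary key or one of its subkeys. Struct names, the sample fingerprints and the 16-digit minimum are assumptions of this example, not taken from the patch series.

```c
/* Added example, not pacman's own code: after a key has been fetched from a
 * WKD by e-mail address, nothing yet ties it to the package signature, so the
 * signing key ID must match the fingerprint of the primary key or a subkey.
 * Struct names are hypothetical stand-ins for gpgme's key/subkey objects. */
#include <string.h>
#include <ctype.h>

struct subkey {
    const char *fpr;        /* full 40-hex-digit fingerprint */
    struct subkey *next;
};

struct pgpkey { struct subkey *subkeys; }; /* primary key first, as in gpgme */

/* Case-insensitive check that keyid is a suffix of fpr. Long (16-digit) key
 * IDs or full fingerprints only; 8-digit short IDs collide too easily. */
static int keyid_matches_fpr(const char *keyid, const char *fpr)
{
    size_t klen = strlen(keyid), flen = strlen(fpr);
    if(klen < 16 || klen > flen) {
        return 0;
    }
    const char *tail = fpr + (flen - klen);
    for(size_t i = 0; i < klen; i++) {
        if(toupper((unsigned char)tail[i]) != toupper((unsigned char)keyid[i])) {
            return 0;
        }
    }
    return 1;
}

/* Returns 1 if signing_keyid belongs to the primary key or any subkey. */
int key_contains_signer(const struct pgpkey *key, const char *signing_keyid)
{
    for(const struct subkey *sk = key->subkeys; sk; sk = sk->next) {
        if(keyid_matches_fpr(signing_keyid, sk->fpr)) {
            return 1;
        }
    }
    return 0;
}

/* Constructed sample: primary key plus one signing subkey (fake fingerprints). */
int sample_key_contains(const char *signing_keyid)
{
    struct subkey sub = { "1111222233334444555566667777888899990000", NULL };
    struct subkey primary = { "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333", &sub };
    struct pgpkey key = { &primary };
    return key_contains_signer(&key, signing_keyid);
}
```

A key that passes the WKD lookup but fails this check should be treated as unknown, exactly as if the lookup had returned nothing.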