Based on the feedback on #archlinux-pacman, I have reworked the WKD patches: we now ask the user whether they want to import a missing PGP key before doing any remote lookup, which eliminates the need for a second temporary keyring. Without a remote lookup, we only know the ID of the package signing key, so we display the packager in addition to the key ID for user convenience. This patch series entirely replaces all previously sent patches regarding WKD support. - PATCH v3 1/3 restructures the user confirmation in the described way. It incorporates the previous patches 3/5 and 4/5 because to have a standalone patch, we need to retrieve the user ID to display a user-friendly confirmation message. Other than that, it's mostly moving existing code around to fit the new workflow. - PATCH v3 2/3 is a simplified version of the previous patch 2/5, since doing the confirmation first allows us to drop the temporary keyring. Note that in contrast to the previous approach, we don't check any more whether the key retrieved from the WKD has the correct key ID, it is now the responsibility of the WKD maintainer to ensure this. The reason for this change is that at the time we are able to check the key ID, we have already imported the key anyway. - PATCH v3 3/3 is unchanged from "[PATCH v2] libmakepkg: check if PACKAGER has the expected format for WKD lookup", included simply for the convenience of having a complete patch series. Jonas Witschel (3): signing: move key import confirmation before key_search signing: add ability to import keys using a WKD libmakepkg: check if PACKAGER has the expected format for WKD lookup lib/libalpm/be_package.c | 12 +- lib/libalpm/signing.c | 120 ++++++++++++++---- lib/libalpm/signing.h | 2 +- lib/libalpm/sync.c | 22 +++- scripts/libmakepkg/lint_config/variable.sh.in | 6 + src/pacman/callback.c | 13 +- 6 files changed, 136 insertions(+), 39 deletions(-) -- 2.23.0