So, I changed the code to use gpgme. Here are the patches for your evaluation. By the way, I'm not {angry,upset,crying} :) I really want to see package signing in pacman, but I know that this is a complex issue that will need lots of discussion. Below, follows a little explanation of the general idea of each patch. [PATCH 1/5] pacman-key: keyring management tool The script that helps with management for pacman keyring. It uses gpg, instead of gpg2 and is heavly inpired on apt-key, from debian. It is very straightforward. [PATCH 2/5] Signature verification functions Two functions: one for signatures in memory and another for signatures in files. Signatures of packages are stored in the repository and are copied to memory before verification. The signatures of database files are stored on files, hence the new function. [PATCH 3/5] Verify the signatures of databases and packages The calls for the signature functions. Verification of database updates and package instalations from the repositories. I didn't worry about local instalations, but it doesn't mean they are not there. If it were verified before (as Dan suggests), they are there. :) A point raised by Dan was that the reading of the signature from the repository was too complex. The reaasoning behind it is that signatures grow according to the size of the key used to sign. So, we can't be never sure if some buffer size is really enough. Maybe it is enough now, but in the future it may be not and we'll have a new bug in the bugtracker. My implementation is simple and robust, so it will work with any signature size. [PATCH 4/5] Parameter to select key to sign Just a new parameter to allow the packager to select the key he wants to use. if the key is not specified, his default key will be used. [PATCH 5/5] Document new options related to package signing Just documentation. No imporant comment. As always, comments and suggestions are welcome. -- Denis A. Altoé Falqueto