[arch-dev-public] Updates to archlinux-keyring and signatures for packager keys

[Morten Linderud]

On Fri, Jan 14, 2022 at 04:57:00PM -0800, Brett Cornwall via arch-dev-public wrote:
> On 2022-01-14 21:12, David Runge via arch-dev-public wrote:
> > To all that have added a new @archlinux.org UID or have created a new
> > key, please make sure that all signatures you have received from main
> > signing keys are also present in the current keyring (`pacman-key
> > --list-sigs <nick>@archlinux.org`) or in the current HEAD of
> > archlinux-keyring (`./keyringctl inspect <nick>` in a clone of the
> > archlinux-keyring repository). If you have signatures that are not yet
> > in the keyring, you can add them yourself [2] and do not have to wait on
> > a main signing key holder to do it.
> 
> Thanks for your work on this initiative.
> 
> I see that my key has made it but the trust is only marginal:
> 
> 
> [~]$ pacman -Q archlinux-keyring
> archlinux-keyring 20220114-1
> [~]$ pacman-key --list-sigs ainola at archlinux.org
> gpg: Note: trustdb not writable
> pub   ed25519 2018-10-03 [SC] [expires: 2022-07-18]
>       BE2DBCF2B1E3E588AC325AEAA06B49470F8E620A
> [snip]
> uid           [marginal] Brett Cornwall <ainola at archlinux.org>
> sig 3        A06B49470F8E620A 2021-11-18  Brett Cornwall <brett at i--b.com>
> sig          4DC95B6D7BE9892E 2021-11-20  David Runge (Arch Linux Master Key) <dvzrv at master-key.archlinux.org>
> 
> 
> 
> Is this expected behavior?

No it's not :)

It seems like you haven't pulled the signature from Florian which is on your
issue. But you still need one signature for full trust.

This means you still need to sign packages with the brett at i--b.com UID.

-- 
Morten Linderud
PGP: 9C02FF419FECBE16
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20220115/15eed26a/attachment.sig>