[arch-dev-public] RFC Final Comment Period: Store PGP keys for source file signatures alongside PKGBUILDs

Allan McRae allan at archlinux.org
Sun Mar 27 07:46:05 UTC 2022


On 11/3/22 09:12, Allan McRae via arch-dev-public wrote:
> An RFC has now entered Final Comment Period. In 14 days, discussion will 
> end and the proposal will either be accepted, rejected or withdrawn:
> 
> https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/11
> 
> Please visit the above link for discussion.
> 
> Summary:
> Store the PGP signing keys listed in a PKGBUILD's `validpgpkeys` array 
> alongside the PKGBUILD in our VCS.
> 
> 
> Motivation:
> The PGP keyserver infrastructure has become increasingly brittle over 
> recent years. This can make helping with updates or rebuilds of packages 
> difficult due to lack of access to the valid signing key. Having the 
> signing key exported alongside the PKGBUILD would allow for anybody to 
> import the key into their keyring and verify the source.


It has been 14 days, with no negative comments.  The RFC is now accepted.

I will work on patches to automate this.

Allan


