[arch-general] pacman 4.0.0 signing

Allan McRae allan at archlinux.org
Thu Oct 13 23:41:43 EDT 2011

On 14/10/11 13:27, Sander Jansen wrote:
> After upgrading to the new pacman 4.0, the following system update
> fails due to a lot of untrusted signatures (unknown trust error).
> I'm guessing we need to verify we really trust these signatures. I've
> found this guide regarding validating gpg keys:
> http://www.pps.jussieu.fr/~jch/software/pgp-validating.html. I assume
> this will be a lot similar, except using the pacman-key frontend to do
> the verification.
> So let me step through and see if I understand correctly:
> All the developers' keys seem to be published here:
> http://www.archlinux.org/developers/ and
> http://www.archlinux.org/trustedusers
> So to trust Andrea Scarpino's key I would get the pgp key from the
> above webpage (PGP Key: 0xD30DB0AD) and finger it:
> pacman-key --finger 0xD30DB0AD
> then compare the fingerprint with the one that's linked to his profile:
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0xD30DB0AD
> It seems to match, so there is a good chance it's the real deal, so
> now I can locally sign it:
> pacman-key --lsign-key 0xD30DB0AD
> Correct? The examples in the article also mark the key as trusted.
> Would that be a good idea?
> We have to do this for each and every Arch developer I guess? Is there
> a faster way?

You could do it this way... but yes, it will take a long time.

At the moment I just use "SigLevel = Optional TrustAll" which means 
imported keys are automatically considered as trusted without you having 
to manually verify them.  That is obviously not the best solution, but 
it is an option until Arch gets a proper keyring sorted.
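As an added example (not code from this thread or from pacman itself), the following POSIX shell script automates the per-key check Sander walks through: fetch the key, read its fingerprint from the pacman keyring, compare it with the fingerprint copied from the developer's profile page, and lsign only when the two agree. It assumes pacman-key 4.0's -r, --finger-equivalent gpg call and --lsign-key, the keyring under /etc/pacman.d/gnupg, and gpg on PATH; all fingerprint values used below are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: verify a developer key's fingerprint
# against the one published on the Arch profile page before lsigning it.
# Assumes pacman-key 4.0 (-r to receive, --lsign-key to locally sign),
# the pacman keyring in /etc/pacman.d/gnupg, and gpg available in PATH.
PACMAN_KEYRING=${PACMAN_KEYRING:-/etc/pacman.d/gnupg}

# Canonical form of a fingerprint: no whitespace, no 0x prefix, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF'
}

# Pull the fingerprint out of gpg --with-colons output (fpr record, field 10).
parse_fpr_record() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fingerprint of a key already in the pacman keyring (same data --finger shows).
keyring_fingerprint() {
    gpg --homedir "$PACMAN_KEYRING" --with-colons --fingerprint "$1" 2>/dev/null \
        | parse_fpr_record
}

# Returns 0 if both fingerprints are identical after normalization, 1 otherwise.
# An empty fingerprint never matches, so a failed lookup cannot pass the check.
fingerprints_match() {
    [ -n "$1" ] && [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# verify_and_lsign KEYID EXPECTED_FPR: receive, compare, lsign only on a match.
verify_and_lsign() {
    keyid=$1 expected=$2
    pacman-key -r "$keyid" >/dev/null 2>&1 || { echo "fetch failed: $keyid" >&2; return 1; }
    actual=$(keyring_fingerprint "$keyid")
    if fingerprints_match "$actual" "$expected"; then
        pacman-key --lsign-key "$keyid"
    else
        echo "FINGERPRINT MISMATCH for $keyid: got '$actual', expected '$expected'" >&2
        return 1
    fi
}

# Usage, with the fingerprint copied from the profile page (placeholder here):
#   verify_and_lsign 0xD30DB0AD "<fingerprint from the profile page>"
```

A mismatch leaves the key unsigned in the keyring and exits non-zero, so a loop over a list of "KEYID FINGERPRINT" pairs stops at the first key that does not check out.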


