[arch-general] pacman 4.0.0 signing

Sander Jansen s.jansen at gmail.com
Fri Oct 14 00:12:12 EDT 2011


On Thu, Oct 13, 2011 at 10:41 PM, Allan McRae <allan at archlinux.org> wrote:
> On 14/10/11 13:27, Sander Jansen wrote:
>>
>> After upgrading to the new pacman 4.0, the system update following
>> fails due to a lot of untrusted signatures (unknown trust error).
>>
>> I'm guessing we need to verify we really trust these signatures. I've
>> found this guide regarding validating gpg keys:
>> http://www.pps.jussieu.fr/~jch/software/pgp-validating.html. I assume
>> this will be a lot similar, except using the pacman-key frontend to do
>> the verification.
>>
>> So let me step through and see if I understand correctly:
>>
>> All the developers' keys seem to be published here:
>> http://www.archlinux.org/developers/ and
>> http://www.archlinux.org/trustedusers
>>
>> So to trust Andrea Scarpino's key I would get the pgp key from the
>> above webpage (PGP Key: 0xD30DB0AD) and finger it:
>>
>> pacman-key --finger 0xD30DB0AD
>>
>> then compare the fingerprint with the one that's linked to his profile:
>>
>>
>> http://pgp.mit.edu:11371/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0xD30DB0AD
>>
>> It seems to match, so there is a good chance it's the real deal, so
>> now I can locally sign it:
>>
>> pacman-key --lsign-key 0xD30DB0AD
>>
>> Correct? The examples in the article also mark the key as trusted.
>> Would that be a good idea?
>>
>> We have to do this for each and every Arch developer I guess? Is there
>> a faster way?
>>
>
>
> You could do it this way... but yes, it will take a long time.
>
> At the moment I just use "SigLevel = Optional TrustAll" which means imported
> keys are automatically considered as trusted without you having to manually
> verify them.  That is obviously not the best solution, but it is an option
> until Arch gets a proper keyring sorted.
>
> Allan
>

Ah ok. Just read your blog as well
(http://allanmcrae.com/2011/08/pacman-package-signing-3-pacman)

Thanks,

Sander
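
The fingerprint comparison described in the thread, written as a scripted check that must pass before a key is locally signed. This is an added example, not part of the original messages and not pacman's own code. The function names, the assumed "Key fingerprint = ..." listing format and the sample key (ID, name and fingerprint) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): gate "pacman-key --lsign-key" on a
# full-fingerprint match instead of an eyeball comparison.

# Constructed sample in the style of gpg fingerprint output; key ID, name and
# fingerprint are made up for this example.
SAMPLE_FINGER_OUTPUT='pub   2048R/DEADBEEF 2011-01-01
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF DEAD BEEF
uid                  Example Packager <packager@example.org>'

# Keep only hex digits, upper-cased (the caller strips any "0x" prefix).
normalize_hex() {
    printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

# Read gpg-style text on stdin; print each full 40-hex-digit fingerprint found.
extract_fprs() {
    sed 's/.*Key fingerprint = *//' | tr -d ' \t' | tr 'a-f' 'A-F' |
        grep -E '^[0-9A-F]{40}$'
}

# check_key KEYID REFERENCE_FPR   (local fingerprint listing on stdin)
# Succeeds only when exactly one key is listed, its fingerprint equals the
# reference obtained from a separate source, and KEYID is its suffix.
check_key() {
    id=$(normalize_hex "${1#0x}")
    ref=$(normalize_hex "$2")
    [ "${#id}" -ge 8 ] || { echo "key ID too short" >&2; return 1; }
    [ "${#ref}" -eq 40 ] ||
        { echo "reference is not a full fingerprint" >&2; return 1; }
    got=$(extract_fprs) || { echo "no fingerprint in input" >&2; return 1; }
    # A 32-bit key ID can match several keys; refuse to guess between them.
    [ "$(printf '%s\n' "$got" | grep -c .)" -eq 1 ] ||
        { echo "more than one key matches the ID" >&2; return 1; }
    [ "$got" = "$ref" ] || { echo "fingerprint mismatch" >&2; return 1; }
    case "$got" in
        *"$id") return 0 ;;
        *) echo "key ID is not the tail of the fingerprint" >&2; return 1 ;;
    esac
}

# Intended use on a real system (not executed here):
#   pacman-key --finger 0xKEYID | check_key 0xKEYID "$REFERENCE" &&
#       pacman-key --lsign-key 0xKEYID
```

The check is only as strong as the channel the reference fingerprint came from; a reference fetched from the same keyserver as the key itself adds nothing.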