[arch-general] pacman 4.0.0 signing
s.jansen at gmail.com
Fri Oct 14 00:12:12 EDT 2011
On Thu, Oct 13, 2011 at 10:41 PM, Allan McRae <allan at archlinux.org> wrote:
> On 14/10/11 13:27, Sander Jansen wrote:
>> After upgrading to the new pacman 4.0, the system update following
>> fails due to a lot of untrusted signatures (unknown trust error).
>> I'm guessing we need to verify we really trust these signatures. I've
>> found this guide regarding validating gpg keys:
>> http://www.pps.jussieu.fr/~jch/software/pgp-validating.html. I assume
>> this will be a lot similar, except using the pacman-key frontend to do
>> the verification.
>> So let me step through and see if I understand correctly:
>> All the developers keys seem to be published here:
>> http://www.archlinux.org/developers/ and
>> So to trust Andrea Scarpino's key I would get the pgp key from the
>> above webpage (PGP Key: 0xD30DB0AD) and finger it:
>> pacman-key --finger 0xD30DB0AD
>> then compare the fingerprint with the one that's linked to his profile:
>> It seems to match, so there is a good chance it's the real deal, so
>> now I can locally sign it:
>> pacman-key --lsign-key 0xD30DB0AD
>> Correct? In its examples, the article also marks the key as trusted.
>> Would that be a good idea?
>> We have to do this for each and every Arch developer I guess? Is there
>> a faster way?
> You could do it this way... but yes, it will take a long time.
> At the moment I just use "SigLevel = Optional TrustAll" which means imported
> keys are automatically considered as trusted without you having to manually
> verify them. That is obviously not the best solution, but it is an option
> until Arch gets a proper keyring sorted.
Ah ok. Just read your blog as well