[arch-general] Pacman makepkg and signatures
myra.nelson at hughes.net
Mon Oct 24 00:55:19 EDT 2011
On Sun, Oct 23, 2011 at 23:24, Allan McRae <allan at archlinux.org> wrote:
> On 24/10/11 14:10, Myra Nelson wrote:
>> Since I don't listen in on irc conversations and haven't picked up on
>> this being discussed on the mailing list, I thought I would go ahead
>> and ask a seemingly dumb question. When building a package from core,
>> extra, or community with makepkg should I locate the signature key for
>> the source tarball and import it into the pacman-key database, or will
>> there be a mechanism for this in the future, or since the same package
>> is used by the devs is it completely unnecessary for me to worry about?
>> Obviously the build completes after issuing the warning about a
>> problem with signature verification and being sure you trust the
>> package so it's not a problem, I'm just trying to stay ahead of the
> pacman-key's gpg database is only for use with pacman.
> I assume you are rebuilding packages using ABS and have run into a case where
> the source files have signatures. These are checked using your user's gpg
> keyring, not the pacman one. If you want to verify the signatures are good,
> then you will need to import the key to your local keyring. Or you could
> trust the developers have checked it and assume the provided checksum is
> enough... Depends how paranoid you are.
I suppose it would count as ABS. I use svn checkout --depth empty then
use svn update to get my package builds etc. Then do the terrible
thing of running trunk builds for my box on my base and core packages
with my makepkg config set to my machine instead of generic.
Occasional breakage but Arch has taught me how to fix it and keep
going without asking too many dumb questions.
As to how paranoid I am, not paranoid enough not to trust the
developers or I wouldn't be using Arch.
Thanks again for your assistance.
Life's fun when you're sick and psychotic!
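As an added example (not part of this thread, and not Arch's own tooling), the script below reproduces the distinction Allan draws: a detached signature on a source tarball is checked against whichever keyring gpg is pointed at, so a key present only in pacman's keyring does not satisfy the check makepkg runs against your user keyring. It uses throwaway keys in temporary homedirs standing in for ~/.gnupg and /etc/pacman.d/gnupg, a constructed tarball, and assumes gpg 2.1 or later for --quick-generate-key.

```shell
#!/bin/sh
# Added example: source-signature verification depends on the keyring gpg uses.
set -e
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
USER_KEYRING="$WORK/user-gnupg"      # stands in for ~/.gnupg (what makepkg uses)
PACMAN_KEYRING="$WORK/pacman-gnupg"  # stands in for /etc/pacman.d/gnupg (pacman-key)
UPSTREAM="$WORK/upstream-gnupg"      # stands in for the upstream developer's keyring
mkdir -m 700 "$USER_KEYRING" "$PACMAN_KEYRING" "$UPSTREAM"

# Upstream developer: create a throwaway signing key and sign the constructed tarball.
gpg --homedir "$UPSTREAM" --batch --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Upstream Dev <dev@example.invalid>' default default never \
    >/dev/null 2>&1
printf 'constructed source tarball contents\n' > "$WORK/foo-1.0.tar.gz"
gpg --homedir "$UPSTREAM" --batch --pinentry-mode loopback --passphrase '' \
    --detach-sign --output "$WORK/foo-1.0.tar.gz.sig" "$WORK/foo-1.0.tar.gz" 2>/dev/null
gpg --homedir "$UPSTREAM" --batch --armor --export > "$WORK/upstream.asc" 2>/dev/null

# verify_with KEYRING: returns 0 if the signature verifies against that keyring.
verify_with() {
    gpg --homedir "$1" --batch --verify "$WORK/foo-1.0.tar.gz.sig" \
        "$WORK/foo-1.0.tar.gz" >/dev/null 2>&1
}

# Importing only into the pacman keyring (what pacman-key --add does) leaves the
# user keyring ignorant of the key, so the makepkg-side check still fails.
gpg --homedir "$PACMAN_KEYRING" --batch --import "$WORK/upstream.asc" 2>/dev/null
verify_with "$PACMAN_KEYRING" && echo "pacman keyring: signature verified"
verify_with "$USER_KEYRING" || echo "user keyring: unknown key, makepkg would warn"

# Importing into the user's keyring is what makes the source signature check pass.
gpg --homedir "$USER_KEYRING" --batch --import "$WORK/upstream.asc" 2>/dev/null
verify_with "$USER_KEYRING" && echo "user keyring: signature verified"
```

The final verification succeeds even though the imported key has no trust assigned in the user keyring; gpg reports the signature as good but the key as untrusted, which is the warning-but-continue behaviour described above.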