[arch-general] maintainer keyring (Re: [arch-dev-public] Pacman 4.0.0 RC1 "release")

Gaetan Bisson bisson at archlinux.org
Wed Sep 14 20:14:59 EDT 2011


[2011-09-14 23:16:53 +0200] clemens fischer:
> Could the devs' and package maintainers' keys be put into a (signed)
> keyring, please?  Much easier to handle than downloading and "gpg
> --import"ing them one by one.

Pacman devs will correct me if I am wrong but pacman and/or pacman-key
will eventually automatically download and add to the keyring missing
keys that have signed packages which you are trying to install. (It
does not mean they will be trusted by default.)

In the meantime, I wrote this little script. (Do not run it blindly.)

#!/bin/bash
# Fetch all keys that have signed packages in the repos and put them in
# some temporary keyring.

homedir=/var/tmp/keyring/

# Keep gpg's options in an array so the command survives word splitting
# intact; "${gpg[@]}" expands to the command plus its arguments.
gpg=(gpg
	--no-permission-warning
	--keyserver hkp://pgp.mit.edu
	--homedir "${homedir}"
)

mkdir -p "${homedir}"
chmod 700 "${homedir}"

# Each sync db is a tar archive; every package's desc file carries a
# %PGPSIG% line followed by the base64-encoded detached signature.
for i in /var/lib/pacman/sync/*.db; do
	tar xf "$i" -O
done \
| awk '/%PGPSIG%/ {getline; print}' \
| while read -r i; do
	# Verifying against /dev/null is expected to fail; the point is that
	# gpg names the signing key on the way, as "key ID XXXX" (older
	# versions) or "key XXXX" (newer ones). Keep only that value.
	echo "${i}" \
	| base64 -d \
	| "${gpg[@]}" --verify - /dev/null 2>&1 \
	| sed 's/.*using [A-Z]* key \(ID \)\{0,1\}//;t;d'
done \
| sort -u \
| while read -r x; do
	# </dev/null keeps gpg from reading the loop's own stdin.
	"${gpg[@]}" --recv-keys "${x}" </dev/null
done

# That keyring can now be fed to pacman-key.

# In addition, if you want to trust everybody (ownertrust 6 = ultimate)...

# --with-colons is gpg's machine-readable listing: the "fpr" record that
# follows each "pub" record holds the primary key fingerprint in field 10.
"${gpg[@]}" --with-colons --fingerprint \
| awk -F: '/^pub:/ {want=1; next} want && /^fpr:/ {print $10 ":6:"; want=0}' \
| "${gpg[@]}" --import-ownertrust

-- 
Gaetan
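What the pipeline in the post is actually digging out of the sync databases, as an added Python example that is not part of the original post: it takes the base64 blob after each %PGPSIG% line of a desc file and reads the issuer key ID straight from the signature packet's subpackets, so you can list which keys signed a repo's packages before importing anything. It assumes the old-format packet header gpg emits for signatures and a v4 signature; the desc fragment and signature bytes in SAMPLE_DESC are constructed for the example, not taken from a real database.

```python
import base64, re

ISSUER, ISSUER_FPR = 16, 33  # OpenPGP signature subpacket types (RFC 4880 / 4880bis)

def pgpsigs_from_desc(desc):
    """Return the base64 signature that follows each %PGPSIG% line of a desc file."""
    return re.findall(r"^%PGPSIG%\n(\S+)", desc, re.M)

def _varlen(buf, pos):
    """Decode an OpenPGP subpacket length field; returns (length, next_pos)."""
    b0 = buf[pos]
    if b0 < 192:
        return b0, pos + 1
    if b0 < 255:
        return ((b0 - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5

def _sig_body(pkt):
    """Strip the old-format packet header gpg uses for signatures (tag 2 in bits 2-5)."""
    hdr = pkt[0]
    if hdr & 0xC0 != 0x80 or (hdr >> 2) & 0x0F != 2 or hdr & 3 == 3:
        raise ValueError("not an old-format signature packet with a definite length")
    width = (1, 2, 4)[hdr & 3]                         # size of the length field
    return pkt[1 + width:1 + width + int.from_bytes(pkt[1:1 + width], "big")]

def issuer_key_id(sig_b64):
    """Return the 16-hex-digit issuer key ID of a v4 signature, or None if absent."""
    body = _sig_body(base64.b64decode(sig_b64))
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    pos, found = 4, None                               # skip version, sig type, pk alg, hash alg
    for _ in range(2):                                 # hashed area, then unhashed area
        pos, end = pos + 2, pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        while pos < end:
            n, pos = _varlen(body, pos)
            kind, data = body[pos] & 0x7F, body[pos + 1:pos + n]
            pos += n
            if kind == ISSUER:
                found = data.hex().upper()
            elif kind == ISSUER_FPR and found is None and data[0] == 4:
                found = data[1:].hex().upper()[-16:]   # v4 key ID = low 64 bits of fingerprint
        pos = end
    return found

# Constructed sample (not real data): a v4 signature skeleton with issuer-fingerprint and
# issuer subpackets and a dummy MPI, in an old-format header, inside a desc-style fragment.
_KEYID = bytes.fromhex("0A1B2C3D4E5F6071")
_BODY = (b"\x04\x00\x01\x08\x00\x17\x16\x21\x04" + b"\x00" * 12 + _KEYID
         + b"\x00\x0a\x09\x10" + _KEYID + b"\x12\x34\x00\x08\xff")
SAMPLE_DESC = "%NAME%\npacman\n\n%PGPSIG%\n" + base64.b64encode(
    b"\x89" + len(_BODY).to_bytes(2, "big") + _BODY).decode() + "\n"
```

To run it over a real repo, extract each desc file from the sync db with `tar xf ... -O` as the script does (or with Python's tarfile module) and pass its text to pgpsigs_from_desc.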