[pacman-dev] [PATCH] (newgpg) Let pacman specify GnuPG's home directory.

Chris Brannon cmbrannon at cox.net
Mon Dec 15 14:50:49 EST 2008


Gerhard Brauer <gerbra at archlinux.de> writes:

> Seems to work here in test environment.
> I copied root's pubring and trustdb to /etc/pacman.d/gnupg/
> The package itself isn't checked (.sig file or signature), but that was
> not the reason of your patch.

If the signing key is not found in your public keyring, then pacman
will install the package without checking the signature.  OTOH, if the
signing key is available but not trusted and valid, pacman will refuse
to install the signed package.  Try removing trustdb from the gpg
directory, while leaving pubring intact.  You'll see what I mean.
To summarize, it checks the signature if the key is found in pubring.

I think pacman should at least complain if the signing key is not found
in the public keyring.  Thoughts?

-- Chris
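
The decision discussed in this message, as an added example that is not part of the original post and is not pacman's code: it classifies `gpg --status-fd` lines into the missing-key, untrusted-key and trusted-key cases, then compares the behaviour described above with a stricter policy that refuses when the key is missing. The function names, the `strict` switch, the key ID and the sample status lines are constructed for illustration; treating any unrecognised state as a refusal is an assumption.

```python
# Added illustration, not pacman's code. Status keywords are GnuPG's own;
# the sample lines below are constructed.
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}
BAD = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

MISSING_KEY = (
    "[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1229370649 9\n"
    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"
)
UNTRUSTED_KEY = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Packager <pkg@example.org>\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)
TRUSTED_KEY = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Packager <pkg@example.org>\n"
    "[GNUPG:] TRUST_FULLY\n"
)

def classify(status_text):
    """Return 'missing_key', 'bad', 'trusted', 'untrusted' or 'unknown'."""
    words = set()
    for line in status_text.splitlines():
        parts = line.split()
        # Only lines carrying the machine-readable prefix count.
        if len(parts) > 1 and parts[0] == "[GNUPG:]":
            words.add(parts[1])
    if "NO_PUBKEY" in words:
        return "missing_key"
    if words & BAD:
        return "bad"
    if "GOODSIG" in words:
        # A good signature from a key without full validity is untrusted.
        return "trusted" if words & TRUSTED else "untrusted"
    return "unknown"

def decide(status_text, strict):
    """strict=False mirrors the behaviour described in the message
    (missing key: install without checking); strict=True refuses."""
    state = classify(status_text)
    if state == "trusted":
        return "install"
    if state == "missing_key" and not strict:
        return "install-unchecked"
    # Untrusted, bad, unknown, or missing key under the strict policy.
    return "refuse"
```
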

