[pacman-dev] [arch-general] Package signing
aleksis.jauntevs at gmail.com
Fri May 7 14:28:39 CEST 2010
On Friday 07 May 2010 04:10:44 Denis A. Altoé Falqueto wrote:
> On Thu, May 6, 2010 at 12:57 AM, Denis A. Altoé Falqueto
> <denisfalqueto at gmail.com> wrote:
> > I will test more use cases (like signing a third party key and
> > importing it in pacman's keyring to see if gpg will compute the right
> > trust level).
> This pastebin is the current development for pacman-key. Still needs
> some more testing.
I did some very basic testing and it looks like it is working ok.
Still thinking further - if the signatures are updated with the pacman-keyring
package, what if a user doesn't update often and skips one or more versions of
this package? Does this mean that the user will still have some unremoved
signatures in his pacman keyring? Correct me if I understand this wrong.
And another question: if some developer's key becomes invalid, how to deal with
all packages in the repos signed with this signature?