[pacman-dev] [arch-general] Package signing

Aleksis Jauntēvs aleksis.jauntevs at gmail.com
Fri May 7 14:28:39 CEST 2010

On Friday 07 May 2010 04:10:44 Denis A. Altoé Falqueto wrote:
> On Thu, May 6, 2010 at 12:57 AM, Denis A. Altoé Falqueto
> <denisfalqueto at gmail.com> wrote:
> > I will test more use cases (like signing a third party key and
> > importing it in pacman's keyring to see if gpg will compute the right
> > trust level).
> This pastebin is the current development for pacman-key. Still needs
> some more testing.
> http://pastebin.com/JcAevBjL

I did some very basic testing and it looks like it is working ok. 

Still thinking further - if the signatures are updated with pacman-keyring 
package, what if user doesn't update often and skips one or more versions of 
this package? Does this means that user still will have some unremoved 
signatures in his pacman keyring? Correct me if I understand this wrong. 

And other question, if some developers key becomes invalid, how to deal with 
all packages in the repos signed with this signature?

Aleksis Jauntēvs

More information about the pacman-dev mailing list