[pacman-dev] (Locally) signing a key with pacman-key?

Allan McRae allan at archlinux.org
Wed Nov 24 06:10:08 CET 2010


Hi,

While playing around with package/database signing, I noticed that I 
could only validate my packages if I imported my key with pacman-key and 
then gave it "ultimate" trust.  Setting "high" trust allows the signing 
to be verified but with an unknown trust level.  So it seems to me that 
we always need (at least) one key with ultimate trust in our pacman 
keyring.  I am still confirming my understanding of this on the gpg 
mailing list so feel free to correct me if I am completely wrong!


So, the procedure for someone to use a signed repo would be either:

1) Import the key for a signed repo (which may be used to sign other 
keys for that repo) and give it "ultimate" trust.  While giving ultimate 
trust to a key that is not yours may be a bit strange, it is only 
ultimate trust as far as the pacman keyring goes so may be acceptable...

2) Have your personal key in the pacman keyring with "ultimate" trust. 
Import the key for the signed repo and locally sign it with your key. 
If that key is a "master key" that signs other keys used in the signed 
repo, then we need to give it a trust level (probably full...).


I think both methods have their pros and cons.  It should be up to the 
user to decide which they use.

The second method has the advantage that you have to explicitly give the 
key a trust level so importing a key for a repo does not allow that key 
to be used to install a package adding a bunch of new keys which have 
been signed by it.  It has the disadvantage that you would have to 
import your secret key into pacman's keyring...

If people think the second method is reasonable, it would be good to add 
an option to pacman-key to allow signing (locally only) of keys.

Discuss!
Allan
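As an added illustration of both procedures from the mail (not code from the post or from pacman), the script below reproduces them with plain gpg in throwaway keyrings: a repo key is imported, its signature verifies but the key's validity is unknown; a local signature from an ultimately trusted personal key (method 2) makes it fully valid; ultimate ownertrust on the repo key itself (method 1) makes it ultimately valid. It assumes GnuPG 2.1 or later; the key names, addresses and "database" file are constructed.

```shell
#!/bin/sh
# Added example, not from the original mail. Two throwaway GnuPG homes stand in
# for pacman's keyring and for a repo maintainer's keyring (constructed setup).
set -eu

gpg_q() { gpg --batch --no-tty --quiet --pinentry-mode loopback --passphrase '' "$@"; }

PACMAN_HOME=$(mktemp -d)   # stand-in for pacman's keyring directory
REPO_HOME=$(mktemp -d)     # the repo maintainer's own keyring
chmod 700 "$PACMAN_HOME" "$REPO_HOME"
DB=$(mktemp)               # stand-in for a repo database file

fpr_of() {  # fingerprint of the key matching a user id, in $GNUPGHOME
  gpg_q --with-colons --list-keys "$1" | awk -F: '/^fpr/ { print $10; exit }'
}
key_validity() {  # pub-record validity letter: - unknown, f full, u ultimate
  gpg_q --with-colons --list-keys "$1" | awk -F: '/^pub/ { print $2; exit }'
}
verify_trust() {  # TRUST_* token gpg reports when verifying the detached signature
  gpg_q --status-fd 1 --verify "$DB.sig" "$DB" 2>/dev/null \
    | awk '/^\[GNUPG:\] TRUST_/ { print $2; exit }'
}

# Repo side: create the repo key, sign the "database", export the public key.
export GNUPGHOME="$REPO_HOME"
gpg_q --quick-gen-key "Repo Key (constructed) <repo@example.invalid>" default default never 2>/dev/null
REPO_FPR=$(fpr_of repo@example.invalid)
echo "constructed database contents" > "$DB"
gpg_q --detach-sign --output "$DB.sig" "$DB"
gpg_q --export --armor "$REPO_FPR" > "$REPO_HOME/repo.asc"

# User side: a key generated in the pacman keyring gets ultimate trust by itself.
export GNUPGHOME="$PACMAN_HOME"
gpg_q --quick-gen-key "Local User (constructed) <user@example.invalid>" default default never 2>/dev/null
gpg_q --import "$REPO_HOME/repo.asc" 2>/dev/null
TRUST_AFTER_IMPORT=$(verify_trust)      # good signature, but key validity unknown

# Method 2 from the mail: locally sign the repo key with the ultimately trusted key.
gpg_q --quick-lsign-key "$REPO_FPR"
gpg_q --check-trustdb 2>/dev/null
VALIDITY_AFTER_LSIGN=$(key_validity "$REPO_FPR")
TRUST_AFTER_LSIGN=$(verify_trust)

# Method 1 from the mail: give the repo key ultimate ownertrust directly (6 = ultimate).
echo "$REPO_FPR:6:" | gpg_q --import-ownertrust 2>/dev/null
gpg_q --check-trustdb 2>/dev/null
VALIDITY_AFTER_ULTIMATE=$(key_validity "$REPO_FPR")

echo "import: $TRUST_AFTER_IMPORT, lsign: $VALIDITY_AFTER_LSIGN/$TRUST_AFTER_LSIGN, ultimate: $VALIDITY_AFTER_ULTIMATE"
gpgconf --kill gpg-agent || true; GNUPGHOME="$REPO_HOME" gpgconf --kill gpg-agent || true
rm -rf "$PACMAN_HOME" "$REPO_HOME" "$DB" "$DB.sig"
```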

