[pacman-dev] (Locally) signing a key with pacman-key?

Allan McRae allan at archlinux.org
Wed Nov 24 23:55:16 CET 2010


On 25/11/10 02:31, Denis A. Altoé Falqueto wrote:
> On Wed, Nov 24, 2010 at 1:58 PM, Allan McRae <allan at archlinux.org> wrote:

>> However, if you are using an external repo maintained by one person, you
>> probably do not want to give that person's key any rights to sign other keys.
>> So I would not want to give that key ultimate trust.  However, locally
>> signing the key would allow me to accept the packages from that repo as
>> validly signed.
>
> Agreed. A special key pair just for the purpose of trusting is very
> appropriate, especially with third party repositories. I'll update the
> wiki page with that advice.

I would add it as an option to the wiki rather than a complete replacement.
Doing that is probably overkill for people who will just use the Arch
repos, in which case setting one of the "Arch master" keys to ultimate
trust would be fine.

>>>> If people think the second method is reasonable, it would be good to add
>>>> an option to pacman-key to allow signing (locally only) of keys.
>>>
>>> In fact, it already has. It is the --trust option.
>>
>> Ah... of course (and the --adv option is always there...). Maybe we
>> should rename the --trust option to --edit-key to keep in line with what GPG
>> is really doing there and to make it clear you can set more than just trust.
>> Also, it always seemed weird to me that I was setting --trust and then had
>> to type "trust" again at the prompt to do it.
>
> Yeah, I can change that. I really suck at naming things :)

Cool.  That is the sort of thing you do not really notice until the 
script is given a really good use.  Overall I am finding it very useful 
in managing my pacman keyring.

Allan
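
The difference discussed in this thread, ultimate trust on a key versus a local-only signature on it, can be read back from a keyring's `gpg --list-sigs --with-colons` listing. The following is an added example, not part of the original message and not pacman-key code; the sample listing, the key IDs and the `classify_keys` helper are constructed for illustration.

```python
# Constructed sample of `gpg --list-sigs --with-colons` output.
# pub records: field 2 = validity, field 5 = key ID, field 9 = ownertrust.
# sig records: field 5 = signer key ID, field 11 = class + 'l' (local) or 'x'.
SAMPLE = """\
pub:u:2048:1:1111111111111111:1290000000:::u:::scESC:
uid:u::::1290000000::::Local keyring master (constructed):
sig:::1:1111111111111111:1290000000::::Local keyring master (constructed):13x:
pub:f:2048:1:2222222222222222:1290000000:::-:::scESC:
uid:f::::1290000000::::Third-party repo A (constructed):
sig:::1:2222222222222222:1290000000::::Third-party repo A (constructed):13x:
sig:::1:1111111111111111:1290000000::::Local keyring master (constructed):10l:
pub:u:2048:1:3333333333333333:1290000000:::u:::scESC:
uid:u::::1290000000::::Third-party repo B (constructed):
sig:::1:3333333333333333:1290000000::::Third-party repo B (constructed):13x:
pub:-:2048:1:4444444444444444:1290000000:::-:::scESC:
uid:-::::1290000000::::Third-party repo C (constructed):
sig:::1:4444444444444444:1290000000::::Third-party repo C (constructed):13x:
"""
MASTER = "1111111111111111"  # the local key pair used only for signing (assumed)


def classify_keys(listing, master_id):
    """Return {key_id: status} for every key except the local master key."""
    keys, cur = [], None
    for line in listing.splitlines():
        f = line.split(":") + [""] * 12      # pad so short records index safely
        if f[0] == "pub":
            cur = {"id": f[4], "validity": f[1], "ownertrust": f[8], "local": set()}
            keys.append(cur)
        elif cur and f[0] == "sig" and f[10].endswith("l"):
            cur["local"].add(f[4])           # signer of a local-only signature
    result = {}
    for k in keys:
        if k["id"] == master_id:
            continue
        if k["ownertrust"] == "u":
            # Ultimate ownertrust: this key's signatures validate other keys.
            result[k["id"]] = "ultimate-ownertrust"
        elif k["validity"] in ("f", "u") and master_id in k["local"]:
            # Valid only because the local master signed it; no signing rights.
            result[k["id"]] = "locally-signed"
        elif k["validity"] in ("f", "u"):
            result[k["id"]] = "valid-other-path"
        else:
            result[k["id"]] = "not-valid"
    return result


if __name__ == "__main__":
    for key_id, status in classify_keys(SAMPLE, MASTER).items():
        print(key_id, status)
```

In the sample, repo A is accepted through a local signature alone, while repo B has been given ultimate trust and would therefore also validate any key it signs.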





