[pacman-dev] [Package Signing] [repo-add] Check signature used to verify is not only good but is also in a list of accepted keys
Allan McRae
allan at archlinux.org
Thu Feb 3 21:10:23 EST 2011
On 04/02/11 11:41, Denis A. Altoé Falqueto wrote:
> Hi, Allan and friends :)
>
> I'm working on the items of the todo list [1] for package signing and
> have a question with the item of the subject of this email.
>
> Basically, what should be the list of accepted keys? The keys in
> pacman's keyring? Probably yes, isn't it? So the signature is made
> with a key from user's keyring (be it the default or one passed as
> parameter) and the verifying should be made with pacman's keyring?
>
> Just asking to be sure.
>
> [1] https://wiki.archlinux.org/index.php/User:Allan/Package_Signing
>
Essentially I am not so sure myself!
This TODO came from a note in the "repo-add: add -v/--verify option"
commit message. But in the end, I would think the pacman keyring
should be used for verification here as separation from the user's
keyring is probably preferable.
Allan
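
The check discussed in this thread, as an added example that is not part of the original message or of repo-add itself: it accepts a signature only when GnuPG's `--status-fd` output reports it valid and the signer's primary key fingerprint is on an accepted list. The fingerprints, status lines and the `KEYRING_DIR` variable are constructed or assumed for illustration.

```sh
#!/bin/sh
# Added example (not pacman code): accept a signature only if gpg reports it
# valid AND the signing key's primary fingerprint is on an accepted list.
# Status text would come from a run against the dedicated keyring, e.g.
#   gpg --homedir "$KEYRING_DIR" --status-fd 1 --verify pkg.sig pkg 2>/dev/null
# where KEYRING_DIR is an assumed path to the pacman keyring.

# Read --status-fd lines on stdin; print the primary key fingerprint of a
# valid signature. Fail on any bad/expired/revoked status or if none is valid.
sig_fingerprint() {
    fpr=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPSIG "*) return 1 ;;
            "[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*) return 1 ;;
            "[GNUPG:] VALIDSIG "*)
                set -f; set -- $line; set +f
                # $3 = signing (sub)key fingerprint, $12 = primary key fingerprint
                fpr="${12:-$3}" ;;
        esac
    done
    [ -n "$fpr" ] && printf '%s\n' "$fpr"
}

# key_accepted FPR LIST: LIST is newline-separated fingerprints, '#' comments ok.
key_accepted() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$2" | grep -v '^#' | grep -qixF -- "$1"
}

# signature_accepted LIST < status-output: both conditions together.
signature_accepted() {
    fp=$(sig_fingerprint) || return 1
    key_accepted "$fp" "$1"
}

# Constructed sample: a signature made by a subkey of primary key AAAA...3333.
SAMPLE_STATUS='[GNUPG:] GOODSIG 7777888899990000 Constructed Packager <packager@example.org>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2011-02-04 1296785423 0 4 0 1 2 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333'
ACCEPTED='# constructed accepted-key list
AAAABBBBCCCCDDDDEEEEFFFF0000111122223333'

if printf '%s\n' "$SAMPLE_STATUS" | signature_accepted "$ACCEPTED"; then
    echo "signature accepted"
else
    echo "signature rejected"
fi
```

Matching on the full fingerprint from VALIDSIG, rather than the short key ID in GOODSIG, is what ties the decision to a specific accepted key.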