[pacman-dev] [Package Signing] [repo-add] Check signature used to verify is not only good but is also in a list of accepted keys

Allan McRae allan at archlinux.org
Thu Feb 3 21:10:23 EST 2011

On 04/02/11 11:41, Denis A. Altoé Falqueto wrote:
> Hi, Allan and friends :)
> I'm working on the items of the todo list [1] for package signing and
> have a question with the item of the subject of this email.
> Basically, what should be the list of accepted keys? The keys in
> pacman's keyring? Probably yes, isn't it? So the signature is made
> with a key from user's keyring (be it the default or one passed as
> parameter) and the verifying should be made with pacman's keyring?
> Just asking to be sure.
> [1] https://wiki.archlinux.org/index.php/User:Allan/Package_Signing

Essentially I am not so sure myself!

This TODO came from a note in the "repo-add: add -v/--verify option"
commit message. But in the end, I would think the pacman keyring
should be used for verification here as separation from the user's
keyring is probably preferable.
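
The check named in the subject line, as an added example that is not part of the original message or of repo-add: it reads GnuPG's machine-readable status output and accepts a signature only when it is good and its primary key fingerprint is on an accepted list. The accepted-keys file format (one fingerprint per line), the function names, the `$PACMAN_KEYRING_DIR` variable and the sample fingerprints are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not repo-add's code. Intended use (assumption):
#   gpg --homedir "$PACMAN_KEYRING_DIR" --status-fd 1 --verify repo.db.sig repo.db \
#       2>/dev/null | sig_is_accepted accepted-keys.txt
# Pointing --homedir at a separate keyring keeps verification independent of
# the keyring of the user who created the signature.

# stdin: gpg --status-fd output
# $1:    file with one accepted primary-key fingerprint per line (hypothetical format)
# Returns 0 only if the signature is good AND made by an accepted key.
sig_is_accepted() {
    accepted_file=$1
    fpr=$(awk '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        # VALIDSIG: field 3 is the signing (sub)key fingerprint,
        # field 12 (when present) is the primary key fingerprint.
        $2 == "VALIDSIG" { valid++; fpr = (NF >= 12 ? $12 : $3) }
        # Any of these means the signature must not be trusted.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # Require exactly one good signature so that extra signatures
        # cannot smuggle in a different fingerprint.
        END { if (good == 1 && valid == 1 && !bad) print fpr }
    ')
    [ -n "$fpr" ] || return 1
    # Whole-line, fixed-string, case-insensitive match against the list.
    grep -qixF -- "$fpr" "$accepted_file"
}

# Constructed sample data: not a real key and not output captured from gpg.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 0123456789ABCDEF0123456789ABCDEF01234567 > "$dir/accepted"
    status='[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Packager <pkg@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-02-03 1296785423 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
    if printf '%s\n' "$status" | sig_is_accepted "$dir/accepted"; then
        echo accepted
    else
        echo rejected
    fi
    rm -rf "$dir"
}
demo
```

A signature that verifies as good but whose fingerprint is missing from the list is rejected, which is the difference between "good" and "good and accepted" that the TODO item describes.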

