[pacman-dev] pacman-key imports and key trust levels

Ray Kohler ataraxia937 at gmail.com
Fri Mar 25 23:40:50 EDT 2011


So, after a couple of days of messing around (and fixing random things
here and there), I was able to go end-to-end, verifying a signed repo
DB, and then installing a signed package from that repo. Very nice!

I ended up testing out the failure case on verifying signatures a bit
more than I wanted, though, as something surprised me: When
importing keys with pacman-key, the keys themselves are imported
fine, but they are not marked as sufficiently trusted that the
signatures are worth anything.

I just imported my "real" GPG pubring (which has nothing in it but my
own key) with "pacman-key -a ~/.gnupg/pubring.gpg", and used that same
key to sign a package and add that package to a signed repo. GPGme
returns "unknown key" when asked to verify these sigs, so pacman
flunks them as "invalid signature". After editing the trustdb to mark
this key as "ultimate" (hey, it's my own key after all), everything
worked.

So, my question is, where does the fault lie? Did I make some wrong
assumption? Should pacman-key set high levels of trust on keys it
imports? Should alpm configure GPGme with trust-level=always?

While I'm talking about signing stuff - I noticed an open question on
what to do with the downloaded DB if sig verification fails. I suggest
it be deleted, and the sig be deleted also. These are generally small
files, and it feels really wrong to keep a file "live" on my disk
which has been declared untrustworthy.
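An added illustration of the distinction Ray ran into, not code from the post or from pacman: gpg reports whether a signature is cryptographically good (GOODSIG/VALIDSIG) separately from how far the signing key is trusted (TRUST_UNDEFINED for a key that was only imported, TRUST_ULTIMATE after the trustdb edit). The parser below classifies constructed `--status-fd` transcripts with placeholder key ids; treating only full or ultimate validity as acceptable is an assumed policy, not pacman's actual one.

```python
import re

# Validity levels gpg reports for the signing key. Only the top two mean the key
# has been vouched for (ownertrust or a local signature), not merely imported.
TRUST_LEVELS = ("TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
                "TRUST_FULLY", "TRUST_ULTIMATE")
ACCEPTED_TRUST = ("TRUST_FULLY", "TRUST_ULTIMATE")  # assumed threshold

def parse_status(transcript):
    """Pull the verification keywords out of '[GNUPG:] ...' status lines."""
    info = {"goodsig": False, "badsig": False, "no_pubkey": False,
            "trust": None, "keyid": None}
    for line in transcript.splitlines():
        m = re.match(r"\[GNUPG:\]\s+(\S+)(?:\s+(\S+))?", line)
        if not m:
            continue
        keyword, arg = m.group(1), m.group(2)
        if keyword in ("GOODSIG", "BADSIG", "ERRSIG", "NO_PUBKEY"):
            info["keyid"] = arg            # first argument is the long key id
        if keyword == "GOODSIG":
            info["goodsig"] = True
        elif keyword == "BADSIG":
            info["badsig"] = True
        elif keyword == "NO_PUBKEY":
            info["no_pubkey"] = True
        elif keyword in TRUST_LEVELS:
            info["trust"] = keyword
    return info

def verdict(transcript):
    """Map a transcript to the decision a package manager has to make."""
    info = parse_status(transcript)
    if info["no_pubkey"]:
        return "missing-key"          # key never imported: nothing to check
    if info["badsig"] or not info["goodsig"]:
        return "bad-signature"        # the cryptographic check itself failed
    if info["trust"] not in ACCEPTED_TRUST:
        return "untrusted-key"        # good signature, but key only imported
    return "ok"

# Constructed sample transcripts (placeholder key id / fingerprint, not real).
KEYID, FPR = "0123456789ABCDEF", "0" * 24 + "0123456789ABCDEF"
VALID = (f"[GNUPG:] GOODSIG {KEYID} Example Packager <packager@example.org>\n"
         f"[GNUPG:] VALIDSIG {FPR} 2011-03-25 1301091650 0 4 0 1 10 00 {FPR}\n")
IMPORTED_ONLY = VALID + "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"  # key imported, no trust
TRUSTED = VALID + "[GNUPG:] TRUST_ULTIMATE 0 pgp\n"         # after the trustdb edit
NO_KEY = f"[GNUPG:] ERRSIG {KEYID} 1 10 00 1301091650 9\n[GNUPG:] NO_PUBKEY {KEYID}\n"
BAD = f"[GNUPG:] BADSIG {KEYID} Example Packager <packager@example.org>\n"
```

Running `verdict(IMPORTED_ONLY)` yields "untrusted-key", which is the state Ray describes: the signature itself checks out, but the key carries no trust.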
