[pacman-dev] pacman-key imports and key trust levels

Allan McRae allan at archlinux.org
Sat Mar 26 00:08:36 EDT 2011


On 26/03/11 13:40, Ray Kohler wrote:
> So, after a couple of days of messing around (and fixing random things
> here and there), I was able to go end-to-end, verifying a signed repo
> DB, and then installing a signed package from that repo. Very nice!
>
> I ended up testing out the failure case on verifying signatures a bit
> more than I wanted, though, as something surprised me: When
> importing keys with pacman-key, the keys themselves are imported
> fine, but they are not marked as sufficiently trusted that the
> signatures are worth anything.
>
> I just imported my "real" GPG pubring (which has nothing in it but my
> own key) with "pacman-key -a ~/.gnupg/pubring.gpg", and used that same
> key to sign a package and add that package to a signed repo. GPGme
> returns "unknown key" when asked to verify these sigs, so pacman
> flunks them as "invalid signature". After editing the trustdb to mark
> this key as "ultimate" (hey, it's my own key after all), everything
> worked.
>
> So, my question is, where does the fault lie? Did I make some wrong
> assumption? Should pacman-key set high levels of trust on keys it
> imports? Should alpm configure GPGme with trust-level=always?

I posted on the gpgme list trying to clarify what was needed for a 
signature to be validated.  Essentially one key with ultimate trust is 
needed in a gpg keyring.  So, the options are:

1) the user creates their own key in the pacman keyring and uses that to 
sign keys for the repos they want to add

2) the user imports the master key for any repo they use with ultimate 
trust

I personally prefer option #1, but it really makes no difference given 
the keyring is probably only used for pacman.

For Arch, I guess we will have one (or more) master keys that will sign 
all the developer keys.  The user will have to manually import the 
master key and then install a pacman-keyring package (signed by that 
key) which contains all the developers keys.

Allan

