[pacman-dev] [PATCH] makepkg: add flag 'recvkeys' to retrieve PGP keys from 'validpgpkeys' in PKGBUILDs

Allan McRae allan at archlinux.org
Tue Apr 4 02:46:48 UTC 2017


On 04/04/17 12:43, Bruno Pagani wrote:
> On 03/04/2017 at 19:02, Alli wrote:
> 
>>> Are you aware of the |keyserver-options auto-key-retrieve| from GPG? I
>>> don’t say that this patch is useless, but just that this feature already
>>> exists elsewhere somehow.
>> Okay, I didn't know about this feature of gnupg, so thanks for that.
>>
>> Pacman seems to have a feature of downloading required PGP keys on demand,
>> so I was going for something similar in the user experience with makepkg.
>>
>> It still might be useful for AUR maintainers as a one liner of how to fix
>> PGP signature errors seen by users? Certainly easier to find than the above
>> setting.
> 
> I think that all use cases can come with a solution without having to
> modify makepkg. The one you describe means that people don’t really care
> about checking the keys by themselves, so the AUR helper they use could
> probably use a separate GPG keyring/db with this option set (not sure
> if that’s easy to do/configure, but it probably should).
> 

What is there to check?  You are not explicitly trusting the key in your
keyring - only downloading it.  makepkg then confirms the key matches
the fingerprint given to determine it is the key "trusted" by the packager.

A
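
The distinction drawn in the reply above (a key that was merely downloaded into the keyring versus a key whose fingerprint the packager pinned) can be shown as an added example; this is not makepkg's own code and not part of the original message. It parses GnuPG `--status-fd` style lines and accepts a signature only when the signing key's full fingerprint, or its primary key's, is in a `validpgpkeys`-style list. The function name `check_pinned_sig`, the fingerprints and the status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not makepkg's code. Fingerprints and status lines below
# are constructed placeholders in GnuPG's --status-fd format.
A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA   # pinned primary key
B=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB   # in keyring, not pinned
D=DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD   # signing subkey of A
VALIDPGPKEYS="$A"
SIG_PINNED="[GNUPG:] VALIDSIG $A 2017-04-04 1491264000 0 4 0 1 8 00 $A"
SIG_SUBKEY="[GNUPG:] VALIDSIG $D 2017-04-04 1491264000 0 4 0 1 8 00 $A"
SIG_UNPINNED="[GNUPG:] VALIDSIG $B 2017-04-04 1491264000 0 4 0 1 8 00 $B"
SIG_NOKEY="[GNUPG:] ERRSIG CCCCCCCCCCCCCCCC 1 8 00 1491264000 9
[GNUPG:] NO_PUBKEY CCCCCCCCCCCCCCCC"

# check_pinned_sig STATUS_TEXT "FPR1 FPR2 ..."
# Prints accepted | unpinned-key | missing-key | bad-signature |
# unusable-key | no-signature; returns 0 only for "accepted".
check_pinned_sig() {
    st_text=$1
    pinned=$2
    fpr='' primary='' failure=''
    while read -r tag kw a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $kw in
            BADSIG)              failure=bad-signature ;;
            EXPKEYSIG|REVKEYSIG) failure=unusable-key ;;
            NO_PUBKEY)           failure=missing-key ;;
            # VALIDSIG: field 1 is the signing key fingerprint, field 10
            # the primary key fingerprint (differs when a subkey signed).
            VALIDSIG)            fpr=$a1; primary=${a10:-$a1} ;;
        esac
    done <<EOF
$st_text
EOF
    if [ -n "$failure" ]; then echo "$failure"; return 1; fi
    if [ -z "$fpr" ]; then echo no-signature; return 1; fi
    for want in $pinned; do
        # Full-fingerprint comparison, case-insensitive; never short key IDs.
        want=$(printf '%s' "$want" | tr 'a-f' 'A-F')
        if [ "$want" = "$fpr" ] || [ "$want" = "$primary" ]; then
            echo accepted; return 0
        fi
    done
    echo unpinned-key; return 1
}

for s in "$SIG_PINNED" "$SIG_SUBKEY" "$SIG_UNPINNED" "$SIG_NOKEY"; do
    check_pinned_sig "$s" "$VALIDPGPKEYS" || true
done
```

The `unpinned-key` case is the one the reply turns on: the signature verifies against a key present in the keyring, yet it is still rejected because that fingerprint was never listed by the packager.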

