[pacman-dev] [PATCH] makepkg: add flag 'recvkeys' to retrieve PGP keys from 'validpgpkeys' in PKGBUILDs

Bruno Pagani bruno.n.pagani at gmail.com
Tue Apr 4 06:45:18 UTC 2017

Le 03/04/2017 à 19:46, Allan McRae a écrit :

> On 04/04/17 12:43, Bruno Pagani wrote:
>> Le 03/04/2017 à 19:02, Alli a écrit :
>>>> Are you aware of the |keyserver-options auto-key-retrieve| from GPG? I
>>>> don’t say that this patch is useless, but just that this feature already
>>>> exists elsewhere somehow.
>>>  Okay, I didn't know about this feature of gnupg, so thanks for that.
>>> Pacman seems to have a feature of downloading required PGP keys on demand,
>>> so I was going for something similar in the user experience with makepkg.
>>> It still might be useful for AUR maintainers as a one liner of how to fix
>>> PGP signature errors seen by users? Certainly easier to find than the above
>>> setting.
>> I think that all uses cases can come with a solution without having to
>> modify makepkg. The one you describe means that people don’t really care
>> about checking the keys by themselves, so the AUR helper they use could
>> probably use a separated GPG keyring/db with this option set (not sure
>> if that’s easy to do/configure, but it probably should).
> What is there to check?  You are not explicitly trusting the key in your
> keyring - only downloading it.  makepkg then confirms the key matches
> the fingerprint given to determine it is the key "trusted" by the packager.
> A

You might not trust the packager/maintainer. You might want to check
this is the right key by looking at the sigs, checking whether you have
a path to it, or whatever. I’ve also seen people using --lsign, but not
sure why.

But my point here is more that you might want to have automatic key
retrieval for makepkg but not for other PGP uses for whatever reason.
But this is solved by a separated GNUPGHOME.

So no reason to discuss it further, since in the end we both agree that
there is no reason to bake that into makepkg.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 520 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20170403/7a2ff1f5/attachment-0001.asc>

More information about the pacman-dev mailing list