[pacman-dev] [PATCH 0/5] Manage signing keys using a WKD (FS#63171)

Jonas Witschel diabonas at gmx.de
Wed Jul 17 20:06:48 UTC 2019


as explained in https://bugs.archlinux.org/task/63171, it would be nice
if pacman could receive new PGP keys and refresh expired ones using a
Web Key Directory (WKD) instead of using keyservers. This patch series
adds the corresponding functionality to pacman and pacman-key.

Since WKD is not enabled on archlinux.org yet, it might be a little
early to merge this as I have only been able to test it locally on my
machine. However since this is my first potential pacman contribution, I
wanted to get it out early to gather some feedback on the code.
Unfortunately GnuPG/GPGME handles WKD keys quite differently from
keyserver keys, so you have to jump through some hoops to enable the
usual confirm-then-import workflow for keys.

WKD support for pacman is complete, so it would be possible to remove
the keyserver code and rely solely on WKD if the need should arise
(though this would require changes to the Arch Linux packaging policy,
see the bug report).
pacman-key on the other hand is lacking a convenient way of refreshing
all keys using WKD; currently every key needs to be refreshed manually
by e-mail address using "pacman-key -r". This is because "gpg
--refresh-keys" is hardwired to use keyservers. Hopefully the situation
will change in future versions of GnuPG, see the corresponding commit
message for reference; if not, we need to work around this by listing
every key in the keyring by email and doing a refresh using WKD.


Jonas Witschel (5):
  common: move rmrf to util-common
  signing: add ability to import keys using a WKD
  sync: lookup missing keys in the WKD using the packager email
  be_package: lookup missing keys in the WKD using the packager email
  pacman-key: receive keys from WKD with -r/--recv-keys

 lib/libalpm/alpm.h       |   1 +
 lib/libalpm/be_package.c |  12 ++-
 lib/libalpm/signing.c    | 175 ++++++++++++++++++++++++++++-----------
 lib/libalpm/signing.h    |   2 +-
 lib/libalpm/sync.c       |   9 +-
 lib/libalpm/util.c       |  23 +++++
 lib/libalpm/util.h       |   1 +
 scripts/pacman-key.sh.in |  19 +++--
 src/common/util-common.c |  42 ++++++++++
 src/common/util-common.h |   2 +
 src/pacman/util.c        |  40 ---------
 src/pacman/util.h        |   1 -
 12 files changed, 226 insertions(+), 101 deletions(-)
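The per-address WKD refresh loop that the cover letter describes as the pacman-key workaround, written here as an added example and not code from the patch series: it walks the e-mail addresses of every key in a keyring and refreshes each one from its domain's WKD. It assumes GnuPG 2.2.17 or newer for --locate-external-keys; the keyring path and the colon-format sample are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the pacman patch series: refresh every key in a
# keyring through WKD, one e-mail address at a time, since "gpg --refresh-keys"
# only talks to keyservers. Assumes GnuPG >= 2.2.17 (--locate-external-keys).
set -eu

# Hypothetical keyring location; override with GNUPGHOME_DIR=... in the environment.
GNUPGHOME_DIR="${GNUPGHOME_DIR:-/etc/pacman.d/gnupg}"

# Read "gpg --with-colons --list-keys" output on stdin and print each distinct
# e-mail address found in a "uid" record (field 10 is the user ID).
wkd_emails() {
    awk -F: '$1 == "uid" && match($10, /<[^<>]+>/) {
        email = substr($10, RSTART + 1, RLENGTH - 2)
        if (!(email in seen)) { seen[email] = 1; print email }
    }'
}

# Fetch each address from the WKD of its domain. "clear,nodefault,wkd" restricts
# auto-key-locate to WKD so no keyserver is contacted; --locate-external-keys
# ignores the local copy and therefore updates keys already in the keyring.
wkd_refresh() {
    for email in "$@"; do
        gpg --homedir "$GNUPGHOME_DIR" --batch --no-tty \
            --auto-key-locate clear,nodefault,wkd \
            --locate-external-keys "$email" ||
            echo "warning: WKD lookup failed for $email" >&2
    done
}

# Constructed sample of colon-format output (placeholder key ids and hashes)
# used to exercise the parser without a real keyring.
SAMPLE_COLONS='pub:-:4096:1:0000000000000000:1563395208:::-:::scESC::::::23::0:
fpr:::::::::PLACEHOLDERFINGERPRINT:
uid:-::::1563395208::PLACEHOLDERHASH::Example Packager <packager@example.org>::::::::::0:
uid:-::::1563395208::PLACEHOLDERHASH::Example Packager (alt) <packager@example.org>::::::::::0:
sub:-:4096:1:1111111111111111:1563395208::::::e::::::23:
pub:-:2048:1:2222222222222222:1563395208:::-:::scESC::::::23::0:
uid:-::::1563395208::PLACEHOLDERHASH::Second Dev <dev@example.net>::::::::::0:'

# Parser run over the sample; prints the addresses that would be refreshed.
demo_emails() {
    printf '%s\n' "$SAMPLE_COLONS" | wkd_emails
}

# Run the real refresh only when asked, e.g. "sh wkd-refresh.sh refresh".
if [ "${1:-}" = "refresh" ]; then
    gpg --homedir "$GNUPGHOME_DIR" --batch --with-colons --list-keys | wkd_emails |
        while read -r email; do wkd_refresh "$email"; done
fi
```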

