[pacman-dev] [PATCH 2/2] pacman-key: make sure we actually use the Web of Trust, which GnuPG doesn't.

Allan McRae allan at archlinux.org
Mon Oct 7 03:03:48 UTC 2019

On 7/10/19 12:53 pm, Eli Schwartz wrote:
> On 10/6/19 10:42 PM, Allan McRae wrote:
>>> +	if (( $(vercmp "$gpg_ver" 2.2.17) >= 0 )); then
>>> +		add_gpg_conf_option "$conffile" 'keyserver-options' 'no-self-sigs-only,no-import-clean'
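Review bot: the second `+` line passes `no-self-sigs-only,no-import-clean`, but the replies below settle on keeping import-clean enabled so signatures from keys outside the keyring are still stripped; only self-sigs-only should be turned off. Change the value to `no-self-sigs-only,import-clean`, and add a comment on the `vercmp` line saying why 2.2.17 is the threshold (the release where these keyserver-options changed default), so the version check is not a magic number.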
>> Doesn't import-clean actually do what we want? Strips signatures from
>> keys not in the keyring? Assuming users are not setting up the initial
>> keyring by importing keys manually...
> Hmm, on second thought you're right. no-self-sigs-only will prevent the
> main thing that annoys us, which is getting rid of sigs we want because
> we have the WoT keys which match it.
> no-import-clean would return us to feature parity with the older gnupg
> releases, but that's not the fundamental goal, and the only benefit it
> would get us is being able to later on import a master key and have it
> validate, which seems like an unlikely event. Anyway, it seems like
> refreshing that key would re-acquire the cleaned signatures.
> Do you want to leave the import-clean setting out entirely, or take the
> opportunity to start having the keyring be guaranteed to be cleaned?

no-self-sigs-only,import-clean seems a good trade-off as default.
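As an added example (not code from the patch or from pacman itself), a POSIX sh check that resolves what the keyserver-options in a keyring's gpg.conf mean for a given gpg version, so one can confirm that Web of Trust signatures are actually kept on refresh. It assumes the 2.2.17 default change discussed in the thread; the function names and the sample config files are mine.

```shell
# Added example, not code from the pacman patch: given a gpg version and a
# gpg.conf, report whether self-sigs-only and import-clean are in effect
# (assumption: both default to "on" from GnuPG 2.2.17 and "off" before it).

# ver_ge A B: succeed when dotted numeric version A >= B (stand-in for vercmp)
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x != y) exit (x > y ? 0 : 1)
        }
        exit 0
    }'
}

# effective_opts VERSION CONF: print "self-sigs-only=on|off import-clean=on|off";
# later keyserver-options entries override earlier ones, as gpg accumulates them.
effective_opts() {
    if ver_ge "$1" 2.2.17; then sso=on; ic=on; else sso=off; ic=off; fi
    for opt in $(sed -nE 's/^[[:space:]]*keyserver-options[[:space:]]+//p' "$2" |
                 sed 's/#.*//' | tr ',' ' '); do
        case $opt in
            self-sigs-only)    sso=on  ;;
            no-self-sigs-only) sso=off ;;
            import-clean)      ic=on   ;;
            no-import-clean)   ic=off  ;;
        esac
    done
    printf 'self-sigs-only=%s import-clean=%s\n' "$sso" "$ic"
}

# wot_kept VERSION CONF: succeed only if third-party signatures survive a refresh
wot_kept() {
    case $(effective_opts "$1" "$2") in
        *self-sigs-only=off*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on two constructed gpg.conf files; version string as gpg --version reports it
demo_dir=$(mktemp -d)
printf 'keyserver hkps://keyserver.example\n' > "$demo_dir/default.conf"
printf 'keyserver-options no-self-sigs-only,import-clean\n' > "$demo_dir/pacman.conf"
for f in default pacman; do
    printf '%s (gpg 2.2.19): %s\n' "$f" "$(effective_opts 2.2.19 "$demo_dir/$f.conf")"
done
rm -rf "$demo_dir"
```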
