[pacman-dev] [PATCH v2 3/3] pacman-key: clean keys on import to remove unknown signatures

Eli Schwartz eschwartz at archlinux.org
Mon Oct 7 03:11:20 UTC 2019

There is no good reason to bloat the keyring by importing tons of
signatures we cannot use; drop any signatures that don't validate
against another available key (probably the master keys).

If any desired signatures get cleaned, the key can be refreshed after
importing the new signing public key.

Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>

v3: introduce new followup which adds import-clean -- it has been around
for some time, and seems generally useful even if not directly
applicable to WoT fixes, so let us seize the opportunity to implement

 scripts/pacman-key.sh.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 93600bc0..117acc40 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -209,6 +209,7 @@ initialize() {
 	add_gpg_conf_option "$conffile" 'no-permission-warning'
 	add_gpg_conf_option "$conffile" 'lock-never'
 	add_gpg_conf_option "$conffile" 'keyserver-options' 'timeout=10'
+	add_gpg_conf_option "$conffile" 'keyserver-options' 'import-clean'

 	local gpg_ver=$(gpg --version | awk '{print $3; exit}')
 	if (( $(vercmp "$gpg_ver" 2.2.17) >= 0 )); then
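Review bot: `keyserver-options` is now passed to add_gpg_conf_option twice (once with `timeout=10` on the line above, once with `import-clean` on the added line). Whether that is safe depends on how add_gpg_conf_option treats an option name that is already present in "$conffile": if it skips or replaces existing entries keyed by name, either `timeout=10` or `import-clean` is silently lost, and only if it appends a second line does gpg see both values. Combining them into a single call (`add_gpg_conf_option "$conffile" 'keyserver-options' 'timeout=10 import-clean'`) avoids relying on that behaviour. Also note that `keyserver-options import-clean` only applies to keys fetched with --recv-keys/--refresh-keys; keys added from a file via `gpg --import` are cleaned by `import-options import-clean`, so if the commit message's "clean keys on import" is meant to cover both paths, that option is needed as well, and the message should say which path is covered.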