On Fri, Oct 14, 2011 at 5:27 AM, Sander Jansen <s.jansen@xxxxxxxxx> wrote:
> After upgrading to the new pacman 4.0, the subsequent system update
> fails due to a lot of untrusted signatures (unknown trust error).
>
> I'm guessing we need to verify we really trust these signatures. I've
> found this guide regarding validating gpg keys:
> http://www.pps.jussieu.fr/~jch/software/pgp-validating.html. I assume
> this will be a lot similar, except using the pacman-key frontend to do
> the verification.
>
> So let me step through and see if I understand correctly:
>
> All the developers' keys seem to be published here:
> http://www.archlinux.org/developers/ and
> http://www.archlinux.org/trustedusers
>
> So to trust Andrea Scarpino's key I would get the pgp key from the
> above webpage (PGP Key: 0xD30DB0AD) and finger it:
>
> pacman-key --finger 0xD30DB0AD
>
> then compare the fingerprint with the one that's linked to his profile:
>
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0xD30DB0AD
>
> It seems to match, so there is a good chance it's the real deal, so
> now I can locally sign it:
>
> pacman-key --lsign-key 0xD30DB0AD
>
> Correct? The examples in the article also mark the key as trusted.
> Would that be a good idea?
>
> We have to do this for each and every Arch developer I guess? Is there
> a faster way?
>
> Sander

Maybe http://identi.ca/conversation/84528911#notice-84578762 helps.
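As an added example (not part of the thread), a small POSIX shell helper that automates the check Sander describes: compare the full 40-hex-digit fingerprint printed by `pacman-key --finger` with the one obtained out-of-band from the developer page or keyserver, and only then run `pacman-key --lsign-key`. The `SAMPLE_FINGER` output and the fingerprint inside it are constructed placeholders, not a real Arch key, and `verified_lsign` assumes `pacman-key` is installed.

```shell
#!/bin/sh
# Added example: refuse to lsign a key unless the fingerprint shown by
# `pacman-key --finger` equals the one you verified out-of-band.

# Normalise a fingerprint: drop whitespace, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Pull the first 40-hex-digit run out of gpg-style --finger output
# (works for both the bare fingerprint line and "Key fingerprint = ...").
extract_fpr() {
    printf '%s\n' "$1" | tr -d ' ' \
        | sed -n 's/.*\([0-9A-Fa-f]\{40\}\).*/\1/p' | head -n1
}

# Returns 0 only if the finger output carries exactly the expected
# full fingerprint. A short key ID (8 or 16 hex digits) is rejected as
# "expected" on purpose: the comparison must be on the full fingerprint.
fingerprint_matches() {
    finger_output=$1
    expected=$(norm_fpr "$2")
    [ "${#expected}" -eq 40 ] || return 1
    actual=$(extract_fpr "$finger_output")
    [ -n "$actual" ] && [ "$(norm_fpr "$actual")" = "$expected" ]
}

# Wrapper around pacman-key: sign locally only after the check passes.
# Assumes pacman-key is installed (hypothetical usage, not run in tests).
verified_lsign() {
    keyid=$1; expected=$2
    out=$(pacman-key --finger "$keyid") || return 1
    if fingerprint_matches "$out" "$expected"; then
        pacman-key --lsign-key "$keyid"
    else
        echo "fingerprint mismatch for $keyid; not signing" >&2
        return 1
    fi
}

# Constructed sample of `pacman-key --finger` output (placeholder key).
SAMPLE_FINGER='pub   rsa2048 2011-01-01 [SC]
      1111 2222 3333 4444 5555  6666 7777 8888 9999 0000
uid           [ unknown] Example Developer <dev@example.org>
sub   rsa2048 2011-01-01 [E]'
```

Usage: `verified_lsign 0xKEYID "1111 2222 ... 0000"` with the fingerprint copied from the profile page; a mismatch leaves the keyring untouched.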