Re: pacman 4.0.0 signing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Fri, Oct 14, 2011 at 5:27 AM, Sander Jansen <s.jansen@xxxxxxxxx> wrote:
> After upgrading to the new pacman 4.0, the system update following
> fails due a lot of untrusted signatures (unknown trust error).
>
> I'm guessing we need to verify we really trust these signatures. I've
> found this guide regarding validating gpg keys:
> http://www.pps.jussieu.fr/~jch/software/pgp-validating.html. I assume
> this will be a lot similar, except using the pacman-key frontend to do
> the verification.
>
> So let me step through and see if understand correctly:
>
> All the developers keys seem to be published here:
> http://www.archlinux.org/developers/ and
> http://www.archlinux.org/trustedusers
>
> So to trust Andrea Scarpino's key I would get the pgp key from the
> above webpage (PGP Key: 0xD30DB0AD) and finger it:
>
> pacman-key --finger 0xD30DB0AD
>
> then compare the finger print with the one thats linked to his profile:
>
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0xD30DB0AD
>
> It seems to match, so there is a good chance it's the real deal, so
> now I can locally sign it:
>
> pacman-key --lsign-key 0xD30DB0AD
>
> Correct? In examples of the article also marks the key as trusted.
> Would that be a good idea?
>
> We have to do this for each and every Arch developer I guess? Is there
> a faster way?
>
> Sander
>


Maybe http://identi.ca/conversation/84528911#notice-84578762 helps.


[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]
  Powered by Linux