Re: pacman 4.0.0 signing




On 14/10/11 13:27, Sander Jansen wrote:
After upgrading to the new pacman 4.0, the system update following
fails due to a lot of untrusted signatures (unknown trust error).

I'm guessing we need to verify we really trust these signatures. I've
found this guide regarding validating gpg keys:
http://www.pps.jussieu.fr/~jch/software/pgp-validating.html. I assume
this will be a lot similar, except using the pacman-key frontend to do
the verification.

So let me step through and see if I understand correctly:

All the developers' keys seem to be published here:
http://www.archlinux.org/developers/ and
http://www.archlinux.org/trustedusers

So to trust Andrea Scarpino's key I would get the pgp key from the
above webpage (PGP Key: 0xD30DB0AD) and finger it:

pacman-key --finger 0xD30DB0AD

then compare the fingerprint with the one that's linked to his profile:

http://pgp.mit.edu:11371/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0xD30DB0AD

It seems to match, so there is a good chance it's the real deal, so
now I can locally sign it:

pacman-key --lsign-key 0xD30DB0AD

Correct? The examples in the article also mark the key as trusted.
Would that be a good idea?

We have to do this for each and every Arch developer I guess? Is there
a faster way?



You could do it this way... but yes, it will take a long time.

At the moment I just use "SigLevel = Optional TrustAll" which means imported keys are automatically considered as trusted without you having to manually verify them. That is obviously not the best solution, but it is an option until Arch gets a proper keyring sorted.

Allan
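
The finger, compare, lsign steps from the quoted message, batched over a list of keys, as an added example that is not part of the original thread. It assumes the keys are already in pacman's keyring and that the expected fingerprints come from a source independent of the keyserver; the `PACMAN_KEY` override, the function names and the list-file format are assumptions of this example.

```sh
#!/bin/sh
# Added example: batch form of "finger, compare, lsign". Run as root.
# PACMAN_KEY is a hypothetical override so the logic can be tested with a stub.
PACMAN_KEY=${PACMAN_KEY:-pacman-key}

# norm_fpr TEXT: drop whitespace and a leading 0x, uppercase the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# extract_fpr: read a gpg-style key listing on stdin and print the first
# 40-hex-digit fingerprint in it (the 4-digit groups are joined first).
extract_fpr() {
    tr -d ' \t' | grep -Eo '[0-9A-Fa-f]{40}' | head -n 1 | tr 'a-f' 'A-F'
}

# fpr_matches EXPECTED ACTUAL: 0 on match, 1 on mismatch, 2 when EXPECTED is
# not a full 40-digit fingerprint (an 8-digit key ID is too short to compare).
fpr_matches() {
    want=$(norm_fpr "$1"); got=$(norm_fpr "$2")
    printf '%s\n' "$want" | grep -Eq '^[0-9A-F]{40}$' || return 2
    [ "$want" = "$got" ]
}

# verify_and_sign FILE: each line of FILE is "KEYID FINGERPRINT", e.g.
#   0xD30DB0AD <40-hex-digit fingerprint obtained out of band>
# Locally signs only the keys whose keyring fingerprint equals the expected
# one; returns non-zero if any key was skipped.
verify_and_sign() {
    skipped=0
    while read -r keyid expected; do
        case $keyid in ''|'#'*) continue ;; esac
        actual=$("$PACMAN_KEY" --finger "$keyid" </dev/null 2>/dev/null | extract_fpr)
        if fpr_matches "$expected" "$actual" &&
           "$PACMAN_KEY" --lsign-key "$keyid" </dev/null; then
            echo "signed  $keyid"
        else
            echo "SKIPPED $keyid (mismatch, malformed entry or signing failed)" >&2
            skipped=$((skipped + 1))
        fi
    done < "$1"
    [ "$skipped" -eq 0 ]
}
```

A key is signed only when the full fingerprint in the keyring equals the one in the list, so the list itself has to be built from a source you already trust.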

