On Thu, Oct 13, 2011 at 10:41 PM, Allan McRae <allan@xxxxxxxxxxxxx> wrote:
> On 14/10/11 13:27, Sander Jansen wrote:
>>
>> After upgrading to the new pacman 4.0, the system update following
>> fails due to a lot of untrusted signatures (unknown trust error).
>>
>> I'm guessing we need to verify we really trust these signatures. I've
>> found this guide regarding validating gpg keys:
>> http://www.pps.jussieu.fr/~jch/software/pgp-validating.html. I assume
>> this will be a lot similar, except using the pacman-key frontend to do
>> the verification.
>>
>> So let me step through and see if I understand correctly:
>>
>> All the developers' keys seem to be published here:
>> http://www.archlinux.org/developers/ and
>> http://www.archlinux.org/trustedusers
>>
>> So to trust Andrea Scarpino's key I would get the pgp key from the
>> above webpage (PGP Key: 0xD30DB0AD) and finger it:
>>
>> pacman-key --finger 0xD30DB0AD
>>
>> then compare the fingerprint with the one that's linked to his profile:
>>
>> http://pgp.mit.edu:11371/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0xD30DB0AD
>>
>> It seems to match, so there is a good chance it's the real deal, so
>> now I can locally sign it:
>>
>> pacman-key --lsign-key 0xD30DB0AD
>>
>> Correct? The examples in the article also mark the key as trusted.
>> Would that be a good idea?
>>
>> We have to do this for each and every Arch developer I guess? Is there
>> a faster way?
>>
>
> You could do it this way... but yes, it will take a long time.
>
> At the moment I just use "SigLevel = Optional TrustAll" which means imported
> keys are automatically considered as trusted without you having to manually
> verify them. That is obviously not the best solution, but it is an option
> until Arch gets a proper keyring sorted.
>
> Allan
>

Ah ok. Just read your blog as well (http://allanmcrae.com/2011/08/pacman-package-signing-3-pacman)

Thanks,
Sander
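The manual procedure quoted above (finger the key, eyeball the fingerprint against the one published out of band, then `--lsign-key`) is easy to get wrong when repeated for dozens of developers: a single transposed hex digit is invisible to the eye. Below is an added shell example, not code from the thread or from pacman, that makes the comparison step mechanical and refuses to sign on any mismatch. It assumes `pacman-key --finger` prints the key in gpg's `--fingerprint` layout (either the older `Key fingerprint = ...` line or the newer bare line of ten 4-digit groups); the sample output embedded in the script is constructed and does not describe any real key.

```shell
#!/bin/sh
# Added example: verify a key's fingerprint against a value obtained out of
# band (developer page or keyserver listing) before locally signing it.

# Normalise a fingerprint for comparison: drop spaces/colons/newlines and
# upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Succeed only if both arguments are the same full 40-hex-digit fingerprint.
# A short key id (8 or 16 digits) deliberately never matches: key ids can be
# brute-forced to collide, fingerprints cannot in practice.
fingerprints_match() {
    _a=$(normalize_fpr "$1")
    _b=$(normalize_fpr "$2")
    [ "${#_a}" -eq 40 ] && [ "$_a" = "$_b" ]
}

# Pull the fingerprint out of `pacman-key --finger` (gpg --fingerprint) text
# read from stdin. Handles both output layouts gpg has used.
extract_fpr() {
    awk '
        # older gpg: "      Key fingerprint = 0123 4567 ..."
        /[Ff]ingerprint *=/ { sub(/^.*= */, ""); gsub(/ /, ""); print; exit }
        # newer gpg: a bare, indented line of ten 4-hex-digit groups
        {
            line = $0; gsub(/ /, "", line)
            if (line ~ /^[0-9A-Fa-f]+$/ && length(line) == 40) { print line; exit }
        }
    '
}

# Sign locally only when the key actually held in the pacman keyring matches
# the fingerprint the operator copied from the published source.
verify_and_lsign() {
    keyid=$1      # e.g. 0xD30DB0AD (from the developer page)
    expected=$2   # fingerprint copied from the profile / keyserver
    actual=$(pacman-key --finger "$keyid" | extract_fpr)
    if fingerprints_match "$actual" "$expected"; then
        echo "fingerprint of $keyid matches, locally signing"
        pacman-key --lsign-key "$keyid"
    else
        echo "REFUSING to sign $keyid: keyring has '$actual', expected '$expected'" >&2
        return 1
    fi
}

# Constructed sample of `pacman-key --finger` output (placeholder key, not a
# real developer key) so the parser can be exercised without pacman installed.
SAMPLE_FINGER_OUTPUT='pub   2048R/0xPLACEHOLDER 2011-01-01
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid                  Example Developer <dev@example.invalid>'

# Stand-alone demo on the constructed sample; no pacman-key call is made.
demo_fpr=$(printf '%s\n' "$SAMPLE_FINGER_OUTPUT" | extract_fpr)
echo "extracted fingerprint: $demo_fpr"
```

In use, `verify_and_lsign 0xD30DB0AD "<fingerprint copied from the profile page>"` replaces the two manual commands from the thread; the loop over all developers is then a list of key-id/fingerprint pairs fed to that function, which still leaves the out-of-band fingerprint collection as the trust decision a human makes.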