10-24-2011, 04:10 AM
Myra Nelson

Pacman makepkg and signatures

Since I don't listen in on irc conversations and haven't picked up on
this being discussed on the mailing list, I thought I would go ahead
and ask a seemingly dumb question. When building a package from core,
extra, or community with makepkg should I locate the signature key for
the source tarball and import it into the pacman-key database, or will
there be a mechanism for this in the future, or since the same package
is used by the devs is it completely unnecessary for me to worry about?
Obviously the build completes after issuing the warning about a
problem with signature verification and being sure you trust the
package so it's not a problem, I'm just trying to stay ahead of the
curve.

Myra
--
Life's fun when you're sick and psychotic!
 
10-24-2011, 04:24 AM
Allan McRae

Pacman makepkg and signatures

On 24/10/11 14:10, Myra Nelson wrote:

Since I don't listen in on irc conversations and haven't picked up on
this being discussed on the mailing list, I thought I would go ahead
and ask a seemingly dumb question. When building a package from core,
extra, or community with makepkg should I locate the signature key for
the source tarball and import it into the pacman-key database, or will
there be a mechanism for this in the future, or since the same package
is used by the devs is it completely unnecessary for me to worry about?
Obviously the build completes after issuing the warning about a
problem with signature verification and being sure you trust the
package so it's not a problem, I'm just trying to stay ahead of the
curve.



pacman-key's gpg database is only for use with pacman.

I assume you are rebuilding packages using ABS and have run into a case
where the source files have signatures. These are checked using your
user's gpg keyring, not the pacman one. If you want to verify the
signatures are good, then you will need to import the key to your local
keyring. Or you could trust the developers have checked it and assume
the provided checksum is enough... Depends how paranoid you are.


Allan
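
The check described in the reply above, as an added example that is not part of the original thread: it verifies a source file against its detached signature using the invoking user's gpg keyring and separates "key not in my keyring" from "signature is bad". The function names `classify_gpg_status` and `verify_source` are hypothetical, and the sample status lines and key ID are constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Classifies the machine-readable
# status lines gpg prints with --status-fd for one detached signature.

# Reads status lines on stdin; prints exactly one verdict line:
#   good <keyid> | missing-key <keyid> | expired-or-revoked <keyid> |
#   bad <keyid>  | unknown
classify_gpg_status() {
    good="" missing="" stale="" bad=""
    while read -r tag keyword keyid rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            GOODSIG)                    good=$keyid ;;
            NO_PUBKEY)                  missing=$keyid ;;
            EXPSIG|EXPKEYSIG|REVKEYSIG) stale=$keyid ;;
            BADSIG)                     bad=$keyid ;;
        esac
    done
    # Worst outcome wins, so a bad signature is never masked.
    if   [ -n "$bad" ];     then echo "bad $bad"
    elif [ -n "$missing" ]; then echo "missing-key $missing"
    elif [ -n "$stale" ];   then echo "expired-or-revoked $stale"
    elif [ -n "$good" ];    then echo "good $good"
    else                         echo "unknown"
    fi
}

# verify_source FILE SIG: check FILE against detached signature SIG using the
# invoking user's keyring (~/.gnupg or $GNUPGHOME), not pacman-key's.
verify_source() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | classify_gpg_status
}

# Constructed sample: status output when the signer's key is not in the
# user's keyring (key ID and timestamp are made up).
classify_gpg_status <<'EOF'
[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1319429400 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
EOF
```

A `missing-key` verdict is the case the thread describes: import the upstream signer's key into your own keyring (for example with `gpg --recv-keys <keyid>`, after checking the fingerprint against one the upstream project publishes) and rerun `verify_source`.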
 

All times are GMT.