On 04/04/17 12:43, Bruno Pagani wrote:
> On 03/04/2017 at 19:02, Alli wrote:
>
>>> Are you aware of the |keyserver-options auto-key-retrieve| from GPG? I
>>> don’t say that this patch is useless, but just that this feature already
>>> exists elsewhere somehow.
>> Okay, I didn't know about this feature of gnupg, so thanks for that.
>>
>> Pacman seems to have a feature of downloading required PGP keys on demand,
>> so I was going for something similar in the user experience with makepkg.
>>
>> It still might be useful for AUR maintainers as a one-liner of how to fix
>> PGP signature errors seen by users? Certainly easier to find than the above
>> setting.
>
> I think that all use cases can come with a solution without having to
> modify makepkg. The one you describe means that people don’t really care
> about checking the keys by themselves, so the AUR helper they use could
> probably use a separate GPG keyring/db with this option set (not sure
> if that’s easy to do/configure, but it probably should).
>
What is there to check? You are not explicitly trusting the key in your
keyring - only downloading it. makepkg then confirms the key matches the
fingerprint given to determine it is the key "trusted" by the packager.

A
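
The distinction drawn in the reply above (a downloaded key only sits in the keyring; acceptance depends on the fingerprint the packager pinned), as an added sketch that is not makepkg's own code. It reads the VALIDSIG line of GnuPG's documented --status-fd output; the function name sig_pinned and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not taken from makepkg.
# sig_pinned STATUS_TEXT FPR...
# Succeeds only if gpg reported VALIDSIG and either the signing key's
# fingerprint (field 3) or its primary key's fingerprint (field 12) is one
# of the pinned fingerprints. Mere presence of a key in the keyring
# (GOODSIG alone, or a VALIDSIG from another key) is not enough.
sig_pinned() {
    status=$1; shift
    printf '%s\n' "$status" | awk -v pins="$*" '
        BEGIN {
            # Build a lookup table of pinned fingerprints, case-insensitively.
            n = split(toupper(pins), p, " ")
            for (i = 1; i <= n; i++) ok[p[i]] = 1
        }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) in ok) found = 1
            if (NF >= 12 && (toupper($12) in ok)) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `gpg --status-fd 1 --verify` output (not a real key).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Upstream <dev@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2017-04-04 1491300000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Constructed fingerprints: PINNED stands in for the packager's pinned key,
# SUBKEY is its signing subkey, OTHER is an unrelated key that also happens
# to be in the local keyring.
PINNED=0123456789ABCDEF0123456789ABCDEF01234567
SUBKEY=89ABCDEF0123456789ABCDEF0123456789ABCDEF
OTHER=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

if sig_pinned "$SAMPLE_STATUS" "$PINNED"; then
    echo "signature made by the pinned key"
fi
if ! sig_pinned "$SAMPLE_STATUS" "$OTHER"; then
    echo "valid signature, but not from a pinned key: reject"
fi
```
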
