Hi, I'm currently maintaining the headsetcontrol package from the AUR. Upstream recently started using a key to sign sources, and due to unfamiliarity with the procedure I have several questions regarding this topic.
Question 1: Do key servers sync with each other?
I have read from various sources stating that key servers sync with each other. However, I found this to be false. The key is unavailable from Arch's (or GPG's) default key server (which I think is https://keyserver.ubuntu.com/) but is available from https://keys.openpgp.org. I currently have both servers in my config according to the Wiki.
Question 2 and 3: What is the policy regarding keys for an AUR package, especially when they aren't available from the default key server? Do I need to include the public key in the source tree along with the PKGBUILD script?
My current approach is leaving a pinned comment with the instruction on how to import the key manually. However, while looking for references in the main repos, I see that the keys are included along with the PKGBUILD script in a different folder. I guess the question really is "should I do the same with an AUR package," considering the key cannot be easily imported automatically by an AUR helper.
Last edited by TheBill2001 (2024-04-06 11:54:10)
Q1 :
some do, others never sync.
https://wiki.archlinux.org/title/OpenPGP#Keyserver
Q2 & Q3 :
no clear consensus.
It has been discussed on the aur-general mailing list recently, see https://lists.archlinux.org/archives/li … 5CKEMXITO/
My personal opinion is that any solution that leaves the decision to trust a key with the user is a good solution .
Automatically trusting keys is worse than not using them.
Last edited by Lone_Wolf (2024-04-06 10:20:42)
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
(A works at time B) && (time C > time B ) ≠ (A works at time C)
Thanks for linking the mailing list. It seems fine to just include the key with the PKGBUILD per RFC 0011. At least with an AUR helper like yay, by default it only searches from keyservers and prompts the user.
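The approach settled on above (ship the key next to the PKGBUILD, leave trust to the user) as an added example, not code from the thread or from the headsetcontrol package: a small check that every fingerprint in validpgpkeys has a key file in the keys/pgp/<FINGERPRINT>.asc layout used by Arch's official package repositories, and that imports those files into a throwaway keyring without assigning any trust. The script name, the throwaway GNUPGHOME path and the fingerprints used in testing are assumptions.

```shell
#!/bin/sh
# Added example (not from this thread). Given a PKGBUILD and a key directory in
# the keys/pgp/<FINGERPRINT>.asc layout, check that every fingerprint listed in
# validpgpkeys has a shipped key file and import those files into a throwaway
# keyring. Importing assigns no ownertrust, and makepkg accepts keys listed in
# validpgpkeys regardless of keyring trust, so the user still decides whether
# to trust the key in their own keyring.
set -eu

# Print the 40-hex-digit fingerprints declared in validpgpkeys=( ... ).
# The file is parsed textually rather than sourced, so an untrusted PKGBUILD
# is never executed by this check.
pkgbuild_fingerprints() {
    awk '/^validpgpkeys=\(/ { inside = 1 }
         inside { print }
         inside && /\)/ { inside = 0 }' "$1" \
    | grep -owE '[0-9A-Fa-f]{40}' | tr 'a-f' 'A-F' || true
}

# Print the fingerprints from PKGBUILD $1 that have no <FINGERPRINT>.asc in $2.
missing_key_files() {
    local fpr
    for fpr in $(pkgbuild_fingerprints "$1"); do
        [ -f "$2/$fpr.asc" ] || printf '%s\n' "$fpr"
    done
}

# Import every shipped key into a fresh GNUPGHOME ($3); fail if any is missing.
import_shipped_keys() {
    local fpr missing
    missing=$(missing_key_files "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'missing key file(s) under %s:\n%s\n' "$2" "$missing" >&2
        return 1
    fi
    mkdir -p "$3" && chmod 700 "$3"
    for fpr in $(pkgbuild_fingerprints "$1"); do
        gpg --homedir "$3" --batch --quiet --import "$2/$fpr.asc"
    done
}

# Usage (assumed script name): ./check_keys.sh PKGBUILD keys/pgp /tmp/keyring
# then verify the sources against that keyring only:
#   GNUPGHOME=/tmp/keyring makepkg --verifysource
[ $# -eq 0 ] || import_shipped_keys "$@"
```

The keyring under /tmp/keyring is only used for verification; nothing is added to the user's own ~/.gnupg unless they import the key themselves.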