[arch-general] pacman security when importing new keys?
Daniel Micay
danielmicay at gmail.com
Tue Feb 10 13:31:02 UTC 2015
On 10/02/15 08:15 AM, Mike Cloaked wrote:
> On Tue, Feb 10, 2015 at 12:59 PM, Dennis Lange <dennis at lumalab.net> wrote:
>
>> Hi Manuel,
>>
>> thanks for posting this thread. I also wondered about the key from
>> eworm. Sure he is a trusted user but accepting keys made me a little bit
>> nervous. Is there a way to verify my pacman keys?
>>
>> Dennis
>>
>>
> I guess you can verify fingerprints from the list at
>
> https://www.archlinux.org/master-keys/
No, you don't have to anything like that. There is never a need to
manually verify the keys of developers and trusted users because they
are part of the web of trust model. There are 5 trusted master keys and
they are part of the installation from the get go. A key is trusted if
it is signed by at least 3 master keys - you only ever need to mark keys
for third party repositories as trusted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20150210/1f1ba55c/attachment.asc>
More information about the arch-general
mailing list