Security of Arch repository

[lubo]

Even though the repository uses signed packages now, there are still multiple issues that need to be addressed:

1. From pacman/Package signing article on ArchWiki:
   Warning: The SigLevel TrustAll option exists for debugging purposes and makes it very easy to trust keys that have not been verified. You should use TrustedOnly for all official repositories.
   Meaning: You should not advise using SigLevel = TrustAll with your repository.
2. I'm unable to find where have you posted fingerprint of your key and therefore cannot verify authenticity of a key pacman is trying to pull.

[damige]

Bare with me as i'm not an expert on this subject. I have recently spent quite some time getting gpg to work with my nitrokey. Especially getting a backup nitrokey working was a challenge.

1. I'm assuming i would have to have someone verify it that is already by default trusted by arch?
   A quick search did not lead me to a standard way to do this.

2. Would putting the fingerprint in the readme of this git be sufficient?

[Zerophase]

There's a wiki page for trusted keys. That might be the right place to listed the key.

[lubo]

First of all, I'd like to say I'm very thankful for what you do. It's just that if you want to do something for people to use, then you gotta do it right.

1. Either that or leave it to the user, which is perfectly fine. If your key is not signed by Arch Linux developers, then the user is completely responsible for verifying it. That might sound difficult, but it's actually pretty easy. @Zerophase probably meant this section of the article I've already provided.
2. Yes, that would be sufficient.

[damige]

Provided signed packages on the repo and GPG key in description. This combined with the sums located on git should be sufficient? can i close ?

[lubo]

The README still suggest using SigLevel = TrustAll with the repository.