Open lazka opened 12 months ago
Turns out pacman-key doesn't check if a key exists before trying to disable it: https://github.com/msys2/msys2-pacman/blob/490334306c2e906ed97f09bd4a87f2afed200029/scripts/pacman-key.sh.in#L352
We'd need to patch it before we can remove the old keys from the keyring.
Currently a "revoked" key is included in the keyring, and installed on the user's system. It's just disabled then by pacman-key, because the keyid is on the revoked list.
I don't think there is a reason why we shouldn't just remove the certificates, and just keep the ID for disabling.
This would get rid of some outdated keys from the keyring, and also the key refresh is faster since those keys don't get refreshed, at least for new users.
I've asked Arch people on IRC, and they think it's OK, they just don't have a policy for removing them from the keyring, which is why they keep them.
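Added example, not part of the issue or of pacman-key's code: a sketch of the existence check discussed above, which compares the revoked list against a `gpg --list-keys --with-colons` listing so that only IDs whose certificate is still in the keyring are disabled. The function names `plan_revoked` and `demo_plan`, the one-fingerprint-per-line revoked file format, and all fingerprints are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not pacman-key's code): decide which revoked IDs can be
# disabled, given that their certificates may no longer be in the keyring.

# plan_revoked LISTING REVOKED
#   LISTING: saved output of `gpg --list-keys --with-colons`
#   REVOKED: one full fingerprint per line (assumed format), '#' comments allowed
# Prints "disable <fpr>" when the certificate is present, "skip <fpr>" otherwise.
plan_revoked() {
    awk -F: '
        # Listing file: keep the fpr record that directly follows each pub record.
        FILENAME == ARGV[1] {
            if ($1 == "pub") want = 1
            else if ($1 == "sub") want = 0
            else if ($1 == "fpr" && want) { present[toupper($10)] = 1; want = 0 }
            next
        }
        # Revoked list: strip whitespace, skip blanks and comments, then look up.
        { gsub(/[ \t\r]/, "") }
        $0 == "" || /^#/ { next }
        {
            id = toupper($0)
            verb = (id in present) ? "disable" : "skip"
            print verb, id
        }
    ' "$1" "$2"
}

# Constructed sample data: one certificate in the keyring, two revoked IDs,
# the second of which has had its certificate removed from the keyring.
demo_plan() {
    dir=$(mktemp -d) || return 1
    {
        printf 'pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC:\n'
        printf 'fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:\n'
        printf 'sub:-:4096:1:76543210FEDCBA98:1500000000::::::e:\n'
        printf 'fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:\n'
    } > "$dir/listing"
    {
        printf '# revoked fingerprints\n'
        printf '0123456789abcdef0123456789abcdef01234567\n\n'
        printf '89ABCDEF0123456789ABCDEF0123456789ABCDEF\n'
    } > "$dir/revoked"
    plan_revoked "$dir/listing" "$dir/revoked"
    rm -rf "$dir"
}
```

Only the `disable` lines would be passed on to the step that edits the key; the `skip` lines are the IDs kept solely in the revoked list.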