msys2 / MSYS2-keyring

Master and packager keys for MSYS2 official Pacman repositories

Consider removing revoked keys from the keyring #48

Open lazka opened 12 months ago

lazka commented 12 months ago

Currently a "revoked" key is included in the keyring and installed on the user's system. It's then just disabled by pacman-key, because the key ID is on the revoked list.

I don't think there is a reason why we shouldn't just remove the certificates, and just keep the ID for disabling.

This would get rid of some outdated keys from the keyring, and also the key refresh is faster since those keys don't get refreshed, at least for new users.

I've asked Arch people on IRC, and they think it's OK, they just don't have a policy for removing them from the keyring, which is why they keep them.

lazka commented 11 months ago

Turns out pacman-key doesn't check if a key exists before trying to disable it: https://github.com/msys2/msys2-pacman/blob/490334306c2e906ed97f09bd4a87f2afed200029/scripts/pacman-key.sh.in#L352

We'd need to patch it before we can remove the old keys from the keyring.
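
The existence check discussed in the last comment, as an added example that is not part of the thread and not pacman-key's own code: each revoked ID is disabled only if its certificate is actually in the keyring, so IDs whose certificates were removed are skipped. `GPG_BIN`, the function names and the one-key-ID-per-line revoked file are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not taken from pacman-key. GPG_BIN and both function
# names are hypothetical; the revoked file is assumed to hold one key ID
# per line (anything after the first field is ignored).
GPG_BIN=${GPG_BIN:-gpg}

# key_exists HOMEDIR KEYID: succeeds only if the key is in that keyring.
key_exists() {
    "$GPG_BIN" --homedir "$1" --batch --quiet --list-keys "$2" \
        </dev/null >/dev/null 2>&1
}

# disable_revoked HOMEDIR REVOKED_FILE
# Disables every listed key that is present and skips IDs with no
# certificate in the keyring. Prints "disabled=N skipped=M".
disable_revoked() {
    homedir=$1
    revoked_file=$2
    disabled=0
    skipped=0
    while read -r key_id _; do
        [ -n "$key_id" ] || continue            # ignore blank lines
        if key_exists "$homedir" "$key_id"; then
            # Feed the edit commands on stdin, the scripted way to
            # drive gpg's --edit-key menu.
            printf 'disable\nquit\n' |
                "$GPG_BIN" --homedir "$homedir" --command-fd 0 --quiet \
                    --batch --edit-key "$key_id" >/dev/null 2>&1 || return 1
            disabled=$((disabled + 1))
        else
            # Certificate is not in the keyring: nothing to disable.
            skipped=$((skipped + 1))
        fi
    done < "$revoked_file"
    echo "disabled=$disabled skipped=$skipped"
}
```
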