On Thu, Dec 23, 2021 at 10:14 AM Jeremy Huntwork <[email protected]> wrote:
> The reason I don't see it as being a problem for me is that my intent
> is to release authoritative packages from one source, a CI/CD pipeline
> that is triggered off of the main repository. Validation and trust of
> humans that are allowed to push to that repository and trigger
> official releases can be handled via other mechanisms. Community
> repositories might have slightly different requirements, but my
> expectation is that every repository used could have one official
> public key.
I suppose if I did have a reason for supporting multiple keys, those would all have to be shipped/installed together and then pacman could loop through them until one of them validates the sig. asignify is fast enough, though, because of the methods and algorithms it uses (blake2) that I don't really see that as an issue either.

JH
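The "ship all trusted keys together and try each until one validates" loop from the message above, as an added example that is not part of the thread and not code from pacman or asignify. It assumes a signify-style layout in which the signature carries a short key identifier (keynum) so the matching key can be tried first, and a ring that is installed as one unit. Ed25519 is not in the Python standard library, so the signing primitive here is a stand-in (a keyed BLAKE2b tag, which means the ring holds the same key material as the signer); the part being demonstrated is the ring lookup, the first-match loop and the two failure modes (unknown key, tampered payload), which have the same shape with a real signature.

```python
"""Added example: verify a package signature against a ring of trusted keys.

Not from the mailing-list thread, pacman or asignify. The signature primitive
is a STAND-IN (keyed BLAKE2b); with a real Ed25519 signature the ring would
hold public keys only and check_one() would call the library verifier.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

KEYNUM_LEN = 8   # bytes of key identifier prefixed to each signature
TAG_LEN = 32     # bytes of stand-in signature tag


def keynum(key: bytes) -> bytes:
    """Short identifier derived from the key material (like signify's keynum)."""
    return hashlib.blake2b(key, digest_size=KEYNUM_LEN).digest()


def make_signature(key: bytes, data: bytes) -> bytes:
    """STAND-IN signer: keynum || keyed-BLAKE2b(data). Real tool: Ed25519."""
    tag = hashlib.blake2b(data, key=key, digest_size=TAG_LEN).digest()
    return keynum(key) + tag


def check_one(key: bytes, data: bytes, sig: bytes) -> bool:
    """Check one candidate key against the signature in constant time."""
    expected = hashlib.blake2b(data, key=key, digest_size=TAG_LEN).digest()
    return hmac.compare_digest(expected, sig[KEYNUM_LEN:])


def verify_against_ring(ring: List[bytes], data: bytes, sig: bytes) -> Optional[bytes]:
    """Return the keynum of the first trusted key that verifies sig, else None.

    The key whose keynum matches the one embedded in the signature is tried
    first; the rest of the ring is still tried afterwards, so a wrong or
    missing keynum can never turn a valid signature into a false rejection.
    """
    if len(sig) != KEYNUM_LEN + TAG_LEN:
        return None  # malformed signature: reject before touching any key
    embedded = sig[:KEYNUM_LEN]
    # False sorts before True, so the keynum match goes to the front
    ordered = sorted(ring, key=lambda k: keynum(k) != embedded)
    for key in ordered:
        if check_one(key, data, sig):
            return keynum(key)
    return None  # no trusted key validates: package must not be installed


def demo() -> Dict[str, object]:
    """Constructed scenario: official pipeline key, one community key, one rogue key."""
    official = secrets.token_bytes(32)   # constructed: CI/CD release key
    community = secrets.token_bytes(32)  # constructed: community repo key
    rogue = secrets.token_bytes(32)      # constructed: never installed in the ring
    ring = [official, community]         # shipped/installed together as one unit
    pkg = b"example-1.0-1-x86_64.pkg.tar.zst (constructed payload)"
    return {
        "official": verify_against_ring(ring, pkg, make_signature(official, pkg)) == keynum(official),
        "community": verify_against_ring(ring, pkg, make_signature(community, pkg)) == keynum(community),
        "rogue": verify_against_ring(ring, pkg, make_signature(rogue, pkg)),
        "tampered": verify_against_ring(ring, pkg + b"\x00", make_signature(official, pkg)),
        "malformed": verify_against_ring(ring, pkg, b"short"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The loop returns which key validated rather than a bare boolean, so the installer can log the keynum and later restrict particular repositories to particular keys; the whole ring is still consulted after the keynum hint, because the hint is attacker-controlled data and must only affect ordering, never the accept/reject decision.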
