Arch Linux

Summary and Info:

Allow multiple signatures for a single package to be handled by pacman.

Details:

Currently, a package can be signed multiple times with
> gpg --detach-sign -u uid1 -u uid2 package.pkg.tar.xz
and added to the database via
> repo-add repo.db.tar.gz package.pkg.tar.xz
as usual. However, 'pacman -S package' currently fails if one of the signing keys is not trusted.

I propose the following change to the possible values in pacman.conf for "SigLevel":
"Required:n" is introduced. "n" is some number, determining the number of signatures which are required to be valid - ignoring invalid signatures - to trust the package. Alternatively "n" can be "All", meaning that all present signatures need to be valid and that at least one signature is available.
"Required" gets deprecated and is now synonym for "Required:1" (or "Required:All" - more consistent with the current behaviour, which probably no one relies on, currently.)

This has the following two advantages:
1st long-time-packages:
A package can get a couple of signatures and as long as at least one is valid, it will be considered valid (if "Required" is specified, like the current default is).
2nd reproducible built packages:
If packages built multiple times on different machines, by different users and signed by different keys, are binary identical, they can accumulate signatures, increasing the level of trust. One could think of a "repo for paranoid" which has only packages with multiple signatures, showing that the packages have not been modified by a single person. Then, one could put into its pacman.conf 'SigLevel = Required:3 DatabaseOptional'

Let me know if you like this functionality in principle, and I'll try to figure out how to implement it and provide a patch.

Cheers,
deepthought