Comment # 21 on bug 1184808 from
(In reply to Dirk Weber from comment #20)
> Would it be possible and make sense that the openSUSE package signing key
> signs(=trusts) the SUSE package signing key and then the SUSE key would
> automatically be imported as trusted on openSUSE?

Basically yes, but not as a 'quick' fix now.

We're already working on a 'zypper keys' command to support viewing and
managing the trusted keys. Once we have a better tool to inspect and manipulate
the keys, we can think about automatism. Otherwise unwanted results or
misbehavior are hard to detect and fix.

Whatever automatism we offer, it needs to be configurable, and the sane default
is 'none'. The request/ideas so far contain a 'configurable list of
fingerprints that may be autoimported'. A transitive trust, like you suggested,
also fits in there. But IMO one wants to define which keys are allowed to
auto-import keys by signing them.

