2 files changed, 47 insertions, 11 deletions
diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt
index 225b352f..103a1fdd 100644
--- a/doc/pacman-key.8.txt
+++ b/doc/pacman-key.8.txt
@@ -110,18 +110,27 @@ Options
 
 Providing a Keyring for Import
 ------------------------------
-A distribution or other repository provided may want to provide a set of valid
+A distribution or other repository provided may want to provide a set of
 PGP keys used in the signing of its packages and repository databases that can
-be readily imported into the pacman keyring.  This is achieved by providing a
+be readily imported into the pacman keyring. This is achieved by providing a
 PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the
-directory +{pkgdatadir}/keyrings+. Optionally the file `foo-revoked` can be
-provided containing a list of revoked key IDs for that keyring. These files are
-required to be signed (detached) by a trusted PGP key that the user must
-manually import to the pacman keyring. This prevents a potentially malicious
-repository adding keys to the pacman keyring without the users knowledge.
-
-A key being marked as revoked always takes priority over the key being added to
-the pacman keyring, regardless of the keyring it is provided in.
+directory +{pkgdatadir}/keyrings+.
+
+Optionally, the file `foo-trusted` can be provided containing a list of trusted
+key IDs for that keyring. This file will inform the user which keys a user
+needs to verify and sign to build a local web of trust.
+
+Also optionally, the file `foo-revoked` can be provided containing a list of
+revoked key IDs for that keyring. Revoked is defined as "no longer valid for
+any signing", so should be used with prudence. A key being marked as revoked
+will be disabled in the keyring and no longer treated as valid, so this always
+takes priority over it's trusted state in any other keyring.
+
+All files are required to be signed (detached) by a trusted PGP key that the
+user must manually import to the pacman keyring. This prevents a potentially
+malicious repository adding keys to the pacman keyring without the users
+knowledge.
+
 
 See Also
 --------
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index cb76a403..d0f338f6 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -219,6 +219,11 @@ verify_keyring_input() {
 		keyfile="${KEYRING_IMPORT_DIR}/${keyring}.gpg"
 		validate_with_gpg "${keyfile}" || ret=1
 
+		keyfile="${KEYRING_IMPORT_DIR}/${keyring}-trusted"
+		if [[ -f "${keyfile}" ]]; then
+			validate_with_gpg "${keyfile}" || ret=1
+		fi
+
 		keyfile="${KEYRING_IMPORT_DIR}/${keyring}-revoked"
 		if [[ -f "${keyfile}" ]]; then
 			validate_with_gpg "${keyfile}" || ret=1
@@ -270,9 +275,31 @@ populate_keyring() {
 		"${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg"
 	done
 
-	# Read the revoked key IDs to an array. The conversion from whatever is inside the file
+	# Read the trusted key IDs to an array. The conversion from whatever is inside the file
 	# to key ids is important, because key ids are the only guarantee of identification
 	# for the keys.
+	local -A trusted_ids
+	for keyring in "${KEYRINGIDS[@]}"; do
+		if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then
+			while read key; do
+				key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" 2>/dev/null | grep ^pub | cut -d: -f5)"
+				if [[ -n ${key_id} ]]; then
+					# Mark this key to be lsigned
+					trusted_ids[$key_id]="${keyring}"
+				fi
+			done < "${KEYRING_IMPORT_DIR}/${keyring}-trusted"
+		fi
+	done
+
+	if (( ${#trusted_ids[@]} > 0 )); then
+		msg "$(gettext "Locally signing trusted keys in keyring...")"
+		for key_id in "${!trusted_ids[@]}"; do
+			msg2 "$(gettext "Locally signing key %s...")" "${key_id}"
+			"${GPG_PACMAN[@]}" --quiet --lsign-key "${key_id}"
+		done
+	fi
+
+	# Read the revoked key IDs to an array.
 	local -A revoked_ids
 	for keyring in "${KEYRINGIDS[@]}"; do
 		if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-revoked" ]]; then