1 files changed, 28 insertions, 1 deletions

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index cb76a403..d0f338f6 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -219,6 +219,11 @@ verify_keyring_input() {
 		keyfile="${KEYRING_IMPORT_DIR}/${keyring}.gpg"
 		validate_with_gpg "${keyfile}" || ret=1
 
+		keyfile="${KEYRING_IMPORT_DIR}/${keyring}-trusted"
+		if [[ -f "${keyfile}" ]]; then
+			validate_with_gpg "${keyfile}" || ret=1
+		fi
+
 		keyfile="${KEYRING_IMPORT_DIR}/${keyring}-revoked"
 		if [[ -f "${keyfile}" ]]; then
 			validate_with_gpg "${keyfile}" || ret=1
@@ -270,9 +275,31 @@ populate_keyring() {
 		"${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg"
 	done
 
-	# Read the revoked key IDs to an array. The conversion from whatever is inside the file
+	# Read the trusted key IDs to an array. The conversion from whatever is inside the file
 	# to key ids is important, because key ids are the only guarantee of identification
 	# for the keys.
+	local -A trusted_ids
+	for keyring in "${KEYRINGIDS[@]}"; do
+		if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then
+			while read key; do
+				key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" 2>/dev/null | grep ^pub | cut -d: -f5)"
+				if [[ -n ${key_id} ]]; then
+					# Mark this key to be lsigned
+					trusted_ids[$key_id]="${keyring}"
+				fi
+			done < "${KEYRING_IMPORT_DIR}/${keyring}-trusted"
+		fi
+	done
+
+	if (( ${#trusted_ids[@]} > 0 )); then
+		msg "$(gettext "Locally signing trusted keys in keyring...")"
+		for key_id in "${!trusted_ids[@]}"; do
+			msg2 "$(gettext "Locally signing key %s...")" "${key_id}"
+			"${GPG_PACMAN[@]}" --quiet --lsign-key "${key_id}"
+		done
+	fi
+
+	# Read the revoked key IDs to an array.
 	local -A revoked_ids
 	for keyring in "${KEYRINGIDS[@]}"; do
 		if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-revoked" ]]; then