From 2a792ac7bb1ceda42767c696e2664819b47ffc3b Mon Sep 17 00:00:00 2001
From: Eli Schwartz
Date: Sun, 6 Oct 2019 23:11:20 -0400
Subject: pacman-key: clean keys on import to remove unknown signatures

There is no good reason to bloat the keyring by importing tons of signatures we cannot use; drop any signatures that don't validate against another available key (probably the master keys). If any desired signatures get cleaned, the key can be refreshed after importing the new signing public key.

Signed-off-by: Eli Schwartz
Signed-off-by: Allan McRae
---
 scripts/pacman-key.sh.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 93600bc0..117acc40 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -209,6 +209,7 @@ initialize() {
 add_gpg_conf_option "$conffile" 'no-permission-warning'
 add_gpg_conf_option "$conffile" 'lock-never'
 add_gpg_conf_option "$conffile" 'keyserver-options' 'timeout=10'
+ add_gpg_conf_option "$conffile" 'keyserver-options' 'import-clean'
 
 local gpg_ver=$(gpg --version | awk '{print $3; exit}')
 if (( $(vercmp "$gpg_ver" 2.2.17) >= 0 )); then
-- 
cgit v1.2.3-24-g4f1b
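Review bot: The added `'keyserver-options' 'import-clean'` line carries no comment, and its scope is narrower than the subject's "clean keys on import" suggests: GnuPG applies import options listed under `keyserver-options` to keys retrieved from a keyserver, while file imports through `gpg --import` follow `import-options`. If keyserver-only cleaning is the intent, I would state that above the line, e.g. `# keyserver fetches only: drop signatures that do not validate against a key already in the keyring`. Because the cleaning depends on which signer keys are present at fetch time, a key received before its certifying key loses that certification until it is refreshed; the commit message says this, but the code does not, and it matters to anyone debugging an unexpectedly untrusted packager key. The body of initialize() starts and ends outside this hunk, so whether the gpg.conf of an already-initialised keyring picks up the new option is not visible here.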