Systemd service/timer that automatically updates existing keys from WKD
For situations in which new signatures have been released, we may want a service on user systems that updates existing keys via WKD, so that the set of keys is already current before archlinux-keyring itself is updated.
Rationale:
Keys are updated in WKD after a release of archlinux-keyring (currently this is still done in the https://gitlab.archlinux.org/archlinux/wkd repo).
User systems may upgrade any time after that, and pacman will pull new keys from WKD automatically; however, it will not pull updates for keys that already exist in the keyring.
A key that still had marginal trust in release A (and therefore has existed on the user system since release A) but gained full trust in release B will not be updated before the user does a system upgrade. This leads to the requirement of installing archlinux-keyring before doing a system upgrade, as otherwise the key will still have marginal trust on the user system and the signatures of other updated packages made with the key in question will fail to validate.
To remedy this situation, I think it would be helpful to have a service update existing keys from WKD twice daily on a timer.
I am not 100% sure whether this has side effects with regard to revocations, but as we only ever update WKD after issuing a release and not when updating the default branch, this should be fine(?).
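A sketch of what such a timer-driven sync could look like, as an added example and not archlinux-keyring's own implementation: it lists the archlinux.org user IDs already present in pacman's keyring and re-fetches each of them through WKD only, which merges new certifications into the existing keys. The script name, the selftest mode and the key listing used by it are constructed for this example.

```shell
#!/bin/sh
# Hypothetical archlinux-keyring-wkd-sync script (added example, not the
# project's own implementation). Intended to run as root from a systemd timer.
set -eu
PACMAN_GNUPGHOME="${PACMAN_GNUPGHOME:-/etc/pacman.d/gnupg}"

# Parse a `gpg --with-colons --list-keys` listing (stdin) and print, once each,
# the archlinux.org addresses of user IDs that are neither revoked (r) nor
# expired (e): only those are served by the Arch WKD, so only they are refreshed.
wkd_addresses() {
    awk -F: '$1 == "uid" && $2 != "r" && $2 != "e" {
        if (match($10, /<[^>]+@archlinux\.org>/)) {
            addr = substr($10, RSTART + 1, RLENGTH - 2)
            if (!(addr in seen)) { seen[addr] = 1; print addr }
        }
    }'
}

# Refresh each key from WKD. --locate-external-keys always queries the locator
# (restricted to wkd here) and merges the fetched certificate, including any
# new third-party certifications, into the existing keyring entry. A failed
# lookup is logged and the run continues with the next address.
refresh_from_wkd() {
    gpg --homedir "$PACMAN_GNUPGHOME" --batch --with-colons --list-keys |
        wkd_addresses |
        while read -r addr; do
            gpg --homedir "$PACMAN_GNUPGHOME" --batch \
                --auto-key-locate clear,nodefault,wkd \
                --locate-external-keys "$addr" ||
                echo "wkd-sync: lookup failed for $addr" >&2
        done
}

# Constructed --with-colons listing used only by `selftest` (not real keys).
sample_listing() {
    cat <<'EOF'
pub:f:4096:1:ABCDEF0123456789:1600000000:::f:::scESC::::::23::0:
uid:f::::1600000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@archlinux.org>::::::::::0:
uid:r::::1600000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Alice Old <alice-old@archlinux.org>::::::::::0:
uid:f::::1600000000::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Alice Example <alice@archlinux.org>::::::::::0:
pub:m:2048:1:0123456789ABCDEF:1600000000:::m:::scESC::::::23::0:
uid:m::::1600000000::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB::Bob Example <bob@example.com>::::::::::0:
uid:m::::1600000000::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC::Bob Example <bob@archlinux.org>::::::::::0:
EOF
}
case "${1:-}" in
    run)      refresh_from_wkd ;;
    selftest) sample_listing | wkd_addresses ;;
esac
```

Pair it with a oneshot service unit whose ExecStart runs the script with `run`, triggered by a timer unit with `OnCalendar=*-*-* 00,12:00:00` and `Persistent=true` for the twice-daily schedule proposed above.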