-rwxr-xr-x | local/update-02-gpg | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/local/update-02-gpg b/local/update-02-gpg
index e61c7aa..79fbff4 100755
--- a/local/update-02-gpg
+++ b/local/update-02-gpg
@@ -60,10 +60,25 @@ case ${VERIFY_SIGS} in
 # create a dedicated GNUPGHOME
 TMPHOME=$(mktemp -d)
 trap 'rm -rf "${TMPHOME}"' EXIT
-# transfer the keys
+# transfer the keys:
+# - ONLY for the developer in question
+# - and chain to L1
+CHAIN=(
+ABD00913019D6354BA1D9A132839FE0D796198B1 # openpgp-auth+l1@gentoo.org
+2C13823B8237310FA213034930D132FF0FF50EEB # openpgp-auth+l2-dev@gentoo.org
+18F703D702B1B9591373148C55D3238EC050396E # openpgp-auth+l2-srv@gentoo.org
+)
 gpg -q --export "${GOOD_KEYS[@]}" | GNUPGHOME=${TMPHOME} gpg -q --import
 # use new GNUGPHOME to restrict to dev's keys
 export GNUPGHOME=${TMPHOME}
+cat >>$GNUPGHOME/gpg.conf <<-EOF
+# Workaround for chain trust issue
+trust-model always
+EOF
+for _k in "${CHAIN[@]}" ; do
+echo "trusted-key $_k" >> $GNUPGHOME/gpg.conf
+done
+#GNUPGHOME=${TMPHOME} gpg --check-trustdb
 ;;
 no) ;;
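Review bot: `trust-model always`, written to gpg.conf right after `export GNUPGHOME=${TMPHOME}`, tells gpg to skip key validation altogether, so the `trusted-key` lines generated from CHAIN in the loop below it no longer affect whether a signature is accepted; the only restriction left is which keys were imported, and in this hunk that is `"${GOOD_KEYS[@]}"` alone, with the three CHAIN fingerprints never exported into TMPHOME (unless GOOD_KEYS already includes them, which cannot be seen here). If the comment's intent of "chain to L1" is to be enforced, the chain keys need to be in the temporary keyring and the default trust model kept, e.g. `gpg -q --export "${GOOD_KEYS[@]}" "${CHAIN[@]}" | GNUPGHOME=${TMPHOME} gpg -q --import` with the `trust-model always` heredoc dropped; the commented-out `--check-trustdb` line suggests that path was tried and should at least get a comment saying why it was abandoned. Separately, both gpg.conf redirections should quote the path, `>>"${GNUPGHOME}/gpg.conf"`, to match the quoting used for TMPHOME in the trap above. The enclosing `case ${VERIFY_SIGS} in` starts before this hunk.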