pkgsrc-Bugs archive


pkg/49441: GPG key that signs the pkg-vulnerabilities file is extremely hard to find



>Number:         49441
>Category:       pkg
>Synopsis:       GPG key that signs the pkg-vulnerabilities file is extremely hard to find
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          doc-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Dec 01 17:15:00 +0000 2014
>Originator:     Kyle Amon
>Release:        6.1.5
>Organization:
BackWatcher, Inc.
>Environment:
NetBSD netbsd.gnutec.com 6.1.5 NetBSD 6.1.5 (GENERIC) amd64
>Description:
It is extremely difficult to find and import the gpg key that signs the pkg-vulnerabilities file (http://ftp.netbsd.org/pub/NetBSD/packages/vulns/pkg-vulnerabilities).  It should be easy to find, but it's not. Neither the keyid, its location, nor how to otherwise import it is listed in an appropriate man page, or in any appropriate place on the NetBSD website.  I searched all over google with appropriate keywords (i.e. pkgsrc security team gpg key), and came up empty after an unreasonably long effort.  Without this key, the -s options to pkg_admin's 'fetch-pkg-vulnerabilities' and 'check-pkg-vulnerabilities' commands can't work.
>How-To-Repeat:
Look in the pkg_install related man pages and in the pkgsrc related documentation on the NetBSD website.  Nothing.
>Fix:
I finally resorted to this extreme measure to find and import the key...

gpg2 --search-keys $( zcat /var/db/pkg/pkg-vulnerabilities | gpg2 -vv --verify 2>&1 | grep keyid | awk '{print "0x"$6}' )

I suggest listing this keyid (0F03B7A97DBE3F8C) in an appropriate man page, adding it to the '4.1.5. Checking for security vulnerabilities in installed packages' section of 'The pkgsrc guide', and/or adding the key itself as a file in the http://ftp.netbsd.org/pub/NetBSD/packages/vulns/ directory.
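
Added example, not part of this PR and not pkg_install's own code: a small Python checker that applies a pinned-fingerprint rule to gpg's --status-fd output, so a pkg-vulnerabilities file is accepted only when signed by the key you expect, and the "key not in keyring" situation described above is reported together with the key id that has to be imported. The fingerprint, signer names and status lines below are constructed placeholders; the only value taken from the report is the key id 0F03B7A97DBE3F8C.

```python
import re
import subprocess

# PLACEHOLDER fingerprint: the first 24 hex digits are made up. Only the last
# 16 (the long key id 0F03B7A97DBE3F8C quoted in the PR) come from the report;
# for a v4 key the long id is the tail of the fingerprint. Obtain the real
# fingerprint out of band (man page, pkgsrc guide, vulns directory) and pin it.
PINNED_FPR = "0123456789ABCDEF01234567" + "0F03B7A97DBE3F8C"

STATUS = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

def verify_status(status_lines, pinned_fpr=PINNED_FPR):
    """Decide from `gpg --status-fd` lines whether a file is acceptably signed:
    only GOODSIG + VALIDSIG from the pinned fingerprint pass. A missing key
    (the case in the PR) is reported with the key id that must be imported."""
    good = fpr = missing = failure = None
    for line in status_lines:
        m = STATUS.match(line.strip())
        if not m:
            continue
        kw, args = m.group(1), (m.group(2) or "").split()
        if kw == "NO_PUBKEY":
            missing = args[0]
        elif kw == "GOODSIG":
            good = args[0]
        elif kw == "VALIDSIG":
            fpr = args[0].upper()
        elif kw in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            failure = failure or kw  # first hard failure wins
    if missing:
        return False, f"public key {missing} not in keyring; import it first"
    if failure:
        return False, f"gpg reported {failure}"
    if not good or not fpr:
        return False, "no valid signature found"
    if fpr != pinned_fpr.upper():
        return False, f"signed by unpinned key {fpr[-16:]}"
    return True, f"good signature from pinned key {fpr[-16:]}"

def verify_file(path, pinned_fpr=PINNED_FPR, gpg="gpg"):
    """Verify the clearsigned file with gpg (pass gpg="gpg2" where GnuPG 2 is
    installed under that name, as on the reporter's system) and apply the pin."""
    proc = subprocess.run([gpg, "--batch", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return verify_status(proc.stdout.splitlines(), pinned_fpr)

# Constructed status output for the cases a pkg-vulnerabilities check hits.
MISSING_KEY = ["[GNUPG:] ERRSIG 0F03B7A97DBE3F8C 1 10 00 1417454100 9",
               "[GNUPG:] NO_PUBKEY 0F03B7A97DBE3F8C"]
GOOD_PINNED = ["[GNUPG:] GOODSIG 0F03B7A97DBE3F8C Example Signer <x@example.invalid>",
               f"[GNUPG:] VALIDSIG {PINNED_FPR} 2014-12-01 1417454100 0 4 0 1 10 00 {PINNED_FPR}",
               "[GNUPG:] TRUST_UNDEFINED 0 pgp"]
OTHER_KEY = ["[GNUPG:] GOODSIG 76543210FEDCBA98 Other Signer <y@example.invalid>",
             "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2014-12-01 1417454100 0 4 0 1 10 00"]
```

Pinning the fingerprint rather than accepting whatever key id the signature names is the point: a key fetched by --search-keys from the id found in the signature proves only that the signer owns some key with that id, not that it is the pkgsrc security team's.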
