# archlinux-keyring

The archlinux-keyring project holds PGP packet material and tooling
(`keyringctl`) to create the distribution keyring for Arch Linux.
The keyring is used by pacman to establish the web of trust for the packagers
of the distribution.

The PGP packets describing the main signing keys can be found below the
[keyring/main](keyring/main) directory, while those of the packagers are located below the
[keyring/packager](keyring/packager) directory.

## Requirements

The following packages need to be installed to be able to create a PGP keyring
from the provided data structure and to install it:

Build:

* make
* findutils

Runtime:

* python
* sequoia-sq

Optional:

* hopenpgp-tools (verify)
* sq-keyring-linter (verify)
* git (ci)

## Usage

### Build

Build all PGP artifacts (keyring, ownertrust, revoked files) to the build directory
```bash
./keyringctl build
```

### Import

Import a new packager key by deriving the username from the filename.
```bash
./keyringctl import <username>.asc
```

Alternatively import a file or directory and override the username
```bash
./keyringctl import --name <username> <file_or_directory...>
```

Updates to existing keys will automatically derive the username from the known fingerprint.
```bash
./keyringctl import <file_or_directory...>
```

Main key imports support the same options plus a mandatory `--main`
```bash
./keyringctl import --main <username>.asc
```

### Export

Export the whole keyring including main and packager to stdout
```bash
./keyringctl export
```

Limit to specific certs using an output file
```bash
./keyringctl export <username_or_fingerprint_or_directory...> --output <filename>
```

### List

List all certificates in the keyring
```bash
./keyringctl list
```

Only show a specific main key
```bash
./keyringctl list --main <username_or_fingerprint...>
```

### Inspect

Inspect all certificates in the keyring
```bash
./keyringctl inspect
```

Only inspect a specific main key
```bash
./keyringctl inspect --main <username_or_fingerprint_or_directory...>
```

### Verify

Verify certificates against modern expectations and assumptions
```bash
./keyringctl verify <username_or_fingerprint_or_directory...>
```

## Installation

To install archlinux-keyring system-wide use the included `Makefile`:

```bash
make install
```

## Contribute

Read our [contributing guide](CONTRIBUTING.md) to learn more about guidelines and
how to provide fixes or improvements for the code base.

## Releases

[Releases of
archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/tags)
are exclusively created by [keyring maintainers](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/project_members?with_inherited_permissions=exclude).

The tags are signed with one of the following legitimate keys:

```
Christian Hesse <eworm@archlinux.org>
02FD 1C7A 934E 6145 4584  9F19 A623 4074 498E 9CEE

David Runge <dvzrv@archlinux.org>
C7E7 8494 66FE 2358 3435  8837 7258 734B 41C3 1549

Pierre Schmitz <pierre@archlinux.org>
4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC

Florian Pritz <bluewind@archlinux.org>
CFA6 AF15 E5C7 4149 FC1D  8C08 6D16 55C1 4CE1 C13E

Giancarlo Razzolini <grazzolini@archlinux.org>
ECCA C84C 1BA0 8A6C C8E6  3FBB F22F B1D7 8A77 AEAB

Levente Polyak <anthraxx@archlinux.org>
E240 B57E 2C46 30BA 768E  2F26 FC1B 547C 8D81 72C8

Morten Linderud <foxboron@archlinux.org>
C100 3466 7663 4E80 C940  FB9E 9C02 FF41 9FEC BE16
```

To verify a tag, first import the relevant PGP keys:

```bash
gpg --auto-key-locate wkd --search-keys <email-from-above>
```

Afterwards a tag can be verified from a clone of this repository. Please note
that one **must** check the key used for the signature against the legitimate
keys listed above:

```bash
git verify-tag <tag>
```
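
The fingerprint check required above can be scripted so that a valid signature from an unlisted key is rejected. This is an added example, not part of the archlinux-keyring project: the function names (`signer_fpr`, `is_legit_key`, `check_status`, `verify_tag`) are hypothetical, and it assumes the fingerprints listed above are primary-key fingerprints.

```bash
# Added example (not project code): accept a tag only when its signature is
# valid AND was made by one of the keys listed in this README.

# Fingerprints copied from the list above; spaces are stripped before comparing.
LEGIT_KEYS='
02FD 1C7A 934E 6145 4584  9F19 A623 4074 498E 9CEE
C7E7 8494 66FE 2358 3435  8837 7258 734B 41C3 1549
4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC
CFA6 AF15 E5C7 4149 FC1D  8C08 6D16 55C1 4CE1 C13E
ECCA C84C 1BA0 8A6C C8E6  3FBB F22F B1D7 8A77 AEAB
E240 B57E 2C46 30BA 768E  2F26 FC1B 547C 8D81 72C8
C100 3466 7663 4E80 C940  FB9E 9C02 FF41 9FEC BE16
'

# Read GnuPG status lines on stdin and print the signer's primary-key
# fingerprint. VALIDSIG has the signing (sub)key fingerprint in field 3 and,
# on current GnuPG, the primary-key fingerprint as field 12.
signer_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
        if (NF >= 12) print $12; else print $3
        exit
    }'
}

# Return 0 if the fingerprint in $1 (spaces and case ignored) is listed.
is_legit_key() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 1
    printf '%s\n' "$LEGIT_KEYS" | tr -d ' ' | grep -qxF "$want"
}

# Return 0 only if the status output on stdin holds a VALIDSIG from a listed key.
check_status() {
    fpr=$(signer_fpr)
    [ -n "$fpr" ] && is_legit_key "$fpr"
}

# verify_tag <tag>: run inside a clone. `git verify-tag --raw` writes the
# GnuPG status output to stderr, so it is captured with 2>&1.
verify_tag() {
    status=$(git verify-tag --raw "$1" 2>&1) || return 1
    printf '%s\n' "$status" | check_status
}
```

After sourcing the file, `verify_tag <tag>` returns 0 only for a tag signed by one of the listed keys.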

## License

Archlinux-keyring is licensed under the terms of the **GPL-3.0-or-later** (see
[LICENSE](LICENSE)).