.editorconfig

@@ -3,6 +3,14 @@ root = true
 [*]
 end_of_line = lf
 charset = utf-8
+indent_style = space
+indent_size = 4
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[Makefile]
+end_of_line = lf
+charset = utf-8
 indent_style = tab
 indent_size = 4
 insert_final_newline = true

.gitlab-ci.yml

@@ -3,11 +3,13 @@ image: archlinux:latest
 
 stages:
   - test
+  - wkd
 
 lint:
   stage: test
   needs: []
   before_script:
+    - pacman-key --init
     - pacman -Syu --needed --noconfirm make flake8 mypy python-black python-isort
   script:
     - make lint
@@ -23,9 +25,14 @@ test:
   stage: test
   needs: []
   before_script:
-    - pacman -Syu --needed --noconfirm make python sequoia-sq python-coverage python-pytest python-tomli
+    - pacman-key --init
+    - pacman -Syu --needed --noconfirm make python sequoia-sq python-coverage python-pytest python-tomli wkd-exporter
   script:
     - make test
+    - make wkd
+    - make wkd WKD_FQDN=master-key.archlinux.org
+    - make wkd_inspect
+    - make wkd_inspect WKD_FQDN=master-key.archlinux.org
   only:
     changes:
       - keyringctl
@@ -33,29 +40,30 @@ test:
       - tests/*
       - .gitlab-ci.yml
       - Makefile
+  coverage: '/TOTAL.*\s([.\d]+)%/'
   artifacts:
     when: always
     reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: build/coverage.xml
       junit: build/junit-report.xml
-      cobertura: build/coverage.xml
 
 build_install:
   stage: test
   needs: []
   before_script:
-    - pacman -Syu --needed --noconfirm make python sequoia-sq
+    - pacman-key --init
+    - pacman -Syu --needed --noconfirm make pkgconf python sequoia-sq systemd
   script:
     - make
     - make install PREFIX=/usr
-    - pacman-key --init
-    - pacman-key --populate archlinux
-    - pacman-key --updatedb
-    - pacman -Syu
 
 keyring_check:
   stage: test
   needs: []
   before_script:
+    - pacman-key --init
     - pacman -Syu --needed --noconfirm make python sequoia-sq git
   script:
     - ./keyringctl check
@@ -68,3 +76,23 @@ keyring_check:
       - tests/*
       - .gitlab-ci.yml
       - Makefile
+
+pages:
+  stage: wkd
+  needs: []
+  tags:
+    - secure
+  before_script:
+    - pacman-key --init
+    - pacman -Syu --needed --noconfirm make python sequoia-sq wkd-exporter
+  script:
+    - make wkd
+    - make wkd WKD_FQDN=master-key.archlinux.org
+    - make wkd_inspect
+    - make wkd_inspect WKD_FQDN=master-key.archlinux.org
+    - cp -r build/wkd/ public
+  artifacts:
+    paths:
+      - public
+  rules:
+    - if: $CI_PROJECT_PATH == "archlinux/archlinux-keyring" && $CI_COMMIT_TAG

.gitlab/CODEOWNERS

+* @archlinux/teams/main-key-holders

.gitlab/issue_templates/New Main Key.md

 <!--
-This template is used when a new main PGP public key needs to be added to the
-distribution's keyring.
+This template is used when a new main PGP public key needs to be added to the distribution's keyring.
 It is used by users with a valid packager key.
 
-NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes
-in the "Checks" section labeled as "Owner of new key" need to be checked by the
-owner of the new key.
+NOTE: All comment sections with a MODIFY note need to be edited.
+      All checkboxes in the "Checks" section labeled as "Owner of new key" need to be checked by the owner of the new key.
 -->
-/assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
+
+/assign @archlinux/teams/main-key-holders
 /label ~"new main key"
 /title New main key of <!-- MODIFY: Add new main key holder's username -->
-<!--
-Please do not remove the above quick actions, which automatically label the
-issue and assign relevant users.
--->
+
+<!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
 
 # Add a new main key
 
@@ -24,44 +21,37 @@ issue and assign relevant users.
 - Revocation Certificate Holder: <!-- MODIFY: Add the @-prefixed username of the revocation certificate holder -->
 
 <!--
-MODIFY: Attach the above information of the details section as a clearsigned
-document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket
-using a valid packager key of the user:
+MODIFY: Attach the above information of the details section as a clearsigned document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket using a valid packager key of the user:
 
 * Select the above text, copy/paste it into a file (e.g. `details.txt`).
-* Make sure to sign with the root certificate of the packager key (not any of
-  the subkeys!):
-  `gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
+* Make sure to sign with the root certificate of the packager key (not any of the subkeys!): `gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
 * Upload `details.txt` as attachment to this ticket.
 -->
 
 ## Checks
 
-**NOTE**: The below check boxes **must be** checked before the accompanying
-merge request to add the new main key can be merged.
+**NOTE**: The below check boxes **must be** checked before the accompanying merge request to add the new main key can be merged.
 
 ### Owner of new key
 
-- [ ] The [workflow for adding a new main
-  key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-main-key)
-  has been followed
-- [ ] The key pair has been validated according to the [best
-  practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
-- [ ] The data in the [Details](#details) section is attached to this issue as
-  a clearsigned document
-- [ ] The revocation certificate has been sent in an encrypted message to the
-  revocation certificate holder
-- [ ] The public key has been uploaded to the pgp.mit.edu and keyserver.ubuntu.com
+- [ ] The [workflow for adding a new main key] has been followed
+- [ ] The key pair has been validated according to the [best practices]
+- [ ] The data in the [Details] section is attached to this issue as a clearsigned document
+- [ ] The revocation certificate has been sent in an encrypted message to the revocation certificate holder
+- [ ] The public key has been uploaded to the `keyserver.ubuntu.com` and `keys.openpgp.org` keyservers, and the `archlinux.org` UID has been verified on the `keys.openpgp.org` keyserver.
+      Optionally the key can also be uploaded to the `pgp.mit.edu` keyserver, but this is no longer mandatory as it's frequently flaky.
 - [ ] A merge request to add the new public key has been created
 
 ### Revocation Certificate Holder
 
-- [ ] The revocation certificate has been [verified
-  as working](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/verify-a-revocation-certificate)
-  and confirmed in a comment to this issue
+- [ ] The revocation certificate has been [verified as working] and confirmed in a comment to this issue
 - [ ] The revocation certificate has been backed up on a dedicated encrypted backup storage medium
 
 ### Main key holders
 
-- [ ] The data in the [Details](#details) section is correct and signed with a
-  valid and trusted packager key, which is already part of `archlinux-keyring`
+- [ ] The data in the [Details](#details) section is correct and signed with a valid and trusted packager key, which is already part of `archlinux-keyring`
+
+[workflow for adding a new main key]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-main-key
+[best practices]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair
+[Details]: #details
+[verified as working]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/verify-a-revocation-certificate

.gitlab/issue_templates/New Packager Key.md

 <!--
-This template is used when a new packager PGP public key needs to be added to
-the distribution's keyring.
-It is either used by the sponsor of a new packager or by an existing packager
-when adding a new key for themself.
+This template is used when a new packager PGP public key needs to be added to the distribution's keyring.
+It is either used by the sponsor of a new packager or by an existing packager when adding a new key for themself.
 
-NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes
-in the "Checks" section labeled as "Owner of new key" need to be checked by the
-owner of the new key or by a sponsor of a new packager.
+NOTE: All comment sections with a MODIFY note need to be edited.
+      All checkboxes in the "Checks" section labeled as "Owner of new key" need to be checked by the owner of the new key or by a sponsor of a new packager.
 -->
-/assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
+
+/assign @archlinux/teams/main-key-holders
 /label ~"new packager key"
 /title New packager key of <!-- MODIFY: Add new packager key holder's username -->
-<!--
-Please do not remove the above quick actions, which automatically label the
-issue and assign relevant users.
--->
+
+<!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
 
 # Add a new packager key
 
@@ -25,23 +21,15 @@ issue and assign relevant users.
 - Sponsors: <!-- MODIFY: Add the @-prefixed usernames of the sponsors -->
 - Application: <!-- MODIFY: Add link to application, if this is the key of a new packager, else remove -->
 - Results: <!-- MODIFY: Add link to results of application, if this is the key of a new packager, else remove -->
-- Previous Key: <!--
-  MODIFY: Add the output of `gpg --keyid-format long --list-key <MY PREVIOUS ID> | sed -n '2p' | tr -d ' '` here
-  if another packager key exists already, else remove
-  -->
+- Previous Key: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MY PREVIOUS ID> | sed -n '2p' | tr -d ' '` here if another packager key exists already, else remove -->
 
 <!--
-MODIFY: Attach the above information of the details section as a clearsigned
-document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket.
-If a previous (valid and trusted) packager key of the user exists, it needs to
-be used for clearsigning the document.
-If the key of a new packager is added, one of their sponsors needs to clearsign
-the details section.
+MODIFY: Attach the above information of the details section as a clearsigned document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket.
+If a previous (valid and trusted) packager key of the user exists, it needs to be used for clearsigning the document.
+If the key of a new packager is added, one of their sponsors needs to clearsign the details section.
 
 * Select the above text, copy/paste it into a file (e.g. `details.txt`).
-* Make sure to sign with the root certificate of the packager key (not any of
-  the subkeys!):
-  `gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
+* Make sure to sign with the root certificate of the packager key (not any of the subkeys!): `gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
 * Upload `details.txt` as attachment to this ticket.
 -->
 
@@ -49,27 +37,26 @@ the details section.
 
 ### Owner of new key
 
-- [ ] The [workflow for adding a new packager
-  key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-packager-key)
-  has been followed
-- [ ] The key pair contains one user ID with a valid `<username>@archlinux.org` email address
-  used for signing
-- [ ] The key pair has been validated according to the [best
-  practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
-- [ ] The data in the [Details](#details) section is attached to this issue as
-  a clearsigned document
-- [ ] The public key has been uploaded to the pgp.mit.edu and keyserver.ubuntu.com
+- [ ] The [workflow for adding a new packager key] has been followed
+- [ ] The key pair contains one user ID with a valid `<username>@archlinux.org` email address used for signing
+- [ ] The key pair has been validated according to the [best practices]
+- [ ] The data in the [Details] section is attached to this issue as a clearsigned document
+- [ ] The public key has been uploaded to the `keyserver.ubuntu.com` and `keys.openpgp.org` keyservers, and the `archlinux.org` UID has been verified on the `keys.openpgp.org` keyserver.
+      Optionally the key can also be uploaded to the `pgp.mit.edu` keyserver, but this is no longer mandatory as it's frequently flaky.
 - [ ] A merge request to add the new public key has been created
 
 ### Main key holders
 
 - [ ] The public key has been signed by all main key holders
   - [ ] @anthraxx
-  - [ ] @bluewind
+  - [ ] @artafinde
+  - [ ] @demize
   - [ ] @dvzrv
-  - [ ] @grazzolini
-  - [ ] @pierre
 
 ### Developers of the archlinux-keyring project
-- [ ] The data in the [Details](#details) section is correct and signed with a
-  valid and trusted packager key, which is already part of `archlinux-keyring`
+- [ ] The data in the [Details] section is correct and signed with a valid and trusted packager key, which is already part of `archlinux-keyring`
+
+[workflow for adding a new main key]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-main-key
+[best practices]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair
+[Details]: #details
+[verified as working]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/verify-a-revocation-certificate

.gitlab/issue_templates/Remove Main Key.md

 <!--
-This template is used when an existing main PGP public key needs to be removed
-from the distribution's keyring.
-It is used by users with a valid main key or the holder of the revocation
-certificate of the main key that is about to be removed.
-
-NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes
-in the "Check" section labeled as "Main key holders" need to be checked for the
-accompanying merge request to be merged.
+This template is used when an existing main PGP public key needs to be removed from the distribution's keyring.
+It is used by users with a valid main key or the holder of the revocation certificate of the main key that is about to be removed.
+
+NOTE: All comment sections with a MODIFY note need to be edited.
+      All checkboxes in the "Check" section labeled as "Main key holders" need to be checked for the accompanying merge request to be merged.
 -->
-/assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
+
+/assign @archlinux/teams/main-key-holders
 /label ~"remove main key"
 /title Remove main key of <!-- MODIFY: Add main key holder's username -->
-<!--
-Please do not remove the above quick actions, which automatically label the
-issue and assign relevant users.
--->
+
+<!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
 
 # Remove a main key
 
@@ -28,10 +24,8 @@ issue and assign relevant users.
 
 ### Main key holders
 
-- [ ] There are more than or equal to three valid main keys remaining after
-  removal of this key.
-- [ ] All packagers have at least three valid main key signatures for their
-  packager key after removal of this key.
-- [ ] A merge request to [remove the main public
-  key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/remove-a-main-key)
-  has been created
+- [ ] There are more than or equal to four valid main keys remaining after removal of this key.
+- [ ] All packagers have at least three valid main key signatures for their packager key after removal of this key.
+- [ ] A merge request to [remove the main public key] has been created
+
+[remove the main public key]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/remove-a-main-key 

.gitlab/issue_templates/Remove Packager Key.md

 <!--
-This template is used when an existing packager PGP public key needs to be
-removed from the distribution's keyring.
+This template is used when an existing packager PGP public key needs to be removed from the distribution's keyring.
 It is used by users with a valid main key or a valid packager key.
 
 NOTE: All comment sections with a MODIFY note need to be edited.
 -->
-/assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
+
+/assign @archlinux/teams/main-key-holders
 /label ~"remove packager key"
 /title Remove packager key of <!-- MODIFY: Add packager key holder's username -->
-<!--
-Please do not remove the above quick actions, which automatically label the
-issue and assign relevant users.
--->
+
+<!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
 
 # Remove a packager key
 
@@ -23,21 +21,17 @@ issue and assign relevant users.
 
 ## Checks
 
-**NOTE**: The below check box **must be** checked before the main key holders
-can start to revoke the key.
+**NOTE**: The below check box **must be** checked before the main key holders can start to revoke the key.
 
-- [ ] There are [no packages left in any of the official
-  repositories](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/Find-packages-signed-by-a-key),
-  that are signed by the key or any of its subkeys, which is about to be
-  removed.
+- [ ] There are [no packages left in any of the official repositories], that are signed by the key or any of its subkeys, which is about to be removed.
 
 ### Main key holders
 
-All main key holders should revoke their signature(s) for the given key in a
-merge request to this repository using `keyringctl`.
+All main key holders should revoke their signature(s) for the given key in a merge request to this repository using `keyringctl`.
 
 - [ ] @anthraxx
-- [ ] @bluewind
+- [ ] @artafinde
+- [ ] @demize
 - [ ] @dvzrv
-- [ ] @grazzolini
-- [ ] @pierre
+
+[no packages left in any of the official repositories]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/Find-packages-signed-by-a-key

.gitlab/merge_request_templates/New Main Key.md

 <!--
-This template is used when a new main PGP public key needs to be added to the
-distribution's keyring.
-It is used by users with a valid packager key after all steps in an
-accompanying issue (opened with the template "New Main Key") have been
-fulfilled.
+This template is used when a new main PGP public key needs to be added to the distribution's keyring.
+It is used by users with a valid packager key after all steps in an accompanying issue (opened with the template "New Main Key") have been fulfilled.
 -->
-/assign_reviewer @allan @anthraxx @bluewind @dvzrv @pierre
+
 /label ~"new main key"
 /title Add main key of <!-- MODIFY: Add the main key holder's username -->
-<!--
-Please do not remove the above quick actions, which automatically label the
-issue and assign relevant users.
--->
+
+<!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
 
 # Add a new main key
 
@@ -30,5 +25,6 @@ Closes <!-- MODIFY: Add #-prefixed issue number, that will be closed by merging
 
 ### Main key holders
 
-- [ ] The public key has been validated according to the [best
-  practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
+- [ ] The public key has been validated according to the [best practices]
+
+[best practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)

.gitlab/merge_request_templates/New Packager Key.md

 <!--
-This template is used when a new packager PGP public key needs to be added to
-the distribution's keyring.
-It is either used by the sponsor of a new packager or by an existing packager
-when adding a new key for themself after all steps in an accompanying issue
-(opened with the template "New Packager Key") have been fulfilled..
+This template is used when a new packager PGP public key needs to be added to the distribution's keyring.
+It is either used by the sponsor of a new packager or by an existing packager when adding a new key for themself after all steps in an accompanying issue (opened with the template "New Packager Key") have been fulfilled.
 -->
-/assign_reviewer @allan @anthraxx @bluewind @dvzrv @pierre
+
 /label ~"new packager key"
 /title Add packager key of <!-- MODIFY: Add the packager key holder's username -->
-<!--
-Please do not remove the above quick actions, which automatically label the
-issue and assign relevant users.
--->
+
+<!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
 
 # Add a new packager key
 
@@ -28,5 +23,6 @@ Related issue: <!-- MODIFY: Add #-prefixed issue number -->
 
 ### Main key holders
 
-- [ ] The public key has been validated according to the [best
-  practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
+- [ ] The public key has been validated according to the [best practices]
+
+[best practices]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair

.gitlab/merge_request_templates/Remove Main Key.md

 <!--
-This template is used when an existing main PGP public key needs to be removed
-from the distribution's keyring.
-It is used by users with a valid main key after all steps in an accompanying
-issue (opened with the template "Remove Main Key") have been fulfilled.
+This template is used when an existing main PGP public key needs to be removed from the distribution's keyring.
+It is used by users with a valid main key after all steps in an accompanying issue (opened with the template "Remove Main Key") have been fulfilled.
 -->
-/assign_reviewer @allan @anthraxx @bluewind @dvzrv @pierre
 /label ~"remove main key"
 /title Remove main key of <!-- MODIFY: Add the main key holder's username -->
-<!--
-Please do not remove the above quick actions, which automatically label the
-issue and assign relevant users.
--->
+<!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
 
 # Remove a main key
 
@@ -25,7 +19,5 @@ Related issue: <!-- MODIFY: Add #-prefixed issue number -->
 
 ### Keyring maintainer
 
-- [ ] There are more than or equal to three valid main keys remaining after
-  removal of this key.
-- [ ] All packagers have at least three valid main key signatures for their
-  packager key after removal of this key.
+- [ ] There are more than or equal to three valid main keys remaining after removal of this key.
+- [ ] All packagers have at least three valid main key signatures for their packager key after removal of this key.

.gitlab/merge_request_templates/Remove Packager Key.md

 <!--
-This template is used when an existing packager PGP public key needs to be
-removed from the distribution's keyring.
-It is used by users with a valid main key or a valid packager key after all
-steps in an accompanying issue (opened with the template "Remove Packager Key")
-have been fulfilled.
+This template is used when an existing packager PGP public key needs to be removed from the distribution's keyring.
+It is used by users with a valid main key or a valid packager key after all steps in an accompanying issue (opened with the template "Remove Packager Key") have been fulfilled.
 -->
-/assign_reviewer @allan @anthraxx @bluewind @dvzrv @pierre
+
 /label ~"remove packager key"
 /title Remove packager key of <!-- MODIFY: Add the packager's username -->
-<!--
-Please do not remove the above quick actions, which automatically label the
-issue and assign relevant users as reviewers.
--->
+
+<!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users as reviewers. -->
 
 # Remove a packager key
 
@@ -26,5 +21,4 @@ Related issue: <!-- MODIFY: Add #-prefixed issue number -->
 
 ### Keyring maintainer
 
-- [ ] There are no packages left in any of the official repositories, that are
-  signed by the key which is about to be removed.
+- [ ] There are no packages left in any of the official repositories, that are signed by the key which is about to be removed.

CONTRIBUTING.md

@@ -21,9 +21,6 @@ mailing list](https://lists.archlinux.org/listinfo/arch-projects) and in
 [#archlinux-projects](ircs://irc.libera.chat/archlinux-projects) on [Libera
 Chat](https://libera.chat/).
 
-All past and present authors of archlinux-keyring are listed in
-[AUTHORS](AUTHORS.md).
-
 ## Requirements
 
 The following additional packages need to be installed to be able to lint
@@ -61,3 +58,9 @@ To run keyring integrity and consistency checks
 ```bash
 make check
 ```
+
+## Web Key Directory
+
+Only tagged releases are built and exposed via WKD. This helps to ensure, that
+inconsistent state of the keyring is not exposed to the enduser, which may make
+use of it instantaneously.

Makefile

+SHELL = /bin/bash
 PREFIX ?= /usr/local
-KEYRING_TARGET_DIR=$(DESTDIR)$(PREFIX)/share/pacman/keyrings/
-KEYRING_FILES=$(wildcard build/*.gpg) $(wildcard build/*-revoked) $(wildcard build/*-trusted)
+BUILD_DIR ?= build
+KEYRING_TARGET_DIR ?= $(PREFIX)/share/pacman/keyrings/
+RELEASE ?=
+SCRIPT_TARGET_DIR ?= $(PREFIX)/bin
+SYSTEMD_SYSTEM_UNIT_DIR ?= $(shell pkgconf --variable systemd_system_unit_dir systemd)
+WKD_FQDN ?= archlinux.org
+WKD_BUILD_DIR ?= $(BUILD_DIR)/wkd/.well-known/
+KEYRING_FILE=archlinux.gpg
+KEYRING_REVOKED_FILE=archlinux-revoked
+KEYRING_TRUSTED_FILE=archlinux-trusted
+PROJECT=archlinux-keyring
+WKD_SYNC_SCRIPT=archlinux-keyring-wkd-sync
+WKD_SYNC_SERVICE_IN=archlinux-keyring-wkd-sync.service.in
+WKD_SYNC_SERVICE=archlinux-keyring-wkd-sync.service
+WKD_SYNC_TIMER=archlinux-keyring-wkd-sync.timer
+SYSTEMD_TIMER_DIR=$(SYSTEMD_SYSTEM_UNIT_DIR)/timers.target.wants/
 SOURCES := $(shell find keyring) $(shell find libkeyringctl -name '*.py' -or -type d) keyringctl
 
 all: build
@@ -26,14 +41,46 @@ test:
 build: $(SOURCES)
 	./keyringctl -v build
 
+wkd: build
+	wkd-exporter --append --domain $(WKD_FQDN) $(WKD_BUILD_DIR) < $(BUILD_DIR)/$(KEYRING_FILE)
+
+wkd_inspect: wkd
+	for file in $(WKD_BUILD_DIR)/openpgpkey/$(WKD_FQDN)/hu/*; do sq inspect --certifications $$file; done
+
+wkd_sync_service: wkd_sync/$(WKD_SYNC_SERVICE_IN)
+	sed -e 's|SCRIPT_TARGET_DIR|$(SCRIPT_TARGET_DIR)|' wkd_sync/$(WKD_SYNC_SERVICE_IN) > $(BUILD_DIR)/$(WKD_SYNC_SERVICE)
+
 clean:
-	rm -rf build
+	rm -rf $(BUILD_DIR) $(WKD_BUILD_DIR)
+
+release: clean build
+	$(if $(RELEASE),,$(error RELEASE was not specified!))
+	@glab auth status -h gitlab.archlinux.org
+	@git tag -s $(RELEASE) -m "release version $(RELEASE)"
+	@git push origin refs/tags/$(RELEASE)
+	@mkdir -p $(BUILD_DIR)/$(PROJECT)-$(RELEASE)/
+	@cp $(BUILD_DIR)/{$(KEYRING_FILE),$(KEYRING_REVOKED_FILE),$(KEYRING_TRUSTED_FILE)} $(BUILD_DIR)/$(PROJECT)-$(RELEASE)/
+	@tar cvfz $(BUILD_DIR)/$(PROJECT)-$(RELEASE).tar.gz -C $(BUILD_DIR)/ $(PROJECT)-$(RELEASE)/
+	@gpg -o $(BUILD_DIR)/$(PROJECT)-$(RELEASE).tar.gz.sig --default-key "$(shell git config --local --get user.signingkey)" -s $(BUILD_DIR)/$(PROJECT)-$(RELEASE).tar.gz
+	# NOTE: we specify GITLAB_HOST, because otherwise glab YOLO uses whatever is specified by the `host` key in its config and silently breaks all links...
+	GITLAB_HOST=gitlab.archlinux.org glab release create $(RELEASE) ./build/$(PROJECT)-$(RELEASE).tar.gz* --name=$(RELEASE) --notes="release version $(RELEASE)"
 
-install: build
-	install -vDm 755 $(KEYRING_FILES) -t $(KEYRING_TARGET_DIR)
+install: build wkd_sync_service
+	install -vDm 644 build/{$(KEYRING_FILE),$(KEYRING_REVOKED_FILE),$(KEYRING_TRUSTED_FILE)} -t $(DESTDIR)$(KEYRING_TARGET_DIR)
+	install -vDm 755 wkd_sync/$(WKD_SYNC_SCRIPT) -t $(DESTDIR)$(SCRIPT_TARGET_DIR)
+	install -vDm 644 build/$(WKD_SYNC_SERVICE) -t $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)
+	install -vDm 644 wkd_sync/$(WKD_SYNC_TIMER) -t $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)
+	install -vdm 755 $(DESTDIR)$(SYSTEMD_TIMER_DIR)
+	ln -fsv ../$(WKD_SYNC_TIMER) $(DESTDIR)$(SYSTEMD_TIMER_DIR)/$(WKD_SYNC_TIMER)
 
 uninstall:
-	rm -f $(KEYRING_TARGET_DIR)/archlinux{.gpg,-trusted,-revoked}
-	rmdir -p --ignore-fail-on-non-empty $(KEYRING_TARGET_DIR)
+	rm -fv $(DESTDIR)$(KEYRING_TARGET_DIR)/{$(KEYRING_FILE),$(KEYRING_REVOKED_FILE),$(KEYRING_TRUSTED_FILE)}
+	rmdir -pv --ignore-fail-on-non-empty $(DESTDIR)$(KEYRING_TARGET_DIR)
+	rm -v $(DESTDIR)$(SCRIPT_TARGET_DIR)/$(WKD_SYNC_SCRIPT)
+	rmdir -pv --ignore-fail-on-non-empty $(DESTDIR)$(SCRIPT_TARGET_DIR)
+	rm -v $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)/{$(WKD_SYNC_SERVICE),$(WKD_SYNC_TIMER)}
+	rmdir -pv --ignore-fail-on-non-empty $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)
+	rm -v $(DESTDIR)$(SYSTEMD_TIMER_DIR)/$(WKD_SYNC_TIMER)
+	rmdir -pv --ignore-fail-on-non-empty $(DESTDIR)$(SYSTEMD_TIMER_DIR)
 
-.PHONY: all lint fmt check test clean install uninstall
+.PHONY: all build lint fmt check test clean install release uninstall wkd wkd_inspect

README.md

@@ -18,16 +18,17 @@ Build:
 
 * make
 * findutils
+* pkgconf
+* systemd
 
 Runtime:
 
 * python
-* sequoia-sq
+* sequoia-sq >= 0.31.0
 
 Optional:
 
 * hopenpgp-tools (verify)
-* sq-keyring-linter (verify)
 * git (ci)
 
 ## Usage
@@ -121,17 +122,39 @@ how to provide fixes or improvements for the code base.
 
 [Releases of
 archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/tags)
-are created by its current maintainer [Christian
-Hesse](https://gitlab.archlinux.org/eworm). Tags are signed using the PGP key
-with the ID `02FD1C7A934E614545849F19A6234074498E9CEE`.
+are exclusively created by [keyring maintainers](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/project_members?with_inherited_permissions=exclude).
 
-To verify a tag, first import the relevant PGP key:
+The tags are signed with one of the following legitimate keys:
+
+```
+Christian Hesse <eworm@archlinux.org>
+02FD 1C7A 934E 6145 4584  9F19 A623 4074 498E 9CEE
+
+David Runge <dvzrv@archlinux.org>
+991F 6E3F 0765 CF62 9588  8586 139B 09DA 5BF0 D338
+
+Johannes Löthberg <demize@archlinux.org>
+5134 EF9E AF65 F95B 6BB1  608E 50FB 9B27 3A9D 0BB5
+
+Leonidas Spyropoulos <artafinde@archlinux.org>
+B4B7 5962 5D46 3343 0B74  8770 59E4 3E10 6B24 7368
+
+Levente Polyak <anthraxx@archlinux.org>
+E240 B57E 2C46 30BA 768E  2F26 FC1B 547C 8D81 72C8
+
+Morten Linderud <foxboron@archlinux.org>
+C100 3466 7663 4E80 C940  FB9E 9C02 FF41 9FEC BE16
+```
+
+To verify a tag, first import the relevant PGP keys:
 
 ```bash
-gpg --auto-key-locate wkd --search-keys eworm@archlinux.org
+gpg --auto-key-locate wkd --search-keys <email-from-above>
 ```
 
-Afterwards a tag can be verified from a clone of this repository:
+Afterwards a tag can be verified from a clone of this repository. Please note
+that one **must** check the used key of the signature against the legitimate
+keys listed above:
 
 ```bash
 git verify-tag <tag>

keyring/main/allan/AB19265E5D7D20687D303246BA1DFB64FFF979E7/revocation/AB19265E5D7D20687D303246BA1DFB64FFF979E7.asc

+-----BEGIN PGP SIGNATURE-----
+
+wsGTBCABCgA9FiEEqxkmXl19IGh9MDJGuh37ZP/5eecFAmJ6P8kfHQNSZXRpcmVk
+IEFyY2ggTGludXggbWFzdGVyIGtleQAKCRC6Hftk//l5505TD/9WswoM18miX34A
+fQqx3QyiFWfGsInACJ6GN62t8zXJJVSv1TWE8XdNmy5YwSAOL0MXA+uggt0b/H9s
+elO03DoDjk7yI4bxncGobHaUNB4m8ugHbrpE/af5+BKdnhoN7v+z3VL4fxHZ8sHp
+wOoorA3JlJbsivG6k7KFB9NtfI1WKm5uv4Po2UgEF5hfpfCJycvU5ccsxmVe9Qm8
+PCrkXzlMxIJYNsj8nFemA6oeruJFUOXkok055vQiW9Qt2myHmw852DbNX0RSg6lv
+qbktDkq5EQxlOgrysqtrfQdlLX4TBtDIZrX7pY+hfMPRoAKHUGubuUL6Q1qc/4Ek
+mpnku4UtKN9KxY4rMjUCvUAO8ziuUvIWbL5JIIXZkJRezWpBwnkIM1/ctOf/XlJh
+cdXJca64zuNYsj4R8zSBOCrPwOyDCOFDXQzzYwlUII+hYdXOLbbWbdIOjCjKRzf5
+EwI43Hme6k2dmEarNjAX+1Rqn/GG6U/qJizqlOh3tf3Rywt2mZ1aGv/JmvuO4eAf
+AldPloW+y9XdaOeOvBOMfGDjAlP0HikmamBS6ECg/RRCF3VPm0fXupqlRE01fMDA
+8jIIPwTRBLT2n3JQ8coJwKBgNaCv7ANFa8Z3oIE2+NO8M6Jqk4H5HXbSS2tEYtRv
+0jMG8BCx6ig1tjK6MVkPHRuirAslmw==
+=ThEv
+-----END PGP SIGNATURE-----

keyring/main/allan/AB19265E5D7D20687D303246BA1DFB64FFF979E7/uid/Allan_McRae__Arch_Linux_Master_Key___allan@master-key.archlinux.org_55cec68c/certification/AB19265E5D7D20687D303246BA1DFB64FFF979E7.asc

 -----BEGIN PGP SIGNATURE-----
 
-wsGPBBMBAgAiBQJO1V4QAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAhCRC6
-Hftk//l55xYhBKsZJl5dfSBofTAyRrod+2T/+XnnymUP/3mM0MXCq6Nk/QnGEV2Z
-Ou/uu7uIMwRzq2jpNLoqKKJNHOcxk19GItRPKfcoY9BkprhM1DK7hYiD6RayKBmK
-mWwolaayfdjYxyNlNl/4aKuIXP8OJYfh1ltXFox9c630hytnzHiKMLpdRSbm3COT
-uT6sPI6Kkij8cOi2520p+27KsYy9HsWBeNV5X4JTQBbl7q+RcF7UCe0e1POGcOta
-qz7RBt5RXO4hKnY8kqiCya+lXfDE/BExI7CNSKgkZjSRsTEiqnFY97chJrqRaLDZ
-jy9EXL3VVJJuEEk92LttKAfwN3zI69VU26b819tP5/W+7cG4N7sIhRovDxCiNPdn
-Uq3yPwhEfjWfrUrTRbEHKloIHDH3mkfKPF0PX8QUXZQmyHrJ7KerFDxw5ZpK6gkv
-OU9mBGTKB4ijlL6fMuLzTo8SJsI33mdH+eRp1pLvnfEjDZUfSGX2P7R6WV2Sn4dg
-QSV/JCfna6lbYrVazVhuqQFtZzchOJbBzhd9XVJbGH625Qa7iBTX123kv0O7Lvnn
-uWtFKqivoOBx5aROLGVxZy8+VzQh2xbUT9V2eKxR5o8vG0vTTD4uHmC4SVVK6QMG
-+ghAxs3NftNYNxLpUeyHmAxc75afxZrSj58XOQyl3IAuypVuY+aVTnMGwxQWTe5q
-K8s2+Xjq9e3ErSAB/4ZSBi+Q
-=+Lwt
+wsGOBBMBCgA4FiEEqxkmXl19IGh9MDJGuh37ZP/5eecFAl+gsrgCGwMFCwkIBwIG
+FQoJCAsCBBYCAwECHgECF4AACgkQuh37ZP/5eefRSw/8CZsWkHIHGsJVRlKPbw3g
+10ZuIUcqGKV/jqDq/XkiAvqiBQ0Ls0Lw4F5oWMe0ixRYpHrep9RgJAda60jUirCd
+CqwMeRMQLFKvQH32NlB8KAASx/fVZLh2OyRIRLpz0hxFNVXOAMpwuR33IOemNoNl
+e49lD3qsZBrZmVsNWzWqgtxPRAvyJ26tECXymNPxpGp/XLM+okpHXhRAMee2e2s5
+K4+3ptjA/p65FDqmDUKK5w44nTD+9sGkkEwouXNtkbh2VLx4upBpjFb6nk4m4481
+N4XxYB1+JUwy1OeW+qA+y/F3190aIy0HOGknUO0qRPxQEbAmyqFVTSfUwcuc/Bkr
+ZoTfVCH9E4f2mCOUZMk6if4hx87dTMs8REfiBq+YuPudc4X5Zn6RnXpc6x5joEcj
+TN3ytZmQU9GQFQILm9HPBpZZDn8lEoQ5Fgn/apce46E20pLvtZue1P/Zn9ASFHoE
+1stCFgy8I2YNN1Bv0eqXb7QO9j2/bbOFKqTN25DJW2Iz2SyzHL80QLttjA20WOoS
+9BRrWGmCO0wRhdU+fvhtMaVhyCJ9dFbVt61/VCGgGiKX2cYnG9FI5VS010AyQ/iv
+FIhdxXdsntr4zad4fNS8obP6drNmb2l92az/fhB2DOApWigGsvpGxvMii1A4u437
+vcJvlaWGcQgV1BRTEJS4Vdk=
+=pO51
 -----END PGP SIGNATURE-----

keyring/main/artafinde/3572FA2A1B067F22C58AF155F8B821B42A6FDCD7/3572FA2A1B067F22C58AF155F8B821B42A6FDCD7.asc

+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xjMEZSgloxYJKwYBBAHaRw8BAQdAtfrKHiBv1TUCI1OguzSl17lqNyLcqqp46eAm
+44mVuPk=
+=USQG
+-----END PGP PUBLIC KEY BLOCK-----

keyring/main/artafinde/3572FA2A1B067F22C58AF155F8B821B42A6FDCD7/subkey/C745D2C2B0A4AB7637E5ED0744089C792846BB8A/C745D2C2B0A4AB7637E5ED0744089C792846BB8A.asc

+-----BEGIN PGP ARMORED FILE-----
+
+zjgEZSgloxIKKwYBBAGXVQEFAQEHQKIhElgw8NbNxOjxv3gUcymCVZaCxCpw4ptI
+/kUu3ZgkAwEIBw==
+=wPrh
+-----END PGP ARMORED FILE-----

keyring/main/artafinde/3572FA2A1B067F22C58AF155F8B821B42A6FDCD7/subkey/C745D2C2B0A4AB7637E5ED0744089C792846BB8A/certification/3572FA2A1B067F22C58AF155F8B821B42A6FDCD7.asc

+-----BEGIN PGP SIGNATURE-----
+
+wngEGBYIACAWIQQ1cvoqGwZ/IsWK8VX4uCG0Km/c1wUCZSglowIbDAAKCRD4uCG0
+Km/c14PfAQC485mzpvaK3x5Ao1oWTUvBiuSdUeCVEC6TDB40arEtzQEArAYbnAJP
+L/bfDrMFU8eLZVHZel7UA+ig+eWQJCReAQs=
+=RHSS
+-----END PGP SIGNATURE-----

keyring/main/artafinde/3572FA2A1B067F22C58AF155F8B821B42A6FDCD7/uid/Leonidas_Spyropoulos__Arch_Linux_Master_Key___artafinde@master-key.archlinux.org_d3bd61ac/Leonidas_Spyropoulos__Arch_Linux_Master_Key___artafinde@master-key.archlinux.org_d3bd61ac.asc

+-----BEGIN PGP ARMORED FILE-----
+
+zVFMZW9uaWRhcyBTcHlyb3BvdWxvcyAoQXJjaCBMaW51eCBNYXN0ZXIgS2V5KSA8
+YXJ0YWZpbmRlQG1hc3Rlci1rZXkuYXJjaGxpbnV4Lm9yZz4=
+=abF3
+-----END PGP ARMORED FILE-----