Commits on Source (507)
Showing
with 295 additions and 200 deletions
...@@ -3,6 +3,14 @@ root = true ...@@ -3,6 +3,14 @@ root = true
[*] [*]
end_of_line = lf end_of_line = lf
charset = utf-8 charset = utf-8
indent_style = space
indent_size = 4
insert_final_newline = true
trim_trailing_whitespace = true
[Makefile]
end_of_line = lf
charset = utf-8
indent_style = tab indent_style = tab
indent_size = 4 indent_size = 4
insert_final_newline = true insert_final_newline = true
......
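Review bot: The new `[Makefile]` section restates `end_of_line = lf` and `charset = utf-8`, which the preceding `[*]` section already sets; editorconfig sections accumulate for a matching path, so only the value that differs (`indent_style = tab`) needs repeating. Trimming the duplicated keys keeps the two sections from drifting apart if `[*]` is changed later.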
...@@ -3,11 +3,13 @@ image: archlinux:latest ...@@ -3,11 +3,13 @@ image: archlinux:latest
stages: stages:
- test - test
- wkd
lint: lint:
stage: test stage: test
needs: [] needs: []
before_script: before_script:
- pacman-key --init
- pacman -Syu --needed --noconfirm make flake8 mypy python-black python-isort - pacman -Syu --needed --noconfirm make flake8 mypy python-black python-isort
script: script:
- make lint - make lint
...@@ -23,9 +25,14 @@ test: ...@@ -23,9 +25,14 @@ test:
stage: test stage: test
needs: [] needs: []
before_script: before_script:
- pacman -Syu --needed --noconfirm make python sequoia-sq python-coverage python-pytest python-tomli - pacman-key --init
- pacman -Syu --needed --noconfirm make python sequoia-sq python-coverage python-pytest python-tomli wkd-exporter
script: script:
- make test - make test
- make wkd
- make wkd WKD_FQDN=master-key.archlinux.org
- make wkd_inspect
- make wkd_inspect WKD_FQDN=master-key.archlinux.org
only: only:
changes: changes:
- keyringctl - keyringctl
...@@ -33,29 +40,30 @@ test: ...@@ -33,29 +40,30 @@ test:
- tests/* - tests/*
- .gitlab-ci.yml - .gitlab-ci.yml
- Makefile - Makefile
coverage: '/TOTAL.*\s([.\d]+)%/'
artifacts: artifacts:
when: always when: always
reports: reports:
coverage_report:
coverage_format: cobertura
path: build/coverage.xml
junit: build/junit-report.xml junit: build/junit-report.xml
cobertura: build/coverage.xml
build_install: build_install:
stage: test stage: test
needs: [] needs: []
before_script: before_script:
- pacman -Syu --needed --noconfirm make python sequoia-sq - pacman-key --init
- pacman -Syu --needed --noconfirm make pkgconf python sequoia-sq systemd
script: script:
- make - make
- make install PREFIX=/usr - make install PREFIX=/usr
- pacman-key --init
- pacman-key --populate archlinux
- pacman-key --updatedb
- pacman -Syu
keyring_check: keyring_check:
stage: test stage: test
needs: [] needs: []
before_script: before_script:
- pacman-key --init
- pacman -Syu --needed --noconfirm make python sequoia-sq git - pacman -Syu --needed --noconfirm make python sequoia-sq git
script: script:
- ./keyringctl check - ./keyringctl check
...@@ -68,3 +76,23 @@ keyring_check: ...@@ -68,3 +76,23 @@ keyring_check:
- tests/* - tests/*
- .gitlab-ci.yml - .gitlab-ci.yml
- Makefile - Makefile
pages:
stage: wkd
needs: []
tags:
- secure
before_script:
- pacman-key --init
- pacman -Syu --needed --noconfirm make python sequoia-sq wkd-exporter
script:
- make wkd
- make wkd WKD_FQDN=master-key.archlinux.org
- make wkd_inspect
- make wkd_inspect WKD_FQDN=master-key.archlinux.org
- cp -r build/wkd/ public
artifacts:
paths:
- public
rules:
- if: $CI_PROJECT_PATH == "archlinux/archlinux-keyring" && $CI_COMMIT_TAG
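Review bot: The new `pages` job at the end of this section carries `needs: []`, which lets it start as soon as the pipeline is created instead of waiting for the `test` stage, so on a tag pipeline the WKD tree can be published even when `test`, `keyring_check` or `build_install` fail on that same tag; that works against the stated goal of exposing only consistent keyring state via WKD. Dropping the `needs: []` line from `pages` restores stage ordering, so the `wkd` stage runs only after the `test` stage succeeded; an explicit `needs:` list would be tighter, but as far as I can tell from the `only: changes:` filters on those jobs it would have to be marked `optional: true` to survive pipelines in which they are skipped. The `rules: - if: $CI_PROJECT_PATH == "archlinux/archlinux-keyring" && $CI_COMMIT_TAG` guard itself looks right for keeping forks and untagged commits from publishing.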
* @archlinux/teams/main-key-holders
<!-- <!--
This template is used when a new main PGP public key needs to be added to the This template is used when a new main PGP public key needs to be added to the distribution's keyring.
distribution's keyring.
It is used by users with a valid packager key. It is used by users with a valid packager key.
NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes NOTE: All comment sections with a MODIFY note need to be edited.
in the "Checks" section labeled as "Owner of new key" need to be checked by the All checkboxes in the "Checks" section labeled as "Owner of new key" need to be checked by the owner of the new key.
owner of the new key.
--> -->
/assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
/assign @archlinux/teams/main-key-holders
/label ~"new main key" /label ~"new main key"
/title New main key of <!-- MODIFY: Add new main key holder's username --> /title New main key of <!-- MODIFY: Add new main key holder's username -->
<!--
Please do not remove the above quick actions, which automatically label the <!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
issue and assign relevant users.
-->
# Add a new main key # Add a new main key
...@@ -24,44 +21,37 @@ issue and assign relevant users. ...@@ -24,44 +21,37 @@ issue and assign relevant users.
- Revocation Certificate Holder: <!-- MODIFY: Add the @-prefixed username of the revocation certificate holder --> - Revocation Certificate Holder: <!-- MODIFY: Add the @-prefixed username of the revocation certificate holder -->
<!-- <!--
MODIFY: Attach the above information of the details section as a clearsigned MODIFY: Attach the above information of the details section as a clearsigned document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket using a valid packager key of the user:
document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket
using a valid packager key of the user:
* Select the above text, copy/paste it into a file (e.g. `details.txt`). * Select the above text, copy/paste it into a file (e.g. `details.txt`).
* Make sure to sign with the root certificate of the packager key (not any of * Make sure to sign with the root certificate of the packager key (not any of the subkeys!): `gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
the subkeys!):
`gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
* Upload `details.txt` as attachment to this ticket. * Upload `details.txt` as attachment to this ticket.
--> -->
## Checks ## Checks
**NOTE**: The below check boxes **must be** checked before the accompanying **NOTE**: The below check boxes **must be** checked before the accompanying merge request to add the new main key can be merged.
merge request to add the new main key can be merged.
### Owner of new key ### Owner of new key
- [ ] The [workflow for adding a new main - [ ] The [workflow for adding a new main key] has been followed
key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-main-key) - [ ] The key pair has been validated according to the [best practices]
has been followed - [ ] The data in the [Details] section is attached to this issue as a clearsigned document
- [ ] The key pair has been validated according to the [best - [ ] The revocation certificate has been sent in an encrypted message to the revocation certificate holder
practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair) - [ ] The public key has been uploaded to the `keyserver.ubuntu.com` and `keys.openpgp.org` keyservers, and the `archlinux.org` UID has been verified on the `keys.openpgp.org` keyserver.
- [ ] The data in the [Details](#details) section is attached to this issue as Optionally the key can also be uploaded to the `pgp.mit.edu` keyserver, but this is no longer mandatory as it's frequently flaky.
a clearsigned document
- [ ] The revocation certificate has been sent in an encrypted message to the
revocation certificate holder
- [ ] The public key has been uploaded to the pgp.mit.edu and keyserver.ubuntu.com
- [ ] A merge request to add the new public key has been created - [ ] A merge request to add the new public key has been created
### Revocation Certificate Holder ### Revocation Certificate Holder
- [ ] The revocation certificate has been [verified - [ ] The revocation certificate has been [verified as working] and confirmed in a comment to this issue
as working](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/verify-a-revocation-certificate)
and confirmed in a comment to this issue
- [ ] The revocation certificate has been backed up on a dedicated encrypted backup storage medium - [ ] The revocation certificate has been backed up on a dedicated encrypted backup storage medium
### Main key holders ### Main key holders
- [ ] The data in the [Details](#details) section is correct and signed with a - [ ] The data in the [Details](#details) section is correct and signed with a valid and trusted packager key, which is already part of `archlinux-keyring`
valid and trusted packager key, which is already part of `archlinux-keyring`
[workflow for adding a new main key]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-main-key
[best practices]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair
[Details]: #details
[verified as working]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/verify-a-revocation-certificate
<!-- <!--
This template is used when a new packager PGP public key needs to be added to This template is used when a new packager PGP public key needs to be added to the distribution's keyring.
the distribution's keyring. It is either used by the sponsor of a new packager or by an existing packager when adding a new key for themself.
It is either used by the sponsor of a new packager or by an existing packager
when adding a new key for themself.
NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes NOTE: All comment sections with a MODIFY note need to be edited.
in the "Checks" section labeled as "Owner of new key" need to be checked by the All checkboxes in the "Checks" section labeled as "Owner of new key" need to be checked by the owner of the new key or by a sponsor of a new packager.
owner of the new key or by a sponsor of a new packager.
--> -->
/assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
/assign @archlinux/teams/main-key-holders
/label ~"new packager key" /label ~"new packager key"
/title New packager key of <!-- MODIFY: Add new packager key holder's username --> /title New packager key of <!-- MODIFY: Add new packager key holder's username -->
<!--
Please do not remove the above quick actions, which automatically label the <!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
issue and assign relevant users.
-->
# Add a new packager key # Add a new packager key
...@@ -25,23 +21,15 @@ issue and assign relevant users. ...@@ -25,23 +21,15 @@ issue and assign relevant users.
- Sponsors: <!-- MODIFY: Add the @-prefixed usernames of the sponsors --> - Sponsors: <!-- MODIFY: Add the @-prefixed usernames of the sponsors -->
- Application: <!-- MODIFY: Add link to application, if this is the key of a new packager, else remove --> - Application: <!-- MODIFY: Add link to application, if this is the key of a new packager, else remove -->
- Results: <!-- MODIFY: Add link to results of application, if this is the key of a new packager, else remove --> - Results: <!-- MODIFY: Add link to results of application, if this is the key of a new packager, else remove -->
- Previous Key: <!-- - Previous Key: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MY PREVIOUS ID> | sed -n '2p' | tr -d ' '` here if another packager key exists already, else remove -->
MODIFY: Add the output of `gpg --keyid-format long --list-key <MY PREVIOUS ID> | sed -n '2p' | tr -d ' '` here
if another packager key exists already, else remove
-->
<!-- <!--
MODIFY: Attach the above information of the details section as a clearsigned MODIFY: Attach the above information of the details section as a clearsigned document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket.
document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket. If a previous (valid and trusted) packager key of the user exists, it needs to be used for clearsigning the document.
If a previous (valid and trusted) packager key of the user exists, it needs to If the key of a new packager is added, one of their sponsors needs to clearsign the details section.
be used for clearsigning the document.
If the key of a new packager is added, one of their sponsors needs to clearsign
the details section.
* Select the above text, copy/paste it into a file (e.g. `details.txt`). * Select the above text, copy/paste it into a file (e.g. `details.txt`).
* Make sure to sign with the root certificate of the packager key (not any of * Make sure to sign with the root certificate of the packager key (not any of the subkeys!): `gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
the subkeys!):
`gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
* Upload `details.txt` as attachment to this ticket. * Upload `details.txt` as attachment to this ticket.
--> -->
...@@ -49,27 +37,26 @@ the details section. ...@@ -49,27 +37,26 @@ the details section.
### Owner of new key ### Owner of new key
- [ ] The [workflow for adding a new packager - [ ] The [workflow for adding a new packager key] has been followed
key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-packager-key) - [ ] The key pair contains one user ID with a valid `<username>@archlinux.org` email address used for signing
has been followed - [ ] The key pair has been validated according to the [best practices]
- [ ] The key pair contains one user ID with a valid `<username>@archlinux.org` email address - [ ] The data in the [Details] section is attached to this issue as a clearsigned document
used for signing - [ ] The public key has been uploaded to the `keyserver.ubuntu.com` and `keys.openpgp.org` keyservers, and the `archlinux.org` UID has been verified on the `keys.openpgp.org` keyserver.
- [ ] The key pair has been validated according to the [best Optionally the key can also be uploaded to the `pgp.mit.edu` keyserver, but this is no longer mandatory as it's frequently flaky.
practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
- [ ] The data in the [Details](#details) section is attached to this issue as
a clearsigned document
- [ ] The public key has been uploaded to the pgp.mit.edu and keyserver.ubuntu.com
- [ ] A merge request to add the new public key has been created - [ ] A merge request to add the new public key has been created
### Main key holders ### Main key holders
- [ ] The public key has been signed by all main key holders - [ ] The public key has been signed by all main key holders
- [ ] @anthraxx - [ ] @anthraxx
- [ ] @bluewind - [ ] @artafinde
- [ ] @demize
- [ ] @dvzrv - [ ] @dvzrv
- [ ] @grazzolini
- [ ] @pierre
### Developers of the archlinux-keyring project ### Developers of the archlinux-keyring project
- [ ] The data in the [Details](#details) section is correct and signed with a - [ ] The data in the [Details] section is correct and signed with a valid and trusted packager key, which is already part of `archlinux-keyring`
valid and trusted packager key, which is already part of `archlinux-keyring`
[workflow for adding a new main key]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-main-key
[best practices]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair
[Details]: #details
[verified as working]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/verify-a-revocation-certificate
<!-- <!--
This template is used when an existing main PGP public key needs to be removed This template is used when an existing main PGP public key needs to be removed from the distribution's keyring.
from the distribution's keyring. It is used by users with a valid main key or the holder of the revocation certificate of the main key that is about to be removed.
It is used by users with a valid main key or the holder of the revocation
certificate of the main key that is about to be removed. NOTE: All comment sections with a MODIFY note need to be edited.
All checkboxes in the "Check" section labeled as "Main key holders" need to be checked for the accompanying merge request to be merged.
NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes
in the "Check" section labeled as "Main key holders" need to be checked for the
accompanying merge request to be merged.
--> -->
/assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
/assign @archlinux/teams/main-key-holders
/label ~"remove main key" /label ~"remove main key"
/title Remove main key of <!-- MODIFY: Add main key holder's username --> /title Remove main key of <!-- MODIFY: Add main key holder's username -->
<!--
Please do not remove the above quick actions, which automatically label the <!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
issue and assign relevant users.
-->
# Remove a main key # Remove a main key
...@@ -28,10 +24,8 @@ issue and assign relevant users. ...@@ -28,10 +24,8 @@ issue and assign relevant users.
### Main key holders ### Main key holders
- [ ] There are more than or equal to three valid main keys remaining after - [ ] There are more than or equal to four valid main keys remaining after removal of this key.
removal of this key. - [ ] All packagers have at least three valid main key signatures for their packager key after removal of this key.
- [ ] All packagers have at least three valid main key signatures for their - [ ] A merge request to [remove the main public key] has been created
packager key after removal of this key.
- [ ] A merge request to [remove the main public [remove the main public key]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/remove-a-main-key
key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/remove-a-main-key)
has been created
<!-- <!--
This template is used when an existing packager PGP public key needs to be This template is used when an existing packager PGP public key needs to be removed from the distribution's keyring.
removed from the distribution's keyring.
It is used by users with a valid main key or a valid packager key. It is used by users with a valid main key or a valid packager key.
NOTE: All comment sections with a MODIFY note need to be edited. NOTE: All comment sections with a MODIFY note need to be edited.
--> -->
/assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
/assign @archlinux/teams/main-key-holders
/label ~"remove packager key" /label ~"remove packager key"
/title Remove packager key of <!-- MODIFY: Add packager key holder's username --> /title Remove packager key of <!-- MODIFY: Add packager key holder's username -->
<!--
Please do not remove the above quick actions, which automatically label the <!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
issue and assign relevant users.
-->
# Remove a packager key # Remove a packager key
...@@ -23,21 +21,17 @@ issue and assign relevant users. ...@@ -23,21 +21,17 @@ issue and assign relevant users.
## Checks ## Checks
**NOTE**: The below check box **must be** checked before the main key holders **NOTE**: The below check box **must be** checked before the main key holders can start to revoke the key.
can start to revoke the key.
- [ ] There are [no packages left in any of the official - [ ] There are [no packages left in any of the official repositories], that are signed by the key or any of its subkeys, which is about to be removed.
repositories](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/Find-packages-signed-by-a-key),
that are signed by the key or any of its subkeys, which is about to be
removed.
### Main key holders ### Main key holders
All main key holders should revoke their signature(s) for the given key in a All main key holders should revoke their signature(s) for the given key in a merge request to this repository using `keyringctl`.
merge request to this repository using `keyringctl`.
- [ ] @anthraxx - [ ] @anthraxx
- [ ] @bluewind - [ ] @artafinde
- [ ] @demize
- [ ] @dvzrv - [ ] @dvzrv
- [ ] @grazzolini
- [ ] @pierre [no packages left in any of the official repositories]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/Find-packages-signed-by-a-key
<!-- <!--
This template is used when a new main PGP public key needs to be added to the This template is used when a new main PGP public key needs to be added to the distribution's keyring.
distribution's keyring. It is used by users with a valid packager key after all steps in an accompanying issue (opened with the template "New Main Key") have been fulfilled.
It is used by users with a valid packager key after all steps in an
accompanying issue (opened with the template "New Main Key") have been
fulfilled.
--> -->
/assign_reviewer @allan @anthraxx @bluewind @dvzrv @pierre
/label ~"new main key" /label ~"new main key"
/title Add main key of <!-- MODIFY: Add the main key holder's username --> /title Add main key of <!-- MODIFY: Add the main key holder's username -->
<!--
Please do not remove the above quick actions, which automatically label the <!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
issue and assign relevant users.
-->
# Add a new main key # Add a new main key
...@@ -30,5 +25,6 @@ Closes <!-- MODIFY: Add #-prefixed issue number, that will be closed by merging ...@@ -30,5 +25,6 @@ Closes <!-- MODIFY: Add #-prefixed issue number, that will be closed by merging
### Main key holders ### Main key holders
- [ ] The public key has been validated according to the [best - [ ] The public key has been validated according to the [best practices]
practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
[best practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
<!-- <!--
This template is used when a new packager PGP public key needs to be added to This template is used when a new packager PGP public key needs to be added to the distribution's keyring.
the distribution's keyring. It is either used by the sponsor of a new packager or by an existing packager when adding a new key for themself after all steps in an accompanying issue (opened with the template "New Packager Key") have been fulfilled.
It is either used by the sponsor of a new packager or by an existing packager
when adding a new key for themself after all steps in an accompanying issue
(opened with the template "New Packager Key") have been fulfilled..
--> -->
/assign_reviewer @allan @anthraxx @bluewind @dvzrv @pierre
/label ~"new packager key" /label ~"new packager key"
/title Add packager key of <!-- MODIFY: Add the packager key holder's username --> /title Add packager key of <!-- MODIFY: Add the packager key holder's username -->
<!--
Please do not remove the above quick actions, which automatically label the <!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
issue and assign relevant users.
-->
# Add a new packager key # Add a new packager key
...@@ -28,5 +23,6 @@ Related issue: <!-- MODIFY: Add #-prefixed issue number --> ...@@ -28,5 +23,6 @@ Related issue: <!-- MODIFY: Add #-prefixed issue number -->
### Main key holders ### Main key holders
- [ ] The public key has been validated according to the [best - [ ] The public key has been validated according to the [best practices]
practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
[best practices]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair
<!-- <!--
This template is used when an existing main PGP public key needs to be removed This template is used when an existing main PGP public key needs to be removed from the distribution's keyring.
from the distribution's keyring. It is used by users with a valid main key after all steps in an accompanying issue (opened with the template "Remove Main Key") have been fulfilled.
It is used by users with a valid main key after all steps in an accompanying
issue (opened with the template "Remove Main Key") have been fulfilled.
--> -->
/assign_reviewer @allan @anthraxx @bluewind @dvzrv @pierre
/label ~"remove main key" /label ~"remove main key"
/title Remove main key of <!-- MODIFY: Add the main key holder's username --> /title Remove main key of <!-- MODIFY: Add the main key holder's username -->
<!-- <!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
Please do not remove the above quick actions, which automatically label the
issue and assign relevant users.
-->
# Remove a main key # Remove a main key
...@@ -25,7 +19,5 @@ Related issue: <!-- MODIFY: Add #-prefixed issue number --> ...@@ -25,7 +19,5 @@ Related issue: <!-- MODIFY: Add #-prefixed issue number -->
### Keyring maintainer ### Keyring maintainer
- [ ] There are more than or equal to three valid main keys remaining after - [ ] There are more than or equal to three valid main keys remaining after removal of this key.
removal of this key. - [ ] All packagers have at least three valid main key signatures for their packager key after removal of this key.
- [ ] All packagers have at least three valid main key signatures for their
packager key after removal of this key.
<!-- <!--
This template is used when an existing packager PGP public key needs to be This template is used when an existing packager PGP public key needs to be removed from the distribution's keyring.
removed from the distribution's keyring. It is used by users with a valid main key or a valid packager key after all steps in an accompanying issue (opened with the template "Remove Packager Key") have been fulfilled.
It is used by users with a valid main key or a valid packager key after all
steps in an accompanying issue (opened with the template "Remove Packager Key")
have been fulfilled.
--> -->
/assign_reviewer @allan @anthraxx @bluewind @dvzrv @pierre
/label ~"remove packager key" /label ~"remove packager key"
/title Remove packager key of <!-- MODIFY: Add the packager's username --> /title Remove packager key of <!-- MODIFY: Add the packager's username -->
<!--
Please do not remove the above quick actions, which automatically label the <!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users as reviewers. -->
issue and assign relevant users as reviewers.
-->
# Remove a packager key # Remove a packager key
...@@ -26,5 +21,4 @@ Related issue: <!-- MODIFY: Add #-prefixed issue number --> ...@@ -26,5 +21,4 @@ Related issue: <!-- MODIFY: Add #-prefixed issue number -->
### Keyring maintainer ### Keyring maintainer
- [ ] There are no packages left in any of the official repositories, that are - [ ] There are no packages left in any of the official repositories, that are signed by the key which is about to be removed.
signed by the key which is about to be removed.
...@@ -21,9 +21,6 @@ mailing list](https://lists.archlinux.org/listinfo/arch-projects) and in ...@@ -21,9 +21,6 @@ mailing list](https://lists.archlinux.org/listinfo/arch-projects) and in
[#archlinux-projects](ircs://irc.libera.chat/archlinux-projects) on [Libera [#archlinux-projects](ircs://irc.libera.chat/archlinux-projects) on [Libera
Chat](https://libera.chat/). Chat](https://libera.chat/).
All past and present authors of archlinux-keyring are listed in
[AUTHORS](AUTHORS.md).
## Requirements ## Requirements
The following additional packages need to be installed to be able to lint The following additional packages need to be installed to be able to lint
...@@ -61,3 +58,9 @@ To run keyring integrity and consistency checks ...@@ -61,3 +58,9 @@ To run keyring integrity and consistency checks
```bash ```bash
make check make check
``` ```
## Web Key Directory
Only tagged releases are built and exposed via WKD. This helps to ensure, that
inconsistent state of the keyring is not exposed to the enduser, which may make
use of it instantaneously.
SHELL = /bin/bash
PREFIX ?= /usr/local PREFIX ?= /usr/local
KEYRING_TARGET_DIR=$(DESTDIR)$(PREFIX)/share/pacman/keyrings/ BUILD_DIR ?= build
KEYRING_FILES=$(wildcard build/*.gpg) $(wildcard build/*-revoked) $(wildcard build/*-trusted) KEYRING_TARGET_DIR ?= $(PREFIX)/share/pacman/keyrings/
RELEASE ?=
SCRIPT_TARGET_DIR ?= $(PREFIX)/bin
SYSTEMD_SYSTEM_UNIT_DIR ?= $(shell pkgconf --variable systemd_system_unit_dir systemd)
WKD_FQDN ?= archlinux.org
WKD_BUILD_DIR ?= $(BUILD_DIR)/wkd/.well-known/
KEYRING_FILE=archlinux.gpg
KEYRING_REVOKED_FILE=archlinux-revoked
KEYRING_TRUSTED_FILE=archlinux-trusted
PROJECT=archlinux-keyring
WKD_SYNC_SCRIPT=archlinux-keyring-wkd-sync
WKD_SYNC_SERVICE_IN=archlinux-keyring-wkd-sync.service.in
WKD_SYNC_SERVICE=archlinux-keyring-wkd-sync.service
WKD_SYNC_TIMER=archlinux-keyring-wkd-sync.timer
SYSTEMD_TIMER_DIR=$(SYSTEMD_SYSTEM_UNIT_DIR)/timers.target.wants/
SOURCES := $(shell find keyring) $(shell find libkeyringctl -name '*.py' -or -type d) keyringctl SOURCES := $(shell find keyring) $(shell find libkeyringctl -name '*.py' -or -type d) keyringctl
all: build all: build
...@@ -26,14 +41,46 @@ test: ...@@ -26,14 +41,46 @@ test:
build: $(SOURCES) build: $(SOURCES)
./keyringctl -v build ./keyringctl -v build
wkd: build
wkd-exporter --append --domain $(WKD_FQDN) $(WKD_BUILD_DIR) < $(BUILD_DIR)/$(KEYRING_FILE)
wkd_inspect: wkd
for file in $(WKD_BUILD_DIR)/openpgpkey/$(WKD_FQDN)/hu/*; do sq inspect --certifications $$file; done
wkd_sync_service: wkd_sync/$(WKD_SYNC_SERVICE_IN)
sed -e 's|SCRIPT_TARGET_DIR|$(SCRIPT_TARGET_DIR)|' wkd_sync/$(WKD_SYNC_SERVICE_IN) > $(BUILD_DIR)/$(WKD_SYNC_SERVICE)
clean: clean:
rm -rf build rm -rf $(BUILD_DIR) $(WKD_BUILD_DIR)
release: clean build
$(if $(RELEASE),,$(error RELEASE was not specified!))
@glab auth status -h gitlab.archlinux.org
@git tag -s $(RELEASE) -m "release version $(RELEASE)"
@git push origin refs/tags/$(RELEASE)
@mkdir -p $(BUILD_DIR)/$(PROJECT)-$(RELEASE)/
@cp $(BUILD_DIR)/{$(KEYRING_FILE),$(KEYRING_REVOKED_FILE),$(KEYRING_TRUSTED_FILE)} $(BUILD_DIR)/$(PROJECT)-$(RELEASE)/
@tar cvfz $(BUILD_DIR)/$(PROJECT)-$(RELEASE).tar.gz -C $(BUILD_DIR)/ $(PROJECT)-$(RELEASE)/
@gpg -o $(BUILD_DIR)/$(PROJECT)-$(RELEASE).tar.gz.sig --default-key "$(shell git config --local --get user.signingkey)" -s $(BUILD_DIR)/$(PROJECT)-$(RELEASE).tar.gz
# NOTE: we specify GITLAB_HOST, because otherwise glab YOLO uses whatever is specified by the `host` key in its config and silently breaks all links...
GITLAB_HOST=gitlab.archlinux.org glab release create $(RELEASE) ./build/$(PROJECT)-$(RELEASE).tar.gz* --name=$(RELEASE) --notes="release version $(RELEASE)"
install: build install: build wkd_sync_service
install -vDm 755 $(KEYRING_FILES) -t $(KEYRING_TARGET_DIR) install -vDm 644 build/{$(KEYRING_FILE),$(KEYRING_REVOKED_FILE),$(KEYRING_TRUSTED_FILE)} -t $(DESTDIR)$(KEYRING_TARGET_DIR)
install -vDm 755 wkd_sync/$(WKD_SYNC_SCRIPT) -t $(DESTDIR)$(SCRIPT_TARGET_DIR)
install -vDm 644 build/$(WKD_SYNC_SERVICE) -t $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)
install -vDm 644 wkd_sync/$(WKD_SYNC_TIMER) -t $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)
install -vdm 755 $(DESTDIR)$(SYSTEMD_TIMER_DIR)
ln -fsv ../$(WKD_SYNC_TIMER) $(DESTDIR)$(SYSTEMD_TIMER_DIR)/$(WKD_SYNC_TIMER)
uninstall: uninstall:
rm -f $(KEYRING_TARGET_DIR)/archlinux{.gpg,-trusted,-revoked} rm -fv $(DESTDIR)$(KEYRING_TARGET_DIR)/{$(KEYRING_FILE),$(KEYRING_REVOKED_FILE),$(KEYRING_TRUSTED_FILE)}
rmdir -p --ignore-fail-on-non-empty $(KEYRING_TARGET_DIR) rmdir -pv --ignore-fail-on-non-empty $(DESTDIR)$(KEYRING_TARGET_DIR)
rm -v $(DESTDIR)$(SCRIPT_TARGET_DIR)/$(WKD_SYNC_SCRIPT)
rmdir -pv --ignore-fail-on-non-empty $(DESTDIR)$(SCRIPT_TARGET_DIR)
rm -v $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)/{$(WKD_SYNC_SERVICE),$(WKD_SYNC_TIMER)}
rmdir -pv --ignore-fail-on-non-empty $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)
rm -v $(DESTDIR)$(SYSTEMD_TIMER_DIR)/$(WKD_SYNC_TIMER)
rmdir -pv --ignore-fail-on-non-empty $(DESTDIR)$(SYSTEMD_TIMER_DIR)
.PHONY: all lint fmt check test clean install uninstall .PHONY: all build lint fmt check test clean install release uninstall wkd wkd_inspect
...@@ -18,16 +18,17 @@ Build: ...@@ -18,16 +18,17 @@ Build:
* make * make
* findutils * findutils
* pkgconf
* systemd
Runtime: Runtime:
* python * python
* sequoia-sq * sequoia-sq >= 0.31.0
Optional: Optional:
* hopenpgp-tools (verify) * hopenpgp-tools (verify)
* sq-keyring-linter (verify)
* git (ci) * git (ci)
## Usage ## Usage
...@@ -121,17 +122,39 @@ how to provide fixes or improvements for the code base. ...@@ -121,17 +122,39 @@ how to provide fixes or improvements for the code base.
[Releases of [Releases of
archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/tags) archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/tags)
are created by its current maintainer [Christian are exclusively created by [keyring maintainers](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/project_members?with_inherited_permissions=exclude).
Hesse](https://gitlab.archlinux.org/eworm). Tags are signed using the PGP key
with the ID `02FD1C7A934E614545849F19A6234074498E9CEE`.
To verify a tag, first import the relevant PGP key: The tags are signed with one of the following legitimate keys:
```
Christian Hesse <eworm@archlinux.org>
02FD 1C7A 934E 6145 4584 9F19 A623 4074 498E 9CEE
David Runge <dvzrv@archlinux.org>
991F 6E3F 0765 CF62 9588 8586 139B 09DA 5BF0 D338
Johannes Löthberg <demize@archlinux.org>
5134 EF9E AF65 F95B 6BB1 608E 50FB 9B27 3A9D 0BB5
Leonidas Spyropoulos <artafinde@archlinux.org>
B4B7 5962 5D46 3343 0B74 8770 59E4 3E10 6B24 7368
Levente Polyak <anthraxx@archlinux.org>
E240 B57E 2C46 30BA 768E 2F26 FC1B 547C 8D81 72C8
Morten Linderud <foxboron@archlinux.org>
C100 3466 7663 4E80 C940 FB9E 9C02 FF41 9FEC BE16
```
To verify a tag, first import the relevant PGP keys:
```bash ```bash
gpg --auto-key-locate wkd --search-keys eworm@archlinux.org gpg --auto-key-locate wkd --search-keys <email-from-above>
``` ```
Afterwards a tag can be verified from a clone of this repository: Afterwards a tag can be verified from a clone of this repository. Please note
that one **must** check the used key of the signature against the legitimate
keys listed above:
```bash ```bash
git verify-tag <tag> git verify-tag <tag>
-----BEGIN PGP SIGNATURE-----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=ThEv
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE----- -----BEGIN PGP SIGNATURE-----
wsGPBBMBAgAiBQJO1V4QAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAhCRC6 wsGOBBMBCgA4FiEEqxkmXl19IGh9MDJGuh37ZP/5eecFAl+gsrgCGwMFCwkIBwIG
Hftk//l55xYhBKsZJl5dfSBofTAyRrod+2T/+XnnymUP/3mM0MXCq6Nk/QnGEV2Z FQoJCAsCBBYCAwECHgECF4AACgkQuh37ZP/5eefRSw/8CZsWkHIHGsJVRlKPbw3g
Ou/uu7uIMwRzq2jpNLoqKKJNHOcxk19GItRPKfcoY9BkprhM1DK7hYiD6RayKBmK 10ZuIUcqGKV/jqDq/XkiAvqiBQ0Ls0Lw4F5oWMe0ixRYpHrep9RgJAda60jUirCd
mWwolaayfdjYxyNlNl/4aKuIXP8OJYfh1ltXFox9c630hytnzHiKMLpdRSbm3COT CqwMeRMQLFKvQH32NlB8KAASx/fVZLh2OyRIRLpz0hxFNVXOAMpwuR33IOemNoNl
uT6sPI6Kkij8cOi2520p+27KsYy9HsWBeNV5X4JTQBbl7q+RcF7UCe0e1POGcOta e49lD3qsZBrZmVsNWzWqgtxPRAvyJ26tECXymNPxpGp/XLM+okpHXhRAMee2e2s5
qz7RBt5RXO4hKnY8kqiCya+lXfDE/BExI7CNSKgkZjSRsTEiqnFY97chJrqRaLDZ K4+3ptjA/p65FDqmDUKK5w44nTD+9sGkkEwouXNtkbh2VLx4upBpjFb6nk4m4481
jy9EXL3VVJJuEEk92LttKAfwN3zI69VU26b819tP5/W+7cG4N7sIhRovDxCiNPdn N4XxYB1+JUwy1OeW+qA+y/F3190aIy0HOGknUO0qRPxQEbAmyqFVTSfUwcuc/Bkr
Uq3yPwhEfjWfrUrTRbEHKloIHDH3mkfKPF0PX8QUXZQmyHrJ7KerFDxw5ZpK6gkv ZoTfVCH9E4f2mCOUZMk6if4hx87dTMs8REfiBq+YuPudc4X5Zn6RnXpc6x5joEcj
OU9mBGTKB4ijlL6fMuLzTo8SJsI33mdH+eRp1pLvnfEjDZUfSGX2P7R6WV2Sn4dg TN3ytZmQU9GQFQILm9HPBpZZDn8lEoQ5Fgn/apce46E20pLvtZue1P/Zn9ASFHoE
QSV/JCfna6lbYrVazVhuqQFtZzchOJbBzhd9XVJbGH625Qa7iBTX123kv0O7Lvnn 1stCFgy8I2YNN1Bv0eqXb7QO9j2/bbOFKqTN25DJW2Iz2SyzHL80QLttjA20WOoS
uWtFKqivoOBx5aROLGVxZy8+VzQh2xbUT9V2eKxR5o8vG0vTTD4uHmC4SVVK6QMG 9BRrWGmCO0wRhdU+fvhtMaVhyCJ9dFbVt61/VCGgGiKX2cYnG9FI5VS010AyQ/iv
+ghAxs3NftNYNxLpUeyHmAxc75afxZrSj58XOQyl3IAuypVuY+aVTnMGwxQWTe5q FIhdxXdsntr4zad4fNS8obP6drNmb2l92az/fhB2DOApWigGsvpGxvMii1A4u437
K8s2+Xjq9e3ErSAB/4ZSBi+Q vcJvlaWGcQgV1BRTEJS4Vdk=
=+Lwt =pO51
-----END PGP SIGNATURE----- -----END PGP SIGNATURE-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
xjMEZSgloxYJKwYBBAHaRw8BAQdAtfrKHiBv1TUCI1OguzSl17lqNyLcqqp46eAm
44mVuPk=
=USQG
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP ARMORED FILE-----
zjgEZSgloxIKKwYBBAGXVQEFAQEHQKIhElgw8NbNxOjxv3gUcymCVZaCxCpw4ptI
/kUu3ZgkAwEIBw==
=wPrh
-----END PGP ARMORED FILE-----
-----BEGIN PGP SIGNATURE-----
wngEGBYIACAWIQQ1cvoqGwZ/IsWK8VX4uCG0Km/c1wUCZSglowIbDAAKCRD4uCG0
Km/c14PfAQC485mzpvaK3x5Ao1oWTUvBiuSdUeCVEC6TDB40arEtzQEArAYbnAJP
L/bfDrMFU8eLZVHZel7UA+ig+eWQJCReAQs=
=RHSS
-----END PGP SIGNATURE-----
-----BEGIN PGP ARMORED FILE-----
zVFMZW9uaWRhcyBTcHlyb3BvdWxvcyAoQXJjaCBMaW51eCBNYXN0ZXIgS2V5KSA8
YXJ0YWZpbmRlQG1hc3Rlci1rZXkuYXJjaGxpbnV4Lm9yZz4=
=abF3
-----END PGP ARMORED FILE-----