.editorconfig

@@ -3,6 +3,14 @@ root = true
 [*]
 end_of_line = lf
 charset = utf-8
+indent_style = space
+indent_size = 4
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[Makefile]
+end_of_line = lf
+charset = utf-8
 indent_style = tab
 indent_size = 4
 insert_final_newline = true

.gitattributes

-update-keys	export-ignore
-.gitattributes	export-ignore
-.gitignore	export-ignore
-master-keyids	export-ignore
-packager-keyids	export-ignore
-master		export-ignore
-packager	export-ignore
-.editorconfig	export-ignore
-master-revoked-keyids	export-ignore
-master-revoked	export-ignore
-packager-revoked-keyids	export-ignore
-packager-revoked	export-ignore

.gitlab-ci.yml

@@ -3,11 +3,13 @@ image: archlinux:latest
 
 stages:
   - test
+  - wkd
 
 lint:
   stage: test
   needs: []
   before_script:
+    - pacman-key --init
     - pacman -Syu --needed --noconfirm make flake8 mypy python-black python-isort
   script:
     - make lint
@@ -23,9 +25,14 @@ test:
   stage: test
   needs: []
   before_script:
-    - pacman -Syu --needed --noconfirm make python sequoia-sq python-coverage python-pytest python-tomli
+    - pacman-key --init
+    - pacman -Syu --needed --noconfirm make python sequoia-sq python-coverage python-pytest python-tomli wkd-exporter
   script:
     - make test
+    - make wkd
+    - make wkd WKD_FQDN=master-key.archlinux.org
+    - make wkd_inspect
+    - make wkd_inspect WKD_FQDN=master-key.archlinux.org
   only:
     changes:
       - keyringctl
@@ -33,41 +40,59 @@ test:
       - tests/*
       - .gitlab-ci.yml
       - Makefile
+  coverage: '/TOTAL.*\s([.\d]+)%/'
   artifacts:
     when: always
     reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: build/coverage.xml
       junit: build/junit-report.xml
-      cobertura: build/coverage.xml
 
 build_install:
   stage: test
   needs: []
   before_script:
-    - pacman -Syu --needed --noconfirm make python sequoia-sq
+    - pacman-key --init
+    - pacman -Syu --needed --noconfirm make pkgconf python sequoia-sq systemd
   script:
-    - ./keyringctl import --main master master-revoked
-    - ./keyringctl import packager packager-revoked
     - make
     - make install PREFIX=/usr
-    - pacman-key --init
-    - pacman-key --populate archlinux
-    - pacman-key --updatedb
-    - pacman -Syu
 
 keyring_check:
   stage: test
   needs: []
   before_script:
-    - pacman -Syu --needed --noconfirm make python sequoia-sq
+    - pacman-key --init
+    - pacman -Syu --needed --noconfirm make python sequoia-sq git
   script:
-    - ./keyringctl import --main master master-revoked
-    - ./keyringctl import packager packager-revoked
     - ./keyringctl check
+    - ./keyringctl ci
   only:
     changes:
-      - keyring
+      - keyring/**/*
       - keyringctl
       - libkeyringctl/*
       - tests/*
       - .gitlab-ci.yml
       - Makefile
+
+pages:
+  stage: wkd
+  needs: []
+  tags:
+    - secure
+  before_script:
+    - pacman-key --init
+    - pacman -Syu --needed --noconfirm make python sequoia-sq wkd-exporter
+  script:
+    - make wkd
+    - make wkd WKD_FQDN=master-key.archlinux.org
+    - make wkd_inspect
+    - make wkd_inspect WKD_FQDN=master-key.archlinux.org
+    - cp -r build/wkd/ public
+  artifacts:
+    paths:
+      - public
+  rules:
+    - if: $CI_PROJECT_PATH == "archlinux/archlinux-keyring" && $CI_COMMIT_TAG

.gitlab/CODEOWNERS

+* @archlinux/teams/main-key-holders

.gitlab/check-keyids-change

-#!/bin/bash
-set -eo pipefail
-
-if [[ -z "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" ]]; then
-	echo "CI_MERGE_REQUEST_DIFF_BASE_SHA is not set"
-	exit 1
-fi
-
-GNUPGHOME="$(mktemp -d --tmpdir archlinux-keyring-XXXXXXXXX)"
-export GNUPGHOME
-trap 'rm -rf $GNUPGHOME' EXIT INT TERM QUIT
-
-for NEW_KEY in $(git diff --color=never "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" -- master-keyids packager-keyids | grep -oP '^\+(\K[A-Z0-9]{40})'); do
-	echo "Receive gpg key ${NEW_KEY} ..."
-	gpg --recv "${NEW_KEY}"
-
-	echo "Export gpg key ${NEW_KEY} ..."
-	gpg --export "${NEW_KEY}" > "${GNUPGHOME}/${NEW_KEY}"
-
-	echo "Lint gpg key ${NEW_KEY} via hokey..."
-	hokey lint < "${GNUPGHOME}/${NEW_KEY}"
-	echo "Lint gpg key ${NEW_KEY} via sq-keyring-linter..."
-	sq-keyring-linter "${GNUPGHOME}/${NEW_KEY}"
-done
-
-for REMOVED_KEY in $(git diff --color=never "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" -- packager-keyids | grep -oP '^\-(\K[A-Z0-9]{40})'); do
-	echo "Check if removed packager key ${REMOVED_KEY} is added to revoked keys..."
-	git diff --color=never "${CI_MERGE_REQUEST_DIFF_BASE_SHA}" -- packager-revoked-keyids | grep -E "^\+${REMOVED_KEY}\s"
-
-	echo "Receive gpg key ${REMOVED_KEY} ..."
-	gpg --recv "${REMOVED_KEY}"
-
-	SHORT_KEYID="${REMOVED_KEY:24:16}"
-	echo "Check if key ${SHORT_KEYID} is still used by a package..."
-	if pacman -Sii | grep -m1 "${SHORT_KEYID}"; then
-		exit 1
-	fi
-done

.gitlab/issue_templates/New Main Key.md

 <!--
-This template is used when a new main PGP public key needs to be added to the
-distribution's keyring.
+This template is used when a new main PGP public key needs to be added to the distribution's keyring.
 It is used by users with a valid packager key.
+
+NOTE: All comment sections with a MODIFY note need to be edited.
+      All checkboxes in the "Checks" section labeled as "Owner of new key" need to be checked by the owner of the new key.
 -->
-/assign @allan @anthraxx @bluewind @dvzrv @pierre
+
+/assign @archlinux/teams/main-key-holders
 /label ~"new main key"
 /title New main key of <!-- MODIFY: Add new main key holder's username -->
-<!--
-Please do not remove the above quick actions, which automatically label the
-issue and assign relevant users.
--->
+
+<!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
 
 # Add a new main key
 
 ## Details
 
 - Username: <!-- MODIFY: Add the @-prefixed username -->
-- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the new PGP public key here -->
+- PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MY UID> | sed -n '2p' | tr -d ' '` here -->
 - Revocation Certificate Holder: <!-- MODIFY: Add the @-prefixed username of the revocation certificate holder -->
 
 <!--
-NOTE: Attach the above information as a clearsigned document to this ticket
-using a valid packager key of the user.
-https://www.gnupg.org/gph/en/manual/x135.html
+MODIFY: Attach the above information of the details section as a clearsigned document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket using a valid packager key of the user:
+
+* Select the above text, copy/paste it into a file (e.g. `details.txt`).
+* Make sure to sign with the root certificate of the packager key (not any of the subkeys!): `gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
+* Upload `details.txt` as attachment to this ticket.
 -->
 
 ## Checks
 
-### New key owner
-
-- [ ] The [workflow for adding a new main
-  key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-main-key)
-  has been followed
-- [ ] The key pair has been validated according to the [best
-  practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
-- [ ] The data in the [Details](#details) section is attached to this issue as
-  a clearsigned document
-- [ ] The revocation certificate has been sent in an encrypted message to the
-  revocation certificate holder
-- [ ] The public key has been uploaded to the SKS infrastructure
+**NOTE**: The below check boxes **must be** checked before the accompanying merge request to add the new main key can be merged.
 
-### Keyring maintainer
+### Owner of new key
 
-- [ ] The key pair has been validated according to the [best
-  practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
-- [ ] The data in the [Details](#details) section is correct and signed with a
-  valid and trusted packager key, which is part of `pacman-key`
+- [ ] The [workflow for adding a new main key] has been followed
+- [ ] The key pair has been validated according to the [best practices]
+- [ ] The data in the [Details] section is attached to this issue as a clearsigned document
+- [ ] The revocation certificate has been sent in an encrypted message to the revocation certificate holder
+- [ ] The public key has been uploaded to the `keyserver.ubuntu.com` and `keys.openpgp.org` keyservers, and the `archlinux.org` UID has been verified on the `keys.openpgp.org` keyserver.
+      Optionally the key can also be uploaded to the `pgp.mit.edu` keyserver, but this is no longer mandatory as it's frequently flaky.
+- [ ] A merge request to add the new public key has been created
 
 ### Revocation Certificate Holder
 
-- [ ] The revocation certificate has been [verified
-  as working](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/verify-a-revocation-certificate)
-  and confirmed in a comment to this issue
-- [ ] The revocation certificate has been backed up in a dedicated encrypted backup storage
+- [ ] The revocation certificate has been [verified as working] and confirmed in a comment to this issue
+- [ ] The revocation certificate has been backed up on a dedicated encrypted backup storage medium
+
+### Main key holders
+
+- [ ] The data in the [Details](#details) section is correct and signed with a valid and trusted packager key, which is already part of `archlinux-keyring`
+
+[workflow for adding a new main key]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-main-key
+[best practices]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair
+[Details]: #details
+[verified as working]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/verify-a-revocation-certificate

.gitlab/issue_templates/New Packager Key.md

 <!--
-This template is used when a new packager PGP public key needs to be added to
-the distribution's keyring.
-It is either used by the sponsor of a new packager or by an existing packager
-when adding a new key for themself.
+This template is used when a new packager PGP public key needs to be added to the distribution's keyring.
+It is either used by the sponsor of a new packager or by an existing packager when adding a new key for themself.
+
+NOTE: All comment sections with a MODIFY note need to be edited.
+      All checkboxes in the "Checks" section labeled as "Owner of new key" need to be checked by the owner of the new key or by a sponsor of a new packager.
 -->
-/assign @allan @anthraxx @bluewind @dvzrv @pierre
+
+/assign @archlinux/teams/main-key-holders
 /label ~"new packager key"
 /title New packager key of <!-- MODIFY: Add new packager key holder's username -->
-<!--
-Please do not remove the above quick actions, which automatically label the
-issue and assign relevant users.
--->
+
+<!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
 
 # Add a new packager key
 
 ## Details
 
 - Username: <!-- MODIFY: Add the @-prefixed username -->
-- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the new PGP public key here -->
+- PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MY UID> | sed -n '2p' | tr -d ' '` here -->
 - Sponsors: <!-- MODIFY: Add the @-prefixed usernames of the sponsors -->
 - Application: <!-- MODIFY: Add link to application, if this is the key of a new packager, else remove -->
 - Results: <!-- MODIFY: Add link to results of application, if this is the key of a new packager, else remove -->
+- Previous Key: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MY PREVIOUS ID> | sed -n '2p' | tr -d ' '` here if another packager key exists already, else remove -->
 
 <!--
-NOTE: Attach the above information as a clearsigned document to this ticket.
-https://www.gnupg.org/gph/en/manual/x135.html
+MODIFY: Attach the above information of the details section as a clearsigned document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket.
+If a previous (valid and trusted) packager key of the user exists, it needs to be used for clearsigning the document.
+If the key of a new packager is added, one of their sponsors needs to clearsign the details section.
 
-If this is the key of a new packager, one of their sponsors needs to do the
-signature.
-If this is a new key of an already existing packager, the packager themself
-needs to do the signature.
+* Select the above text, copy/paste it into a file (e.g. `details.txt`).
+* Make sure to sign with the root certificate of the packager key (not any of the subkeys!): `gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
+* Upload `details.txt` as attachment to this ticket.
 -->
 
 ## Checks
 
-### New key owner
+### Owner of new key
 
-- [ ] The [workflow for adding a new packager
-  key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-packager-key)
-  has been followed
-- [ ] The key pair contains one user ID with a valid `<username>@archlinux.org` email address
-  used for signing
-- [ ] The key pair has been validated according to the [best
-  practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
-- [ ] The data in the [Details](#details) section is attached to this issue as
-  a clearsigned document
-- [ ] The public key has been uploaded to the SKS infrastructure
+- [ ] The [workflow for adding a new packager key] has been followed
+- [ ] The key pair contains one user ID with a valid `<username>@archlinux.org` email address used for signing
+- [ ] The key pair has been validated according to the [best practices]
+- [ ] The data in the [Details] section is attached to this issue as a clearsigned document
+- [ ] The public key has been uploaded to the `keyserver.ubuntu.com` and `keys.openpgp.org` keyservers, and the `archlinux.org` UID has been verified on the `keys.openpgp.org` keyserver.
+      Optionally the key can also be uploaded to the `pgp.mit.edu` keyserver, but this is no longer mandatory as it's frequently flaky.
+- [ ] A merge request to add the new public key has been created
 
 ### Main key holders
 
-- [ ] The public key has been validated according to the [best
-  practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
 - [ ] The public key has been signed by all main key holders
-  - [ ] @allan
   - [ ] @anthraxx
-  - [ ] @bluewind
+  - [ ] @artafinde
+  - [ ] @demize
   - [ ] @dvzrv
-  - [ ] @pierre
 
-### Keyring maintainer
+### Developers of the archlinux-keyring project
+- [ ] The data in the [Details] section is correct and signed with a valid and trusted packager key, which is already part of `archlinux-keyring`
 
-- [ ] The public key contains one user ID with a valid
-  `<username>@archlinux.org` email address used for signing
-- [ ] The public key has been validated according to the [best
-  practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
-- [ ] The data in the [Details](#details) section is correct and signed with a
-  valid and trusted packager key, which is part of `pacman-key`
+[workflow for adding a new main key]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-main-key
+[best practices]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair
+[Details]: #details
+[verified as working]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/verify-a-revocation-certificate

.gitlab/issue_templates/Remove Main Key.md

 <!--
-This template is used when an existing main PGP public key needs to be removed
-from the distribution's keyring.
-It is used by users with a valid main key.
+This template is used when an existing main PGP public key needs to be removed from the distribution's keyring.
+It is used by users with a valid main key or the holder of the revocation certificate of the main key that is about to be removed.
+
+NOTE: All comment sections with a MODIFY note need to be edited.
+      All checkboxes in the "Check" section labeled as "Main key holders" need to be checked for the accompanying merge request to be merged.
 -->
-/assign @allan @anthraxx @bluewind @dvzrv @pierre
+
+/assign @archlinux/teams/main-key-holders
 /label ~"remove main key"
 /title Remove main key of <!-- MODIFY: Add main key holder's username -->
-<!--
-Please do not remove the above quick actions, which automatically label the
-issue and assign relevant users.
--->
+
+<!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
 
 # Remove a main key
 
 ## Details
 
 - Username: <!-- MODIFY: Add the @-prefixed username -->
-- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the PGP public key here -->
+- PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MAIN KEY UID> | sed -n '2p' | tr -d ' '` here -->
 - Resignation: <!-- MODIFY: Link to resignation of key holder -->
 
 ## Checks
 
 ### Main key holders
 
-- [ ] There are more than or equal to three valid main keys remaining after
-  removal of this key.
-- [ ] All packagers have at least three valid main key signatures for their
-  packager key after removal of this key.
-
-### Keyring maintainer
+- [ ] There are more than or equal to four valid main keys remaining after removal of this key.
+- [ ] All packagers have at least three valid main key signatures for their packager key after removal of this key.
+- [ ] A merge request to [remove the main public key] has been created
 
-- [ ] The key has been revoked by either the revocation certificate holder or
-  the main key holder.
+[remove the main public key]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/remove-a-main-key 

.gitlab/issue_templates/Remove Packager Key.md

 <!--
-This template is used when an existing packager PGP public key needs to be
-removed from the distribution's keyring.
+This template is used when an existing packager PGP public key needs to be removed from the distribution's keyring.
 It is used by users with a valid main key or a valid packager key.
+
+NOTE: All comment sections with a MODIFY note need to be edited.
 -->
-/assign @allan @anthraxx @bluewind @dvzrv @pierre
+
+/assign @archlinux/teams/main-key-holders
 /label ~"remove packager key"
 /title Remove packager key of <!-- MODIFY: Add packager key holder's username -->
-<!--
-Please do not remove the above quick actions, which automatically label the
-issue and assign relevant users.
--->
+
+<!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
 
 # Remove a packager key
 
 ## Details
 
 - Username: <!-- MODIFY: Add the @-prefixed username -->
-- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the PGP public key here -->
+- PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <PACKAGER KEY UID> | sed -n '2p' | tr -d ' '` here -->
 - Resignation: <!-- MODIFY: Link to resignation of key holder -->
 
 ## Checks
 
-- [ ] There are no packages left in any of the official repositories, that are
-  signed by the key, that is about to be removed.
+**NOTE**: The below check box **must be** checked before the main key holders can start to revoke the key.
+
+- [ ] There are [no packages left in any of the official repositories], that are signed by the key or any of its subkeys, which is about to be removed.
 
 ### Main key holders
 
-- [ ] All main key holders have revoked their signature for the key and
-  published the result on the SKS infrastructure
-  - [ ] @allan
-  - [ ] @anthraxx
-  - [ ] @bluewind
-  - [ ] @dvzrv
-  - [ ] @pierre
+All main key holders should revoke their signature(s) for the given key in a merge request to this repository using `keyringctl`.
+
+- [ ] @anthraxx
+- [ ] @artafinde
+- [ ] @demize
+- [ ] @dvzrv
+
+[no packages left in any of the official repositories]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/Find-packages-signed-by-a-key

.gitlab/merge_request_templates/New Main Key.md

 <!--
-This template is used when a new main PGP public key needs to be added to the
-distribution's keyring.
-It is used by users with a valid packager key after all steps in an
-accompanying issue (opened with the template "New Main Key") have been
-fulfilled.
+This template is used when a new main PGP public key needs to be added to the distribution's keyring.
+It is used by users with a valid packager key after all steps in an accompanying issue (opened with the template "New Main Key") have been fulfilled.
 -->
-/assign_reviewer @allan @anthraxx @bluewind @dvzrv @pierre
+
 /label ~"new main key"
 /title Add main key of <!-- MODIFY: Add the main key holder's username -->
-<!--
-Please do not remove the above quick actions, which automatically label the
-issue and assign relevant users.
--->
+
+<!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
 
 # Add a new main key
 
@@ -30,5 +25,6 @@ Closes <!-- MODIFY: Add #-prefixed issue number, that will be closed by merging
 
 ### Main key holders
 
-- [ ] The public key has been validated according to the [best
-  practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
+- [ ] The public key has been validated according to the [best practices]
+
+[best practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)

.gitlab/merge_request_templates/New Packager Key.md

 <!--
-This template is used when a new packager PGP public key needs to be added to
-the distribution's keyring.
-It is either used by the sponsor of a new packager or by an existing packager
-when adding a new key for themself after all steps in an accompanying issue
-(opened with the template "New Packager Key") have been fulfilled..
+This template is used when a new packager PGP public key needs to be added to the distribution's keyring.
+It is either used by the sponsor of a new packager or by an existing packager when adding a new key for themself after all steps in an accompanying issue (opened with the template "New Packager Key") have been fulfilled.
 -->
-/assign_reviewer @allan @anthraxx @bluewind @dvzrv @pierre
+
 /label ~"new packager key"
 /title Add packager key of <!-- MODIFY: Add the packager key holder's username -->
-<!--
-Please do not remove the above quick actions, which automatically label the
-issue and assign relevant users.
--->
+
+<!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
 
 # Add a new packager key
 
@@ -28,5 +23,6 @@ Related issue: <!-- MODIFY: Add #-prefixed issue number -->
 
 ### Main key holders
 
-- [ ] The public key has been validated according to the [best
-  practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
+- [ ] The public key has been validated according to the [best practices]
+
+[best practices]: https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair

.gitlab/merge_request_templates/Remove Main Key.md

 <!--
-This template is used when an existing main PGP public key needs to be removed
-from the distribution's keyring.
-It is used by users with a valid main key after all steps in an accompanying
-issue (opened with the template "Remove Main Key") have been fulfilled.
+This template is used when an existing main PGP public key needs to be removed from the distribution's keyring.
+It is used by users with a valid main key after all steps in an accompanying issue (opened with the template "Remove Main Key") have been fulfilled.
 -->
-/assign_reviewer @allan @anthraxx @bluewind @dvzrv @pierre
 /label ~"remove main key"
 /title Remove main key of <!-- MODIFY: Add the main key holder's username -->
-<!--
-Please do not remove the above quick actions, which automatically label the
-issue and assign relevant users.
--->
+<!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users. -->
 
 # Remove a main key
 
@@ -25,7 +19,5 @@ Related issue: <!-- MODIFY: Add #-prefixed issue number -->
 
 ### Keyring maintainer
 
-- [ ] There are more than or equal to three valid main keys remaining after
-  removal of this key.
-- [ ] All packagers have at least three valid main key signatures for their
-  packager key after removal of this key.
+- [ ] There are more than or equal to three valid main keys remaining after removal of this key.
+- [ ] All packagers have at least three valid main key signatures for their packager key after removal of this key.

.gitlab/merge_request_templates/Remove Packager Key.md

 <!--
-This template is used when an existing packager PGP public key needs to be
-removed from the distribution's keyring.
-It is used by users with a valid main key or a valid packager key after all
-steps in an accompanying issue (opened with the template "Remove Packager Key")
-have been fulfilled.
+This template is used when an existing packager PGP public key needs to be removed from the distribution's keyring.
+It is used by users with a valid main key or a valid packager key after all steps in an accompanying issue (opened with the template "Remove Packager Key") have been fulfilled.
 -->
-/assign_reviewer @allan @anthraxx @bluewind @dvzrv @pierre
+
 /label ~"remove packager key"
 /title Remove packager key of <!-- MODIFY: Add the packager's username -->
-<!--
-Please do not remove the above quick actions, which automatically label the
-issue and assign relevant users as reviewers.
--->
+
+<!-- Please do not remove the above quick actions, which automatically label the issue and assign relevant users as reviewers. -->
 
 # Remove a packager key
 
@@ -26,5 +21,4 @@ Related issue: <!-- MODIFY: Add #-prefixed issue number -->
 
 ### Keyring maintainer
 
-- [ ] There are no packages left in any of the official repositories, that are
-  signed by the key which is about to be removed.
+- [ ] There are no packages left in any of the official repositories, that are signed by the key which is about to be removed.

CONTRIBUTING.md

@@ -21,9 +21,6 @@ mailing list](https://lists.archlinux.org/listinfo/arch-projects) and in
 [#archlinux-projects](ircs://irc.libera.chat/archlinux-projects) on [Libera
 Chat](https://libera.chat/).
 
-All past and present authors of archlinux-keyring are listed in
-[AUTHORS](AUTHORS.md).
-
 ## Requirements
 
 The following additional packages need to be installed to be able to lint
@@ -61,3 +58,9 @@ To run keyring integrity and consistency checks
 ```bash
 make check
 ```
+
+## Web Key Directory
+
+Only tagged releases are built and exposed via WKD. This helps to ensure, that
+inconsistent state of the keyring is not exposed to the enduser, which may make
+use of it instantaneously.

Makefile

+SHELL = /bin/bash
 PREFIX ?= /usr/local
-KEYRING_TARGET_DIR=$(DESTDIR)$(PREFIX)/share/pacman/keyrings/
-KEYRING_FILES=$(wildcard build/*.gpg) $(wildcard build/*-revoked) $(wildcard build/*-trusted)
+BUILD_DIR ?= build
+KEYRING_TARGET_DIR ?= $(PREFIX)/share/pacman/keyrings/
+RELEASE ?=
+SCRIPT_TARGET_DIR ?= $(PREFIX)/bin
+SYSTEMD_SYSTEM_UNIT_DIR ?= $(shell pkgconf --variable systemd_system_unit_dir systemd)
+WKD_FQDN ?= archlinux.org
+WKD_BUILD_DIR ?= $(BUILD_DIR)/wkd/.well-known/
+KEYRING_FILE=archlinux.gpg
+KEYRING_REVOKED_FILE=archlinux-revoked
+KEYRING_TRUSTED_FILE=archlinux-trusted
+PROJECT=archlinux-keyring
+WKD_SYNC_SCRIPT=archlinux-keyring-wkd-sync
+WKD_SYNC_SERVICE_IN=archlinux-keyring-wkd-sync.service.in
+WKD_SYNC_SERVICE=archlinux-keyring-wkd-sync.service
+WKD_SYNC_TIMER=archlinux-keyring-wkd-sync.timer
+SYSTEMD_TIMER_DIR=$(SYSTEMD_SYSTEM_UNIT_DIR)/timers.target.wants/
 SOURCES := $(shell find keyring) $(shell find libkeyringctl -name '*.py' -or -type d) keyringctl
 
 all: build
@@ -26,14 +41,46 @@ test:
 build: $(SOURCES)
 	./keyringctl -v build
 
+wkd: build
+	wkd-exporter --append --domain $(WKD_FQDN) $(WKD_BUILD_DIR) < $(BUILD_DIR)/$(KEYRING_FILE)
+
+wkd_inspect: wkd
+	for file in $(WKD_BUILD_DIR)/openpgpkey/$(WKD_FQDN)/hu/*; do sq inspect --certifications $$file; done
+
+wkd_sync_service: wkd_sync/$(WKD_SYNC_SERVICE_IN)
+	sed -e 's|SCRIPT_TARGET_DIR|$(SCRIPT_TARGET_DIR)|' wkd_sync/$(WKD_SYNC_SERVICE_IN) > $(BUILD_DIR)/$(WKD_SYNC_SERVICE)
+
 clean:
-	rm -rf build
+	rm -rf $(BUILD_DIR) $(WKD_BUILD_DIR)
+
+release: clean build
+	$(if $(RELEASE),,$(error RELEASE was not specified!))
+	@glab auth status -h gitlab.archlinux.org
+	@git tag -s $(RELEASE) -m "release version $(RELEASE)"
+	@git push origin refs/tags/$(RELEASE)
+	@mkdir -p $(BUILD_DIR)/$(PROJECT)-$(RELEASE)/
+	@cp $(BUILD_DIR)/{$(KEYRING_FILE),$(KEYRING_REVOKED_FILE),$(KEYRING_TRUSTED_FILE)} $(BUILD_DIR)/$(PROJECT)-$(RELEASE)/
+	@tar cvfz $(BUILD_DIR)/$(PROJECT)-$(RELEASE).tar.gz -C $(BUILD_DIR)/ $(PROJECT)-$(RELEASE)/
+	@gpg -o $(BUILD_DIR)/$(PROJECT)-$(RELEASE).tar.gz.sig --default-key "$(shell git config --local --get user.signingkey)" -s $(BUILD_DIR)/$(PROJECT)-$(RELEASE).tar.gz
+	# NOTE: we specify GITLAB_HOST, because otherwise glab YOLO uses whatever is specified by the `host` key in its config and silently breaks all links...
+	GITLAB_HOST=gitlab.archlinux.org glab release create $(RELEASE) ./build/$(PROJECT)-$(RELEASE).tar.gz* --name=$(RELEASE) --notes="release version $(RELEASE)"
 
-install: build
-	install -vDm 755 $(KEYRING_FILES) -t $(KEYRING_TARGET_DIR)
+install: build wkd_sync_service
+	install -vDm 644 build/{$(KEYRING_FILE),$(KEYRING_REVOKED_FILE),$(KEYRING_TRUSTED_FILE)} -t $(DESTDIR)$(KEYRING_TARGET_DIR)
+	install -vDm 755 wkd_sync/$(WKD_SYNC_SCRIPT) -t $(DESTDIR)$(SCRIPT_TARGET_DIR)
+	install -vDm 644 build/$(WKD_SYNC_SERVICE) -t $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)
+	install -vDm 644 wkd_sync/$(WKD_SYNC_TIMER) -t $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)
+	install -vdm 755 $(DESTDIR)$(SYSTEMD_TIMER_DIR)
+	ln -fsv ../$(WKD_SYNC_TIMER) $(DESTDIR)$(SYSTEMD_TIMER_DIR)/$(WKD_SYNC_TIMER)
 
 uninstall:
-	rm -f $(KEYRING_TARGET_DIR)/archlinux{.gpg,-trusted,-revoked}
-	rmdir -p --ignore-fail-on-non-empty $(KEYRING_TARGET_DIR)
+	rm -fv $(DESTDIR)$(KEYRING_TARGET_DIR)/{$(KEYRING_FILE),$(KEYRING_REVOKED_FILE),$(KEYRING_TRUSTED_FILE)}
+	rmdir -pv --ignore-fail-on-non-empty $(DESTDIR)$(KEYRING_TARGET_DIR)
+	rm -v $(DESTDIR)$(SCRIPT_TARGET_DIR)/$(WKD_SYNC_SCRIPT)
+	rmdir -pv --ignore-fail-on-non-empty $(DESTDIR)$(SCRIPT_TARGET_DIR)
+	rm -v $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)/{$(WKD_SYNC_SERVICE),$(WKD_SYNC_TIMER)}
+	rmdir -pv --ignore-fail-on-non-empty $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)
+	rm -v $(DESTDIR)$(SYSTEMD_TIMER_DIR)/$(WKD_SYNC_TIMER)
+	rmdir -pv --ignore-fail-on-non-empty $(DESTDIR)$(SYSTEMD_TIMER_DIR)
 
-.PHONY: all lint fmt check test clean install uninstall
+.PHONY: all build lint fmt check test clean install release uninstall wkd wkd_inspect

README.md

@@ -15,16 +15,20 @@ The following packages need to be installed to be able to create a PGP keyring
 from the provided data structure and to install it:
 
 Build:
+
 * make
 * findutils
+* pkgconf
+* systemd
 
 Runtime:
+
 * python
-* sequoia-sq
+* sequoia-sq >= 0.31.0
 
 Optional:
+
 * hopenpgp-tools (verify)
-* sq-keyring-linter (verify)
 * git (ci)
 
 ## Usage
@@ -118,17 +122,39 @@ how to provide fixes or improvements for the code base.
 
 [Releases of
 archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/tags)
-are created by its current maintainer [Christian
-Hesse](https://gitlab.archlinux.org/eworm). Tags are signed using the PGP key
-with the ID `02FD1C7A934E614545849F19A6234074498E9CEE`.
+are exclusively created by [keyring maintainers](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/project_members?with_inherited_permissions=exclude).
+
+The tags are signed with one of the following legitimate keys:
+
+```
+Christian Hesse <eworm@archlinux.org>
+02FD 1C7A 934E 6145 4584  9F19 A623 4074 498E 9CEE
+
+David Runge <dvzrv@archlinux.org>
+991F 6E3F 0765 CF62 9588  8586 139B 09DA 5BF0 D338
+
+Johannes Löthberg <demize@archlinux.org>
+5134 EF9E AF65 F95B 6BB1  608E 50FB 9B27 3A9D 0BB5
+
+Leonidas Spyropoulos <artafinde@archlinux.org>
+B4B7 5962 5D46 3343 0B74  8770 59E4 3E10 6B24 7368
+
+Levente Polyak <anthraxx@archlinux.org>
+E240 B57E 2C46 30BA 768E  2F26 FC1B 547C 8D81 72C8
+
+Morten Linderud <foxboron@archlinux.org>
+C100 3466 7663 4E80 C940  FB9E 9C02 FF41 9FEC BE16
+```
 
-To verify a tag, first import the relevant PGP key:
+To verify a tag, first import the relevant PGP keys:
 
 ```bash
-gpg --auto-key-locate wkd --search-keys eworm@archlinux.org
+gpg --auto-key-locate wkd --search-keys <email-from-above>
 ```
 
-Afterwards a tag can be verified from a clone of this repository:
+Afterwards a tag can be verified from a clone of this repository. Please note
+that one **must** check the used key of the signature against the legitimate
+keys listed above:
 
 ```bash
 git verify-tag <tag>

archlinux-revoked

-27FFC4769E19F096D41D9265A04F9397CDFD6BB0
-44D4A033AC140143927397D47EFD567D4C7EA887
-684148BB25B49E986A4944C55184252D824B18E8
-717026A9D4779FC53940726640F557B731496106
-DBE7D3DD8C81D58D0A13D0E76BC26A17B9B7018A
-50F33E2E5B0C3D900424ABE89BDCF497A4BBCC7F
-4FCF887689C41B09506BE8D5F3E1D5C5D30DB0AD
-40776A5221EF5AD468A4906D42A1DB15EC133BAD
-779CD2942629B7FA04AB8F172E89012331361F01
-1A60DC44245D06FEF90623D6EEEEE2EEEE2EEEEE
-5A2257D19FF7E1E0E415968CE62F853100F0D0F0
-F3691687D867B81B51CE07D9BBE43771487328A9
-66BD74A036D522F51DD70A3C7F2A16726521E06D
-9515D8A8EAB88E49BB65EDBCE6B456CAF15447D5
-BC1FBE4D2826A0B51E47ED62E2539214C6C11350
-E7210A59715F6940CF9A4E36A001876699AD6E84
-5696C003B0854206450C8E5BE613C09CB4440678
-A5CA9D5515DC2CA73DF748CA5C2E46A0F53A76ED
-40440DC037C05620984379A6761FAD69BA06C6A9
-63F395DE2D6398BBE458F281F2DBB4931985A992
-487EACC08557AD082088DABA1EB2638FF56C0C53
-5559BC1A32B8F76B3FCCD9555FA5E5544F010D48
-5357F3B111688D88C1D88119FCF2CB179205AC90
-07DFD3A0BC213FA12EDC217559B3122E2FA915EC
-5E7585ADFF106BFFBBA319DC654B877A0864983E
-F648622B1715468FD654F45CB7310AE5F04569AE
-4D913AECD81726D9A6C74F0ADA6426DD215B37AD
-F5A361A3A13554B85E57DDDAAF7EF7873CFD4BB6
-8F76BEEA0289F9E1D3E229C05F946DED983D4366
-7FA647CD89891DEDC060287BB9113D1ED21E1A55
-D4DE5ABDE2A7287644EAC7E36D1A9E70E19DAA50
-81D7F8241DB38BC759C80FCE3A726C6170E80477
-D921CABED130A5690EF1896E81AF739EC0711BF1
-8840BD07FC24CB7CE394A07CCF7037A4F27FB7DA
-76B4192E902C0A52642C63C273B8ED52F1D357C1
-0B20CA1931F5DA3A70D0F8D2EA6836E1AB441196
-34C5D94FE7E7913E86DC427E7FB1A3800C84C0A5
-65EEFE022108E2B708CBFCF7F9E712E59AF5F22A
-FB871F0131FEA4FB5A9192B4C8880A6406361833
-8CF934E339CAD8ABF342E822E711306E3C4F88BC
-39F880E50E49A4D11341E8F939E4F17F295AFBF4
-B1F2C889CB2CCB2ADA36D963097D629E437520BD
-4A8B17E20B88ACA61860009B5CED81B7C2E5C0D2
-BFA1ECFEF1524EE4099CDE971F0CD4921ECAA030

archlinux-trusted

-AB19265E5D7D20687D303246BA1DFB64FFF979E7:4:
-D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:4:
-DDB867B92AA789C165EEFA799B729B06A680C281:4:
-2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E:4:
-91FFE0700E80619CEB73235CA88E23E377514E00:4:
-0E8B644079F599DFC1DDC3973348882F6AC6A4C2:4:

keyring/main/allan/AB19265E5D7D20687D303246BA1DFB64FFF979E7/revocation/AB19265E5D7D20687D303246BA1DFB64FFF979E7.asc

+-----BEGIN PGP SIGNATURE-----
+
+wsGTBCABCgA9FiEEqxkmXl19IGh9MDJGuh37ZP/5eecFAmJ6P8kfHQNSZXRpcmVk
+IEFyY2ggTGludXggbWFzdGVyIGtleQAKCRC6Hftk//l5505TD/9WswoM18miX34A
+fQqx3QyiFWfGsInACJ6GN62t8zXJJVSv1TWE8XdNmy5YwSAOL0MXA+uggt0b/H9s
+elO03DoDjk7yI4bxncGobHaUNB4m8ugHbrpE/af5+BKdnhoN7v+z3VL4fxHZ8sHp
+wOoorA3JlJbsivG6k7KFB9NtfI1WKm5uv4Po2UgEF5hfpfCJycvU5ccsxmVe9Qm8
+PCrkXzlMxIJYNsj8nFemA6oeruJFUOXkok055vQiW9Qt2myHmw852DbNX0RSg6lv
+qbktDkq5EQxlOgrysqtrfQdlLX4TBtDIZrX7pY+hfMPRoAKHUGubuUL6Q1qc/4Ek
+mpnku4UtKN9KxY4rMjUCvUAO8ziuUvIWbL5JIIXZkJRezWpBwnkIM1/ctOf/XlJh
+cdXJca64zuNYsj4R8zSBOCrPwOyDCOFDXQzzYwlUII+hYdXOLbbWbdIOjCjKRzf5
+EwI43Hme6k2dmEarNjAX+1Rqn/GG6U/qJizqlOh3tf3Rywt2mZ1aGv/JmvuO4eAf
+AldPloW+y9XdaOeOvBOMfGDjAlP0HikmamBS6ECg/RRCF3VPm0fXupqlRE01fMDA
+8jIIPwTRBLT2n3JQ8coJwKBgNaCv7ANFa8Z3oIE2+NO8M6Jqk4H5HXbSS2tEYtRv
+0jMG8BCx6ig1tjK6MVkPHRuirAslmw==
+=ThEv
+-----END PGP SIGNATURE-----