New packager key of morganamilo

Add a new packager key

Details

• Username: @morganamilo
• PGP key ID: F850562FCDA369F80D33000AE48D0A8326DE47C5
• Sponsors: @kpcyrd @dvzrv
• Application: https://lists.archlinux.org/pipermail/aur-general/2021-June/036337.html
• Results: https://lists.archlinux.org/pipermail/aur-general/2021-July/036399.html

message.asc

Checks

New key owner

• The workflow for adding a new packager key has been followed
• The key pair contains one user ID with a valid <username>@archlinux.org email address used for signing
• The key pair has been validated according to the best practices
• The data in the Details section is attached to this issue as a clearsigned document
• The public key has been uploaded to the SKS infrastructure Ubuntu keyserver

Main key holders

• The public key has been validated according to the best practices
• The public key has been signed by all main key holders
  • @anthraxx
  • @bluewind
  • @diabonas
  • @dvzrv
  • @demize
  • @pierre

Keyring maintainer

• The public key contains one user ID with a valid <username>@archlinux.org email address used for signing
• The public key has been validated according to the best practices
• The data in the Details section is correct and signed with a valid and trusted packager key, which is part of pacman-key

added new packager key label

assigned to @allan, @anthraxx, @bluewind, @dvzrv, and @pierre

marked the checklist item The data in the Details section is attached to this issue as as completed

mentioned in issue infrastructure#374 (closed)

@morganamilo can you please provide a clearsigned text (signed by your other key 7E3305BE1B62E81C9D5D4A4D6FE9E7996B0B082E) stating that F850562FCDA369F80D33000AE48D0A8326DE47C5 is (also) your key? :)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

F850562FCDA369F80D33000AE48D0A8326DE47C5 is also my key
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEfjMFvhti6BydXUpNb+nnmWsLCC4FAmD758cACgkQb+nnmWsL
CC5eDwf+ILaEJhMD9hDNwYwSh0ylPdNUetmd9o/2GTSbaoNDmbQIplwtKw9zQAA4
K94BY8OGDImppJvcvLJ0zJxLpeOHfS5XUbgPdHc+ZiuaWgOT7/XsrXjKwIgqlsu9
Se9eiXhScUXCIohTmYYPtybrFj8qPeKcp8EsrrmbFLaV50/X0ydnOhlhW7+FUyKH
3vw6xQD5wD/ofO7KgI08lT5IphdP9MAkYjhscJBgp1OAQ9e2wQmW+hWWCvEgRG0O
J2lR9iLt+ELYK2RnQ3zeiVl5hCr09BgznX8Nfbbr4Ujz3W/Wk3/HudwfqYfTAwvd
0E5A8uWH7QqldNXBTqp8HcHVpbTchw==
=Sx4q
-----END PGP SIGNATURE-----

Signed: E48D0A8326DE47C5.key.3.Morgan_Adamiec__morganamilo_archlinux.org_.asc

marked the checklist item @dvzrv as completed

marked the checklist item The key pair has been validated according to the [best as completed

marked the checklist item The key pair contains one user ID with a valid <username>@archlinux.org email address as completed

marked the checklist item The [workflow for adding a new packager as completed

unassigned @dvzrv

@kpcyrd @dvzrv can one of you please already open the merge request. That way we have CI with some basic checks on the keys. I see @dvzrv has already created a signature without the checkbox "The public key has been validated according to the best practices" being checked as well as the key owner uploading it to a keyserver is not checked either.

Sorry, the key is already uploaded. I just forgot to check that box.

The other checkbox is supposed to be done by the keyring maintainer, but I'm afraid that is not obvious enough (we need to restructure this process a little). FWIW, I have of course made sure the key meets these requirements!

changed the description

marked the checklist item The public key has been uploaded to the SKS infrastructure Ubuntu keyserver as completed

It appears that your key does not contain an encryption subkey (which it should have according to best practice and due to me sending you an encrypted mail):

Key has potential validity: good
Key has fingerprint: F850 562F CDA3 69F8 0D33  000A E48D 0A83 26DE 47C5
Checking to see if key is OpenPGPv4: V4
Checking the strength of your primary asymmetric key: RSA 4096
Checking user-ID- and user-attribute-related items:
  Morgan Adamiec <morganamilo@archlinux.org>:
    Self-sig hash algorithms: [SHA-256]
    Preferred hash algorithms: [SHA-512, SHA-384, SHA-256, SHA-224, SHA-1]
    Key expiration times: []
    Key usage flags: [[sign-data, certify-keys]]
Checking subkeys:
  one of the subkeys is encryption-capable: False

Can you add an encryption subkey?

When running gpg --list-key F850562FCDA369F80D33000AE48D0A8326DE47C5 I get:

pub   rsa4096 2021-07-10 [SC]
      F850562FCDA369F80D33000AE48D0A8326DE47C5
uid           [ultimate] Morgan Adamiec <morgan@grdigital.co.uk>
uid           [ultimate] Morgan Adamiec <morganamilo@archlinux.org>
uid           [ultimate] Morgan Adamiec <morganamilo@gmail.com>
sub   rsa4096 2021-07-10 [E]

Is that last line not an encryption subkey?

No idea where I got an apparently partial key from. Sorry for the noise. I got the full key from a keyserver now.

Signed with key 3348882F6AC6A4C2

marked the checklist item @pierre as completed

unassigned @pierre

Signed, uploaded and attached: F850562FCDA369F80D33000AE48D0A8326DE47C5-signed.asc

unassigned @bluewind

marked the checklist item @bluewind as completed

mentioned in merge request !22 (merged)

@pierre, I could not get your signature... Can you please push again or attach here?

If this situation is anything like mine, you can try extracting it from MIT keyservers which seems to be where Pierre pushes. MIT does not seem to be syncing with anything else right now and downloading keys is pretty hit or miss because both their keyserver and web interface are unstable (not always at the same time either, they have separate issues). You can see my adventures with the same problem here. I was eventually able to download the (my) key from the web interface and gpg --import it and it brought the new signature. I then pushed it to saner keyservers. @morganamilo You might mess around and be able to achieve the same.

These MIT servers are unstable and unreliable as hell... But got it.

I am sorry about the hassle I caused. Are there any keyservers left that are reliable? Maybe we need an alternate workflow then. I'll attach my signatures next time.

I think the lowdown on keyservers right now is that most reliable keyserver link and best web interface is on keyserver.ubuntu.com. It is currently the default used by gpg as distributed in Arch. The biggest drawback is that it does not handle all functions for some key types properly (Curve25519 expiration date extensions?). For the times when those are an issue the pgp.opengpg.org keyserver is solid choice too. It is well behaved as a keyserver and pretty stable, but the web UI is limited. For good measure pgp.surf.nl and pgp.rediris.es seem to be stable too, they are just not in favor as default servers.

unassigned @allan

marked the checklist item The public key has been validated according to the [best as completed

marked the checklist item The public key contains one user ID with a valid as completed

marked the checklist item The public key has been validated according to the [best as completed

marked the checklist item The data in the Details section is correct and signed with a as completed

@anthraxx can you please also sign this key?

changed the description

assigned to @grazzolini

uid attestation request sent

marked this issue as related to #167 (closed)

changed the description

assigned to @diabonas

Verification token sent.

Signed: !141 (merged)

mentioned in issue #179 (closed)

mentioned in issue #181 (closed)

marked this issue as related to #181 (closed)

marked the checklist item @diabonas as completed

unassigned @diabonas

removed the relation with #181 (closed)

removed the relation with #167 (closed)

assigned to @demize and unassigned @grazzolini

mentioned in issue #209

changed the description