Remove packager key of sudoforge

assigned to @demize, @eworm, @pierre, @bluewind, @diabonas, @anthraxx, and @dvzrv

marked the checklist item There are [no packages left in any of the official as completed

The key doesn't have any signatures from main key holders.

Doesn't the key still need to be removed from the keyring?

Hm, I don't think so. It will eventually expire:

./keyringctl inspect sudoforge

WARNING: sq does not have a stable CLI interface.  Use with caution in scripts.

/run/user/1000/arch-keyringctl-gf15l35a/packet-lb5ongrx.asc: OpenPGP Certificate.

    Fingerprint: FAD824618B562B99CCCE05FB905A8C3700E16349 sudoforge ~ unknown
Public-key algo: EdDSA
Public-key size: 256 bits
  Creation time: 2022-06-09 14:21:11 UTC
Expiration time: 2025-01-31 11:54:07 UTC (creation time + P966DT77576S)
      Key flags: certification

         Subkey: 247C5662524E6EFCF4000027DC32C13A989E0DA2
Public-key algo: EdDSA
Public-key size: 256 bits
  Creation time: 2022-06-09 14:37:07 UTC
Expiration time: 2025-01-31 11:54:17 UTC (creation time + P966DT76630S)
      Key flags: authentication

         Subkey: 6F1794FBCF261ECC05B7F5AD877F9F855FF542E9
Public-key algo: EdDSA
Public-key size: 256 bits
  Creation time: 2022-06-09 14:36:07 UTC
Expiration time: 2025-01-31 11:54:17 UTC (creation time + P966DT76690S)
      Key flags: signing

         Subkey: BEED5A2156B1F10FC63C251668A16F68D747E833
Public-key algo: ECDH
Public-key size: 256 bits
  Creation time: 2022-06-09 14:36:41 UTC
Expiration time: 2025-01-31 11:54:17 UTC (creation time + P966DT76656S)
      Key flags: transport encryption, data-at-rest encryption

         UserID: sudoforge <sudoforge@archlinux.org>

As it is already part of user's pacman keyring, removing it here would unfortunately not have much of an effect.

If @sudoforge was to revoke the key and add the revocation certificate, that would help though!

I still think it's worthwhile to revert 10bbb50a. As you say, it doesn't help with existing pacman keyrings, but for new and even re-populated ones, it does make for a cleaner state.

I guess the revocation would even be better then. It's just questionable when this will happen

i'm currently traveling (and will be for the next ~4 months), without access to the revocation certificate for this key (it's in a secure place back in my home country).

unfortunate timing here. wouldn't we be able to remove it from users' keyrings via the *.install script?

From my perspective there is no immanent hurry. If you could revoke it (and add that updated cert to this repository) once you're home, that'd be ace!

yeah, that won't be a problem once i'm back. just to provide as accurate a timeline as i can, i'm gone until at least the end of may 2023, and at most through the end of july 2023.

@sudoforge just a quick ping checking whether you are back already

@sudoforge Hi! we have entered August now. Can you please revoke your key?

@sudoforge as announced in your private mail to me you should now have access to your key material again. Can you please revoke your key?

Sent yet another reminder email.

Sent yet another reminder email...

closed

reopened

unassigned @pierre

marked the checklist item @anthraxx as completed

marked the checklist item @demize as completed

marked the checklist item @bluewind as completed

marked the checklist item @diabonas as completed

marked the checklist item @dvzrv as completed

marked the checklist item @pierre as completed

@sudoforge please revoke this key, so that it is properly marked on existing and new installations.

unassigned @diabonas

mentioned in commit 4c0c7a60

mentioned in merge request !331 (merged)

closed with merge request !331 (merged)

closed with commit 4c0c7a60

Remove packager key of sudoforge

Remove a packager key

Details

Checks

Main key holders

Child items 0

Activity

Admin message

Remove packager key of sudoforge

Remove a packager key

Details

Checks

Main key holders

Activity