Make the keyring the source of truth
The current setup is built around the availability of the SKS infrastructure. We add keys by adding their key ID to a file and then retrieving the key files from SKS. Afterwards we use the keyring generated from those files to establish our WKD setup.
Given that WKD is more future-proof and SKS is very unreliable, we should instead establish ourselves and this repository as the source of truth. In this scenario we would add new keys by adding the respective public key file instead of only adding a key ID. Afterwards we would export the (updated) keys to our WKD setup and (regularly) to the SKS infrastructure.
This would mean the following changes in workflow:
- add new keys by adding a public key file
- add/update key signatures by adding updated public key files
- remove keys by adding updated (revoked) public key files
This would give us more control over the setup and would allow us to more easily automate e.g. the detection and flagging of key pairs that will soon become invalid.
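Added example, not part of the original issue or the repository's tooling: one way to automate the flagging of soon-invalid keys, by parsing GnuPG's colon-delimited listing (as produced by e.g. `gpg --show-keys --with-colons` on the committed key files). It checks primary keys only and assumes the expiry field holds epoch seconds; the function names and the sample listing are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of GnuPG colon-format output; all IDs, fingerprints, names and dates are made up.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1600000000:1700500000::-:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
uid:-::::1600000000::HASH::Alice Example <alice@example.org>:
pub:r:4096:1:BBBBBBBBBBBBBBBB:1500000000:1900000000::-:::sc:
fpr:::::::::2222222222222222222222222222222222222222:
uid:r::::1500000000::HASH::Bob Example <bob@example.org>:
pub:-:255:22:CCCCCCCCCCCCCCCC:1500000000:1690000000::-:::scESC:
fpr:::::::::3333333333333333333333333333333333333333:
uid:-::::1500000000::HASH::Carol Example <carol@example.org>:
pub:-:255:22:DDDDDDDDDDDDDDDD:1600000000:1800000000::-:::scESC:
fpr:::::::::4444444444444444444444444444444444444444:
uid:-::::1600000000::HASH::Dave Example <dave@example.org>:
"""

def parse_keys(colon_output):
    """Collect validity, expiry, fingerprint and first user ID of each primary key."""
    keys = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"validity": f[1], "expires": f[6], "fpr": None, "uid": None})
        elif keys and f[0] in ("fpr", "uid") and keys[-1][f[0]] is None:
            keys[-1][f[0]] = f[9]  # the first fpr/uid record after pub belongs to the primary key
    return keys

def classify(key, now, warn_days=90):
    """Return revoked / no-expiry / expired / expires-soon / ok for one parsed key."""
    if key["validity"] == "r":
        return "revoked"
    if not key["expires"]:
        return "no-expiry"
    expires = datetime.fromtimestamp(int(key["expires"]), tz=timezone.utc)  # assumes epoch seconds
    if expires <= now:
        return "expired"
    return "expires-soon" if expires <= now + timedelta(days=warn_days) else "ok"

def report(colon_output, now, warn_days=90):
    """Map fingerprint -> (status, user ID) for every key that is not 'ok'."""
    rows = ((k, classify(k, now, warn_days)) for k in parse_keys(colon_output))
    return {k["fpr"]: (status, k["uid"]) for k, status in rows if status != "ok"}

if __name__ == "__main__":
    for fpr, (status, uid) in report(SAMPLE, datetime(2023, 10, 1, tzinfo=timezone.utc)).items():
        print(f"{status:13} {fpr} {uid}")
```

Run from CI against every key file in the repository, a non-empty report can fail the job or open a reminder for the key owner.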