This is the signature for svenstaro from grazzolini master key
Signature for #164 (closed)
assigned to @grazzolini
- This merge request adds a new authentication subkey to svenstaro's packager key. While that is fine in general, I would split it out into a separate commit to make it clearer what is going on. The two affected files are:
  - keyring/packager/svenstaro/8FC15A064950A99DD1BD14DD39E4B877E62EB915/subkey/327CFF10608E28E227C70FA906CE87D3992984B5/327CFF10608E28E227C70FA906CE87D3992984B5.asc
  - keyring/packager/svenstaro/8FC15A064950A99DD1BD14DD39E4B877E62EB915/subkey/327CFF10608E28E227C70FA906CE87D3992984B5/certification/8FC15A064950A99DD1BD14DD39E4B877E62EB915.asc
- You signed all user IDs of svenstaro's keys. According to the Sign a packager key workflow, we only want to sign @archlinux.org UIDs going forward for a number of reasons:
  - We can only distribute keys with an @archlinux.org UID using our WKD anyway.
  - Main key signatures are "technical" signatures: instead of verifying a person's identity, they assert their affiliation with Arch Linux, so signing only the @archlinux.org UID feels more appropriate.
  - In the past, we had the problem that different main key holders signed different UIDs, leading to marginal trust issues after a main key revocation because while at least three master keyholders had signed a packager key, not a single UID had three valid signatures any more. Since GnuPG calculates trust by UID, we don't want to deal with the complexities of signing multiple different UIDs.
  - Last but not least, properly verifying a user ID according to the Sign a packager key workflow requires sending out multiple verification tokens to every single UID (or alternatively, sending back the main key signatures separated by UID, letting the packager apply them instead of creating a MR). This makes the verification process unnecessarily complex for both sides.
I would therefore remove the signatures on the two other UIDs from this MR:
keyring/packager/svenstaro/8FC15A064950A99DD1BD14DD39E4B877E62EB915/uid/Sven-Hendrik_Haase__sh@lutzhaase.com_20620e65/certification/159F3A43AEB246C5746C033814BC4F30B3B92EBA.asc
keyring/packager/svenstaro/8FC15A064950A99DD1BD14DD39E4B877E62EB915/uid/Sven-Hendrik_Haase__svenstaro@gmail.com_3760aac3/certification/159F3A43AEB246C5746C033814BC4F30B3B92EBA.asc
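The per-UID trust problem described in the review comment above, as an added example that is not part of the merge request or the keyring project's tooling. It assumes the certification path layout visible in this MR and the threshold of three signatures named in the comment; the packager `alice`, all fingerprints and both UID directory names are constructed placeholders.

```python
import re
from collections import defaultdict

# Layout as seen in this MR:
# keyring/packager/<name>/<key fpr>/uid/<uid dir>/certification/<signer fpr>.asc
CERT_RE = re.compile(
    r"^keyring/packager/(?P<name>[^/]+)/(?P<key>[0-9A-F]{40})/uid/(?P<uid>[^/]+)"
    r"/certification/(?P<signer>[0-9A-F]{40})\.asc$"
)
ARCH_UID_RE = re.compile(r"@archlinux\.org_[0-9a-f]{8}$")

# Constructed placeholder fingerprints (hypothetical main keys and packager key).
M1, M2, M3, M4 = "1" * 40, "2" * 40, "3" * 40, "4" * 40
KEY = "A" * 40
ARCH_UID = "Alice_Example__alice@archlinux.org_0a1b2c3d"  # constructed UID dirs
PRIV_UID = "Alice_Example__alice@example.com_4e5f6a7b"

def cert(uid, signer):
    return f"keyring/packager/alice/{KEY}/uid/{uid}/certification/{signer}.asc"

# Constructed sample: main key holders signed different UIDs.
MIXED = [cert(ARCH_UID, s) for s in (M1, M2, M3)] + [cert(PRIV_UID, s) for s in (M2, M3, M4)]
# Constructed sample: every main key holder signs only the @archlinux.org UID.
CONSISTENT = [cert(ARCH_UID, s) for s in (M1, M2, M3, M4)]

def valid_signers_per_uid(paths, main_keys, revoked=frozenset()):
    """Map each UID dir to the set of non-revoked main keys certifying it."""
    signers = defaultdict(set)
    for path in paths:
        m = CERT_RE.match(path)
        if m and m["signer"] in main_keys and m["signer"] not in revoked:
            signers[m["uid"]].add(m["signer"])
    return dict(signers)

def trusted_uids(paths, main_keys, revoked=frozenset(), needed=3):
    """UIDs that still carry at least `needed` valid main key signatures."""
    per_uid = valid_signers_per_uid(paths, main_keys, revoked)
    return sorted(u for u, s in per_uid.items() if len(s) >= needed)

def non_arch_certifications(paths, main_keys):
    """Main key certifications on UIDs outside @archlinux.org (review finding)."""
    found = ((p, CERT_RE.match(p)) for p in paths)
    return [p for p, m in found
            if m and m["signer"] in main_keys and not ARCH_UID_RE.search(m["uid"])]

if __name__ == "__main__":
    mains = {M1, M2, M3, M4}
    print(trusted_uids(MIXED, mains, revoked={M3}))       # no UID keeps three signatures
    print(trusted_uids(CONSISTENT, mains, revoked={M3}))  # the @archlinux.org UID survives
```

In the mixed case three non-revoked main keys still certify the key overall, yet no single UID reaches the threshold after one revocation.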
added new signatures label
added 1 commit
- d1276ba4 - This is the signature for svenstaro from grazzolini master key.