This is the signature for svenstaro from grazzolini master key

Merged Giancarlo Razzolini requested to merge grazzolini-signature-svenstaro into master
1 unresolved thread

Signature for #164 (closed)

  • Giancarlo Razzolini approved this merge request

      • This merge request adds a new authentication subkey to svenstaro's packager key. While that is fine in general, I would split it out into a separate commit to make it clearer what is going on. The two affected files are

        • keyring/packager/svenstaro/8FC15A064950A99DD1BD14DD39E4B877E62EB915/subkey/327CFF10608E28E227C70FA906CE87D3992984B5/327CFF10608E28E227C70FA906CE87D3992984B5.asc and
        • keyring/packager/svenstaro/8FC15A064950A99DD1BD14DD39E4B877E62EB915/subkey/327CFF10608E28E227C70FA906CE87D3992984B5/certification/8FC15A064950A99DD1BD14DD39E4B877E62EB915.asc.
      • You signed all user IDs of svenstaro's keys. According to the Sign a packager key workflow, we only want to sign @archlinux.org UIDs going forward for a number of reasons:

        • We can only distribute keys with an @archlinux.org UID using our WKD anyway.
        • Main key signatures are "technical" signatures: instead of verifying a person's identity, they assert their affiliation with Arch Linux, so signing only the @archlinux.org UID feels more appropriate.
        • In the past, we had the problem that different main key holders signed different UIDs, leading to marginal trust issues after a main key revocation because while at least three master keyholders had signed a packager key, not a single UID had three valid signatures any more. Since GnuPG calculates trust by UID, we don't want to deal with the complexities of signing multiple different UIDs.
        • Last but not least, properly verifying a user ID according to the Sign a packager key workflow requires sending out multiple verification tokens to every single UID (or alternatively, sending back the main key signatures separated by UID, letting the packager apply them instead of creating a MR). This makes the verification process unnecessarily complex for both sides.

        I would therefore remove the signatures on the two other UIDs from this MR:

        • keyring/packager/svenstaro/8FC15A064950A99DD1BD14DD39E4B877E62EB915/uid/Sven-Hendrik_Haase__sh@lutzhaase.com_20620e65/certification/159F3A43AEB246C5746C033814BC4F30B3B92EBA.asc
        • keyring/packager/svenstaro/8FC15A064950A99DD1BD14DD39E4B877E62EB915/uid/Sven-Hendrik_Haase__svenstaro@gmail.com_3760aac3/certification/159F3A43AEB246C5746C033814BC4F30B3B92EBA.asc
    • You're correct, let me remove the other two signatures. The verification happened, the clearsigned token was sent to Sven last weekend and I got the reply and verified.

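The per-UID trust problem raised in the review thread above (three master keys on the key overall, yet no single UID carrying three valid certifications) can be checked mechanically. The following is an added example, not code from this merge request or the archlinux-keyring project: it parses a constructed `gpg --with-colons --check-sigs` listing with hypothetical key IDs and counts, per UID, the distinct master keys whose certification GnuPG marked as good. The `--with-colons` field positions used here are those documented for `uid` and `sig` records.

```python
"""Count master-key certifications per UID in `gpg --with-colons --check-sigs` output."""
# Constructed sample listing with hypothetical key IDs (not real archlinux-keyring data).
MASTER_KEYIDS = {"1111111111111111", "2222222222222222", "3333333333333333"}
SAMPLE = """\
pub:u:4096:1:DEADBEEFCAFEF00D:1500000000:::u:::scESCA::::::23::0:
uid:u::::1500000000::HASH1::Packager <packager@archlinux.org>::::::::::0:
sig:!::1:DEADBEEFCAFEF00D:1500000000::::Packager <packager@archlinux.org>:13x:::::8:
sig:!::1:1111111111111111:1600000000::::Master A <a@archlinux.org>:13x:::::8:
sig:!::1:2222222222222222:1600000001::::Master B <b@archlinux.org>:13x:::::8:
uid:u::::1500000000::HASH2::Packager <packager@example.net>::::::::::0:
sig:!::1:2222222222222222:1600000002::::Master B <b@archlinux.org>:13x:::::8:
sig:!::1:3333333333333333:1600000003::::Master C <c@archlinux.org>:13x:::::8:
sig:?::1:4444444444444444:1600000004::::[User ID not found]:13x:::::8:
uid:u::::1500000000::HASH3::Packager <old@example.org>::::::::::0:
sig:!::1:1111111111111111:1600000005::::Master A <a@archlinux.org>:13x:::::8:
sig:!::1:3333333333333333:1600000006::::Master C <c@archlinux.org>:13x:::::8:
sub:u:4096:1:0123456789ABCDEF:1500000000::::::s::::::23:
sig:!::1:DEADBEEFCAFEF00D:1500000000::::Packager <packager@archlinux.org>:18x:::::8:
"""

def certifications_per_uid(listing, master_keyids):
    """Map each UID to the master key IDs with a valid certification on it."""
    # Count only `sig` records gpg marked good ('!'), of certification class 0x10-0x13,
    # and only from the given master keys; self-sigs and unknown-key sigs drop out.
    per_uid, current = {}, None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "uid":
            current = fields[9]
            per_uid.setdefault(current, set())
        elif fields[0] in ("pub", "sub"):
            current = None  # subkey binding sigs (class 0x18) are not UID certifications
        elif fields[0] == "sig" and current is not None:
            validity, issuer, sigclass = fields[1], fields[4], fields[10]
            if validity == "!" and sigclass[:2] in ("10", "11", "12", "13") and issuer in master_keyids:
                per_uid[current].add(issuer)
    return per_uid

def uids_below_threshold(listing, master_keyids, threshold=3):
    """UIDs certified by fewer than `threshold` master keys (GnuPG computes trust per UID)."""
    per_uid = certifications_per_uid(listing, master_keyids)
    return sorted(uid for uid, signers in per_uid.items() if len(signers) < threshold)

def distinct_masters_overall(listing, master_keyids):
    """Masters that certified any UID at all: the misleading whole-key count."""
    return set().union(*certifications_per_uid(listing, master_keyids).values())

if __name__ == "__main__":
    print(len(distinct_masters_overall(SAMPLE, MASTER_KEYIDS)), uids_below_threshold(SAMPLE, MASTER_KEYIDS))
```

On the sample, all three masters appear on the key, but every UID is certified by only two of them, which is exactly the situation that left no UID with full trust after a master key revocation.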
  • added 1 commit

    • d1276ba4 - This is the signature for svenstaro from grazzolini master key.

  • Jonas Witschel approved this merge request

  • Christian Hesse approved this merge request
