... | @@ -6,9 +6,9 @@ |
... | @@ -6,9 +6,9 @@ |
|
|
|
|
|
## Workflow
|
|
## Workflow
|
|
1. Make sure to read the respective requirements and reach out to fellow team members if something is unclear
|
|
1. Make sure to read the respective requirements and reach out to fellow team members if something is unclear
|
|
2. If not already set up, request an `archlinux.org` email address by opening a ticket in the [infrastructure repository](https://gitlab.archlinux.org/archlinux/infrastructure/)
|
|
1. If not already set up, request an `archlinux.org` email address by opening a ticket in the [infrastructure repository](https://gitlab.archlinux.org/archlinux/infrastructure/)
|
|
- Validate you can send and receive mails
|
|
- Validate you can send and receive mails
|
|
3. Generate the key pair
|
|
1. Generate the key pair
|
|
- Boot into a live medium
|
|
- Boot into a live medium
|
|
- Generate a key pair (and revocation certificate) according to the requirements
|
|
- Generate a key pair (and revocation certificate) according to the requirements
|
|
- `gpg --full-gen-key --expert`
|
|
- `gpg --full-gen-key --expert`
|
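Review bot: with the items at "Generate the key pair" and the email request renumbered from `2.`/`3.` to `1.`, the raw file now depends entirely on the Markdown renderer for step numbers, so anyone reading the plain text sees every step as `1.` and any reference to a step by number becomes ambiguous. If the auto-numbering is intentional (it makes inserting steps easier), please confirm that the nested bullets such as `gpg --full-gen-key --expert` are indented under their parent item so the rendered list does not restart, and avoid referring to steps by number elsewhere in the document.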
... | @@ -23,11 +23,11 @@ |
... | @@ -23,11 +23,11 @@ |
|
- Enter real name: `<first name> <last name>`
|
|
- Enter real name: `<first name> <last name>`
|
|
- Enter email address: `<user name>@archlinux.org`
|
|
- Enter email address: `<user name>@archlinux.org`
|
|
- Enter strong password for key pair
|
|
- Enter strong password for key pair
|
|
4. Backup the key pair and automatically generated revocation certificate according to the requirements
|
|
1. Backup the key pair and automatically generated revocation certificate according to the requirements
|
|
- `gpg --output /mnt/encrypted_backup/secret.key --armor --export-secret-keys`
|
|
- `gpg --output /mnt/encrypted_backup/secret.key --armor --export-secret-keys`
|
|
- `gpg --output /mnt/encrypted_backup/public.asc --armor --export`
|
|
- `gpg --output /mnt/encrypted_backup/public.asc --armor --export`
|
|
- `cp /root/.gnupg/openpgp-revocs.d/*.rev /mnt/encrypted_backup/`
|
|
- `cp /root/.gnupg/openpgp-revocs.d/*.rev /mnt/encrypted_backup/`
|
|
5. Move the key pair to the hardware token (deletes key from local keychain!)
|
|
1. Move the key pair to the hardware token (deletes key from local keychain!)
|
|
- `gpg --edit-key --expert <key ID>`
|
|
- `gpg --edit-key --expert <key ID>`
|
|
- Enter `keytocard` and acknowledge with `y`
|
|
- Enter `keytocard` and acknowledge with `y`
|
|
- Select "Signature key"
|
|
- Select "Signature key"
|
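Review bot: there is no verification of the backup between the `cp /root/.gnupg/openpgp-revocs.d/*.rev /mnt/encrypted_backup/` bullet and the "Move the key pair to the hardware token (deletes key from local keychain!)" step, so a failed or empty export would only be noticed after `keytocard` has removed the local copy. Consider adding a bullet at the end of the backup step that checks the exported file is readable, for example with `gpg --list-packets /mnt/encrypted_backup/secret.key`. The two export commands also omit `<key ID>`, which exports every key in the keyring; that is harmless on a fresh live medium but inconsistent with the later steps that name the key explicitly.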
... | @@ -39,5 +39,9 @@ |
... | @@ -39,5 +39,9 @@ |
|
- Enter `keytocard` and acknowledge with `y`
|
|
- Enter `keytocard` and acknowledge with `y`
|
|
- Select "Authentication key"
|
|
- Select "Authentication key"
|
|
- Enter `quit` and acknowledge with `y`
|
|
- Enter `quit` and acknowledge with `y`
|
|
6. Upload public key to keyserver infrastructure
|
|
1. Upload public key to keyserver infrastructure
|
|
- `gpg --keyserver keyserver.ubuntu.com --send-key <key ID>`
|
|
- `gpg --keyserver keyserver.ubuntu.com --send-key <key ID>`
|
|
|
|
1. Add new public key to [archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring):
|
|
|
|
- [Open an issue](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/new) using the "New Packager Key" template
|
|
|
|
- Import public key into keyring directory: `./keyringctl import --name <username> <(gpg --export <key ID>)`
|
|
|
|
- [Create a merge request](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/merge_requests/new) using the "New Packager Key" template |
|
|
|
\ No newline at end of file |
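Review bot: the new bullet `./keyringctl import --name <username> <(gpg --export <key ID>)` does not say where it is run; it needs a checkout of archlinux-keyring as the working directory, a shell that supports `<(...)` process substitution, and the public key present in the local GnuPG keyring, which is not a given if this is done on a different system than the live medium used for key generation. Please state those prerequisites in the step (for instance, clone the repository first and import the backed-up `public.asc` if needed). Separately, the file now ends without a trailing newline, which is worth fixing in the same change.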