Requirements
- A valid revocation certificate for the key or access to the private key in the case that the key itself will be revoked
Workflow
You may either retire your key (its main key signatures are revoked) or revoke it (the key itself is revoked and cannot be used for any further actions).
If you intend to retire from packaging altogether, announce this on the respective mailing list (arch-dev-public@lists.archlinux.org for developers, aur-general@lists.archlinux.org for trusted users) in an email signed with the packager signing key.
Key Retirement
Open an issue using the "Remove Packager Key" template.
Key Revocation
- Revoke key locally
  - Optional: Create a revocation certificate if none exists already (requires full access to the private key)
    gpg --output revoke.asc --gen-revoke <key ID>
  - Import revocation certificate
    gpg --import revoke.asc
  - Optional: Revoke sub key (e.g. because a hardware token used for a subkey, and only that subkey, was lost)
    gpg --edit-key <key ID>
    - Select the appropriate sub key(s) using key <number>; selected sub keys are marked with an asterisk (*)
    - Use revkey and follow the steps outlined above to provide details about the revocation
    - Save the updated key using save, confirming changes
  - Optional: Revoke a user ID (e.g. when a @archlinux.org user ID is used on a personal key and the personal key remains active after revocation)
    gpg --edit-key <key ID>
    - Select the appropriate user ID(s) using uid <number>; selected user IDs are marked with an asterisk (*)
    - Use revuid and follow the steps outlined above to provide details about the revocation
    - Save the updated key using save, confirming changes
  - Optional: Create a revocation certificate if none exists already (requires full access to the private key)
  - Import the revocation certificate using
    gpg --import <revocation_cert>
- Update the public key in archlinux-keyring:
  - Open an issue using the "Remove Packager Key" template
  - Import the revocation certificate into the keyring directory:
    ./keyringctl import <(gpg --export <PGP key ID>)
  - Create a merge request using the "Remove Packager Key" template, which adds the altered PGP packets
- Publish updated public key via WKD
  - Trigger a new deployment of the public keys via WKD
- Revoke the public key on the keyserver infrastructure
  gpg --keyserver search.keyserver.net --send-key <key ID>
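As an added check before the archlinux-keyring import and the keyserver push (example script, not part of the archlinux-keyring documentation or tooling), the functions below read gpg's machine-readable listing and report whether the whole key, only some subkeys, or only some user IDs ended up revoked by the steps above. The sample listings and key IDs are constructed placeholders; KEY_ID in the final comment is an assumed variable.

```shell
#!/bin/sh
# Added example, not from the archlinux-keyring docs: classify the revocation
# state of a key from the machine-readable listing produced by
#   gpg --with-colons --list-keys <key ID>
# before importing it into archlinux-keyring or sending it to a keyserver.
# Colon format: field 1 = record type, field 2 = validity ('r' = revoked),
# field 5 = key ID on pub/sub records, field 10 = user ID on uid records.

# Constructed samples with placeholder key IDs (no real key material).
# Whole key revoked by importing a revocation certificate:
SAMPLE_FULL='pub:r:4096:1:0000000000000001:1600000000:::-:::sc::::::23::0:
uid:r::::1600000000::0000000000000000000000000000000000000001::Example Packager <packager@archlinux.org>::::::::::0:
sub:r:4096:1:0000000000000002:1600000000:::::s::::::23:'
# Only a subkey (lost token) and the personal user ID revoked; key still usable:
SAMPLE_PARTIAL='pub:-:4096:1:0000000000000001:1600000000:::-:::sc::::::23::0:
uid:-::::1600000000::0000000000000000000000000000000000000001::Example Packager <packager@archlinux.org>::::::::::0:
uid:r::::1600000000::0000000000000000000000000000000000000002::Example Packager <personal@example.org>::::::::::0:
sub:r:4096:1:0000000000000002:1600000000:::::s::::::23:
sub:-:4096:1:0000000000000003:1600000000:::::e::::::23:'
# Nothing revoked:
SAMPLE_ACTIVE='pub:-:4096:1:0000000000000001:1600000000:::-:::sc::::::23::0:
uid:-::::1600000000::0000000000000000000000000000000000000001::Example Packager <packager@archlinux.org>::::::::::0:
sub:-:4096:1:0000000000000002:1600000000:::::s::::::23:'

# Prints "revoked" when the primary key is revoked, "partial" when only some
# subkeys or user IDs are, and "active" otherwise.
key_revocation_state() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" && $2 == "r" { primary = 1 }
        ($1 == "sub" || $1 == "uid") && $2 == "r" { partial = 1 }
        END {
            if (primary) print "revoked"
            else if (partial) print "partial"
            else print "active"
        }'
}

# Prints the key IDs of revoked subkeys, one per line.
revoked_subkeys() {
    printf '%s\n' "$1" | awk -F: '$1 == "sub" && $2 == "r" { print $5 }'
}

# Prints revoked user IDs, one per line.
revoked_uids() {
    printf '%s\n' "$1" | awk -F: '$1 == "uid" && $2 == "r" { print $10 }'
}
# Against the local keyring (KEY_ID is a placeholder for the packager key ID):
#   key_revocation_state "$(gpg --with-colons --list-keys "$KEY_ID")"
```

A "partial" result means the primary key is still usable and only the subkey/user ID packets changed, which is the state expected after the optional revkey/revuid steps rather than after importing a revocation certificate.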