## Requirements

- A valid revocation certificate for the key or access to the private key

## Workflow

1. Announce the resignation and/or revocation on the respective mailing list ([arch-dev-public@lists.archlinux.org](mailto:arch-dev-public@lists.archlinux.org) for developers, [aur-general@lists.archlinux.org](mailto:aur-general@lists.archlinux.org) for trusted users) in an email signed with the packager signing key.
2. Revoke the key locally
   - *Optional*: Create a revocation certificate if none exists already (requires full access to the private key)
     - `gpg --output revoke.asc --gen-revoke <key ID>`
   - Import the revocation certificate: `gpg --import revoke.asc`
   - *Optional*: Revoke a subkey (e.g. because a hardware token used for a subkey, and only that subkey, was lost)
     - `gpg --edit-key <key ID>`
     - Select the appropriate subkey(s) using `key <number>`; selected subkeys are marked with an asterisk (`*`)
     - Use `revkey` and answer the prompts to provide details about the revocation
     - Save the updated key using `save`, confirming the changes
   - *Optional*: Revoke a user ID (e.g. when a `@archlinux.org` user ID is used on a personal key and the personal key remains active after the revocation)
     - `gpg --edit-key <key ID>`
     - Select the appropriate user ID(s) using `uid <number>`; selected user IDs are marked with an asterisk (`*`)
     - Use `revuid` and answer the prompts to provide details about the revocation
     - Save the updated key using `save`, confirming the changes
3. Update the public key in the distribution keyring
   - Open an issue in the [archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring) repository using the "Remove Packager Key" template
4. Publish the updated public key via WKD
   - Trigger a new deployment of the public keys via [WKD](https://gitlab.archlinux.org/archlinux/wkd/)
5. Revoke the public key on the keyserver infrastructure
   - `gpg --keyserver search.keyserver.net --send-key <key ID>`
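
The local revocation steps above (subkey, user ID, whole key via a revocation certificate) can be rehearsed on a throwaway key before touching a real packager key. The script below is an added example, not part of this wiki page or of the archlinux-keyring project. It uses a temporary `GNUPGHOME`, placeholder names and addresses, and the non-interactive forms of the commands described above: GnuPG's `--quick-revoke-uid` instead of the `revuid` dialogue, the `revkey` dialogue driven through `--command-fd`, and the revocation certificate that GnuPG 2.1+ stores under `openpgp-revocs.d` at key creation in place of a freshly generated `revoke.asc`. After each step it reads the machine-readable key listing and reports the validity flag, which is `r` for a revoked record.

```shell
#!/bin/sh
# Added example, not from the archlinux-keyring wiki: rehearse the local
# revocation steps (subkey, user ID, whole key via revocation certificate)
# on a throwaway key in a temporary GNUPGHOME and verify each result in the
# machine-readable key listing. Names and addresses are placeholders.
set -eu

# gpg wrapper: batch mode, no passphrase on the throwaway key, stdout
# discarded (gpg reports progress on stderr and on --status-fd).
g() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@" >/dev/null
}

# Validity field of the first matching record in the colon listing:
# TYPE is pub, sub or uid; PATTERN is matched against the user ID field.
# Revoked records show "r". Revoked subkeys and user IDs are hidden from
# listings by default, hence the two list-options.
record_validity() {   # record_validity TYPE KEY [PATTERN]
    gpg --batch --with-colons \
        --list-options show-unusable-uids,show-unusable-subkeys \
        --list-keys "$2" |
        awk -F: -v t="$1" -v p="${3:-}" '$1 == t && $10 ~ p { print $2; exit }'
}

# Build a key shaped like a packager key: certify-only primary key, one
# signing subkey and a second user ID. Prints the primary fingerprint.
make_test_key() {
    g --quick-generate-key 'Example Packager <packager@example.org>' ed25519 cert never
    fpr=$(gpg --batch --with-colons --list-keys packager@example.org |
          awk -F: '$1 == "fpr" { print $10; exit }')
    g --quick-add-key "$fpr" ed25519 sign never
    g --quick-add-uid "$fpr" 'Example Packager <packager@example.net>'
    echo "$fpr"
}

# Step "Revoke a subkey": the revkey dialogue from the page, answered via
# --command-fd. Answers: select subkey 1, revkey, confirm, reason 1
# (key compromised, the safe choice for a lost token), one line of
# description, empty line to end it, confirm, save.
revoke_subkey() {
    printf 'key 1\nrevkey\ny\n1\nhardware token lost\n\ny\nsave\n' |
        g --command-fd 0 --status-fd 2 --edit-key "$1"
}

# Step "Revoke a user ID": GnuPG offers a non-interactive form of revuid.
revoke_uid() {
    g --quick-revoke-uid "$1" "$2"
}

# Step "Import the revocation certificate": GnuPG 2.1+ already stored one at
# key creation, with a leading colon on the armor header so it cannot be
# imported by accident. Strip the colon, then import it.
revoke_whole_key() {
    sed 's/^:-----BEGIN/-----BEGIN/' "$GNUPGHOME/openpgp-revocs.d/$1.rev" \
        > "$GNUPGHOME/revoke.asc"
    g --import "$GNUPGHOME/revoke.asc"
}

# Run all steps in a fresh keyring and print the validity flags observed
# after each one; "sub=r uid=r pub=r" means every revocation took effect.
run_drill() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    fpr=$(make_test_key)
    revoke_subkey "$fpr"
    sub=$(record_validity sub "$fpr")
    revoke_uid "$fpr" 'Example Packager <packager@example.net>'
    uid=$(record_validity uid "$fpr" 'example[.]net')
    revoke_whole_key "$fpr"
    pub=$(record_validity pub "$fpr")
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    echo "sub=$sub uid=$uid pub=$pub"
}

if command -v gpg >/dev/null 2>&1; then
    run_drill
else
    echo 'gpg not found; install gnupg to run this drill' >&2
fi
```

Two details are worth carrying over to the real procedure: a revoked subkey or user ID disappears from `gpg --list-keys` unless `--list-options show-unusable-subkeys,show-unusable-uids` is given, so check the listing that way before publishing; and the certificate GnuPG writes to `openpgp-revocs.d` is deliberately unimportable until the leading colon before `-----BEGIN PGP PUBLIC KEY BLOCK-----` is removed.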