## Requirements
- Verify the UID that is about to be signed
- Only sign `@archlinux.org` UIDs (we want to be able to rely purely on WKD, which is under the control of Arch Linux's infrastructure, so that packager keys do not depend on third-party availability)
- Back up detached UID signatures (this is required so that signatures of packagers who have resigned can still be revoked, even if they never applied the detached UID signature and the signer did not store a backup)
Existing tooling:
- [pius](https://archlinux.org/packages/community/any/pius/)
- [signing-party](https://archlinux.org/packages/community/x86_64/signing-party/)
## Workflow
1. Import the public key: `gpg --import <UID.asc>`
2. Sign the public key: `gpg --sign-key --ask-cert-level <UID>`
3. Export the signed public key (ASCII-armored, since the target file is `.asc`): `gpg --armor --output <signed_UID.asc> --export <UID>`
4. Send the signed public key to the owner of the UID in an encrypted mail
5. Create a backup of the signed UID
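The following script is an added example and is not part of the original page or of any Arch Linux tooling. It wires steps 2, 3 and 5 of the workflow together with the `@archlinux.org`-only requirement: it parses `gpg --with-colons --list-keys` output, keeps only valid UIDs in the allowed domain, signs just those UIDs, and exports the signed key to a backup directory. It assumes gpg 2.1 or newer, that the key was already imported (step 1), and that the key is given by its primary fingerprint; `--quick-sign-key` is substituted for the interactive `--sign-key --ask-cert-level` from the workflow, and `BACKUP_DIR` is a hypothetical location.

```shell
#!/bin/sh
# Added example, not part of the original page: drive the signing workflow
# non-interactively so that only @archlinux.org UIDs are signed and the signed
# public key is exported to a backup location. Assumes gpg >= 2.1 and that
# the key has already been imported (step 1 of the workflow).
set -eu

ALLOWED_DOMAIN="archlinux.org"                            # requirement: only sign this domain
BACKUP_DIR="${BACKUP_DIR:-$HOME/.local/share/uid-sigs}"   # hypothetical backup directory

# Read 'gpg --with-colons --list-keys' output on stdin and print the e-mail
# address of every valid UID in ALLOWED_DOMAIN, one per line. In colon format
# the user ID is field 10 of a 'uid' record and field 2 is the validity,
# where 'r' means revoked and 'e' means expired; both are skipped.
allowed_uids() {
    awk -F: -v dom="$ALLOWED_DOMAIN" '
        $1 == "uid" && $2 != "r" && $2 != "e" {
            addr = $10
            if (match(addr, /<[^>]+>/))            # "Name <addr>" form: keep only addr
                addr = substr(addr, RSTART + 1, RLENGTH - 2)
            n = split(addr, part, "@")
            if (n == 2 && part[2] == dom) print addr   # exact domain match only
        }'
}

# Sign the allowed UIDs of the key with primary fingerprint $1, then export the
# signed public key into BACKUP_DIR and print the backup path (steps 2, 3, 5).
# --quick-sign-key signs only the named UIDs and uses --default-cert-level.
sign_and_backup() {
    fpr="$1"
    uids=$(gpg --with-colons --list-keys "$fpr" | allowed_uids)
    if [ -z "$uids" ]; then
        echo "refusing to sign $fpr: no valid @$ALLOWED_DOMAIN UID" >&2
        return 1
    fi
    for uid in $uids; do
        gpg --quick-sign-key "$fpr" "$uid"
    done
    mkdir -p "$BACKUP_DIR"
    out="$BACKUP_DIR/$fpr-$(date +%Y%m%d).asc"
    gpg --armor --output "$out" --export "$fpr"
    echo "$out"
}

# Usage: ./sign-uid.sh <fingerprint>; without an argument only the functions are defined.
if [ -n "${1:-}" ]; then
    sign_and_backup "$1"
fi
```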