## Requirements

- Verify that the public key as identified by the PGP key ID follows the [best practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
- Only consider `@archlinux.org` UIDs

## Workflow

1. Send a generated token (e.g. a random string) to the UID as identified by the PGP key ID in an encrypted e-mail
2. Wait for the holder of the UID to respond with an encrypted e-mail holding the [clearsigned](https://www.gnupg.org/gph/en/manual/x135.html) token, using their UID
3. Verify the authenticity of the clearsigned token by matching the signing key shown in the output of `gpg --verify <clearsigned token>` with the key listed by `gpg --keyid-format long --list-keys <UID>`
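
The three steps above, scripted as an added example that is not part of the archlinux-keyring wiki or tooling. It assumes the key ID to verify is passed as the first argument, the clearsigned reply has been saved to a file, and, instead of comparing the human-readable output of the two `gpg` commands by eye, it reads the machine-readable `--status-fd` and `--with-colons` output so that the primary key fingerprint of the signer can be compared with the fingerprint listed for the `@archlinux.org` UID. The record-parsing functions are plain shell and take `gpg` output on stdin, so they work without a keyring.

```shell
#!/bin/sh
# Added example: scripted token round-trip for verifying that the holder of an
# @archlinux.org UID controls the key identified by a PGP key ID.
# Assumptions (not from the wiki): KEYID is given as $2, the signed reply as a file.
set -eu

# Step 1: a random 256-bit token, hex encoded (64 characters).
gen_token() { head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# Pick the first @archlinux.org UID from "gpg --with-colons --list-keys" output
# (uid records carry the user ID string in field 10). Only those UIDs count.
arch_uid_from_colons() {
  awk -F: '$1=="uid" && $10 ~ /@archlinux\.org>/ {print $10; exit}'
}

# Primary key fingerprint from "gpg --with-colons --list-keys" output: the first
# fpr record after the pub record belongs to the primary key (field 10).
primary_fpr_from_colons() { awk -F: '$1=="fpr" {print $10; exit}'; }

# From "gpg --status-fd 1" output, take the VALIDSIG line: field 3 is the
# fingerprint of the (sub)key that signed, the last field the primary key's.
parse_validsig() { awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3, $NF; exit}'; }

# Step 1 in practice: encrypt the token to the key and print the UID to mail it to.
send_token() {  # $1 = key id, $2 = token; writes token.asc for the e-mail body
  uid=$(gpg --with-colons --list-keys "$1" | arch_uid_from_colons)
  [ -n "$uid" ] || { echo "no @archlinux.org UID on key $1" >&2; return 1; }
  printf '%s\n' "$2" | gpg --batch --armor --encrypt --recipient "$1" > token.asc
  echo "$uid"
}

# Step 3: check the clearsigned reply. It must carry a valid signature, the
# signing key's primary fingerprint must match the key listed for the UID, and
# the signed text must be exactly the token we sent.
check_reply() {  # $1 = key id, $2 = expected token, $3 = clearsigned reply file
  tmp=$(mktemp)
  # --decrypt on a clearsigned message verifies it and writes the signed text.
  status=$(gpg --batch --status-fd 1 --output "$tmp" --decrypt "$3" 2>/dev/null) || true
  sig=$(printf '%s\n' "$status" | parse_validsig)
  signer=${sig%% *}; primary=${sig##* }
  expected=$(gpg --with-colons --list-keys "$1" | primary_fpr_from_colons)
  text=$(cat "$tmp"); rm -f "$tmp"
  [ -n "$sig" ] || { echo "no valid signature on $3" >&2; return 1; }
  [ "$primary" = "$expected" ] || { echo "signed by $primary, expected $expected" >&2; return 1; }
  [ "$text" = "$2" ] || { echo "signed text does not match the token" >&2; return 1; }
  echo "ok: token signed by $signer (primary key $primary)"
}

# Usage: ./verify-uid.sh send <KEYID>   -> prints UID, writes token.asc and token.txt
#        ./verify-uid.sh check <KEYID> <reply.asc>
case "${1:-}" in
  send)  token=$(gen_token); printf '%s\n' "$token" > token.txt; send_token "$2" "$token" ;;
  check) check_reply "$2" "$(cat token.txt)" "$3" ;;
esac
```

`send` keeps the token in `token.txt` so `check` can compare it later; the comparison is against the primary key fingerprint rather than the short key ID, which avoids confusing two keys that happen to share a key ID.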