Add a new main key

Requirements

• Meet all best practices for key holders
• Meet all best practices for generating a new key pair
• The key pair is generated for a valid <username>@master-key.archlinux.org mail address
• The key pair comment is set to Arch Linux Master Key

Workflow

1. Make sure to read the respective requirements and reach out to fellow team members if something is unclear
2. Request the master-key mail address by opening a ticket in the infrastructure repository
   • Validate you can send and receive mails
3. Generate the key pair
   • Boot into a live medium
   • Set the gnupg config options according to the best practices
   • Generate a key pair (and revocation certificate) according to the requirements
     • gpg --full-gen-key --expert
     • ECC Curve25519
       • Select "ECC and ECC"
       • Select "Curve 25519"
     • RSA
       • Select "RSA and RSA"
       • Set keysize to 4096
       • Set subkey keysize to 4096
     • Select "0 = key does not expire" and acknowledge
     • Enter real name: <first name> <last name>
     • Enter email address: <user name>@master-key.archlinux.org
     • Enter comment: Arch Linux Master Key
     • Acknowledge with O
     • Enter strong password for key pair
   • Validate the key pair according to the best practices and ensure all requirements are met
4. Backup the key pair and automatically generated revocation certificate according to the requirements
   • gpg --output /mnt/encrypted_backup/secret.key --armor --export-secret-keys
   • gpg --output /mnt/encrypted_backup/public.asc --armor --export
   • cp /root/.gnupg/openpgp-revocs.d/*.rev /mnt/encrypted_backup/
5. Move the key pair to the hardware token (deletes key from local keychain!)
   • gpg --edit-key --expert <key ID>
   • Enter keytocard and acknowledge with y
   • Select "Signature key"
   • Move optional subkeys
     • Select an optional encryption key (subkey): key <subkey number>
     • Enter keytocard and acknowledge with y
     • Select "Encryption key"
     • Select an optional authentication key (subkey): key <subkey number>
     • Enter keytocard and acknowledge with y
     • Select "Authentication key"
   • Enter quit and acknowledge with y
6. Send the revocation certificate and the generated public key over an end-to-end encrypted channel to the revocation certificate holder
   • To increase security, it can be feasible to send only a part of the revocation certificate in the encrypted mail and the rest using another (also end-to-end encrypted) side-channel
   • Wait for the revocation certificate holder to verify, that the revocation certificate works
7. Upload public key to keyserver infrastructure
   • gpg --keyserver keyserver.ubuntu.com --send-key <key ID>
8. Add the public key to archlinux-keyring:
   • Open an issue using the "New Main Key" template
   • Import the public key as a new main key: ./keyringctl import --main --name <username> <(gpg --export <key ID>)
   • Create a merge request using the "New Main Key" template to add the PGP packets in the keyring directory
   • Release new version of archlinux-keyring
9. Publish public key via WKD
   • Trigger a new deployment of the public keys via WKD
10. Publish the new key on the website
    • Login as Django Admin on archweb and add a new 'Master key' with the fingerprint, owner and revoker.