Skip to content
Snippets Groups Projects

Store PGP keys for source file signatures alongside PKGBUILDs

Merged Store PGP keys for source file signatures alongside PKGBUILDs
(removed):gpg-keys into master
All threads resolved!
Merged Allan McRae requested to merge (removed):gpg-keys into master
All threads resolved!
Compare
and
1 file
+ 74
0
Compare changes
  • Side-by-side
  • Inline
rfcs/0011-store-source-signing-keys.rst 0 → 100644
+ 74
0
=============================================================
Store PGP keys for source file signatures alongside PKGBUILDs
=============================================================
- Date proposed: 2022-03-20
- RFC MR: https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/11
Summary
-------
Store the PGP signing keys listed in a PKGBUILDs `validpgpkeys` array alongside
the PKGBUILD in our VCS.
Motivation
----------
The PGP keyserver infrastructure has become increasingly brittle over recent
years. This can make helping with updates or rebuilds of packages difficult
due to lack of access to the valid signing key. Having the signing key exported
alongside the PKGBUILD would allow for anybody to import the key into their
keyring and verify the source.
Specification
-------------
All keys used by upstream developers for signing source files will be stored
in alongside the PKGBUILD in the VCS. A naive script for populating this directory
(assuming keys are available in the local keyring) in our current SVN
infrastructure is:
::
cd trunk
source PKGBUILD
mkdir keys
for keyid in ${validpgpkeys[@]}; do
gpg --export $keyid > keys/$keyid.asc
done
Then, any packager working on the package (e.g. for a rebuild) can readily
populate their keyring using:
::
cd trunk
gpg --import keys/*.asc
Drawbacks
---------
Adding the key to the source directory initially requires extra work from
packagers, although reduces work for subsequent packagers. We can automate
this with a simple script added to devtools.
Unresolved Questions
--------------------
- Will dbscripts enforce that signing keys are provided?
- Will the signing keys be copied from the trunk to repo directories? This
becomes a non-issue with proposed future git layout where tags are used for
release management.
- offload-build uploads a tarball generated by `makepkg --source` so will not
upload the keys directory. Should this be fixed in makepkg or devtools?
- infrastructure to periodically validate keys to catch revoked and expired
keys could be added in the future. This is outside the scope of this RFC.
Alternatives Considered
-----------------------
Arch could host their own keyserver, containing all keys needed for verifying
source files used in the distro. It is unclear how such a keyserver would be
populated while avoiding arbitrary uploads from outside.