update-keys:
Add SPDX license identifier for GPL-3.0-or-later.

We need web of trust to download the master key signatures...
So enable it.

... containing username and keyid

Eli Schwartz authored Aug 05, 2019 and Christian Hesse committed Aug 06, 2019

Using popd at the very end of a shell script is unnecessary, because, as
the very last command, there is nothing to restore state for.
Immediately after, the shell subprocess is ended, and processes don't
control the cwd of the parent process. Changing the cwd for the last
microsecond of the shell process, during which no commands are run, is
a mildly expensive no-op.

By the same measure, if popd is never used, pushd is not needed to
record the old cwd. So simply use 'cd'.
Signed-off-by: Christian Hesse <mail@eworm.de>

Eli Schwartz authored Aug 05, 2019 and Christian Hesse committed Aug 06, 2019

This option only affects --export, and we always use armored keys.
Signed-off-by: Christian Hesse <mail@eworm.de>

Eli Schwartz authored Aug 05, 2019 and Christian Hesse committed Aug 06, 2019

This has the same effect, but causes only the exported version of the
key to be cleaned. Cleaning the internal copy doesn't matter.
Signed-off-by: Christian Hesse <mail@eworm.de>

Eli Schwartz authored Aug 05, 2019 and Christian Hesse committed Aug 06, 2019

It is easier than passing around a dozen options on the command line.
Signed-off-by: Christian Hesse <mail@eworm.de>

Eli Schwartz authored Aug 05, 2019 and Christian Hesse committed Aug 06, 2019

Embedding quotes in a string doesn't work, it just causes KEYSERVER to
not be quoted at all.
Signed-off-by: Christian Hesse <mail@eworm.de>

* use --refresh-keys if key is available, not --recv-keys
* refresh/receive in one go

This makes sure we do not loose signatures depending on key server used.

Intermittent errors (due to broker network connectivity, key server
failure, whatever ...) could result in an incomplete keyring. So exit
immediately on error.

We need the key and most recent self signature.
Signed-off-by: Christian Hesse <mail@eworm.de>

There's no need to have images in pacman keyring...
Signed-off-by: Christian Hesse <mail@eworm.de>

- add keys of new Trusted Users: zorin, shibumi, archangegabriel
- revoke keys of ex-TUs: flexiondotorg, dicebot
- revoke Dan's master key
Signed-off-by: Bartłomiej Piotrowski <bpiotrowski@archlinux.org>

Use the file packager-revoked-keyids to revoke certain keys.

This reverts commit 9f3a1ace.

Keep signatures until pacman 4.0.3 hits [core].

We also remove unused signatures from the keys to keep the history more readable

The update script creates key files for master keys and all developers with fully trusted keys.

* The keyid lists are retreived from archweb
* The update script can be run to refresh all keys