As the SKS infrastructure is offline for good, we need to switch to
keyserver.ubuntu.com for the time being.

The Ubuntu keyservers to not support EC keys, thus we have to ignore
failure when refreshing keys.

update-keys:
Add SPDX license identifier for GPL-3.0-or-later.

We need web of trust to download the master key signatures...
So enable it.

... containing username and keyid

Eli Schwartz authored 5 years ago and Christian Hesse committed 5 years ago

Using popd at the very end of a shell script is unnecessary, because, as
the very last command, there is nothing to restore state for.
Immediately after, the shell subprocess is ended, and processes don't
control the cwd of the parent process. Changing the cwd for the last
microsecond of the shell process, during which no commands are run, is
a mildly expensive no-op.

By the same measure, if popd is never used, pushd is not needed to
record the old cwd. So simply use 'cd'.

Signed-off-by: Christian Hesse <mail@eworm.de>

Eli Schwartz authored 5 years ago and Christian Hesse committed 5 years ago

This option only affects --export, and we always use armored keys.

Signed-off-by: Christian Hesse <mail@eworm.de>

Eli Schwartz authored 5 years ago and Christian Hesse committed 5 years ago

This has the same effect, but causes only the exported version of the
key to be cleaned. Cleaning the internal copy doesn't matter.

Signed-off-by: Christian Hesse <mail@eworm.de>

Eli Schwartz authored 5 years ago and Christian Hesse committed 5 years ago

It is easier than passing around a dozen options on the command line.

Signed-off-by: Christian Hesse <mail@eworm.de>

Eli Schwartz authored 5 years ago and Christian Hesse committed 5 years ago

Embedding quotes in a string doesn't work, it just causes KEYSERVER to
not be quoted at all.

Signed-off-by: Christian Hesse <mail@eworm.de>

* use --refresh-keys if key is available, not --recv-keys
* refresh/receive in one go

This makes sure we do not loose signatures depending on key server used.

Intermittent errors (due to broker network connectivity, key server
failure, whatever ...) could result in an incomplete keyring. So exit
immediately on error.

We need the key and most recent self signature.

Signed-off-by: Christian Hesse <mail@eworm.de>

There's no need to have images in pacman keyring...

Signed-off-by: Christian Hesse <mail@eworm.de>

- add keys of new Trusted Users: zorin, shibumi, archangegabriel
- revoke keys of ex-TUs: flexiondotorg, dicebot
- revoke Dan's master key

Signed-off-by: Bartłomiej Piotrowski <bpiotrowski@archlinux.org>

Use the file packager-revoked-keyids to revoke certain keys.

This reverts commit 9f3a1ace.

Keep signatures until pacman 4.0.3 hits [core].

We also remove unused signatures from the keys to keep the history more readable

The update script creates key files for master keys and all developers with fully trusted keys.

* The keyid lists are retreived from archweb
* The update script can be run to refresh all keys