condorcore-keyring/README.md

# archlinux-keyring

The archlinux-keyring project holds PGP packet material and tooling
(`keyringctl`) to create the distribution keyring for Arch Linux.
The keyring is used by pacman to establish the web of trust for the packagers
of the distribution.

The PGP packets describing the main signing keys can be found below the
[keyring/main](keyring/main) directory, while those of the packagers are located below the
[keyring/packager](keyring/packager) directory.

## Requirements

The following packages need to be installed to be able to create a PGP keyring
from the provided data structure and to install it:

* make
* python
* sequoia-sq

Optional:
* hopenpgp-tools (verify)
* sq-keyring-linter (verify)
* git (ci)

## Usage

### Build

Build all PGP artifacts (keyring, ownertrust, revoked files) to the build directory
```bash
./keyringctl build
```

### Import

Import a new packager key by deriving the username from the filename.
```bash
./keyringctl import <username>.asc
```

Alternatively import a file or directory and override the username
```bash
./keyringctl import --name <username> <file_or_directory...>
```

Updates to existing keys will automatically derive the username from the known fingerprint.
```bash
./keyringctl import <file_or_directory...>
```

Main key imports support the same options plus a mandatory `--main`
```bash
./keyringctl import --main <username>.asc
```

### Export

Export the whole keyring including main and packager to stdout
```bash
./keyringctl export
```

Limit to specific certs using an output file
```bash
./keyringctl export <username_or_fingerprint_or_directory...> --output <filename>
```

### List

List all certificates in the keyring
```bash
./keyringctl list
```

Only show a specific main key
```bash
./keyringctl list --main <username_or_fingerprint...>
```

### Inspect

Inspect all certificates in the keyring
```bash
./keyringctl inspect
```

Only inspect a specific main key
```bash
./keyringctl inspect --main <username_or_fingerprint_or_directory...>
```

### Verify

Verify certificates against modern expectations and assumptions
```bash
./keyringctl verify <username_or_fingerprint_or_directory...>
```

## Installation

To install archlinux-keyring system-wide use the included `Makefile`:

```bash
make install
```

## Contribute

Read our [contributing guide](CONTRIBUTING.md) to learn more about guidelines and
how to provide fixes or improvements for the code base.

## Releases

[Releases of
archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/tags)
are created by its current maintainer [Christian
Hesse](https://gitlab.archlinux.org/eworm). Tags are signed using the PGP key
with the ID `02FD1C7A934E614545849F19A6234074498E9CEE`.

To verify a tag, first import the relevant PGP key:

```bash
gpg --auto-key-locate wkd --search-keys eworm@archlinux.org
```

Afterwards a tag can be verified from a clone of this repository:

```bash
git verify-tag <tag>
```

## License

Archlinux-keyring is licensed under the terms of the **GPL-3.0-or-later** (see
[LICENSE](LICENSE)).
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`# archlinux-keyring`
Add README Include a readme with steps how to add/remove/update a key in the keyring and how to release a new keyring version. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-03-22 04:15:59 -06:00
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`The archlinux-keyring project holds PGP packet material and tooling`
			(`keyringctl`) to create the distribution keyring for Arch Linux.
			`The keyring is used by pacman to establish the web of trust for the packagers`
			`of the distribution.`
Add README Include a readme with steps how to add/remove/update a key in the keyring and how to release a new keyring version. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-03-22 04:15:59 -06:00
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`The PGP packets describing the main signing keys can be found below the`
feature(keyringctl): move main/packager folders to isolated keyring dir This helps to structure the layout of the repository better by having one root folder that contains the actual decomposed keyring structure. 2021-10-19 18:41:04 -05:00			`[keyring/main](keyring/main) directory, while those of the packagers are located below the`
			`[keyring/packager](keyring/packager) directory.`
Add README Include a readme with steps how to add/remove/update a key in the keyring and how to release a new keyring version. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-03-22 04:15:59 -06:00
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`## Requirements`
Add README Include a readme with steps how to add/remove/update a key in the keyring and how to release a new keyring version. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-03-22 04:15:59 -06:00
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`The following packages need to be installed to be able to create a PGP keyring`
			`from the provided data structure and to install it:`
README: Document the revocation of a packager key Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-10-03 13:17:40 -05:00
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`* make`
			`* python`
			`* sequoia-sq`
README: Document the revocation of a packager key Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-10-03 13:17:40 -05:00
feature(keyringctl): add verify command to check certificate expectation This command checks certain expectations using sq and hokey, prints the results to stdout and potentially exists non successfully. 2021-10-24 14:49:55 -05:00			`Optional:`
			`* hopenpgp-tools (verify)`
			`* sq-keyring-linter (verify)`
feature(keyringctl): adding ci command to verify newly added certs Currently only newly added certificates will be checked against the expectations as existing keys are not all fully compatible with those assumptions. New certificates are determined by using $CI_MERGE_REQUEST_DIFF_BASE_SHA as the base, 2021-10-24 15:08:50 -05:00			`* git (ci)`
feature(keyringctl): add verify command to check certificate expectation This command checks certain expectations using sq and hokey, prints the results to stdout and potentially exists non successfully. 2021-10-24 14:49:55 -05:00
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			`## Usage`
Add README Include a readme with steps how to add/remove/update a key in the keyring and how to release a new keyring version. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-03-22 04:15:59 -06:00
feature(keyringctl): use build command to create final artifacts This allows an easy to use cli which invokes the export function to get the keyring and uses the ownertrust and revoke functions to write all artifacts into a target directory. 2021-10-21 14:04:16 -05:00			`### Build`

			`Build all PGP artifacts (keyring, ownertrust, revoked files) to the build directory`
			```bash
			`./keyringctl build`
			```

chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			`### Import`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			`Import a new packager key by deriving the username from the filename.`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			```bash
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			`./keyringctl import <username>.asc`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			```

chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			`Alternatively import a file or directory and override the username`
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			```bash
feature(keyringctl): use the export command purely to export keyrings This gives more control over the export command that may be useful to export a single packager to import it into gpg. This will also give more flexibility to chain this function to the future verify stage. By default the command exports the whole keyring directory. 2021-10-21 13:34:48 -05:00			`./keyringctl import --name <username> <file_or_directory...>`
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			```
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			`Updates to existing keys will automatically derive the username from the known fingerprint.`
			```bash
feature(keyringctl): use the export command purely to export keyrings This gives more control over the export command that may be useful to export a single packager to import it into gpg. This will also give more flexibility to chain this function to the future verify stage. By default the command exports the whole keyring directory. 2021-10-21 13:34:48 -05:00			`./keyringctl import <file_or_directory...>`
chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			```
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			Main key imports support the same options plus a mandatory `--main`
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			```bash
			`./keyringctl import --main <username>.asc`
			```
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
feature(keyringctl): use the export command purely to export keyrings This gives more control over the export command that may be useful to export a single packager to import it into gpg. This will also give more flexibility to chain this function to the future verify stage. By default the command exports the whole keyring directory. 2021-10-21 13:34:48 -05:00			`### Export`

			`Export the whole keyring including main and packager to stdout`
			```bash
			`./keyringctl export`
			```

feature(keyringctl): support passing fingerprint as source This helps make the CLI more useful by listing, exporting or inspecting a specific fingerprint. 2021-10-22 20:01:06 -05:00			`Limit to specific certs using an output file`
feature(keyringctl): use the export command purely to export keyrings This gives more control over the export command that may be useful to export a single packager to import it into gpg. This will also give more flexibility to chain this function to the future verify stage. By default the command exports the whole keyring directory. 2021-10-21 13:34:48 -05:00			```bash
feature(keyringctl): support passing fingerprint as source This helps make the CLI more useful by listing, exporting or inspecting a specific fingerprint. 2021-10-22 20:01:06 -05:00			`./keyringctl export <username_or_fingerprint_or_directory...> --output <filename>`
feature(keyringctl): use the export command purely to export keyrings This gives more control over the export command that may be useful to export a single packager to import it into gpg. This will also give more flexibility to chain this function to the future verify stage. By default the command exports the whole keyring directory. 2021-10-21 13:34:48 -05:00			```

feature(keyringctl): add simple command to list all certificates 2021-10-21 14:13:35 -05:00			`### List`

			`List all certificates in the keyring`
			```bash
			`./keyringctl list`
			```

			`Only show a specific main key`
			```bash
feature(keyringctl): support passing fingerprint as source This helps make the CLI more useful by listing, exporting or inspecting a specific fingerprint. 2021-10-22 20:01:06 -05:00			`./keyringctl list --main <username_or_fingerprint...>`
feature(keyringctl): add simple command to list all certificates 2021-10-21 14:13:35 -05:00			```

feature(keyringctl): add inspect command to pretty print certificates This command prints a new and pretty representation of the certificate data to visualize the keyring and its signatures. 2021-10-21 14:51:02 -05:00			`### Inspect`

			`Inspect all certificates in the keyring`
			```bash
			`./keyringctl inspect`
			```

			`Only inspect a specific main key`
			```bash
feature(keyringctl): support passing fingerprint as source This helps make the CLI more useful by listing, exporting or inspecting a specific fingerprint. 2021-10-22 20:01:06 -05:00			`./keyringctl inspect --main <username_or_fingerprint_or_directory...>`
feature(keyringctl): add inspect command to pretty print certificates This command prints a new and pretty representation of the certificate data to visualize the keyring and its signatures. 2021-10-21 14:51:02 -05:00			```

feature(keyringctl): add verify command to check certificate expectation This command checks certain expectations using sq and hokey, prints the results to stdout and potentially exists non successfully. 2021-10-24 14:49:55 -05:00			`### Verify`

			`Verify certificates against modern expectations and assumptions`
			```bash
			`./keyringctl verify <username_or_fingerprint_or_directory...>`
			```

fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			`## Installation`

			To install archlinux-keyring system-wide use the included `Makefile`:

			```bash
			`make install`
			```

			`## Contribute`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			`Read our [contributing guide](CONTRIBUTING.md) to learn more about guidelines and`
			`how to provide fixes or improvements for the code base.`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
			`## Releases`

			`[Releases of`
			`archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/tags)`
			`are created by its current maintainer [Christian`
			`Hesse](https://gitlab.archlinux.org/eworm). Tags are signed using the PGP key`
			with the ID `02FD1C7A934E614545849F19A6234074498E9CEE`.

			`To verify a tag, first import the relevant PGP key:`

			```bash
			`gpg --auto-key-locate wkd --search-keys eworm@archlinux.org`
			```

			`Afterwards a tag can be verified from a clone of this repository:`

			```bash
			`git verify-tag <tag>`
			```

			`## License`

			`Archlinux-keyring is licensed under the terms of the GPL-3.0-or-later (see`
			`[LICENSE](LICENSE)).`