condorcore-keyring/README.md

# archlinux-keyring

The archlinux-keyring project holds PGP packet material and tooling
(`keyringctl`) to create the distribution keyring for Arch Linux.
The keyring is used by pacman to establish the web of trust for the packagers
of the distribution.

The PGP packets describing the main signing keys can be found below the
[keyring/main](keyring/main) directory, while those of the packagers are located below the
[keyring/packager](keyring/packager) directory.

## Requirements

The following packages need to be installed to be able to create a PGP keyring
from the provided data structure and to install it:

Build:

* make
* findutils
* pkgconf
* systemd

Runtime:

* python
* sequoia-sq

Optional:

* hopenpgp-tools (verify)
* sq-keyring-linter (verify)
* git (ci)

## Usage

### Build

Build all PGP artifacts (keyring, ownertrust, revoked files) to the build directory
```bash
./keyringctl build
```

### Import

Import a new packager key by deriving the username from the filename.
```bash
./keyringctl import <username>.asc
```

Alternatively import a file or directory and override the username
```bash
./keyringctl import --name <username> <file_or_directory...>
```

Updates to existing keys will automatically derive the username from the known fingerprint.
```bash
./keyringctl import <file_or_directory...>
```

Main key imports support the same options plus a mandatory `--main`
```bash
./keyringctl import --main <username>.asc
```

### Export

Export the whole keyring including main and packager to stdout
```bash
./keyringctl export
```

Limit to specific certs using an output file
```bash
./keyringctl export <username_or_fingerprint_or_directory...> --output <filename>
```

### List

List all certificates in the keyring
```bash
./keyringctl list
```

Only show a specific main key
```bash
./keyringctl list --main <username_or_fingerprint...>
```

### Inspect

Inspect all certificates in the keyring
```bash
./keyringctl inspect
```

Only inspect a specific main key
```bash
./keyringctl inspect --main <username_or_fingerprint_or_directory...>
```

### Verify

Verify certificates against modern expectations and assumptions
```bash
./keyringctl verify <username_or_fingerprint_or_directory...>
```

## Installation

To install archlinux-keyring system-wide use the included `Makefile`:

```bash
make install
```

## Contribute

Read our [contributing guide](CONTRIBUTING.md) to learn more about guidelines and
how to provide fixes or improvements for the code base.

## Releases

[Releases of
archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/tags)
are exclusively created by [keyring maintainers](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/project_members?with_inherited_permissions=exclude).

The tags are signed with one of the following legitimate keys:

```
Christian Hesse <eworm@archlinux.org>
02FD 1C7A 934E 6145 4584  9F19 A623 4074 498E 9CEE

David Runge <dvzrv@archlinux.org>
991F 6E3F 0765 CF62 9588  8586 139B 09DA 5BF0 D338

Pierre Schmitz <pierre@archlinux.org>
4AA4 767B BC9C 4B1D 18AE  28B7 7F2D 434B 9741 E8AC

Florian Pritz <bluewind@archlinux.org>
CFA6 AF15 E5C7 4149 FC1D  8C08 6D16 55C1 4CE1 C13E

Giancarlo Razzolini <grazzolini@archlinux.org>
ECCA C84C 1BA0 8A6C C8E6  3FBB F22F B1D7 8A77 AEAB

Levente Polyak <anthraxx@archlinux.org>
E240 B57E 2C46 30BA 768E  2F26 FC1B 547C 8D81 72C8

Morten Linderud <foxboron@archlinux.org>
C100 3466 7663 4E80 C940  FB9E 9C02 FF41 9FEC BE16
```

To verify a tag, first import the relevant PGP keys:

```bash
gpg --auto-key-locate wkd --search-keys <email-from-above>
```

Afterwards a tag can be verified from a clone of this repository. Please note
that one **must** check the used key of the signature against the legitimate
keys listed above:

```bash
git verify-tag <tag>
```

## License

Archlinux-keyring is licensed under the terms of the **GPL-3.0-or-later** (see
[LICENSE](LICENSE)).
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`# archlinux-keyring`
Add README Include a readme with steps how to add/remove/update a key in the keyring and how to release a new keyring version. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-03-22 04:15:59 -06:00
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`The archlinux-keyring project holds PGP packet material and tooling`
			(`keyringctl`) to create the distribution keyring for Arch Linux.
			`The keyring is used by pacman to establish the web of trust for the packagers`
			`of the distribution.`
Add README Include a readme with steps how to add/remove/update a key in the keyring and how to release a new keyring version. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-03-22 04:15:59 -06:00
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`The PGP packets describing the main signing keys can be found below the`
feature(keyringctl): move main/packager folders to isolated keyring dir This helps to structure the layout of the repository better by having one root folder that contains the actual decomposed keyring structure. 2021-10-19 18:41:04 -05:00			`[keyring/main](keyring/main) directory, while those of the packagers are located below the`
			`[keyring/packager](keyring/packager) directory.`
Add README Include a readme with steps how to add/remove/update a key in the keyring and how to release a new keyring version. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-03-22 04:15:59 -06:00
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`## Requirements`
Add README Include a readme with steps how to add/remove/update a key in the keyring and how to release a new keyring version. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-03-22 04:15:59 -06:00
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`The following packages need to be installed to be able to create a PGP keyring`
			`from the provided data structure and to install it:`
README: Document the revocation of a packager key Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-10-03 13:17:40 -05:00
fix(make): use proper dependency tracking for the build output Declare the whole keyring data as well as the code as input dependency for the build target. This way we can properly depend on the build target for installation without forcing rebuilding on every invocation. A rebuild will be triggered if either the keyring or the source code creating the build output changes. The directories are added to the source dependencies on purpose to guarantee that changes like deleted files will result in a rebuild. The mtime of the build directory is force updated on every run to allow make to track the output artifacts mtime compared against the dependencies. 2021-11-26 16:40:11 -06:00			`Build:`
README: fix formatting Gitlab gets this right, but let's fix it for other markdown implementations. 2022-01-11 06:19:24 -06:00
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`* make`
fix(make): use proper dependency tracking for the build output Declare the whole keyring data as well as the code as input dependency for the build target. This way we can properly depend on the build target for installation without forcing rebuilding on every invocation. A rebuild will be triggered if either the keyring or the source code creating the build output changes. The directories are added to the source dependencies on purpose to guarantee that changes like deleted files will result in a rebuild. The mtime of the build directory is force updated on every run to allow make to track the output artifacts mtime compared against the dependencies. 2021-11-26 16:40:11 -06:00			`* findutils`
Add additional build dependencies pkgconf and systemd README.md: As we are dynamically deriving the target systemd system unit dir, we require pkgconf and systemd during build time. 2022-07-28 06:09:38 -05:00			`* pkgconf`
			`* systemd`
fix(make): use proper dependency tracking for the build output Declare the whole keyring data as well as the code as input dependency for the build target. This way we can properly depend on the build target for installation without forcing rebuilding on every invocation. A rebuild will be triggered if either the keyring or the source code creating the build output changes. The directories are added to the source dependencies on purpose to guarantee that changes like deleted files will result in a rebuild. The mtime of the build directory is force updated on every run to allow make to track the output artifacts mtime compared against the dependencies. 2021-11-26 16:40:11 -06:00
			`Runtime:`
README: fix formatting Gitlab gets this right, but let's fix it for other markdown implementations. 2022-01-11 06:19:24 -06:00
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`* python`
			`* sequoia-sq`
README: Document the revocation of a packager key Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-10-03 13:17:40 -05:00
feature(keyringctl): add verify command to check certificate expectation This command checks certain expectations using sq and hokey, prints the results to stdout and potentially exists non successfully. 2021-10-24 14:49:55 -05:00			`Optional:`
README: fix formatting Gitlab gets this right, but let's fix it for other markdown implementations. 2022-01-11 06:19:24 -06:00
feature(keyringctl): add verify command to check certificate expectation This command checks certain expectations using sq and hokey, prints the results to stdout and potentially exists non successfully. 2021-10-24 14:49:55 -05:00			`* hopenpgp-tools (verify)`
			`* sq-keyring-linter (verify)`
feature(keyringctl): adding ci command to verify newly added certs Currently only newly added certificates will be checked against the expectations as existing keys are not all fully compatible with those assumptions. New certificates are determined by using $CI_MERGE_REQUEST_DIFF_BASE_SHA as the base, 2021-10-24 15:08:50 -05:00			`* git (ci)`
feature(keyringctl): add verify command to check certificate expectation This command checks certain expectations using sq and hokey, prints the results to stdout and potentially exists non successfully. 2021-10-24 14:49:55 -05:00
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			`## Usage`
Add README Include a readme with steps how to add/remove/update a key in the keyring and how to release a new keyring version. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-03-22 04:15:59 -06:00
feature(keyringctl): use build command to create final artifacts This allows an easy to use cli which invokes the export function to get the keyring and uses the ownertrust and revoke functions to write all artifacts into a target directory. 2021-10-21 14:04:16 -05:00			`### Build`

			`Build all PGP artifacts (keyring, ownertrust, revoked files) to the build directory`
			```bash
			`./keyringctl build`
			```

chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			`### Import`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			`Import a new packager key by deriving the username from the filename.`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			```bash
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			`./keyringctl import <username>.asc`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			```

chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			`Alternatively import a file or directory and override the username`
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			```bash
feature(keyringctl): use the export command purely to export keyrings This gives more control over the export command that may be useful to export a single packager to import it into gpg. This will also give more flexibility to chain this function to the future verify stage. By default the command exports the whole keyring directory. 2021-10-21 13:34:48 -05:00			`./keyringctl import --name <username> <file_or_directory...>`
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			```
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			`Updates to existing keys will automatically derive the username from the known fingerprint.`
			```bash
feature(keyringctl): use the export command purely to export keyrings This gives more control over the export command that may be useful to export a single packager to import it into gpg. This will also give more flexibility to chain this function to the future verify stage. By default the command exports the whole keyring directory. 2021-10-21 13:34:48 -05:00			`./keyringctl import <file_or_directory...>`
chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			```
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			Main key imports support the same options plus a mandatory `--main`
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			```bash
			`./keyringctl import --main <username>.asc`
			```
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
feature(keyringctl): use the export command purely to export keyrings This gives more control over the export command that may be useful to export a single packager to import it into gpg. This will also give more flexibility to chain this function to the future verify stage. By default the command exports the whole keyring directory. 2021-10-21 13:34:48 -05:00			`### Export`

			`Export the whole keyring including main and packager to stdout`
			```bash
			`./keyringctl export`
			```

feature(keyringctl): support passing fingerprint as source This helps make the CLI more useful by listing, exporting or inspecting a specific fingerprint. 2021-10-22 20:01:06 -05:00			`Limit to specific certs using an output file`
feature(keyringctl): use the export command purely to export keyrings This gives more control over the export command that may be useful to export a single packager to import it into gpg. This will also give more flexibility to chain this function to the future verify stage. By default the command exports the whole keyring directory. 2021-10-21 13:34:48 -05:00			```bash
feature(keyringctl): support passing fingerprint as source This helps make the CLI more useful by listing, exporting or inspecting a specific fingerprint. 2021-10-22 20:01:06 -05:00			`./keyringctl export <username_or_fingerprint_or_directory...> --output <filename>`
feature(keyringctl): use the export command purely to export keyrings This gives more control over the export command that may be useful to export a single packager to import it into gpg. This will also give more flexibility to chain this function to the future verify stage. By default the command exports the whole keyring directory. 2021-10-21 13:34:48 -05:00			```

feature(keyringctl): add simple command to list all certificates 2021-10-21 14:13:35 -05:00			`### List`

			`List all certificates in the keyring`
			```bash
			`./keyringctl list`
			```

			`Only show a specific main key`
			```bash
feature(keyringctl): support passing fingerprint as source This helps make the CLI more useful by listing, exporting or inspecting a specific fingerprint. 2021-10-22 20:01:06 -05:00			`./keyringctl list --main <username_or_fingerprint...>`
feature(keyringctl): add simple command to list all certificates 2021-10-21 14:13:35 -05:00			```

feature(keyringctl): add inspect command to pretty print certificates This command prints a new and pretty representation of the certificate data to visualize the keyring and its signatures. 2021-10-21 14:51:02 -05:00			`### Inspect`

			`Inspect all certificates in the keyring`
			```bash
			`./keyringctl inspect`
			```

			`Only inspect a specific main key`
			```bash
feature(keyringctl): support passing fingerprint as source This helps make the CLI more useful by listing, exporting or inspecting a specific fingerprint. 2021-10-22 20:01:06 -05:00			`./keyringctl inspect --main <username_or_fingerprint_or_directory...>`
feature(keyringctl): add inspect command to pretty print certificates This command prints a new and pretty representation of the certificate data to visualize the keyring and its signatures. 2021-10-21 14:51:02 -05:00			```

feature(keyringctl): add verify command to check certificate expectation This command checks certain expectations using sq and hokey, prints the results to stdout and potentially exists non successfully. 2021-10-24 14:49:55 -05:00			`### Verify`

			`Verify certificates against modern expectations and assumptions`
			```bash
			`./keyringctl verify <username_or_fingerprint_or_directory...>`
			```

fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			`## Installation`

			To install archlinux-keyring system-wide use the included `Makefile`:

			```bash
			`make install`
			```

			`## Contribute`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			`Read our [contributing guide](CONTRIBUTING.md) to learn more about guidelines and`
			`how to provide fixes or improvements for the code base.`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
			`## Releases`

			`[Releases of`
			`archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/tags)`
readme: add list of all keyring maintainers that could issue releases This declares a list of all legitimate keys. 2022-04-24 15:07:00 -05:00			`are exclusively created by [keyring maintainers](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/project_members?with_inherited_permissions=exclude).`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
readme: add list of all keyring maintainers that could issue releases This declares a list of all legitimate keys. 2022-04-24 15:07:00 -05:00			`The tags are signed with one of the following legitimate keys:`

			```
			`Christian Hesse <eworm@archlinux.org>`
			`02FD 1C7A 934E 6145 4584 9F19 A623 4074 498E 9CEE`

			`David Runge <dvzrv@archlinux.org>`
Switch advertized key for dvzrv Switch advertized key from C7E7849466FE2358343588377258734B41C31549 to 991F6E3F0765CF6295888586139B09DA5BF0D338, as the latter superseded the former. 2023-05-29 03:40:52 -06:00			`991F 6E3F 0765 CF62 9588 8586 139B 09DA 5BF0 D338`
readme: add list of all keyring maintainers that could issue releases This declares a list of all legitimate keys. 2022-04-24 15:07:00 -05:00
			`Pierre Schmitz <pierre@archlinux.org>`
			`4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC`

			`Florian Pritz <bluewind@archlinux.org>`
			`CFA6 AF15 E5C7 4149 FC1D 8C08 6D16 55C1 4CE1 C13E`

			`Giancarlo Razzolini <grazzolini@archlinux.org>`
			`ECCA C84C 1BA0 8A6C C8E6 3FBB F22F B1D7 8A77 AEAB`

			`Levente Polyak <anthraxx@archlinux.org>`
			`E240 B57E 2C46 30BA 768E 2F26 FC1B 547C 8D81 72C8`

			`Morten Linderud <foxboron@archlinux.org>`
			`C100 3466 7663 4E80 C940 FB9E 9C02 FF41 9FEC BE16`
			```

			`To verify a tag, first import the relevant PGP keys:`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
			```bash
readme: add list of all keyring maintainers that could issue releases This declares a list of all legitimate keys. 2022-04-24 15:07:00 -05:00			`gpg --auto-key-locate wkd --search-keys <email-from-above>`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			```

readme: add list of all keyring maintainers that could issue releases This declares a list of all legitimate keys. 2022-04-24 15:07:00 -05:00			`Afterwards a tag can be verified from a clone of this repository. Please note`
			`that one must check the used key of the signature against the legitimate`
			`keys listed above:`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
			```bash
			`git verify-tag <tag>`
			```

			`## License`

			`Archlinux-keyring is licensed under the terms of the GPL-3.0-or-later (see`
			`[LICENSE](LICENSE)).`