condorcore-keyring/README.md

# condorcore-keyring

The archlinux-keyring project holds PGP packet material and tooling
(`keyringctl`) to create the distribution keyring for Arch Linux.
The keyring is used by pacman to establish the web of trust for the packagers
of the distribution.

The PGP packets describing the main signing keys can be found below the
[keyring/main](keyring/main) directory, while those of the packagers are located below the
[keyring/packager](keyring/packager) directory.

## Requirements

The following packages need to be installed to be able to create a PGP keyring
from the provided data structure and to install it:

Build:

* make
* findutils
* pkgconf
* systemd

Runtime:

* python
* sequoia-sq >= 0.31.0

Optional:

* hopenpgp-tools (verify)
* git (ci)

## Usage

### Build

Build all PGP artifacts (keyring, ownertrust, revoked files) to the build directory
```bash
./keyringctl build
```

### Import

Import a new packager key by deriving the username from the filename.
```bash
./keyringctl import <username>.asc
```

Alternatively import a file or directory and override the username
```bash
./keyringctl import --name <username> <file_or_directory...>
```

Updates to existing keys will automatically derive the username from the known fingerprint.
```bash
./keyringctl import <file_or_directory...>
```

Main key imports support the same options plus a mandatory `--main`
```bash
./keyringctl import --main <username>.asc
```

### Export

Export the whole keyring including main and packager to stdout
```bash
./keyringctl export
```

Limit to specific certs using an output file
```bash
./keyringctl export <username_or_fingerprint_or_directory...> --output <filename>
```

### List

List all certificates in the keyring
```bash
./keyringctl list
```

Only show a specific main key
```bash
./keyringctl list --main <username_or_fingerprint...>
```

### Inspect

Inspect all certificates in the keyring
```bash
./keyringctl inspect
```

Only inspect a specific main key
```bash
./keyringctl inspect --main <username_or_fingerprint_or_directory...>
```

### Verify

Verify certificates against modern expectations and assumptions
```bash
./keyringctl verify <username_or_fingerprint_or_directory...>
```

## Installation

To install archlinux-keyring system-wide use the included `Makefile`:

```bash
make install
```

## Contribute

Read our [contributing guide](CONTRIBUTING.md) to learn more about guidelines and
how to provide fixes or improvements for the code base.

## Releases

[Releases of
archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/tags)
are exclusively created by [keyring maintainers](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/project_members?with_inherited_permissions=exclude).

The tags are signed with one of the following legitimate keys:

```
condorbs master key <contacto@condorbs.net>
5972 44DB EA52 EC6E FE5F 36A4 FDD4 2A59 FD43 C07B

Kevin Muñoz (CyberSecurity Engineer) <kmunoz@condorbs.net>
2B9D 22B4 1F2A F104 2BFC E73A 3CA0 B9DF 1BE7 CE09

Jesus Martin Ortega Martinez (Sysadmin/Backend Developer) <jortega@condorbs.net>
9E64 6BB0 630C 8FD1 8ACD 1554 1B93 E6A7 66CD 229D

```

To verify a tag, first import the relevant PGP keys:

```bash
gpg --auto-key-locate wkd --search-keys <email-from-above>
```

Afterwards a tag can be verified from a clone of this repository. Please note
that one **must** check the used key of the signature against the legitimate
keys listed above:

```bash
git verify-tag <tag>
```

## License

Archlinux-keyring is licensed under the terms of the **GPL-3.0-or-later** (see
[LICENSE](LICENSE)).
update Readme 2023-09-04 07:45:00 -06:00			`# condorcore-keyring`
Add README Include a readme with steps how to add/remove/update a key in the keyring and how to release a new keyring version. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-03-22 04:15:59 -06:00
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`The archlinux-keyring project holds PGP packet material and tooling`
			(`keyringctl`) to create the distribution keyring for Arch Linux.
			`The keyring is used by pacman to establish the web of trust for the packagers`
			`of the distribution.`
Add README Include a readme with steps how to add/remove/update a key in the keyring and how to release a new keyring version. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-03-22 04:15:59 -06:00
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`The PGP packets describing the main signing keys can be found below the`
feature(keyringctl): move main/packager folders to isolated keyring dir This helps to structure the layout of the repository better by having one root folder that contains the actual decomposed keyring structure. 2021-10-19 18:41:04 -05:00			`[keyring/main](keyring/main) directory, while those of the packagers are located below the`
			`[keyring/packager](keyring/packager) directory.`
Add README Include a readme with steps how to add/remove/update a key in the keyring and how to release a new keyring version. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-03-22 04:15:59 -06:00
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`## Requirements`
Add README Include a readme with steps how to add/remove/update a key in the keyring and how to release a new keyring version. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-03-22 04:15:59 -06:00
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`The following packages need to be installed to be able to create a PGP keyring`
			`from the provided data structure and to install it:`
README: Document the revocation of a packager key Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-10-03 13:17:40 -05:00
fix(make): use proper dependency tracking for the build output Declare the whole keyring data as well as the code as input dependency for the build target. This way we can properly depend on the build target for installation without forcing rebuilding on every invocation. A rebuild will be triggered if either the keyring or the source code creating the build output changes. The directories are added to the source dependencies on purpose to guarantee that changes like deleted files will result in a rebuild. The mtime of the build directory is force updated on every run to allow make to track the output artifacts mtime compared against the dependencies. 2021-11-26 16:40:11 -06:00			`Build:`
README: fix formatting Gitlab gets this right, but let's fix it for other markdown implementations. 2022-01-11 06:19:24 -06:00
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`* make`
fix(make): use proper dependency tracking for the build output Declare the whole keyring data as well as the code as input dependency for the build target. This way we can properly depend on the build target for installation without forcing rebuilding on every invocation. A rebuild will be triggered if either the keyring or the source code creating the build output changes. The directories are added to the source dependencies on purpose to guarantee that changes like deleted files will result in a rebuild. The mtime of the build directory is force updated on every run to allow make to track the output artifacts mtime compared against the dependencies. 2021-11-26 16:40:11 -06:00			`* findutils`
Add additional build dependencies pkgconf and systemd README.md: As we are dynamically deriving the target systemd system unit dir, we require pkgconf and systemd during build time. 2022-07-28 06:09:38 -05:00			`* pkgconf`
			`* systemd`
fix(make): use proper dependency tracking for the build output Declare the whole keyring data as well as the code as input dependency for the build target. This way we can properly depend on the build target for installation without forcing rebuilding on every invocation. A rebuild will be triggered if either the keyring or the source code creating the build output changes. The directories are added to the source dependencies on purpose to guarantee that changes like deleted files will result in a rebuild. The mtime of the build directory is force updated on every run to allow make to track the output artifacts mtime compared against the dependencies. 2021-11-26 16:40:11 -06:00
			`Runtime:`
README: fix formatting Gitlab gets this right, but let's fix it for other markdown implementations. 2022-01-11 06:19:24 -06:00
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			`* python`
feat: Replace sq-keyring-linter with sq >= 0.31.0 2023-07-09 07:33:22 -06:00			`* sequoia-sq >= 0.31.0`
README: Document the revocation of a packager key Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-10-03 13:17:40 -05:00
feature(keyringctl): add verify command to check certificate expectation This command checks certain expectations using sq and hokey, prints the results to stdout and potentially exists non successfully. 2021-10-24 14:49:55 -05:00			`Optional:`
README: fix formatting Gitlab gets this right, but let's fix it for other markdown implementations. 2022-01-11 06:19:24 -06:00
feature(keyringctl): add verify command to check certificate expectation This command checks certain expectations using sq and hokey, prints the results to stdout and potentially exists non successfully. 2021-10-24 14:49:55 -05:00			`* hopenpgp-tools (verify)`
feature(keyringctl): adding ci command to verify newly added certs Currently only newly added certificates will be checked against the expectations as existing keys are not all fully compatible with those assumptions. New certificates are determined by using $CI_MERGE_REQUEST_DIFF_BASE_SHA as the base, 2021-10-24 15:08:50 -05:00			`* git (ci)`
feature(keyringctl): add verify command to check certificate expectation This command checks certain expectations using sq and hokey, prints the results to stdout and potentially exists non successfully. 2021-10-24 14:49:55 -05:00
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			`## Usage`
Add README Include a readme with steps how to add/remove/update a key in the keyring and how to release a new keyring version. Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl> 2018-03-22 04:15:59 -06:00
feature(keyringctl): use build command to create final artifacts This allows an easy to use cli which invokes the export function to get the keyring and uses the ownertrust and revoke functions to write all artifacts into a target directory. 2021-10-21 14:04:16 -05:00			`### Build`

			`Build all PGP artifacts (keyring, ownertrust, revoked files) to the build directory`
			```bash
			`./keyringctl build`
			```

chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			`### Import`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			`Import a new packager key by deriving the username from the filename.`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			```bash
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			`./keyringctl import <username>.asc`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			```

chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			`Alternatively import a file or directory and override the username`
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			```bash
feature(keyringctl): use the export command purely to export keyrings This gives more control over the export command that may be useful to export a single packager to import it into gpg. This will also give more flexibility to chain this function to the future verify stage. By default the command exports the whole keyring directory. 2021-10-21 13:34:48 -05:00			`./keyringctl import --name <username> <file_or_directory...>`
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			```
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			`Updates to existing keys will automatically derive the username from the known fingerprint.`
			```bash
feature(keyringctl): use the export command purely to export keyrings This gives more control over the export command that may be useful to export a single packager to import it into gpg. This will also give more flexibility to chain this function to the future verify stage. By default the command exports the whole keyring directory. 2021-10-21 13:34:48 -05:00			`./keyringctl import <file_or_directory...>`
chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			```
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
chore(doc): improve import usage section exmaples 2021-10-21 13:17:09 -05:00			Main key imports support the same options plus a mandatory `--main`
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			```bash
			`./keyringctl import --main <username>.asc`
			```
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
feature(keyringctl): use the export command purely to export keyrings This gives more control over the export command that may be useful to export a single packager to import it into gpg. This will also give more flexibility to chain this function to the future verify stage. By default the command exports the whole keyring directory. 2021-10-21 13:34:48 -05:00			`### Export`

			`Export the whole keyring including main and packager to stdout`
			```bash
			`./keyringctl export`
			```

feature(keyringctl): support passing fingerprint as source This helps make the CLI more useful by listing, exporting or inspecting a specific fingerprint. 2021-10-22 20:01:06 -05:00			`Limit to specific certs using an output file`
feature(keyringctl): use the export command purely to export keyrings This gives more control over the export command that may be useful to export a single packager to import it into gpg. This will also give more flexibility to chain this function to the future verify stage. By default the command exports the whole keyring directory. 2021-10-21 13:34:48 -05:00			```bash
feature(keyringctl): support passing fingerprint as source This helps make the CLI more useful by listing, exporting or inspecting a specific fingerprint. 2021-10-22 20:01:06 -05:00			`./keyringctl export <username_or_fingerprint_or_directory...> --output <filename>`
feature(keyringctl): use the export command purely to export keyrings This gives more control over the export command that may be useful to export a single packager to import it into gpg. This will also give more flexibility to chain this function to the future verify stage. By default the command exports the whole keyring directory. 2021-10-21 13:34:48 -05:00			```

feature(keyringctl): add simple command to list all certificates 2021-10-21 14:13:35 -05:00			`### List`

			`List all certificates in the keyring`
			```bash
			`./keyringctl list`
			```

			`Only show a specific main key`
			```bash
feature(keyringctl): support passing fingerprint as source This helps make the CLI more useful by listing, exporting or inspecting a specific fingerprint. 2021-10-22 20:01:06 -05:00			`./keyringctl list --main <username_or_fingerprint...>`
feature(keyringctl): add simple command to list all certificates 2021-10-21 14:13:35 -05:00			```

feature(keyringctl): add inspect command to pretty print certificates This command prints a new and pretty representation of the certificate data to visualize the keyring and its signatures. 2021-10-21 14:51:02 -05:00			`### Inspect`

			`Inspect all certificates in the keyring`
			```bash
			`./keyringctl inspect`
			```

			`Only inspect a specific main key`
			```bash
feature(keyringctl): support passing fingerprint as source This helps make the CLI more useful by listing, exporting or inspecting a specific fingerprint. 2021-10-22 20:01:06 -05:00			`./keyringctl inspect --main <username_or_fingerprint_or_directory...>`
feature(keyringctl): add inspect command to pretty print certificates This command prints a new and pretty representation of the certificate data to visualize the keyring and its signatures. 2021-10-21 14:51:02 -05:00			```

feature(keyringctl): add verify command to check certificate expectation This command checks certain expectations using sq and hokey, prints the results to stdout and potentially exists non successfully. 2021-10-24 14:49:55 -05:00			`### Verify`

			`Verify certificates against modern expectations and assumptions`
			```bash
			`./keyringctl verify <username_or_fingerprint_or_directory...>`
			```

fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			`## Installation`

			To install archlinux-keyring system-wide use the included `Makefile`:

			```bash
			`make install`
			```

			`## Contribute`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
fix(doc): improve splitting topics across README.md and CONTRIBUTING.md 2021-10-20 13:13:48 -05:00			`Read our [contributing guide](CONTRIBUTING.md) to learn more about guidelines and`
			`how to provide fixes or improvements for the code base.`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
			`## Releases`

			`[Releases of`
			`archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/tags)`
readme: add list of all keyring maintainers that could issue releases This declares a list of all legitimate keys. 2022-04-24 15:07:00 -05:00			`are exclusively created by [keyring maintainers](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/project_members?with_inherited_permissions=exclude).`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
readme: add list of all keyring maintainers that could issue releases This declares a list of all legitimate keys. 2022-04-24 15:07:00 -05:00			`The tags are signed with one of the following legitimate keys:`

			```
update Readme 2023-09-04 07:45:00 -06:00			`condorbs master key <contacto@condorbs.net>`
			`5972 44DB EA52 EC6E FE5F 36A4 FDD4 2A59 FD43 C07B`
readme: add list of all keyring maintainers that could issue releases This declares a list of all legitimate keys. 2022-04-24 15:07:00 -05:00
update Readme 2023-09-04 07:45:00 -06:00			`Kevin Muñoz (CyberSecurity Engineer) <kmunoz@condorbs.net>`
			`2B9D 22B4 1F2A F104 2BFC E73A 3CA0 B9DF 1BE7 CE09`
readme: add list of all keyring maintainers that could issue releases This declares a list of all legitimate keys. 2022-04-24 15:07:00 -05:00
update Readme 2023-09-04 07:45:00 -06:00			`Jesus Martin Ortega Martinez (Sysadmin/Backend Developer) <jortega@condorbs.net>`
			`9E64 6BB0 630C 8FD1 8ACD 1554 1B93 E6A7 66CD 229D`
readme: add list of all keyring maintainers that could issue releases This declares a list of all legitimate keys. 2022-04-24 15:07:00 -05:00
			```

			`To verify a tag, first import the relevant PGP keys:`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
			```bash
readme: add list of all keyring maintainers that could issue releases This declares a list of all legitimate keys. 2022-04-24 15:07:00 -05:00			`gpg --auto-key-locate wkd --search-keys <email-from-above>`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00			```

readme: add list of all keyring maintainers that could issue releases This declares a list of all legitimate keys. 2022-04-24 15:07:00 -05:00			`Afterwards a tag can be verified from a clone of this repository. Please note`
			`that one must check the used key of the signature against the legitimate`
			`keys listed above:`
README: Add new default sections and cleanup README.md: Add a short purpose introduction. Add requirements, installation, contribution, releases and license sections. 2021-10-16 12:22:38 -05:00
			```bash
			`git verify-tag <tag>`
			```

			`## License`

			`Archlinux-keyring is licensed under the terms of the GPL-3.0-or-later (see`
			`[LICENSE](LICENSE)).`