# condorcore-keyring
The archlinux-keyring project holds PGP packet material and tooling
(`keyringctl`) to create the distribution keyring for Arch Linux.
The keyring is used by pacman to establish the web of trust for the packagers
of the distribution.
The PGP packets describing the main signing keys can be found below the
[keyring/main](keyring/main) directory, while those of the packagers are located below the
[keyring/packager](keyring/packager) directory.
## Requirements
The following packages need to be installed to be able to create a PGP keyring
from the provided data structure and to install it:

Build:

* make
* findutils
* pkgconf
* systemd

Runtime:

* python
* sequoia-sq >= 0.31.0

Optional:

* hopenpgp-tools (verify)
* git (ci)

## Usage
### Build
Build all PGP artifacts (keyring, ownertrust, revoked files) to the build directory
```bash
./keyringctl build
```
### Import
Import a new packager key by deriving the username from the filename.
```bash
./keyringctl import <username>.asc
```
Alternatively import a file or directory and override the username
```bash
./keyringctl import --name <username> <file_or_directory...>
```
Updates to existing keys will automatically derive the username from the known fingerprint.
```bash
./keyringctl import <file_or_directory...>
```
Main key imports support the same options plus a mandatory `--main`
```bash
./keyringctl import --main <username>.asc
```
### Export
Export the whole keyring including main and packager to stdout
```bash
./keyringctl export
```
Limit to specific certs using an output file
```bash
./keyringctl export <username_or_fingerprint_or_directory...> --output <filename>
```
### List
List all certificates in the keyring
```bash
./keyringctl list
```
Only show a specific main key
```bash
./keyringctl list --main <username_or_fingerprint...>
```
### Inspect
Inspect all certificates in the keyring
```bash
./keyringctl inspect
```
Only inspect a specific main key
```bash
./keyringctl inspect --main <username_or_fingerprint_or_directory...>
```
### Verify
Verify certificates against modern expectations and assumptions
```bash
./keyringctl verify <username_or_fingerprint_or_directory...>
```
## Installation
To install archlinux-keyring system-wide use the included `Makefile`:
```bash
make install
```
## Contribute
Read our [contributing guide](CONTRIBUTING.md) to learn more about guidelines and
how to provide fixes or improvements for the code base.
## Releases
[Releases of archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/tags)
are exclusively created by [keyring maintainers](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/project_members?with_inherited_permissions=exclude).
The tags are signed with one of the following legitimate keys:
```
condorbs master key <contacto@condorbs.net>
5972 44DB EA52 EC6E FE5F 36A4 FDD4 2A59 FD43 C07B

Kevin Muñoz (CyberSecurity Engineer) <kmunoz@condorbs.net>
2B9D 22B4 1F2A F104 2BFC E73A 3CA0 B9DF 1BE7 CE09

Jesus Martin Ortega Martinez (Sysadmin/Backend Developer) <jortega@condorbs.net>
9E64 6BB0 630C 8FD1 8ACD 1554 1B93 E6A7 66CD 229D
```
To verify a tag, first import the relevant PGP keys:
```bash
gpg --auto-key-locate wkd --search-keys <email-from-above>
```
Afterwards, a tag can be verified from a clone of this repository. Please note
that one **must** check the key used for the signature against the legitimate
keys listed above:
```bash
git verify-tag <tag>
```
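One way to automate the fingerprint check, as an added example that is not part of the project's tooling: the functions below read the status lines that `git verify-tag --raw` writes to stderr and accept a tag only if the signer's primary-key fingerprint is in the list above. The function names and the sample status lines are constructed for illustration.

```bash
# Added example (not project code): accept a tag only when its signature
# was made by one of the keys listed in this README.

# Fingerprints copied from the list above; spaces are stripped before comparing.
ALLOWED_FPRS='5972 44DB EA52 EC6E FE5F 36A4 FDD4 2A59 FD43 C07B
2B9D 22B4 1F2A F104 2BFC E73A 3CA0 B9DF 1BE7 CE09
9E64 6BB0 630C 8FD1 8ACD 1554 1B93 E6A7 66CD 229D'

# Constructed sample of `git verify-tag --raw` status output: the signing
# subkey (field 3) is made up, the primary key (field 12) is one listed above.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-09-04 1693835100 0 4 0 22 10 00 2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09'

# Strip spaces and upper-case hex digits so both formats compare equal.
normalize_fpr() {
    printf '%s\n' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read GnuPG status lines on stdin and print the primary-key fingerprint of
# the first valid signature (falls back to field 3 if field 12 is absent).
signer_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# Succeed only for a full 40-hex-digit fingerprint that is in the allow-list.
is_legitimate_fpr() {
    _fpr=$(normalize_fpr "$1")
    [ "${#_fpr}" -eq 40 ] || return 1
    normalize_fpr "$ALLOWED_FPRS" | grep -qxF -- "$_fpr"
}

# Fail if git rejects the signature or if the signer is not a listed key.
verify_release_tag() {
    _status=$(git verify-tag --raw -- "$1" 2>&1 >/dev/null) || return 1
    is_legitimate_fpr "$(printf '%s\n' "$_status" | signer_primary_fpr)"
}

# Stand-alone use: pass the tag name as the first argument.
if [ "$#" -gt 0 ]; then
    verify_release_tag "$1" && echo "OK: $1 is signed by a listed key"
fi
```

`git verify-tag` alone succeeds for a good signature from any key in the local GnuPG keyring, which is why the fingerprint comparison is a separate step.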
## License
Archlinux-keyring is licensed under the terms of the **GPL-3.0-or-later** (see
[LICENSE](LICENSE)).