Update issue templates

.gitlab/issue_templates/*:
Replace allan with grazzolini when assigning tickets or when addressing
main key holders.
Streamline the checkbox system, by relying on less interaction from the
main key holders' side if possible (e.g. checks on new keys are done
automatically in a merge request, so have contributors open the merge
request).
Add more documentation on what needs to be edited and how to provide
data exactly (e.g. keyid format, clearsigned document).
David Runge 2022-02-24 23:48:25 +01:00
parent 845dba12d5
commit 6e23b78671
No known key found for this signature in database
GPG Key ID: 7258734B41C31549
4 changed files with 84 additions and 54 deletions

@ -2,8 +2,12 @@
This template is used when a new main PGP public key needs to be added to the
distribution's keyring.
It is used by users with a valid packager key.
NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes
in the "Checks" section labeled as "Owner of new key" need to be checked by the
owner of the new key.
-->
/assign @allan @anthraxx @bluewind @dvzrv @pierre
/assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
/label ~"new main key"
/title New main key of <!-- MODIFY: Add new main key holder's username -->
<!--
@ -16,18 +20,27 @@ issue and assign relevant users.
## Details
- Username: <!-- MODIFY: Add the @-prefixed username -->
- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the new PGP public key here -->
- PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MY UID> | sed -n '2p' | tr -d ' '` here -->
- Revocation Certificate Holder: <!-- MODIFY: Add the @-prefixed username of the revocation certificate holder -->
<!--
NOTE: Attach the above information as a clearsigned document to this ticket
using a valid packager key of the user.
https://www.gnupg.org/gph/en/manual/x135.html
MODIFY: Attach the above information of the details section as a clearsigned
document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket
using a valid packager key of the user:
* Select the above text, copy/paste it into a file (e.g. `details.txt`).
* Make sure to sign with the root certificate of the packager key (not any of
the subkeys!):
`gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
* Upload `details.txt` as attachment to this ticket.
-->
## Checks
### New key owner
**NOTE**: The below check boxes **must be** checked before the accompanying
merge request to add the new main key can be merged.
### Owner of new key
- [ ] The [workflow for adding a new main
key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-main-key)
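
Review bot: The last clearsign step says "Upload `details.txt` as attachment", but `gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt` leaves `details.txt` unchanged and writes the signed text to `details.txt.asc`, so following the steps literally attaches the unsigned file. The upload step should name `details.txt.asc`. Separately, the PGP key ID instruction picks line 2 of gpg's human-readable listing with `sed -n '2p'`, which depends on the output layout of the installed GnuPG; `--with-colons` is the format GnuPG documents for scripted use, and using it would also make explicit whether this field expects a key ID or a full fingerprint.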
@ -38,18 +51,17 @@ https://www.gnupg.org/gph/en/manual/x135.html
a clearsigned document
- [ ] The revocation certificate has been sent in an encrypted message to the
revocation certificate holder
- [ ] The public key has been uploaded to the SKS infrastructure
### Keyring maintainer
- [ ] The key pair has been validated according to the [best
practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
- [ ] The data in the [Details](#details) section is correct and signed with a
valid and trusted packager key, which is part of `pacman-key`
- [ ] The public key has been uploaded to the pgp.mit.edu and keyserver.ubuntu.com
- [ ] A merge request to add the new public key has been created
### Revocation Certificate Holder
- [ ] The revocation certificate has been [verified
as working](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/verify-a-revocation-certificate)
and confirmed in a comment to this issue
- [ ] The revocation certificate has been backed up in a dedicated encrypted backup storage
- [ ] The revocation certificate has been backed up on a dedicated encrypted backup storage medium
### Main key holders
- [ ] The data in the [Details](#details) section is correct and signed with a
valid and trusted packager key, which is already part of `archlinux-keyring`
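
Review bot: The "Main key holders" check on the Details data only asks that the signature comes from a "valid and trusted packager key", while the signing instructions in this template require the primary key ("not any of the subkeys!"). If that requirement matters, the check should say so, for example "signed with the primary key of a valid and trusted packager key", otherwise a subkey signature passes review. Minor wording: "uploaded to the pgp.mit.edu and keyserver.ubuntu.com" has a stray "the" and reads better as "uploaded to pgp.mit.edu and keyserver.ubuntu.com".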

@ -3,8 +3,12 @@ This template is used when a new packager PGP public key needs to be added to
the distribution's keyring.
It is either used by the sponsor of a new packager or by an existing packager
when adding a new key for themself.
NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes
in the "Checks" section labeled as "Owner of new key" need to be checked by the
owner of the new key or by a sponsor of a new packager.
-->
/assign @allan @anthraxx @bluewind @dvzrv @pierre
/assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
/label ~"new packager key"
/title New packager key of <!-- MODIFY: Add new packager key holder's username -->
<!--
@ -17,24 +21,33 @@ issue and assign relevant users.
## Details
- Username: <!-- MODIFY: Add the @-prefixed username -->
- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the new PGP public key here -->
- PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MY UID> | sed -n '2p' | tr -d ' '` here -->
- Sponsors: <!-- MODIFY: Add the @-prefixed usernames of the sponsors -->
- Application: <!-- MODIFY: Add link to application, if this is the key of a new packager, else remove -->
- Results: <!-- MODIFY: Add link to results of application, if this is the key of a new packager, else remove -->
- Previous Key: <!--
MODIFY: Add the output of `gpg --keyid-format long --list-key <MY PREVIOUS ID> | sed -n '2p' | tr -d ' '` here
if another packager key exists already, else remove
-->
<!--
NOTE: Attach the above information as a clearsigned document to this ticket.
https://www.gnupg.org/gph/en/manual/x135.html
MODIFY: Attach the above information of the details section as a clearsigned
document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket.
If a previous (valid and trusted) packager key of the user exists, it needs to
be used for clearsigning the document.
If the key of a new packager is added, one of their sponsors needs to clearsign
the details section.
If this is the key of a new packager, one of their sponsors needs to do the
signature.
If this is a new key of an already existing packager, the packager themself
needs to do the signature.
* Select the above text, copy/paste it into a file (e.g. `details.txt`).
* Make sure to sign with the root certificate of the packager key (not any of
the subkeys!):
`gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
* Upload `details.txt` as attachment to this ticket.
-->
## Checks
### New key owner
### Owner of new key
- [ ] The [workflow for adding a new packager
key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-packager-key)
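
Review bot: In the clearsign bullet list, "sign with the root certificate of the packager key" and `<fingerprint_of_root>` do not say whose key is meant. The paragraphs above require the signature to come from a previous packager key or from a sponsor, so someone reading only the bullets could sign with the key that is being added, which says nothing about its legitimacy. Suggest wording such as "the primary key of the signing packager (sponsor or previous key), not the new key". Also, `--clearsign details.txt` writes `details.txt.asc`, so the upload step should name that file rather than `details.txt`.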
@ -45,24 +58,18 @@ needs to do the signature.
practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
- [ ] The data in the [Details](#details) section is attached to this issue as
a clearsigned document
- [ ] The public key has been uploaded to the SKS infrastructure
- [ ] The public key has been uploaded to the pgp.mit.edu and keyserver.ubuntu.com
- [ ] A merge request to add the new public key has been created
### Main key holders
- [ ] The public key has been validated according to the [best
practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
- [ ] The public key has been signed by all main key holders
- [ ] @allan
- [ ] @anthraxx
- [ ] @bluewind
- [ ] @dvzrv
- [ ] @grazzolini
- [ ] @pierre
### Keyring maintainer
- [ ] The public key contains one user ID with a valid
`<username>@archlinux.org` email address used for signing
- [ ] The public key has been validated according to the [best
practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
### Developers of the archlinux-keyring project
- [ ] The data in the [Details](#details) section is correct and signed with a
valid and trusted packager key, which is part of `pacman-key`
valid and trusted packager key, which is already part of `archlinux-keyring`
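
Review bot: The per-holder checkboxes under "The public key has been signed by all main key holders" repeat the handles from the `/assign` line, so every change of main key holder has to be made in two places in this template, as the `@allan` and `@grazzolini` entries here show. Consider a single checkbox that refers to the assignees, or a comment next to the list naming `/assign` as the place to keep in sync, so a stale name does not leave a box that nobody can tick.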

@ -1,9 +1,14 @@
<!--
This template is used when an existing main PGP public key needs to be removed
from the distribution's keyring.
It is used by users with a valid main key.
It is used by users with a valid main key or the holder of the revocation
certificate of the main key that is about to be removed.
NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes
in the "Check" section labeled as "Main key holders" need to be checked for the
accompanying merge request to be merged.
-->
/assign @allan @anthraxx @bluewind @dvzrv @pierre
/assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
/label ~"remove main key"
/title Remove main key of <!-- MODIFY: Add main key holder's username -->
<!--
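
Review bot: The new NOTE refers to the "Check" section, but the NOTE text in the other templates says "Checks" and the heading further down in this template is `## Checks`. Use "Checks" here as well. The NOTE also points at checkboxes labeled "Main key holders"; the hunks shown for this template do not include a heading with that name, so it is worth confirming the label matches the actual section title after this change.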
@ -16,7 +21,7 @@ issue and assign relevant users.
## Details
- Username: <!-- MODIFY: Add the @-prefixed username -->
- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the PGP public key here -->
- PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MAIN KEY UID> | sed -n '2p' | tr -d ' '` here -->
- Resignation: <!-- MODIFY: Link to resignation of key holder -->
## Checks
@ -27,8 +32,6 @@ issue and assign relevant users.
removal of this key.
- [ ] All packagers have at least three valid main key signatures for their
packager key after removal of this key.
### Keyring maintainer
- [ ] The key has been revoked by either the revocation certificate holder or
the main key holder.
- [ ] A merge request to [remove the main public
key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/remove-a-main-key)
has been created

@ -2,8 +2,10 @@
This template is used when an existing packager PGP public key needs to be
removed from the distribution's keyring.
It is used by users with a valid main key or a valid packager key.
NOTE: All comment sections with a MODIFY note need to be edited.
-->
/assign @allan @anthraxx @bluewind @dvzrv @pierre
/assign @anthraxx @bluewind @dvzrv @grazzolini @pierre
/label ~"remove packager key"
/title Remove packager key of <!-- MODIFY: Add packager key holder's username -->
<!--
@ -16,20 +18,26 @@ issue and assign relevant users.
## Details
- Username: <!-- MODIFY: Add the @-prefixed username -->
- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the PGP public key here -->
- PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <PACKAGER KEY UID> | sed -n '2p' | tr -d ' '` here -->
- Resignation: <!-- MODIFY: Link to resignation of key holder -->
## Checks
- [ ] There are no packages left in any of the official repositories, that are
signed by the key, that is about to be removed.
**NOTE**: The below check box **must be** checked before the main key holders
can start to revoke the key.
- [ ] There are [no packages left in any of the official
repositories](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/Find-packages-signed-by-a-key),
that are signed by the key or any of its subkeys, which is about to be
removed.
### Main key holders
- [ ] All main key holders have revoked their signature for the key and
published the result on the SKS infrastructure
- [ ] @allan
- [ ] @anthraxx
- [ ] @bluewind
- [ ] @dvzrv
- [ ] @pierre
All main key holders should revoke their signature(s) for the given key in a
merge request to this repository using `keyringctl`.
- [ ] @anthraxx
- [ ] @bluewind
- [ ] @dvzrv
- [ ] @grazzolini
- [ ] @pierre
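
Review bot: The new "Main key holders" text says holders "should revoke their signature(s) ... using `keyringctl`" but gives neither the invocation nor a link, while the packages check directly above links to its wiki workflow. Add a link to the corresponding workflow page or the exact command, in line with the commit's goal of documenting how to provide data exactly. The wording also mixes "should" here with "**must be**" in the NOTE above; if every listed holder has to revoke before the key is removed, "must" is clearer.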