Declare the whole keyring data as well as the code as input dependencies
for the build target. This way we can properly depend on the build
target for installation without forcing rebuilding on every invocation.
A rebuild will be triggered if either the keyring or the source code
creating the build output changes.

The directories are added to the source dependencies on purpose to
guarantee that changes like deleted files will result in a rebuild.

The mtime of the build directory is force updated on every run to allow
make to track the output artifacts' mtime compared against the
dependencies.

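A Makefile sketch of the dependency tracking this commit message describes, added here as an example and not the project's own Makefile. The directory names (`keyring`, `libkeyringctl`, `build`), the `./keyringctl build` invocation and the install destination are assumptions.

```make
# Added example: all paths and commands below are assumed, not taken from the project.
KEYRING_DIR := keyring
SRC_DIR     := libkeyringctl
BUILD_DIR   := build
# Placeholder install destination (assumption).
KEYRING_DEST := $(DESTDIR)/usr/share/example-keyrings

# List files AND directories. Deleting or renaming a file changes the mtime
# of its parent directory, so a removed key still makes the target stale;
# a files-only list would silently keep shipping the old build output.
# Assumes no whitespace in paths, since make splits the list on spaces.
KEYRING_DEPS := $(shell find $(KEYRING_DIR) -type f -o -type d)
SOURCE_DEPS  := keyringctl $(shell find $(SRC_DIR) -name '*.py' -o -type d)

.PHONY: all install clean

all: $(BUILD_DIR)

# The target is the output directory itself. Rewriting files that already
# exist inside it does not update the directory's own mtime, so the recipe
# touches it explicitly; otherwise make would rebuild on every invocation.
$(BUILD_DIR): $(KEYRING_DEPS) $(SOURCE_DEPS)
	./keyringctl build
	touch $(BUILD_DIR)

# install depends on the real build target, not on a phony one, so
# "make install" rebuilds only when keyring data or code has changed.
install: $(BUILD_DIR)
	install -vDm 644 -t $(KEYRING_DEST) $(BUILD_DIR)/*

clean:
	rm -rf $(BUILD_DIR)
```

Running `make -n install` twice in a row, then again after deleting a file under `keyring/`, shows whether the rebuild is skipped and re-triggered as intended.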
Currently only newly added certificates will be checked against the
expectations as existing keys are not all fully compatible with those
assumptions. New certificates are determined by using
$CI_MERGE_REQUEST_DIFF_BASE_SHA as the base,

This allows an easy-to-use CLI which invokes the export function to get
the keyring and uses the ownertrust and revoke functions to write all
artifacts into a target directory.

This gives more control over the export command that may be useful to
export a single packager to import it into gpg. This will also give more
flexibility to chain this function to the future verify stage.
By default the command exports the whole keyring directory.

Include a readme with steps on how to add/remove/update a key in the
keyring and how to release a new keyring version.

Signed-off-by: Jelle van der Waa <jelle@vdwaa.nl>