On Debian/Ubuntu the default shell is dash, and builds are done with
SHELL overridden to dash. Since archlinux-keyring now has Bash-isms in
the install and uninstall targets (for {} expansion), and rewriting it
to drop this is inconvenient (because we'll have to repeat the path
prefixes), hardcode the use of Bash instead.
Use /bin/bash to be compatible with distros that have not finished the
/bin -> /usr/bin migration yet.
Signed-off-by: Michel Alexandre Salim <michel@michel-slm.name>
.gitlab-ci.yml:
Copy the WKD dir to a public dir (used by gitlab pages) directly instead
of creating the public dir and copying into it, as that is brittle.
Makefile:
Force symlinking of systemd unit for activation. If the service is
already installed and activated (symlinked) on the target system, a
non-forced symlink would fail otherwise.
.gitlab-ci.yml:
Add gitlab-ci integration to build WKD dir on tag using the `make wkd`
target per FQDN used by Arch Linux. Builds only happen on a secure
runner, the job is running in its own stage after the tests and only
runs in pipelines for tags.
keyring/packager/serebit/CAAE0C97533C35D3A0C6C34066E60E5F785A6824/uid/Campbell_Jones__for_package_signing_only___serebit@archlinux.org_55f6fd2b/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature by dvzrv
(2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E) for serebit
(CAAE0C97533C35D3A0C6C34066E60E5F785A6824).
keyring/packager/yan12125/E62545315B012B69C8C94A1D56EC201BFC794362/uid/Chih-Hsuan_Yen__yan12125@archlinux.org_fea86268/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature by dvzrv
(2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E) for yan12125
(E62545315B012B69C8C94A1D56EC201BFC794362).
There are some other changes with my current key:
* Actually revoke an unused uid
As per RFC 4880 [1], a revocation signature (sigclass 0x30) "should
have a later creation date than that certificate." However, somehow in
my keyring I have certificates newer than the previous revocation
signature. As a result, that uid is not marked as revoked by gpg. I
created a new revocation signature to fix that.
* Make @archlinux.org the primary UID
[1] https://datatracker.ietf.org/doc/html/rfc4880
wkd_sync/archlinux-keyring-wkd-sync.service.in:
Replace use of explicit script location (i.e. /usr/bin) with
SCRIPT_TARGET_DIR placeholder.
Makefile:
Create WKD sync service file from input file, replacing the
SCRIPT_TARGET_DIR placeholder with $SCRIPT_TARGET_DIR.
wkd_sync/archlinux-keyring-wkd-sync.service -> wkd_sync/archlinux-keyring-wkd-sync.service.in:
This allows using the file as input file, where overriding keywords can
be done using sed.
Makefile:
Change Makefile to allow installation of keyring data, systemd units and
scripts more configurable.
This allows user provided overrides via KEYRING_TARGET_DIR,
SCRIPT_TARGET_DIR, SYSTEMD_SYSTEM_UNIT_DIR.
Instead of relying on wildcards, rely on specifically named files, as
this can be reused also in the uninstall target without issue and
provides a clearer overview of what will be installed/uninstalled.
Specifically only make use of DESTDIR in the install and uninstall
targets, which allows easier overrides.
Extend uninstall target to also remove WKD sync related script and
systemd units.
keyring/packager/dvzrv/991F6E3F0765CF6295888586139B09DA5BF0D338/uid/David_Runge__dvzrv@archlinux.org_d2ad250f/certification/D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C.asc:
Add main key signature by anthraxx for dvzrv on key 991F6E3F0765CF6295888586139B09DA5BF0D338.
keyring/packager/muflone/CAA1D2323A05219AA2F01AA4E642299183ED727E/*:
Revoke signature on muflone@archlinux.org for
CAA1D2323A05219AA2F01AA4E642299183ED727E.
.gitlab-ci.yml:
Add pkgconf and systemd to the list of packages, that are installed
before executing the build and install targets. They are required to
retrieve the correct path for systemd's system units.
wkd_sync/archlinux-keyring-wkd-sync.timer:
Add timer which triggers archlinux-keyring-wkd-sync.service to
persistently refresh existing PGP keys of archlinux-keyring weekly with
up to 12h of randomized delay.
wkd_sync/archlinux-keyring-wkd-sync:
Add script to refresh existing keys of archlinux-keyring on user
systems based on the state of the distribution's Web Key Directory
(WKD).
Invalid or revoked keys are ignored.
