Commit Graph

31 Commits

Author SHA1 Message Date
Christian Hesse
8f471cf44e Do not export minimal, but clean 2019-10-07 23:36:09 +02:00
Christian Hesse
cf5ed9feeb update-keys: do not minimize but export-minimal 2019-08-06 09:38:04 +02:00
Eli Schwartz
5cb23e4ce6 update-keys: don't restore cwd in a subprocess
Using popd at the very end of a shell script is unnecessary, because, as
the very last command, there is nothing to restore state for.
Immediately after, the shell subprocess is ended, and processes don't
control the cwd of the parent process. Changing the cwd for the last
microsecond of the shell process, during which no commands are run, is
a mildly expensive no-op.

By the same measure, if popd is never used, pushd is not needed to
record the old cwd. So simply use 'cd'.

Signed-off-by: Christian Hesse <mail@eworm.de>
2019-08-06 09:35:52 +02:00
Eli Schwartz
c4264b6784 update-keys: move armor to gpg.conf
This option only affects --export, and we always use armored keys.

Signed-off-by: Christian Hesse <mail@eworm.de>
2019-08-06 09:35:52 +02:00
Eli Schwartz
cca61ee733 update-keys: move export-clean to gpg.conf instead of cleaning the keyring before export
This has the same effect, but causes only the exported version of the
key to be cleaned. Cleaning the internal copy doesn't matter.

Signed-off-by: Christian Hesse <mail@eworm.de>
2019-08-06 09:35:52 +02:00
Eli Schwartz
44f69d009f update-keys: use gpg.conf to persist versions
It is easier than passing around a dozen options on the command line.

Signed-off-by: Christian Hesse <mail@eworm.de>
2019-08-06 09:35:52 +02:00
Eli Schwartz
0d99720ded update-keys: use array for $GPG
Embedding quotes in a string doesn't work, it just causes KEYSERVER to
not be quoted at all.

Signed-off-by: Christian Hesse <mail@eworm.de>
2019-08-06 09:35:52 +02:00
Christian Hesse
35d91559ff Modify the temporary master key generation 2019-01-23 23:12:15 +01:00
Christian Hesse
0e79570527 Rework the update process
* use --refresh-keys if key is available, not --recv-keys
* refresh/receive in one go
2019-01-23 22:37:38 +01:00
Christian Hesse
a48a66dfd6 Import archlinux.gpg into the temporary keyring
This makes sure we do not lose signatures depending on key server used.
2019-01-23 10:27:58 +01:00
Christian Hesse
de4326f4d4 exit immediately on error
Intermittent errors (due to broken network connectivity, key server
failure, whatever ...) could result in an incomplete keyring. So exit
immediately on error.
2017-10-19 10:47:12 +02:00
Christian Hesse
6f00b281f1 Revoke keys unconditionally 2017-10-17 14:01:23 +02:00
Christian Hesse
8e8d330967 Use minimal export for revoked keys
We need the key and most recent self signature.

Signed-off-by: Christian Hesse <mail@eworm.de>
2017-10-17 12:09:39 +02:00
Christian Hesse
1c4f33d735 Do not export attribute user IDs (photo IDs)
There's no need to have images in pacman keyring...

Signed-off-by: Christian Hesse <mail@eworm.de>
2017-10-17 12:09:39 +02:00
Bartłomiej Piotrowski
0abfb04ebb Update keyring
- add keys of new Trusted Users: zorin, shibumi, archangegabriel
- revoke keys of ex-TUs: flexiondotorg, dicebot
- revoke Dan's master key

Signed-off-by: Bartłomiej Piotrowski <bpiotrowski@archlinux.org>
2017-03-20 22:40:09 +01:00
Pierre Schmitz
5242dea788 GPG 2.1 compatibility 2015-02-07 10:28:34 +01:00
Pierre Schmitz
09a1d89a38 Support multiple keys per username 2013-09-26 22:55:57 +02:00
Pierre Schmitz
3e96a8f10f Import all keys before cleaning them up 2013-06-10 14:18:32 +02:00
Pierre Schmitz
40ea22c053 Define a list of revoked keys
Use the file packager-revoked-keyids to revoke certain keys.
2013-05-25 12:48:49 +02:00
Pierre Schmitz
3146e710fb pacman 4.0.3 no longer requires the keyring itself to be signed 2012-04-07 18:43:24 +02:00
Pierre Schmitz
ef2d7258f4 Use more reliable default keyserver; same as in pacman >= 4.0.3 2012-04-07 18:38:26 +02:00
Pierre Schmitz
b7dc439458 Simplify/cleanup update script 2012-03-31 18:40:22 +02:00
Pierre Schmitz
8c53bb72db Revert "The keyring no longer needs to be signed"
This reverts commit 9f3a1ace76.

Keep signatures until pacman 4.0.3 hits [core].
2012-03-21 09:07:08 +01:00
Pierre Schmitz
9f3a1ace76 The keyring no longer needs to be signed 2012-03-09 22:36:02 +01:00
Pierre Schmitz
15f80006f7 Only recreate signatures if needed 2012-03-04 18:39:11 +01:00
Pierre Schmitz
392c57b2bd Minimize the master keys and remove any unneeded signature 2012-03-03 20:56:03 +01:00
Pierre Schmitz
183b5fb612 Create keyring that can be used by pacman-key --populate
We also remove unused signatures from the keys to keep the history more readable
2012-03-03 18:34:23 +01:00
Pierre Schmitz
ba1072bf86 Update gpg keys 2012-02-27 14:06:39 +01:00
Pierre Schmitz
bbd88abce4 Add ownertrust file for the master keys 2012-02-20 13:03:25 +01:00
Pierre Schmitz
f2101938ba Verify packager keys using the master keys
The update script creates key files for master keys and all developers with fully trusted keys.
2012-02-12 22:42:01 +01:00
Pierre Schmitz
35a8c70457 Add keyid lists and update script
* The keyid lists are retrieved from archweb
* The update script can be run to refresh all keys
2012-02-12 17:04:59 +01:00