update Readme

This adds the signing subkey `62CC73F884E52957B2FDD8839B7A287D9A2EC608`
which never expires (unless the root key expires).

.editorconfig

@@ -0,0 +1,30 @@
+root = true
+
+[*]
+end_of_line = lf
+charset = utf-8
+indent_style = space
+indent_size = 4
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[Makefile]
+end_of_line = lf
+charset = utf-8
+indent_style = tab
+indent_size = 4
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[{*.py,keyringctl}]
+indent_style = space
+indent_size = 4
+max_line_length = 120
+
+[*.{yml,yaml}]
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+charset = utf-8
+indent_style = space
+indent_size = 2

.flake8

@@ -0,0 +1,4 @@
+[flake8]
+max-line-length = 120
+output-file = flake8.txt
+max-complexity = 10

.gitattributes

@@ -1,7 +0,0 @@
-update-keys	export-ignore
-.gitattributes	export-ignore
-.gitignore	export-ignore
-master-keyids	export-ignore
-packager-keyids	export-ignore
-master		export-ignore
-packager	export-ignore

.gitignore

@@ -1,3 +1,7 @@
+/build
 *~
 archlinux-keyring-*.tar.gz
 archlinux-keyring-*.tar.gz.sig
+/.idea
+.coverage
+__pycache__/

.gitlab-ci.yml

@@ -0,0 +1,93 @@
+---
+image: archlinux:latest
+
+stages:
+  - test
+  - wkd
+
+lint:
+  stage: test
+  needs: []
+  before_script:
+    - pacman -Syu --needed --noconfirm make flake8 mypy python-black python-isort
+  script:
+    - make lint
+  only:
+    changes:
+      - keyringctl
+      - libkeyringctl/*
+      - tests/*
+      - .gitlab-ci.yml
+      - Makefile
+
+test:
+  stage: test
+  needs: []
+  before_script:
+    - pacman -Syu --needed --noconfirm make python sequoia-sq python-coverage python-pytest python-tomli
+  script:
+    - make test
+  only:
+    changes:
+      - keyringctl
+      - libkeyringctl/*
+      - tests/*
+      - .gitlab-ci.yml
+      - Makefile
+  coverage: '/TOTAL.*\s([.\d]+)%/'
+  artifacts:
+    when: always
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: build/coverage.xml
+      junit: build/junit-report.xml
+
+build_install:
+  stage: test
+  needs: []
+  before_script:
+    - pacman -Syu --needed --noconfirm make pkgconf python sequoia-sq systemd
+  script:
+    - make
+    - make install PREFIX=/usr
+    - pacman-key --init
+    - pacman-key --populate archlinux
+    - pacman-key --updatedb
+    - pacman -Syu
+
+keyring_check:
+  stage: test
+  needs: []
+  before_script:
+    - pacman -Syu --needed --noconfirm make python sequoia-sq git
+  script:
+    - ./keyringctl check
+    - ./keyringctl ci
+  only:
+    changes:
+      - keyring/**/*
+      - keyringctl
+      - libkeyringctl/*
+      - tests/*
+      - .gitlab-ci.yml
+      - Makefile
+
+pages:
+  stage: wkd
+  needs: []
+  tags:
+    - secure
+  before_script:
+    - pacman -Syu --needed --noconfirm make python sequoia-sq
+  script:
+    - make wkd
+    - make wkd WKD_FQDN=master-key.archlinux.org
+    - make wkd_inspect
+    - make wkd_inspect WKD_FQDN=master-key.archlinux.org
+    - cp -r build/wkd/ public
+  artifacts:
+    paths:
+      - public
+  rules:
+    - if: $CI_PROJECT_PATH == "archlinux/archlinux-keyring" && $CI_COMMIT_TAG

.gitlab/issue_templates/New Main Key.md

@@ -0,0 +1,71 @@
+<!--
+This template is used when a new main PGP public key needs to be added to the
+distribution's keyring.
+It is used by users with a valid packager key.
+
+NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes
+in the "Checks" section labeled as "Owner of new key" need to be checked by the
+owner of the new key.
+-->
+/assign @archlinux/teams/main-key-holders
+/label ~"new main key"
+/title New main key of <!-- MODIFY: Add new main key holder's username -->
+<!--
+Please do not remove the above quick actions, which automatically label the
+issue and assign relevant users.
+-->
+
+# Add a new main key
+
+## Details
+
+- Username: <!-- MODIFY: Add the @-prefixed username -->
+- PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MY UID> | sed -n '2p' | tr -d ' '` here -->
+- Revocation Certificate Holder: <!-- MODIFY: Add the @-prefixed username of the revocation certificate holder -->
+
+<!--
+MODIFY: Attach the above information of the details section as a clearsigned
+document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket
+using a valid packager key of the user:
+
+* Select the above text, copy/paste it into a file (e.g. `details.txt`).
+* Make sure to sign with the root certificate of the packager key (not any of
+  the subkeys!):
+  `gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
+* Upload `details.txt` as attachment to this ticket.
+-->
+
+## Checks
+
+**NOTE**: The below check boxes **must be** checked before the accompanying
+merge request to add the new main key can be merged.
+
+### Owner of new key
+
+- [ ] The [workflow for adding a new main
+  key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-main-key)
+  has been followed
+- [ ] The key pair has been validated according to the [best
+  practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
+- [ ] The data in the [Details](#details) section is attached to this issue as
+  a clearsigned document
+- [ ] The revocation certificate has been sent in an encrypted message to the
+  revocation certificate holder
+- [ ] The public key has been uploaded to the `keyserver.ubuntu.com` and
+  `keys.openpgp.org` keyservers, and the `archlinux.org` UID has been verified
+  on the `keys.openpgp.org` keyserver.  Optionally the key can also be uploaded
+  to the `pgp.mit.edu` keyserver, but this is no longer mandatory as it's
+  frequently flaky.
+- [ ] A merge request to add the new public key has been created
+
+### Revocation Certificate Holder
+
+- [ ] The revocation certificate has been [verified
+  as working](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/verify-a-revocation-certificate)
+  and confirmed in a comment to this issue
+- [ ] The revocation certificate has been backed up on a dedicated encrypted backup storage medium
+
+### Main key holders
+
+- [ ] The data in the [Details](#details) section is correct and signed with a
+  valid and trusted packager key, which is already part of `archlinux-keyring`

.gitlab/issue_templates/New Packager Key.md

@@ -0,0 +1,79 @@
+<!--
+This template is used when a new packager PGP public key needs to be added to
+the distribution's keyring.
+It is either used by the sponsor of a new packager or by an existing packager
+when adding a new key for themself.
+
+NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes
+in the "Checks" section labeled as "Owner of new key" need to be checked by the
+owner of the new key or by a sponsor of a new packager.
+-->
+/assign @archlinux/teams/main-key-holders
+/label ~"new packager key"
+/title New packager key of <!-- MODIFY: Add new packager key holder's username -->
+<!--
+Please do not remove the above quick actions, which automatically label the
+issue and assign relevant users.
+-->
+
+# Add a new packager key
+
+## Details
+
+- Username: <!-- MODIFY: Add the @-prefixed username -->
+- PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MY UID> | sed -n '2p' | tr -d ' '` here -->
+- Sponsors: <!-- MODIFY: Add the @-prefixed usernames of the sponsors -->
+- Application: <!-- MODIFY: Add link to application, if this is the key of a new packager, else remove -->
+- Results: <!-- MODIFY: Add link to results of application, if this is the key of a new packager, else remove -->
+- Previous Key: <!--
+  MODIFY: Add the output of `gpg --keyid-format long --list-key <MY PREVIOUS ID> | sed -n '2p' | tr -d ' '` here
+  if another packager key exists already, else remove
+  -->
+
+<!--
+MODIFY: Attach the above information of the details section as a clearsigned
+document (see https://www.gnupg.org/gph/en/manual/x135.html) to this ticket.
+If a previous (valid and trusted) packager key of the user exists, it needs to
+be used for clearsigning the document.
+If the key of a new packager is added, one of their sponsors needs to clearsign
+the details section.
+
+* Select the above text, copy/paste it into a file (e.g. `details.txt`).
+* Make sure to sign with the root certificate of the packager key (not any of
+  the subkeys!):
+  `gpg --armor --default-key <fingerprint_of_root>! --clearsign details.txt`
+* Upload `details.txt` as attachment to this ticket.
+-->
+
+## Checks
+
+### Owner of new key
+
+- [ ] The [workflow for adding a new packager
+  key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/add-a-new-packager-key)
+  has been followed
+- [ ] The key pair contains one user ID with a valid `<username>@archlinux.org` email address
+  used for signing
+- [ ] The key pair has been validated according to the [best
+  practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)
+- [ ] The data in the [Details](#details) section is attached to this issue as
+  a clearsigned document
+- [ ] The public key has been uploaded to the `keyserver.ubuntu.com` and
+  `keys.openpgp.org` keyservers, and the `archlinux.org` UID has been verified
+  on the `keys.openpgp.org` keyserver.  Optionally the key can also be uploaded
+  to the `pgp.mit.edu` keyserver, but this is no longer mandatory as it's
+  frequently flaky.
+- [ ] A merge request to add the new public key has been created
+
+### Main key holders
+
+- [ ] The public key has been signed by all main key holders
+  - [ ] @anthraxx
+  - [ ] @bluewind
+  - [ ] @demize
+  - [ ] @diabonas
+  - [ ] @dvzrv
+
+### Developers of the archlinux-keyring project
+- [ ] The data in the [Details](#details) section is correct and signed with a
+  valid and trusted packager key, which is already part of `archlinux-keyring`

.gitlab/issue_templates/Remove Main Key.md

@@ -0,0 +1,37 @@
+<!--
+This template is used when an existing main PGP public key needs to be removed
+from the distribution's keyring.
+It is used by users with a valid main key or the holder of the revocation
+certificate of the main key that is about to be removed.
+
+NOTE: All comment sections with a MODIFY note need to be edited. All checkboxes
+in the "Check" section labeled as "Main key holders" need to be checked for the
+accompanying merge request to be merged.
+-->
+/assign @archlinux/teams/main-key-holders
+/label ~"remove main key"
+/title Remove main key of <!-- MODIFY: Add main key holder's username -->
+<!--
+Please do not remove the above quick actions, which automatically label the
+issue and assign relevant users.
+-->
+
+# Remove a main key
+
+## Details
+
+- Username: <!-- MODIFY: Add the @-prefixed username -->
+- PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <MAIN KEY UID> | sed -n '2p' | tr -d ' '` here -->
+- Resignation: <!-- MODIFY: Link to resignation of key holder -->
+
+## Checks
+
+### Main key holders
+
+- [ ] There are more than or equal to three valid main keys remaining after
+  removal of this key.
+- [ ] All packagers have at least three valid main key signatures for their
+  packager key after removal of this key.
+- [ ] A merge request to [remove the main public
+  key](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/remove-a-main-key)
+  has been created

.gitlab/issue_templates/Remove Packager Key.md

@@ -0,0 +1,43 @@
+<!--
+This template is used when an existing packager PGP public key needs to be
+removed from the distribution's keyring.
+It is used by users with a valid main key or a valid packager key.
+
+NOTE: All comment sections with a MODIFY note need to be edited.
+-->
+/assign @archlinux/teams/main-key-holders
+/label ~"remove packager key"
+/title Remove packager key of <!-- MODIFY: Add packager key holder's username -->
+<!--
+Please do not remove the above quick actions, which automatically label the
+issue and assign relevant users.
+-->
+
+# Remove a packager key
+
+## Details
+
+- Username: <!-- MODIFY: Add the @-prefixed username -->
+- PGP key ID: <!-- MODIFY: Add the output of `gpg --keyid-format long --list-key <PACKAGER KEY UID> | sed -n '2p' | tr -d ' '` here -->
+- Resignation: <!-- MODIFY: Link to resignation of key holder -->
+
+## Checks
+
+**NOTE**: The below check box **must be** checked before the main key holders
+can start to revoke the key.
+
+- [ ] There are [no packages left in any of the official
+  repositories](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/Find-packages-signed-by-a-key),
+  that are signed by the key or any of its subkeys, which is about to be
+  removed.
+
+### Main key holders
+
+All main key holders should revoke their signature(s) for the given key in a
+merge request to this repository using `keyringctl`.
+
+- [ ] @anthraxx
+- [ ] @bluewind
+- [ ] @demize
+- [ ] @diabonas
+- [ ] @dvzrv

.gitlab/merge_request_templates/New Main Key.md

@@ -0,0 +1,34 @@
+<!--
+This template is used when a new main PGP public key needs to be added to the
+distribution's keyring.
+It is used by users with a valid packager key after all steps in an
+accompanying issue (opened with the template "New Main Key") have been
+fulfilled.
+-->
+/assign @archlinux/teams/main-key-holders
+/label ~"new main key"
+/title Add main key of <!-- MODIFY: Add the main key holder's username -->
+<!--
+Please do not remove the above quick actions, which automatically label the
+issue and assign relevant users.
+-->
+
+# Add a new main key
+
+## Details
+
+- Username: <!-- MODIFY: Add the @-prefixed username -->
+- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the PGP public key here -->
+
+Closes <!-- MODIFY: Add #-prefixed issue number, that will be closed by merging this merge request -->
+
+## Checks
+
+### Keyring maintainer
+
+- [ ] All steps in the accompanying ticket are fulfilled.
+
+### Main key holders
+
+- [ ] The public key has been validated according to the [best
+  practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)

.gitlab/merge_request_templates/New Packager Key.md

@@ -0,0 +1,32 @@
+<!--
+This template is used when a new packager PGP public key needs to be added to
+the distribution's keyring.
+It is either used by the sponsor of a new packager or by an existing packager
+when adding a new key for themself after all steps in an accompanying issue
+(opened with the template "New Packager Key") have been fulfilled..
+-->
+/assign_reviewer @archlinux/teams/main-key-holders
+/label ~"new packager key"
+/title Add packager key of <!-- MODIFY: Add the packager key holder's username -->
+<!--
+Please do not remove the above quick actions, which automatically label the
+issue and assign relevant users.
+-->
+
+# Add a new packager key
+
+## Details
+
+- Username: <!-- MODIFY: Add the @-prefixed username -->
+- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the PGP public key here -->
+
+Related issue: <!-- MODIFY: Add #-prefixed issue number -->
+
+## Checks
+
+- [ ] All steps in the accompanying ticket are fulfilled.
+
+### Main key holders
+
+- [ ] The public key has been validated according to the [best
+  practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair)

.gitlab/merge_request_templates/Remove Main Key.md

@@ -0,0 +1,31 @@
+<!--
+This template is used when an existing main PGP public key needs to be removed
+from the distribution's keyring.
+It is used by users with a valid main key after all steps in an accompanying
+issue (opened with the template "Remove Main Key") have been fulfilled.
+-->
+/assign_reviewer @archlinux/teams/main-key-holders
+/label ~"remove main key"
+/title Remove main key of <!-- MODIFY: Add the main key holder's username -->
+<!--
+Please do not remove the above quick actions, which automatically label the
+issue and assign relevant users.
+-->
+
+# Remove a main key
+
+## Details
+
+- Username: <!-- MODIFY: Add the @-prefixed username -->
+- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the PGP public key here -->
+
+Related issue: <!-- MODIFY: Add #-prefixed issue number -->
+
+## Checks
+
+### Keyring maintainer
+
+- [ ] There are more than or equal to three valid main keys remaining after
+  removal of this key.
+- [ ] All packagers have at least three valid main key signatures for their
+  packager key after removal of this key.

.gitlab/merge_request_templates/Remove Packager Key.md

@@ -0,0 +1,30 @@
+<!--
+This template is used when an existing packager PGP public key needs to be
+removed from the distribution's keyring.
+It is used by users with a valid main key or a valid packager key after all
+steps in an accompanying issue (opened with the template "Remove Packager Key")
+have been fulfilled.
+-->
+/assign_reviewer @archlinux/teams/main-key-holders
+/label ~"remove packager key"
+/title Remove packager key of <!-- MODIFY: Add the packager's username -->
+<!--
+Please do not remove the above quick actions, which automatically label the
+issue and assign relevant users as reviewers.
+-->
+
+# Remove a packager key
+
+## Details
+
+- Username: <!-- MODIFY: Add the @-prefixed username -->
+- PGP key ID: <!-- MODIFY: Add the "long format" key ID of the PGP public key here -->
+
+Related issue: <!-- MODIFY: Add #-prefixed issue number -->
+
+## Checks
+
+### Keyring maintainer
+
+- [ ] There are no packages left in any of the official repositories, that are
+  signed by the key which is about to be removed.

CONTRIBUTING.md

@@ -0,0 +1,66 @@
+# Contributing
+
+These are the contribution guidelines for archlinux-keyring.
+All code contributions fall under the terms of the GPL-3.0-or-later (see
+[LICENSE](LICENSE)).
+
+Please read our distribution-wide [Code of
+Conduct](https://terms.archlinux.org/docs/code-of-conduct/) before
+contributing, to understand what actions will and will not be tolerated.
+
+Development of archlinux-keyring takes place on Arch Linux' Gitlab:
+https://gitlab.archlinux.org/archlinux/archlinux-keyring.
+
+Any merge request to the repository requires two approvals of authorized
+approvers (the current main key holders).
+
+## Discussion
+
+Discussion around archlinux-keyring may take place on the [arch-projects
+mailing list](https://lists.archlinux.org/listinfo/arch-projects) and in
+[#archlinux-projects](ircs://irc.libera.chat/archlinux-projects) on [Libera
+Chat](https://libera.chat/).
+
+## Requirements
+
+The following additional packages need to be installed to be able to lint
+and develop this project:
+
+* python-black
+* python-coverage
+* python-isort
+* python-pytest
+* python-tomli
+* flake8
+* mypy
+
+## Keyringctl
+
+The `keyringctl` script is written in typed python, which makes use of
+[sequoia](https://sequoia-pgp.org/)'s `sq` command.
+
+The script is type checked, linted and formatted using standard tooling.
+When providing a merge request make sure to run `make lint`.
+
+## Testing
+
+Test cases are developed per module in the [test](test) directory and should
+consist of atomic single expectation tests. A Huge test case asserting various
+different expectations are discouraged and should be split into finer grained
+test cases.
+
+To execute all tests using pytest
+```bash
+make test
+```
+
+To run keyring integrity and consistency checks
+```bash
+make check
+```
+
+## Web Key Directory
+
+Only tagged releases are built and exposed via WKD. This helps to ensure, that
+inconsistent state of the keyring is not exposed to the enduser, which may make
+use of it instantaneously.

LICENSE

@@ -0,0 +1,674 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<https://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<https://www.gnu.org/licenses/why-not-lgpl.html>.

Makefile

@@ -1,20 +1,72 @@
-V=20130926
+SHELL = /bin/bash
+PREFIX ?= /usr/local
+BUILD_DIR ?= build
+KEYRING_TARGET_DIR ?= $(PREFIX)/share/pacman/keyrings/
+SCRIPT_TARGET_DIR ?= $(PREFIX)/bin
+SYSTEMD_SYSTEM_UNIT_DIR ?= $(shell pkgconf --variable systemd_system_unit_dir systemd)
+WKD_FQDN ?= archlinux.org
+WKD_BUILD_DIR ?= $(BUILD_DIR)/wkd
+KEYRING_FILE=archlinux.gpg
+KEYRING_REVOKED_FILE=archlinux-revoked
+KEYRING_TRUSTED_FILE=archlinux-trusted
+WKD_SYNC_SCRIPT=archlinux-keyring-wkd-sync
+WKD_SYNC_SERVICE_IN=archlinux-keyring-wkd-sync.service.in
+WKD_SYNC_SERVICE=archlinux-keyring-wkd-sync.service
+WKD_SYNC_TIMER=archlinux-keyring-wkd-sync.timer
+SYSTEMD_TIMER_DIR=$(SYSTEMD_SYSTEM_UNIT_DIR)/timers.target.wants/
+SOURCES := $(shell find keyring) $(shell find libkeyringctl -name '*.py' -or -type d) keyringctl
 
-PREFIX = /usr/local
+all: build
 
-install:
-	install -dm755 $(DESTDIR)$(PREFIX)/share/pacman/keyrings/
-	install -m0644 archlinux{.gpg,-trusted,-revoked} $(DESTDIR)$(PREFIX)/share/pacman/keyrings/
+lint:
+	black --check --diff keyringctl libkeyringctl tests
+	isort --diff .
+	flake8 keyringctl libkeyringctl tests
+	mypy --install-types --non-interactive keyringctl libkeyringctl tests
+
+fmt:
+	black .
+	isort .
+
+check:
+	./keyringctl -v check
+
+test:
+	coverage run
+	coverage xml
+	coverage report --fail-under=100.0
+
+build: $(SOURCES)
+	./keyringctl -v $(BUILD_DIR)
+
+wkd: build
+	sq -f wkd generate -s $(WKD_BUILD_DIR)/ $(WKD_FQDN) $(BUILD_DIR)/$(KEYRING_FILE)
+
+wkd_inspect: wkd
+	for file in $(WKD_BUILD_DIR)/.well-known/openpgpkey/$(WKD_FQDN)/hu/*; do sq inspect $$file; done
+
+wkd_sync_service: wkd_sync/$(WKD_SYNC_SERVICE_IN)
+	sed -e 's|SCRIPT_TARGET_DIR|$(SCRIPT_TARGET_DIR)|' wkd_sync/$(WKD_SYNC_SERVICE_IN) > $(BUILD_DIR)/$(WKD_SYNC_SERVICE)
+
+clean:
+	rm -rf $(BUILD_DIR) $(WKD_BUILD_DIR)
+
+install: build wkd_sync_service
+	install -vDm 644 build/{$(KEYRING_FILE),$(KEYRING_REVOKED_FILE),$(KEYRING_TRUSTED_FILE)} -t $(DESTDIR)$(KEYRING_TARGET_DIR)
+	install -vDm 755 wkd_sync/$(WKD_SYNC_SCRIPT) -t $(DESTDIR)$(SCRIPT_TARGET_DIR)
+	install -vDm 644 build/$(WKD_SYNC_SERVICE) -t $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)
+	install -vDm 644 wkd_sync/$(WKD_SYNC_TIMER) -t $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)
+	install -vdm 755 $(DESTDIR)$(SYSTEMD_TIMER_DIR)
+	ln -fsv ../$(WKD_SYNC_TIMER) $(DESTDIR)$(SYSTEMD_TIMER_DIR)/$(WKD_SYNC_TIMER)
 
 uninstall:
-	rm -f $(DESTDIR)$(PREFIX)/share/pacman/keyrings/archlinux{.gpg,-trusted,-revoked}
-	rmdir -p --ignore-fail-on-non-empty $(DESTDIR)$(PREFIX)/share/pacman/keyrings/
+	rm -fv $(DESTDIR)$(KEYRING_TARGET_DIR)/{$(KEYRING_FILE),$(KEYRING_REVOKED_FILE),$(KEYRING_TRUSTED_FILE)}
+	rmdir -pv --ignore-fail-on-non-empty $(DESTDIR)$(KEYRING_TARGET_DIR)
+	rm -v $(DESTDIR)$(SCRIPT_TARGET_DIR)/$(WKD_SYNC_SCRIPT)
+	rmdir -pv --ignore-fail-on-non-empty $(DESTDIR)$(SCRIPT_TARGET_DIR)
+	rm -v $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)/{$(WKD_SYNC_SERVICE),$(WKD_SYNC_TIMER)}
+	rmdir -pv --ignore-fail-on-non-empty $(DESTDIR)$(SYSTEMD_SYSTEM_UNIT_DIR)
+	rm -v $(DESTDIR)$(SYSTEMD_TIMER_DIR)/$(WKD_SYNC_TIMER)
+	rmdir -pv --ignore-fail-on-non-empty $(DESTDIR)$(SYSTEMD_TIMER_DIR)
 
-dist:
-	git archive --format=tar --prefix=archlinux-keyring-$(V)/ $(V) | gzip -9 > archlinux-keyring-$(V).tar.gz
-	gpg --detach-sign --use-agent archlinux-keyring-$(V).tar.gz
-
-upload:
-	scp archlinux-keyring-$(V).tar.gz archlinux-keyring-$(V).tar.gz.sig nymeria.archlinux.org:/srv/ftp/other/archlinux-keyring/
-
-.PHONY: install uninstall dist upload
+.PHONY: all lint fmt check test clean install uninstall wkd wkd_inspect

README.md

@@ -0,0 +1,158 @@
+# condorcore-keyring
+
+The archlinux-keyring project holds PGP packet material and tooling
+(`keyringctl`) to create the distribution keyring for Arch Linux.
+The keyring is used by pacman to establish the web of trust for the packagers
+of the distribution.
+
+The PGP packets describing the main signing keys can be found below the
+[keyring/main](keyring/main) directory, while those of the packagers are located below the
+[keyring/packager](keyring/packager) directory.
+
+## Requirements
+
+The following packages need to be installed to be able to create a PGP keyring
+from the provided data structure and to install it:
+
+Build:
+
+* make
+* findutils
+* pkgconf
+* systemd
+
+Runtime:
+
+* python
+* sequoia-sq >= 0.31.0
+
+Optional:
+
+* hopenpgp-tools (verify)
+* git (ci)
+
+## Usage
+
+### Build
+
+Build all PGP artifacts (keyring, ownertrust, revoked files) to the build directory
+```bash
+./keyringctl build
+```
+
+### Import
+
+Import a new packager key by deriving the username from the filename.
+```bash
+./keyringctl import <username>.asc
+```
+
+Alternatively import a file or directory and override the username
+```bash
+./keyringctl import --name <username> <file_or_directory...>
+```
+
+Updates to existing keys will automatically derive the username from the known fingerprint.
+```bash
+./keyringctl import <file_or_directory...>
+```
+
+Main key imports support the same options plus a mandatory `--main`
+```bash
+./keyringctl import --main <username>.asc
+```
+
+### Export
+
+Export the whole keyring including main and packager to stdout
+```bash
+./keyringctl export
+```
+
+Limit to specific certs using an output file
+```bash
+./keyringctl export <username_or_fingerprint_or_directory...> --output <filename>
+```
+
+### List
+
+List all certificates in the keyring
+```bash
+./keyringctl list
+```
+
+Only show a specific main key
+```bash
+./keyringctl list --main <username_or_fingerprint...>
+```
+
+### Inspect
+
+Inspect all certificates in the keyring
+```bash
+./keyringctl inspect
+```
+
+Only inspect a specific main key
+```bash
+./keyringctl inspect --main <username_or_fingerprint_or_directory...>
+```
+
+### Verify
+
+Verify certificates against modern expectations and assumptions
+```bash
+./keyringctl verify <username_or_fingerprint_or_directory...>
+```
+
+## Installation
+
+To install archlinux-keyring system-wide use the included `Makefile`:
+
+```bash
+make install
+```
+
+## Contribute
+
+Read our [contributing guide](CONTRIBUTING.md) to learn more about guidelines and
+how to provide fixes or improvements for the code base.
+
+## Releases
+
+[Releases of
+archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/tags)
+are exclusively created by [keyring maintainers](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/project_members?with_inherited_permissions=exclude).
+
+The tags are signed with one of the following legitimate keys:
+
+```
+condorbs master key <contacto@condorbs.net>
+5972 44DB EA52 EC6E FE5F 36A4 FDD4 2A59 FD43 C07B
+
+Kevin Muñoz (CyberSecurity Engineer) <kmunoz@condorbs.net>
+2B9D 22B4 1F2A F104 2BFC E73A 3CA0 B9DF 1BE7 CE09
+
+Jesus Martin Ortega Martinez (Sysadmin/Backend Developer) <jortega@condorbs.net>
+9E64 6BB0 630C 8FD1 8ACD 1554 1B93 E6A7 66CD 229D
+
+```
+
+To verify a tag, first import the relevant PGP keys:
+
+```bash
+gpg --auto-key-locate wkd --search-keys <email-from-above>
+```
+
+Afterwards a tag can be verified from a clone of this repository. Please note
+that one **must** check the used key of the signature against the legitimate
+keys listed above:
+
+```bash
+git verify-tag <tag>
+```
+
+## License
+
+Archlinux-keyring is licensed under the terms of the **GPL-3.0-or-later** (see
+[LICENSE](LICENSE)).

archlinux-revoked

@@ -1 +0,0 @@
-BC1FBE4D2826A0B51E47ED62E2539214C6C11350

archlinux-trusted

@@ -1,5 +0,0 @@
-AB19265E5D7D20687D303246BA1DFB64FFF979E7:4:
-27FFC4769E19F096D41D9265A04F9397CDFD6BB0:4:
-44D4A033AC140143927397D47EFD567D4C7EA887:4:
-0E8B644079F599DFC1DDC3973348882F6AC6A4C2:4:
-684148BB25B49E986A4944C55184252D824B18E8:4:

keyring/main/condorbs/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xjMEZO+HvhYJKwYBBAHaRw8BAQdA0ZgcznaDUjbUKMod0O1TPAwzzt/0r4elBhOw
+7MbXW4k=
+=qB7P
+-----END PGP PUBLIC KEY BLOCK-----

keyring/main/condorbs/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B/subkey/53B8D3093BF135D42674D00EFE7E4A67BB957913/53B8D3093BF135D42674D00EFE7E4A67BB957913.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zjgEZO+KNRIKKwYBBAGXVQEFAQEHQFkPP4NhQp0KsSfhhiTvssqu7PygTGXQi7Qe
+H4z+Ud5JAwEIBw==
+=n0nQ
+-----END PGP ARMORED FILE-----

keyring/main/condorbs/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B/subkey/53B8D3093BF135D42674D00EFE7E4A67BB957913/certification/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wngEGBYIACAWIQRZckTb6lLsbv5fNqT91CpZ/UPAewUCZO+KNQIbDAAKCRD91CpZ
+/UPAe/Q1APwMjKPn5u6/qc8iSZNbmVoE4EgOAYS6WTVAcrVV7rF6fQD/Z+pl1zMf
+CouDiHO4ZmlFjeNL2eXuZBZCk/lWhEVu/w0=
+=WqjU
+-----END PGP SIGNATURE-----

keyring/main/condorbs/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B/subkey/7CD932B25C34937161180F0F9C9C8B6804503E6E/7CD932B25C34937161180F0F9C9C8B6804503E6E.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zjMEZO+KdRYJKwYBBAHaRw8BAQdAYbnrkxnt+czK37JQ26fC0VrmdCfCSHn2xoEC
+i99TBOE=
+=wsKX
+-----END PGP ARMORED FILE-----

keyring/main/condorbs/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B/subkey/7CD932B25C34937161180F0F9C9C8B6804503E6E/certification/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wngEGBYIACAWIQRZckTb6lLsbv5fNqT91CpZ/UPAewUCZO+KdQIbIAAKCRD91CpZ
+/UPAe4DZAP0TghO5H5L+O/fPZGo5JRiYz4UMDGz74LGxPp0gJO+NPwEAtkQwhStj
+tdp06YC1pYYE5kXa1LTKYVvpyRiyf2rRogc=
+=+Kku
+-----END PGP SIGNATURE-----

keyring/main/condorbs/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B/uid/__CondorBS_Master_Key___contacto@condorbs.net_6090000b/__CondorBS_Master_Key___contacto@condorbs.net_6090000b.asc

@@ -0,0 +1,5 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zS4gKENvbmRvckJTIE1hc3RlciBLZXkpIDxjb250YWN0b0Bjb25kb3Jicy5uZXQ+
+=gkv7
+-----END PGP ARMORED FILE-----

keyring/main/condorbs/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B/uid/__CondorBS_Master_Key___contacto@condorbs.net_6090000b/certification/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B.asc

@@ -0,0 +1,8 @@
+-----BEGIN PGP SIGNATURE-----
+
+wpAEExYIADgWIQRZckTb6lLsbv5fNqT91CpZ/UPAewUCZO+HvgIbAwULCQgHAgYV
+CgkICwIEFgIDAQIeAQIXgAAKCRD91CpZ/UPAexq8AQCetQu2K7djsOjNcmtzeqKD
+2cF9SbLkyuoIzQXiHSC80AEA9H6W/acrWqPxGdfC/xZbYNDQDL+EQ3ACpXJQT3Hy
+RwY=
+=y5nP
+-----END PGP SIGNATURE-----

keyring/main/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/9E646BB0630C8FD18ACD15541B93E6A766CD229D.asc

@@ -0,0 +1,8 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xpMEZMmVIRMFK4EEACMEIwQAMg6oXItBfN9on9xjiZlu12gJ1tLIh5H8obYC1hdc
+8dp5I9/r2SDyModKr3YCRaLnvO9rkwoJ8G7aY0WXyj4O/c0AvosLnDvULoBexQB6
+VHtMkWe9ugbB0cZB54EJJr+pdaJUimOyZT0X3QMmSRhTBriAhnU/nk9KDfiZEyMM
+b8uZEjk=
+=GKHU
+-----END PGP PUBLIC KEY BLOCK-----

keyring/main/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/subkey/3051C14ACC7CFFBEF5CB04D776D67D99EA77D0F6/3051C14ACC7CFFBEF5CB04D776D67D99EA77D0F6.asc

@@ -0,0 +1,8 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zpcEZMmVIRIFK4EEACMEIwQBtRBYmz2Ikb81Ng2DQ1vNfbSvPegAnBGgeBXcpN/o
+lkCPy/ZlknKbcfl3IKQclFFi5+Oxn9wAl7cjUiEJ2I5hwXoAGz5B7+sj+YcFq+rg
+0YcXqWZtgzqtHXElvB8cFua1XlVX5/e8nllFImSsWoy+Sx0xfkwnpn6jksvbACRW
+ACpuB8YDAQoJ
+=LjwU
+-----END PGP ARMORED FILE-----

keyring/main/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/subkey/3051C14ACC7CFFBEF5CB04D776D67D99EA77D0F6/certification/9E646BB0630C8FD18ACD15541B93E6A766CD229D.asc

@@ -0,0 +1,8 @@
+-----BEGIN PGP SIGNATURE-----
+
+wrsEGBMKACAWIQSeZGuwYwyP0YrNFVQbk+anZs0inQUCZMmVIQIbDAAKCRAbk+an
+Zs0inUO6AgiGHmHLw4H6e4xXqIeagIvOYGYZWjp3L4flgogOUet+04zPV0GiH4aE
+bojPlS9Qgis6uzVsdkvg2aTVlT1mNrwoWgIJASQuhhubtoKvM1OqPOE4Wg3dJGXt
+435oYPDvCtd7aTleqLzo4Cu5ArSC6mLJ1u0ZmeGBIX2FCbboSHuwpCNca6aN
+=F5p6
+-----END PGP SIGNATURE-----

keyring/main/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___jortega@condorbs.net_2a95b4c3/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___jortega@condorbs.net_2a95b4c3.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zVBKZXN1cyBNYXJ0aW4gT3J0ZWdhIE1hcnRpbmV6IChTeXNhZG1pbi9CYWNrZW5k
+IERldmVsb3BlcikgPGpvcnRlZ2FAY29uZG9yYnMubmV0Pg==
+=e3s5
+-----END PGP ARMORED FILE-----

keyring/main/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___jortega@condorbs.net_2a95b4c3/certification/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wnUEEBYIAB0WIQQrnSK0HyrxBCv85zo8oLnfG+fOCQUCZNqa7AAKCRA8oLnfG+fO
+CWqZAQD3QajH/taR/uqhPiZru3xo+ylvCi3ZuzaoLSYCMfWUiAEAuAfusmx7Rctj
+y8k92/3roCiWz1HgmwGtAXfDAAxguA0=
+=3qNK
+-----END PGP SIGNATURE-----

keyring/main/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___jortega@condorbs.net_2a95b4c3/certification/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wnUEEBYIAB0WIQRZckTb6lLsbv5fNqT91CpZ/UPAewUCZPTEhwAKCRD91CpZ/UPA
+e2LuAP9tdozKCw1PUpDvfLyC3vKc7EFqJSkDYRhyNYmc+g70tgEAtKaD9hLGVY7E
+7S7+MHx3ThOfcz7gp9mTRzrZ//NFswk=
+=z6WD
+-----END PGP SIGNATURE-----

keyring/main/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___jortega@condorbs.net_2a95b4c3/certification/9E646BB0630C8FD18ACD15541B93E6A766CD229D.asc

@@ -0,0 +1,9 @@
+-----BEGIN PGP SIGNATURE-----
+
+wsATBBMTCgA4FiEEnmRrsGMMj9GKzRVUG5Pmp2bNIp0FAmTJ6B8CGwMFCwkIBwIG
+FQoJCAsCBBYCAwECHgECF4AACgkQG5Pmp2bNIp0P/AIJAdxv/DbUoqRGRnwdcEBF
+wqZi12/v+K9IGgLsvmOyAlluInp/aWG8w6iO1Gcr7uz5ChQ+qCwPBe3cBQRNiE3e
+52lfAgjUjvEO63nIwCCgERUNqaaDZorlVYUlNG/KO1bJ8BT6iJYI2ruj10jt3T8H
+OQD7R+gE3Kye2v3QOj8h7XSDF0e3ZQ==
+=8eqD
+-----END PGP SIGNATURE-----

keyring/main/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martin.ortega.arashi@gmail.com_d92840be/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martin.ortega.arashi@gmail.com_d92840be.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zVpKZXN1cyBNYXJ0aW4gT3J0ZWdhIE1hcnRpbmV6IChTeXNhZG1pbi9CYWNrZW5k
+IERldmVsb3BlcikgPG1hcnRpbi5vcnRlZ2EuYXJhc2hpQGdtYWlsLmNvbT4=
+=HM/p
+-----END PGP ARMORED FILE-----

keyring/main/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martin.ortega.arashi@gmail.com_d92840be/certification/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wnUEEBYIAB0WIQQrnSK0HyrxBCv85zo8oLnfG+fOCQUCZNqa7AAKCRA8oLnfG+fO
+CS1LAP44EV14Z4lOt+XiVFUzmBujq60m4/bvTjbB77tD9LvNegEAjeUkPoi3JtHx
+WBMKHcJD07LnWS0hqrdlPxFl9dp5Uwg=
+=Y2Va
+-----END PGP SIGNATURE-----

keyring/main/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martin.ortega.arashi@gmail.com_d92840be/certification/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wnUEEBYIAB0WIQRZckTb6lLsbv5fNqT91CpZ/UPAewUCZPTEgQAKCRD91CpZ/UPA
+e0rYAQCl6lPg73DMmTeAUV1Uqi2nyMjNIefvEtUY2uabv8FvMwD9FiFMI0yDbmoc
+c/sYuHcQqZhxzBJDlOYymnjw9OAv+QM=
+=wrpE
+-----END PGP SIGNATURE-----

keyring/main/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martin.ortega.arashi@gmail.com_d92840be/certification/9E646BB0630C8FD18ACD15541B93E6A766CD229D.asc

@@ -0,0 +1,9 @@
+-----BEGIN PGP SIGNATURE-----
+
+wsATBBMTCgA4FiEEnmRrsGMMj9GKzRVUG5Pmp2bNIp0FAmTJ6dECGwMFCwkIBwIG
+FQoJCAsCBBYCAwECHgECF4AACgkQG5Pmp2bNIp3QYwIJARhW4FH+4LaSuqcJF+A3
+DVlAM446erNpUWx0IZGreiO559IK+1YKdDlMXgiag26XVXKNM2QGrsHhAwU9+dLx
+fC4FAgdO1bF1oPT9ASKljXqcFfy4+t2X/8nv1BMTl5u9esCP7VZ9xURirIpklJwY
+NcDtRWMZSX4xrMBnkdn+x08EwLmzTQ==
+=vhPl
+-----END PGP SIGNATURE-----

keyring/main/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martinortega@ciencias.unam.mx_4b07ff77/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martinortega@ciencias.unam.mx_4b07ff77.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zVlKZXN1cyBNYXJ0aW4gT3J0ZWdhIE1hcnRpbmV6IChTeXNhZG1pbi9CYWNrZW5k
+IERldmVsb3BlcikgPG1hcnRpbm9ydGVnYUBjaWVuY2lhcy51bmFtLm14Pg==
+=ZuCG
+-----END PGP ARMORED FILE-----

keyring/main/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martinortega@ciencias.unam.mx_4b07ff77/certification/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wnUEEBYIAB0WIQQrnSK0HyrxBCv85zo8oLnfG+fOCQUCZNqa7AAKCRA8oLnfG+fO
+CS0rAQCJXdLjaSluAAs2/llUmSyNMEiHrewhW/1xMGT+flLeJwD+IbKRpqVSnxdv
+1Zf1l7V4twaNTR9Szn+y79/iAXKi3Qo=
+=xMYy
+-----END PGP SIGNATURE-----

keyring/main/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martinortega@ciencias.unam.mx_4b07ff77/certification/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wnUEEBYIAB0WIQRZckTb6lLsbv5fNqT91CpZ/UPAewUCZPTEiAAKCRD91CpZ/UPA
+ewEIAQD1Tv6GyecgA8IveFHfGVRus/hCgAoSc4PMMyWI15ypyQEA+FNlZsmueGul
+kfskMpwMmp/BkVYi3PtBja2G9yNRggc=
+=BnkF
+-----END PGP SIGNATURE-----

keyring/main/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martinortega@ciencias.unam.mx_4b07ff77/certification/9E646BB0630C8FD18ACD15541B93E6A766CD229D.asc

@@ -0,0 +1,9 @@
+-----BEGIN PGP SIGNATURE-----
+
+wsAUBBMTCgA4FiEEnmRrsGMMj9GKzRVUG5Pmp2bNIp0FAmTJ6X8CGwMFCwkIBwIG
+FQoJCAsCBBYCAwECHgECF4AACgkQG5Pmp2bNIp2agwIJAcixnfmr/NmpYJa0oS6w
+YB619pekk3gMzeLaBX3VXbHus3p/KPPcBIq0NbjGe6V7pcwHW2qd9Iq43zH/LtGD
+CVnYAgkBCv9EzRpbXQrMNtc3fHiR/vbCRIeP4LVnQYcTImFh7+nrlmr01Fl4gy4I
+MEF0ydpFMwwTLdA18CpjVWJysaLPogc=
+=Fcxd
+-----END PGP SIGNATURE-----

keyring/main/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xjMEZNlVYBYJKwYBBAHaRw8BAQdAqrHl4S2UIU1DVv75VVqxYWzMXIj6DUYOEdx5
+9S54ziY=
+=AoQq
+-----END PGP PUBLIC KEY BLOCK-----

keyring/main/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/subkey/BA4AA44367DAAD0F20F415BFD07D531204D231E1/BA4AA44367DAAD0F20F415BFD07D531204D231E1.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zjMEZNlWbxYJKwYBBAHaRw8BAQdAV2fQb6zL0/FtXruJHxiYulW0C/RVdJH5u/st
+dZ4XCao=
+=xMzn
+-----END PGP ARMORED FILE-----

keyring/main/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/subkey/BA4AA44367DAAD0F20F415BFD07D531204D231E1/certification/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wngEGBYIACAWIQQrnSK0HyrxBCv85zo8oLnfG+fOCQUCZNlWbwIbIAAKCRA8oLnf
+G+fOCcclAP9vH93UilCUalYkdkg0IIimuOrYJAFE3PoYzM3Yfh9VSAD/b750y/y6
+5soKAhwaVWI0mD+2ktStLv5GQQVsD9aYqAI=
+=Vrin
+-----END PGP SIGNATURE-----

keyring/main/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/subkey/DA436DE8EF44606E25CE6DCBDC7A4E881B30B5C6/DA436DE8EF44606E25CE6DCBDC7A4E881B30B5C6.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zjgEZNlWvxIKKwYBBAGXVQEFAQEHQEQesoNgKWVLnSEVok8pd9FyElkGY1zDKXsi
+ZaVYcTRkAwEIBw==
+=VQWX
+-----END PGP ARMORED FILE-----

keyring/main/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/subkey/DA436DE8EF44606E25CE6DCBDC7A4E881B30B5C6/certification/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wngEGBYIACAWIQQrnSK0HyrxBCv85zo8oLnfG+fOCQUCZNlWvwIbDAAKCRA8oLnf
+G+fOCU8IAP43YS3bfntHouOiZk7UuxLbHeXQl6YkBTgO0W+uKTPtrwD8CBgI2PED
+ktTsoBkDQxKzGJRmCRwnaK1yIipT/mwQEQ8=
+=T+Yn
+-----END PGP SIGNATURE-----

keyring/main/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/uid/Kevin_Mu_oz__CiberSecurity_Engineer___kmunoz@condorbs.net_b896e3f8/Kevin_Mu_oz__CiberSecurity_Engineer___kmunoz@condorbs.net_b896e3f8.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zTtLZXZpbiBNdcOxb3ogKENpYmVyU2VjdXJpdHkgRW5naW5lZXIpIDxrbXVub3pA
+Y29uZG9yYnMubmV0Pg==
+=dz9S
+-----END PGP ARMORED FILE-----

keyring/main/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/uid/Kevin_Mu_oz__CiberSecurity_Engineer___kmunoz@condorbs.net_b896e3f8/certification/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09.asc

@@ -0,0 +1,8 @@
+-----BEGIN PGP SIGNATURE-----
+
+wpAEExYIADgWIQQrnSK0HyrxBCv85zo8oLnfG+fOCQUCZNlVYAIbAwULCQgHAgYV
+CgkICwIEFgIDAQIeAQIXgAAKCRA8oLnfG+fOCS2YAP9NkmVFAljJiYFLtc7o1xB3
+xT/qtfJKw95khnhQFLqd5AEAsb5vlZ/bDvb56Ygea+O/ar+qpq1q+cGvnUx2/OGP
+Jg4=
+=zdAS
+-----END PGP SIGNATURE-----

keyring/main/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/uid/Kevin_Mu_oz__CiberSecurity_Engineer___kmunoz@condorbs.net_b896e3f8/certification/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wnUEEBYIAB0WIQRZckTb6lLsbv5fNqT91CpZ/UPAewUCZPS9OAAKCRD91CpZ/UPA
+e7bFAQCN21II7aHOe/paU/jX2vyQ33XS3oxJVpmQSEzp6R7U/QEAzwXCicEeAV3T
+71ymIsxFKu+fMHmpiSSvmAvzhxUBhwQ=
+=Lpv2
+-----END PGP SIGNATURE-----

keyring/main/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/uid/Kevin_Mu_oz__CyberSecurity_Engineer___kmunoz@condorbs.net_6546871d/Kevin_Mu_oz__CyberSecurity_Engineer___kmunoz@condorbs.net_6546871d.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zTtLZXZpbiBNdcOxb3ogKEN5YmVyU2VjdXJpdHkgRW5naW5lZXIpIDxrbXVub3pA
+Y29uZG9yYnMubmV0Pg==
+=sa4s
+-----END PGP ARMORED FILE-----

keyring/main/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/uid/Kevin_Mu_oz__CyberSecurity_Engineer___kmunoz@condorbs.net_6546871d/certification/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+wsBmBBMWCADOAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAhkBFiEEK50itB8q
+8QQr/Oc6PKC53xvnzgkFAmTnd4NDFIAAAAAAEAAqcHJvb2ZAYXJpYWRuZS5pZGh0
+dHBzOi8vbWFzdG9kb24uY2VudGF1cmljb3JleC5uZXQvQGttdW5vek4UgAAAAAAQ
+ADVwcm9vZkBhcmlhZG5lLmlkaHR0cHM6Ly90Lm1lL0Vycm9yNDA0SGFja2VyTm90
+Rm91bmQ/cHJvb2Y9UGVsb2NvbmNoYTMACgkQPKC53xvnzgk04wD/X+sXGUkHidbq
+LnXHpIRALPWj2Z3xMZ0lhQtGoFwzleUA/3qo1clCRsshDzPcogzhb17suxeeFCpc
+xnhBBgIiQHAA
+=kX0Z
+-----END PGP SIGNATURE-----

keyring/main/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/uid/Kevin_Mu_oz__CyberSecurity_Engineer___kmunoz@condorbs.net_6546871d/certification/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wnUEEBYIAB0WIQRZckTb6lLsbv5fNqT91CpZ/UPAewUCZPS9MQAKCRD91CpZ/UPA
+e1UaAP91tm9ss0SMP48+hyhqwijwWeGEhag1NFh2rsHJvZJI6wEArG3FTI9fp62K
+iz6rdhGhqCNLy+xzapAxbWQSdbDl4AM=
+=1F9Z
+-----END PGP SIGNATURE-----

keyring/packager/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/9E646BB0630C8FD18ACD15541B93E6A766CD229D.asc

@@ -0,0 +1,8 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xpMEZMmVIRMFK4EEACMEIwQAMg6oXItBfN9on9xjiZlu12gJ1tLIh5H8obYC1hdc
+8dp5I9/r2SDyModKr3YCRaLnvO9rkwoJ8G7aY0WXyj4O/c0AvosLnDvULoBexQB6
+VHtMkWe9ugbB0cZB54EJJr+pdaJUimOyZT0X3QMmSRhTBriAhnU/nk9KDfiZEyMM
+b8uZEjk=
+=GKHU
+-----END PGP PUBLIC KEY BLOCK-----

keyring/packager/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/subkey/3051C14ACC7CFFBEF5CB04D776D67D99EA77D0F6/3051C14ACC7CFFBEF5CB04D776D67D99EA77D0F6.asc

@@ -0,0 +1,8 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zpcEZMmVIRIFK4EEACMEIwQBtRBYmz2Ikb81Ng2DQ1vNfbSvPegAnBGgeBXcpN/o
+lkCPy/ZlknKbcfl3IKQclFFi5+Oxn9wAl7cjUiEJ2I5hwXoAGz5B7+sj+YcFq+rg
+0YcXqWZtgzqtHXElvB8cFua1XlVX5/e8nllFImSsWoy+Sx0xfkwnpn6jksvbACRW
+ACpuB8YDAQoJ
+=LjwU
+-----END PGP ARMORED FILE-----

keyring/packager/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/subkey/3051C14ACC7CFFBEF5CB04D776D67D99EA77D0F6/certification/9E646BB0630C8FD18ACD15541B93E6A766CD229D.asc

@@ -0,0 +1,8 @@
+-----BEGIN PGP SIGNATURE-----
+
+wrsEGBMKACAWIQSeZGuwYwyP0YrNFVQbk+anZs0inQUCZMmVIQIbDAAKCRAbk+an
+Zs0inUO6AgiGHmHLw4H6e4xXqIeagIvOYGYZWjp3L4flgogOUet+04zPV0GiH4aE
+bojPlS9Qgis6uzVsdkvg2aTVlT1mNrwoWgIJASQuhhubtoKvM1OqPOE4Wg3dJGXt
+435oYPDvCtd7aTleqLzo4Cu5ArSC6mLJ1u0ZmeGBIX2FCbboSHuwpCNca6aN
+=F5p6
+-----END PGP SIGNATURE-----

keyring/packager/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___jortega@condorbs.net_2a95b4c3/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___jortega@condorbs.net_2a95b4c3.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zVBKZXN1cyBNYXJ0aW4gT3J0ZWdhIE1hcnRpbmV6IChTeXNhZG1pbi9CYWNrZW5k
+IERldmVsb3BlcikgPGpvcnRlZ2FAY29uZG9yYnMubmV0Pg==
+=e3s5
+-----END PGP ARMORED FILE-----

keyring/packager/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___jortega@condorbs.net_2a95b4c3/certification/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wnUEEBYIAB0WIQQrnSK0HyrxBCv85zo8oLnfG+fOCQUCZNqa7AAKCRA8oLnfG+fO
+CWqZAQD3QajH/taR/uqhPiZru3xo+ylvCi3ZuzaoLSYCMfWUiAEAuAfusmx7Rctj
+y8k92/3roCiWz1HgmwGtAXfDAAxguA0=
+=3qNK
+-----END PGP SIGNATURE-----

keyring/packager/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___jortega@condorbs.net_2a95b4c3/certification/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wnUEEBYIAB0WIQRZckTb6lLsbv5fNqT91CpZ/UPAewUCZPTEhwAKCRD91CpZ/UPA
+e2LuAP9tdozKCw1PUpDvfLyC3vKc7EFqJSkDYRhyNYmc+g70tgEAtKaD9hLGVY7E
+7S7+MHx3ThOfcz7gp9mTRzrZ//NFswk=
+=z6WD
+-----END PGP SIGNATURE-----

keyring/packager/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___jortega@condorbs.net_2a95b4c3/certification/9E646BB0630C8FD18ACD15541B93E6A766CD229D.asc

@@ -0,0 +1,9 @@
+-----BEGIN PGP SIGNATURE-----
+
+wsATBBMTCgA4FiEEnmRrsGMMj9GKzRVUG5Pmp2bNIp0FAmTJ6B8CGwMFCwkIBwIG
+FQoJCAsCBBYCAwECHgECF4AACgkQG5Pmp2bNIp0P/AIJAdxv/DbUoqRGRnwdcEBF
+wqZi12/v+K9IGgLsvmOyAlluInp/aWG8w6iO1Gcr7uz5ChQ+qCwPBe3cBQRNiE3e
+52lfAgjUjvEO63nIwCCgERUNqaaDZorlVYUlNG/KO1bJ8BT6iJYI2ruj10jt3T8H
+OQD7R+gE3Kye2v3QOj8h7XSDF0e3ZQ==
+=8eqD
+-----END PGP SIGNATURE-----

keyring/packager/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martin.ortega.arashi@gmail.com_d92840be/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martin.ortega.arashi@gmail.com_d92840be.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zVpKZXN1cyBNYXJ0aW4gT3J0ZWdhIE1hcnRpbmV6IChTeXNhZG1pbi9CYWNrZW5k
+IERldmVsb3BlcikgPG1hcnRpbi5vcnRlZ2EuYXJhc2hpQGdtYWlsLmNvbT4=
+=HM/p
+-----END PGP ARMORED FILE-----

keyring/packager/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martin.ortega.arashi@gmail.com_d92840be/certification/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wnUEEBYIAB0WIQQrnSK0HyrxBCv85zo8oLnfG+fOCQUCZNqa7AAKCRA8oLnfG+fO
+CS1LAP44EV14Z4lOt+XiVFUzmBujq60m4/bvTjbB77tD9LvNegEAjeUkPoi3JtHx
+WBMKHcJD07LnWS0hqrdlPxFl9dp5Uwg=
+=Y2Va
+-----END PGP SIGNATURE-----

keyring/packager/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martin.ortega.arashi@gmail.com_d92840be/certification/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wnUEEBYIAB0WIQRZckTb6lLsbv5fNqT91CpZ/UPAewUCZPTEgQAKCRD91CpZ/UPA
+e0rYAQCl6lPg73DMmTeAUV1Uqi2nyMjNIefvEtUY2uabv8FvMwD9FiFMI0yDbmoc
+c/sYuHcQqZhxzBJDlOYymnjw9OAv+QM=
+=wrpE
+-----END PGP SIGNATURE-----

keyring/packager/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martin.ortega.arashi@gmail.com_d92840be/certification/9E646BB0630C8FD18ACD15541B93E6A766CD229D.asc

@@ -0,0 +1,9 @@
+-----BEGIN PGP SIGNATURE-----
+
+wsATBBMTCgA4FiEEnmRrsGMMj9GKzRVUG5Pmp2bNIp0FAmTJ6dECGwMFCwkIBwIG
+FQoJCAsCBBYCAwECHgECF4AACgkQG5Pmp2bNIp3QYwIJARhW4FH+4LaSuqcJF+A3
+DVlAM446erNpUWx0IZGreiO559IK+1YKdDlMXgiag26XVXKNM2QGrsHhAwU9+dLx
+fC4FAgdO1bF1oPT9ASKljXqcFfy4+t2X/8nv1BMTl5u9esCP7VZ9xURirIpklJwY
+NcDtRWMZSX4xrMBnkdn+x08EwLmzTQ==
+=vhPl
+-----END PGP SIGNATURE-----

keyring/packager/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martinortega@ciencias.unam.mx_4b07ff77/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martinortega@ciencias.unam.mx_4b07ff77.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zVlKZXN1cyBNYXJ0aW4gT3J0ZWdhIE1hcnRpbmV6IChTeXNhZG1pbi9CYWNrZW5k
+IERldmVsb3BlcikgPG1hcnRpbm9ydGVnYUBjaWVuY2lhcy51bmFtLm14Pg==
+=ZuCG
+-----END PGP ARMORED FILE-----

keyring/packager/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martinortega@ciencias.unam.mx_4b07ff77/certification/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wnUEEBYIAB0WIQQrnSK0HyrxBCv85zo8oLnfG+fOCQUCZNqa7AAKCRA8oLnfG+fO
+CS0rAQCJXdLjaSluAAs2/llUmSyNMEiHrewhW/1xMGT+flLeJwD+IbKRpqVSnxdv
+1Zf1l7V4twaNTR9Szn+y79/iAXKi3Qo=
+=xMYy
+-----END PGP SIGNATURE-----

keyring/packager/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martinortega@ciencias.unam.mx_4b07ff77/certification/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wnUEEBYIAB0WIQRZckTb6lLsbv5fNqT91CpZ/UPAewUCZPTEiAAKCRD91CpZ/UPA
+ewEIAQD1Tv6GyecgA8IveFHfGVRus/hCgAoSc4PMMyWI15ypyQEA+FNlZsmueGul
+kfskMpwMmp/BkVYi3PtBja2G9yNRggc=
+=BnkF
+-----END PGP SIGNATURE-----

keyring/packager/madara125/9E646BB0630C8FD18ACD15541B93E6A766CD229D/uid/Jesus_Martin_Ortega_Martinez__Sysadmin_Backend_Developer___martinortega@ciencias.unam.mx_4b07ff77/certification/9E646BB0630C8FD18ACD15541B93E6A766CD229D.asc

@@ -0,0 +1,9 @@
+-----BEGIN PGP SIGNATURE-----
+
+wsAUBBMTCgA4FiEEnmRrsGMMj9GKzRVUG5Pmp2bNIp0FAmTJ6X8CGwMFCwkIBwIG
+FQoJCAsCBBYCAwECHgECF4AACgkQG5Pmp2bNIp2agwIJAcixnfmr/NmpYJa0oS6w
+YB619pekk3gMzeLaBX3VXbHus3p/KPPcBIq0NbjGe6V7pcwHW2qd9Iq43zH/LtGD
+CVnYAgkBCv9EzRpbXQrMNtc3fHiR/vbCRIeP4LVnQYcTImFh7+nrlmr01Fl4gy4I
+MEF0ydpFMwwTLdA18CpjVWJysaLPogc=
+=Fcxd
+-----END PGP SIGNATURE-----

keyring/packager/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xjMEZNlVYBYJKwYBBAHaRw8BAQdAqrHl4S2UIU1DVv75VVqxYWzMXIj6DUYOEdx5
+9S54ziY=
+=AoQq
+-----END PGP PUBLIC KEY BLOCK-----

keyring/packager/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/subkey/BA4AA44367DAAD0F20F415BFD07D531204D231E1/BA4AA44367DAAD0F20F415BFD07D531204D231E1.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zjMEZNlWbxYJKwYBBAHaRw8BAQdAV2fQb6zL0/FtXruJHxiYulW0C/RVdJH5u/st
+dZ4XCao=
+=xMzn
+-----END PGP ARMORED FILE-----

keyring/packager/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/subkey/BA4AA44367DAAD0F20F415BFD07D531204D231E1/certification/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wngEGBYIACAWIQQrnSK0HyrxBCv85zo8oLnfG+fOCQUCZNlWbwIbIAAKCRA8oLnf
+G+fOCcclAP9vH93UilCUalYkdkg0IIimuOrYJAFE3PoYzM3Yfh9VSAD/b750y/y6
+5soKAhwaVWI0mD+2ktStLv5GQQVsD9aYqAI=
+=Vrin
+-----END PGP SIGNATURE-----

keyring/packager/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/subkey/DA436DE8EF44606E25CE6DCBDC7A4E881B30B5C6/DA436DE8EF44606E25CE6DCBDC7A4E881B30B5C6.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zjgEZNlWvxIKKwYBBAGXVQEFAQEHQEQesoNgKWVLnSEVok8pd9FyElkGY1zDKXsi
+ZaVYcTRkAwEIBw==
+=VQWX
+-----END PGP ARMORED FILE-----

keyring/packager/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/subkey/DA436DE8EF44606E25CE6DCBDC7A4E881B30B5C6/certification/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wngEGBYIACAWIQQrnSK0HyrxBCv85zo8oLnfG+fOCQUCZNlWvwIbDAAKCRA8oLnf
+G+fOCU8IAP43YS3bfntHouOiZk7UuxLbHeXQl6YkBTgO0W+uKTPtrwD8CBgI2PED
+ktTsoBkDQxKzGJRmCRwnaK1yIipT/mwQEQ8=
+=T+Yn
+-----END PGP SIGNATURE-----

keyring/packager/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/uid/Kevin_Mu_oz__CiberSecurity_Engineer___kmunoz@condorbs.net_b896e3f8/Kevin_Mu_oz__CiberSecurity_Engineer___kmunoz@condorbs.net_b896e3f8.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zTtLZXZpbiBNdcOxb3ogKENpYmVyU2VjdXJpdHkgRW5naW5lZXIpIDxrbXVub3pA
+Y29uZG9yYnMubmV0Pg==
+=dz9S
+-----END PGP ARMORED FILE-----

keyring/packager/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/uid/Kevin_Mu_oz__CiberSecurity_Engineer___kmunoz@condorbs.net_b896e3f8/certification/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09.asc

@@ -0,0 +1,8 @@
+-----BEGIN PGP SIGNATURE-----
+
+wpAEExYIADgWIQQrnSK0HyrxBCv85zo8oLnfG+fOCQUCZNlVYAIbAwULCQgHAgYV
+CgkICwIEFgIDAQIeAQIXgAAKCRA8oLnfG+fOCS2YAP9NkmVFAljJiYFLtc7o1xB3
+xT/qtfJKw95khnhQFLqd5AEAsb5vlZ/bDvb56Ygea+O/ar+qpq1q+cGvnUx2/OGP
+Jg4=
+=zdAS
+-----END PGP SIGNATURE-----

keyring/packager/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/uid/Kevin_Mu_oz__CiberSecurity_Engineer___kmunoz@condorbs.net_b896e3f8/certification/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wnUEEBYIAB0WIQRZckTb6lLsbv5fNqT91CpZ/UPAewUCZPS9OAAKCRD91CpZ/UPA
+e7bFAQCN21II7aHOe/paU/jX2vyQ33XS3oxJVpmQSEzp6R7U/QEAzwXCicEeAV3T
+71ymIsxFKu+fMHmpiSSvmAvzhxUBhwQ=
+=Lpv2
+-----END PGP SIGNATURE-----

keyring/packager/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/uid/Kevin_Mu_oz__CyberSecurity_Engineer___kmunoz@condorbs.net_6546871d/Kevin_Mu_oz__CyberSecurity_Engineer___kmunoz@condorbs.net_6546871d.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP ARMORED FILE-----
+
+zTtLZXZpbiBNdcOxb3ogKEN5YmVyU2VjdXJpdHkgRW5naW5lZXIpIDxrbXVub3pA
+Y29uZG9yYnMubmV0Pg==
+=sa4s
+-----END PGP ARMORED FILE-----

keyring/packager/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/uid/Kevin_Mu_oz__CyberSecurity_Engineer___kmunoz@condorbs.net_6546871d/certification/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+wsBmBBMWCADOAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAhkBFiEEK50itB8q
+8QQr/Oc6PKC53xvnzgkFAmTnd4NDFIAAAAAAEAAqcHJvb2ZAYXJpYWRuZS5pZGh0
+dHBzOi8vbWFzdG9kb24uY2VudGF1cmljb3JleC5uZXQvQGttdW5vek4UgAAAAAAQ
+ADVwcm9vZkBhcmlhZG5lLmlkaHR0cHM6Ly90Lm1lL0Vycm9yNDA0SGFja2VyTm90
+Rm91bmQ/cHJvb2Y9UGVsb2NvbmNoYTMACgkQPKC53xvnzgk04wD/X+sXGUkHidbq
+LnXHpIRALPWj2Z3xMZ0lhQtGoFwzleUA/3qo1clCRsshDzPcogzhb17suxeeFCpc
+xnhBBgIiQHAA
+=kX0Z
+-----END PGP SIGNATURE-----

keyring/packager/mrhacker/2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09/uid/Kevin_Mu_oz__CyberSecurity_Engineer___kmunoz@condorbs.net_6546871d/certification/597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+wnUEEBYIAB0WIQRZckTb6lLsbv5fNqT91CpZ/UPAewUCZPS9MQAKCRD91CpZ/UPA
+e1UaAP91tm9ss0SMP48+hyhqwijwWeGEhag1NFh2rsHJvZJI6wEArG3FTI9fp62K
+iz6rdhGhqCNLy+xzapAxbWQSdbDl4AM=
+=1F9Z
+-----END PGP SIGNATURE-----

keyringctl

@@ -0,0 +1,8 @@
+#!/usr/bin/env python3
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from libkeyringctl.cli import main
+
+if __name__ == "__main__":
+    main()

libkeyringctl/ci.py

@@ -0,0 +1,45 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from os import environ
+from pathlib import Path
+from typing import List
+
+from .git import git_changed_files
+from .util import get_parent_cert_paths
+from .verify import verify
+
+
+def ci(working_dir: Path, keyring_root: Path, project_root: Path) -> None:
+    """Verify certificates against modern expectations using `sq keyring lint` and hokey
+
+    Currently only newly added certificates will be checked against the expectations as existing
+    keys are not all fully compatible with those assumptions.
+    New certificates are determined by using $CI_MERGE_REQUEST_DIFF_BASE_SHA as the base,
+
+    Parameters
+    ----------
+    working_dir: A directory to use for temporary files
+    keyring_root: The keyring root directory to look up username shorthand sources
+    project_root: Path to the root of the git repository
+    """
+
+    ci_merge_request_diff_base = environ.get("CI_MERGE_REQUEST_DIFF_BASE_SHA")
+    created, deleted, modified = git_changed_files(
+        git_path=project_root, base=ci_merge_request_diff_base, paths=[Path("keyring")]
+    )
+
+    changed_certificates: List[Path] = list(get_parent_cert_paths(paths=created + deleted + modified))
+
+    verify(
+        working_dir=working_dir,
+        keyring_root=keyring_root,
+        sources=changed_certificates,
+        lint_hokey=False,
+        lint_sq_keyring=False,
+    )
+
+    added_certificates: List[Path] = [
+        path for path in changed_certificates if (path / f"{path.name}.asc").relative_to(project_root) in created
+    ]
+    if added_certificates:
+        verify(working_dir=working_dir, keyring_root=keyring_root, sources=added_certificates)

libkeyringctl/cli.py

@@ -0,0 +1,229 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from argparse import ArgumentParser
+from logging import DEBUG
+from logging import basicConfig
+from logging import debug
+from pathlib import Path
+from tempfile import TemporaryDirectory
+from tempfile import mkdtemp
+
+from .ci import ci
+from .keyring import Username
+from .keyring import build
+from .keyring import convert
+from .keyring import export
+from .keyring import inspect_keyring
+from .keyring import list_keyring
+from .types import TrustFilter
+from .util import absolute_path
+from .util import cwd
+from .verify import verify
+
+parser = ArgumentParser()
+parser.add_argument(
+    "-v", "--verbose", action="store_true", help="Causes to print debugging messages about the progress"
+)
+parser.add_argument("--wait", action="store_true", help="Block before cleaning up the temp directory")
+parser.add_argument(
+    "-f",
+    "--force",
+    action="store_true",
+    default=False,
+    help="force the execution of subcommands (e.g. overwriting of files)",
+)
+subcommands = parser.add_subparsers(dest="subcommand")
+
+convert_parser = subcommands.add_parser(
+    "convert",
+    help="convert one or multiple PGP public keys to a decomposed directory structure",
+)
+convert_parser.add_argument("source", type=absolute_path, nargs="+", help="Files or directorie to convert")
+convert_parser.add_argument("--target", type=absolute_path, help="Target directory instead of a random tmpdir")
+convert_parser.add_argument(
+    "--name",
+    type=Username,
+    default=None,
+    help="override the username to use (only useful when using a single file as source)",
+)
+
+import_parser = subcommands.add_parser(
+    "import",
+    help="import one or several PGP keys to the keyring directory structure",
+)
+import_parser.add_argument("source", type=absolute_path, nargs="+", help="Files or directories to import")
+import_parser.add_argument(
+    "--name",
+    type=Username,
+    default=None,
+    help="override the username to use (only useful when using a single file as source)",
+)
+import_parser.add_argument("--main", action="store_true", help="Import a main signing key into the keyring")
+
+export_parser = subcommands.add_parser(
+    "export",
+    help="export a directory structure of PGP packet data to a combined file",
+)
+export_parser.add_argument("-o", "--output", type=absolute_path, help="file to write PGP packet data to")
+export_parser.add_argument(
+    "source",
+    nargs="*",
+    help="username, fingerprint or directories containing certificates",
+    type=absolute_path,
+)
+
+build_parser = subcommands.add_parser(
+    "build",
+    help="build keyring PGP artifacts alongside ownertrust and revoked status files",
+)
+
+list_parser = subcommands.add_parser(
+    "list",
+    help="list the certificates in the keyring",
+)
+list_parser.add_argument("--main", action="store_true", help="List main signing keys instead of packager keys")
+list_parser.add_argument(
+    "--trust",
+    choices=[e.value for e in TrustFilter],
+    default=TrustFilter.all.value,
+    help="Filter the list based on trust",
+)
+list_parser.add_argument(
+    "source",
+    nargs="*",
+    help="username, fingerprint or directories containing certificates",
+    type=absolute_path,
+)
+
+inspect_parser = subcommands.add_parser(
+    "inspect",
+    help="inspect certificates in the keyring and pretty print the data",
+)
+inspect_parser.add_argument(
+    "source",
+    nargs="*",
+    help="username, fingerprint or directories containing certificates",
+    type=absolute_path,
+)
+
+verify_parser = subcommands.add_parser(
+    "verify",
+    help="verify certificates against modern expectations",
+)
+verify_parser.add_argument(
+    "source",
+    nargs="*",
+    help="username, fingerprint or directories containing certificates",
+    type=absolute_path,
+)
+verify_parser.add_argument("--no-lint-hokey", dest="lint_hokey", action="store_false", help="Do not run hokey lint")
+verify_parser.add_argument(
+    "--no-lint-sq-keyring", dest="lint_sq_keyring", action="store_false", help="Do not run sq keyring lint"
+)
+verify_parser.set_defaults(lint_hokey=True, lint_sq_keyring=True)
+
+check_parser = subcommands.add_parser(
+    "check",
+    help="Run keyring integrity and consistency checks",
+)
+
+ci_parser = subcommands.add_parser(
+    "ci",
+    help="ci command to verify certain aspects and expectations in pipelines",
+)
+
+
+def main() -> None:  # noqa: ignore=C901
+    args = parser.parse_args()
+
+    if args.verbose:
+        basicConfig(level=DEBUG)
+
+    # temporary working directory that gets auto cleaned
+    with TemporaryDirectory(prefix="arch-keyringctl-") as tempdir:
+        project_root = Path(".").absolute()
+        keyring_root = Path("keyring").absolute()
+        working_dir = Path(tempdir)
+        debug(f"Working directory: {working_dir}")
+        with cwd(working_dir):
+            if "convert" == args.subcommand:
+                target_dir = args.target or Path(mkdtemp(prefix="arch-keyringctl-")).absolute()
+                print(
+                    convert(
+                        working_dir=working_dir,
+                        keyring_root=keyring_root,
+                        sources=args.source,
+                        target_dir=target_dir,
+                        name_override=args.name,
+                    )
+                )
+            elif "import" == args.subcommand:
+                target_dir = "main" if args.main else "packager"
+                print(
+                    convert(
+                        working_dir=working_dir,
+                        keyring_root=keyring_root,
+                        sources=args.source,
+                        target_dir=keyring_root / target_dir,
+                        name_override=args.name,
+                    )
+                )
+            elif "export" == args.subcommand:
+                result = export(
+                    working_dir=working_dir,
+                    keyring_root=keyring_root,
+                    sources=args.source,
+                    output=args.output,
+                )
+                if result:
+                    print(
+                        result,
+                        end="",
+                    )
+            elif "build" == args.subcommand:
+                build(
+                    working_dir=working_dir,
+                    keyring_root=keyring_root,
+                    target_dir=keyring_root.parent / "build",
+                )
+            elif "list" == args.subcommand:
+                trust_filter = TrustFilter[args.trust]
+                list_keyring(
+                    keyring_root=keyring_root,
+                    sources=args.source,
+                    main_keys=args.main,
+                    trust_filter=trust_filter,
+                )
+            elif "inspect" == args.subcommand:
+                print(
+                    inspect_keyring(
+                        working_dir=working_dir,
+                        keyring_root=keyring_root,
+                        sources=args.source,
+                    ),
+                    end="",
+                )
+            elif "verify" == args.subcommand:
+                verify(
+                    working_dir=working_dir,
+                    keyring_root=keyring_root,
+                    sources=args.source,
+                    lint_hokey=args.lint_hokey,
+                    lint_sq_keyring=args.lint_sq_keyring,
+                )
+            elif "ci" == args.subcommand:
+                ci(working_dir=working_dir, keyring_root=keyring_root, project_root=project_root)
+            elif "check" == args.subcommand:
+                verify(
+                    working_dir=working_dir,
+                    keyring_root=keyring_root,
+                    sources=[keyring_root],
+                    lint_hokey=False,
+                    lint_sq_keyring=False,
+                )
+            else:
+                parser.print_help()
+
+            if args.wait:
+                print("Press [ENTER] to continue")
+                input()

libkeyringctl/git.py

@@ -0,0 +1,55 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from pathlib import Path
+from typing import List
+from typing import Optional
+from typing import Tuple
+
+from .util import system
+
+
+def git_changed_files(
+    git_path: Optional[Path] = None, base: Optional[str] = None, paths: Optional[List[Path]] = None
+) -> Tuple[List[Path], List[Path], List[Path]]:
+    """Returns lists of created, deleted and modified files based on diff stats related to a base commit
+    and optional paths.
+
+    Parameters
+    ----------
+    git_path: Path to the git repository, current directory by default
+    base: Optional base rev or current index by default
+    paths: Optional list of paths to take into account, unfiltered by default
+
+    Returns
+    -------
+    Lists of created, deleted and modified paths
+    """
+    cmd = ["git"]
+    if git_path:
+        cmd += ["-C", str(git_path)]
+    cmd += ["--no-pager", "diff", "--color=never", "--summary", "--numstat"]
+    if base:
+        cmd += [base]
+    if paths:
+        cmd += ["--"]
+        cmd += [str(path) for path in paths]
+
+    result: str = system(cmd)
+
+    created: List[Path] = []
+    deleted: List[Path] = []
+    modified: List[Path] = []
+
+    for line in result.splitlines():
+        line = line.strip()
+        if line.startswith("create"):
+            created.append(Path(line.split(maxsplit=3)[3]))
+            continue
+        if line.startswith("delete"):
+            deleted.append(Path(line.split(maxsplit=3)[3]))
+            continue
+        modified.append(Path(line.split(maxsplit=2)[2]))
+
+    modified = [path for path in modified if path not in created and path not in deleted]
+
+    return created, deleted, modified

libkeyringctl/sequoia.py

@@ -0,0 +1,363 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from collections import deque
+from datetime import datetime
+from functools import reduce
+from pathlib import Path
+from platform import python_version_tuple
+from re import sub
+from tempfile import mkdtemp
+from typing import Dict
+
+# NOTE: remove after python 3.8.x is no longer supported upstream
+if int(python_version_tuple()[1]) < 9:  # pragma: no cover
+    from typing import Iterable
+else:
+    from collections.abc import Iterable
+from typing import List
+from typing import Optional
+
+from .types import Fingerprint
+from .types import PacketKind
+from .types import Uid
+from .types import Username
+from .util import cwd
+from .util import natural_sort_path
+from .util import system
+
+
+def keyring_split(working_dir: Path, keyring: Path, preserve_filename: bool = False) -> Iterable[Path]:
+    """Split a file containing a PGP keyring into separate certificate files
+
+    The original keyring filename is preserved if the split only yields a single certificate.
+    If preserve_filename is True, all keyrings are placed into separate directories while preserving
+    the filename.
+
+    The file is split using sq.
+
+    Parameters
+    ----------
+    working_dir: The path of the working directory below which to create the output files
+    keyring: The path of a file containing a PGP keyring
+    preserve_filename: If True, all keyrings are placed into separate directories while preserving the filename
+
+    Returns
+    -------
+    An iterable over the naturally sorted list of certificate files derived from a keyring
+    """
+
+    keyring_dir = Path(mkdtemp(dir=working_dir, prefix="keyring-")).absolute()
+
+    with cwd(keyring_dir):
+        system(["sq", "keyring", "split", "--prefix", "", str(keyring)])
+
+    keyrings: List[Path] = list(natural_sort_path(keyring_dir.iterdir()))
+
+    if 1 == len(keyrings) or preserve_filename:
+        for index, key in enumerate(keyrings):
+            keyring_sub_dir = Path(mkdtemp(dir=keyring_dir, prefix=f"{keyring.name}-")).absolute()
+            keyrings[index] = key.rename(keyring_sub_dir / keyring.name)
+
+    return keyrings
+
+
+def keyring_merge(certificates: List[Path], output: Optional[Path] = None, force: bool = False) -> str:
+    """Merge multiple certificates into a keyring
+
+    Parameters
+    ----------
+    certificates: List of paths to certificates to merge into a keyring
+    output: Path to a file which the keyring is written, return the result instead if None
+    force: Whether to force overwriting existing files (defaults to False)
+
+    Returns
+    -------
+    The result if no output file has been used
+    """
+
+    cmd = ["sq", "keyring", "merge"]
+    if force:
+        cmd.insert(1, "--force")
+    if output:
+        cmd += ["--output", str(output)]
+    cmd += [str(cert) for cert in sorted(certificates)]
+
+    return system(cmd)
+
+
+def packet_split(working_dir: Path, certificate: Path) -> Iterable[Path]:
+    """Split a file containing a PGP certificate into separate packet files
+
+    The files are split using sq
+
+    Parameters
+    ----------
+    working_dir: The path of the working directory below which to create the output files
+    certificate: The absolute path of a file containing one PGP certificate
+
+    Returns
+    -------
+    An iterable over the naturally sorted list of packet files derived from certificate
+    """
+
+    packet_dir = Path(mkdtemp(dir=working_dir, prefix="packet-")).absolute()
+
+    with cwd(packet_dir):
+        system(["sq", "packet", "split", "--prefix", "", str(certificate)])
+    return natural_sort_path(packet_dir.iterdir())
+
+
+def packet_join(packets: List[Path], output: Optional[Path] = None, force: bool = False) -> str:
+    """Join PGP packet data in files to a single output file
+
+    Parameters
+    ----------
+    packets: A list of paths to files that contain PGP packet data
+    output: Path to a file to which all PGP packet data is written, return the result instead if None
+    force: Whether to force overwriting existing files (defaults to False)
+
+    Returns
+    -------
+    The result if no output file has been used
+    """
+
+    cmd = ["sq", "packet", "join"]
+    if force:
+        cmd.insert(1, "--force")
+    packets_str = list(map(lambda path: str(path), packets))
+    cmd.extend(packets_str)
+    cmd.extend(["--output", str(output)])
+    return system(cmd)
+
+
+def inspect(
+    packet: Path, certifications: bool = True, fingerprints: Optional[Dict[Fingerprint, Username]] = None
+) -> str:
+    """Inspect PGP packet data and return the result
+
+    Parameters
+    ----------
+    packet: Path to a file that contain PGP data
+    certifications: Whether to print third-party certifications
+    fingerprints: Optional dict of fingerprints to usernames to enrich the output with
+
+    Returns
+    -------
+    The result of the inspection
+    """
+
+    cmd = ["sq", "inspect"]
+    if certifications:
+        cmd.append("--certifications")
+    cmd.append(str(packet))
+    result: str = system(cmd)
+
+    if fingerprints:
+        for fingerprint, username in fingerprints.items():
+            result = sub(f"{fingerprint}", f"{fingerprint} {username}", result)
+            result = sub(f" {fingerprint[24:]}", f" {fingerprint[24:]} {username}", result)
+
+    return result
+
+
+def packet_dump(packet: Path) -> str:
+    """Dump a PGP packet to string
+
+    The `sq packet dump` command is used to retrieve a dump of information from a PGP packet
+
+    Parameters
+    ----------
+    packet: The path to the PGP packet to retrieve the value from
+
+    Returns
+    -------
+    The contents of the packet dump
+    """
+
+    return system(["sq", "packet", "dump", str(packet)])
+
+
+def packet_dump_field(packet: Path, query: str) -> str:
+    """Retrieve the value of a field from a PGP packet
+
+    Field queries are possible with the following notation during tree traversal:
+    - Use '.' to separate the parent section
+    - Use '*' as a wildcard for the current section
+    - Use '|' inside the current level as a logical OR
+
+    Example:
+    - Version
+    - Hashed area|Unhashed area.Issuer
+    - *.Issuer
+
+    Parameters
+    ----------
+    packet: The path to the PGP packet to retrieve the value from
+    query: The name of the field as a query notation
+
+    Raises
+    ------
+    Exception: If the field is not found in the PGP packet
+
+    Returns
+    -------
+    The value of the field found in packet
+    """
+
+    dump = packet_dump(packet)
+
+    queries = deque(query.split("."))
+    path = [queries.popleft()]
+    depth = 0
+
+    # remove leading 4 space indention
+    lines = list(filter(lambda line: line.startswith("    "), dump.splitlines()))
+    lines = [sub(r"^ {4}", "", line, count=1) for line in lines]
+    # filter empty lines
+    lines = list(filter(lambda line: line.strip(), lines))
+
+    for line in lines:
+        # determine current line depth by counting whitespace pairs
+        depth_line = int((len(line) - len(line.lstrip(" "))) / 2)
+        line = line.lstrip(" ")
+
+        # skip nodes that are deeper as our currently matched path
+        if depth < depth_line:
+            continue
+
+        # unwind the current query path until reaching previous match depth
+        while depth > depth_line:
+            queries.appendleft(path.pop())
+            depth -= 1
+        matcher = path[-1].split("|")
+
+        # check if current field matches the query expression
+        field = line.split(sep=":", maxsplit=1)[0]
+        if field not in matcher and "*" not in matcher:
+            continue
+
+        # next depth is one level deeper as the current line
+        depth = depth_line + 1
+
+        # check if matcher is not the leaf of the query expression
+        if queries:
+            path.append(queries.popleft())
+            continue
+
+        # return final match
+        return line.split(sep=": ", maxsplit=1)[1] if ": " in line else line
+
+    raise Exception(f"Packet '{packet}' did not match the query '{query}'")
+
+
+def packet_signature_creation_time(packet: Path) -> datetime:
+    """Retrieve the signature creation time field as datetime
+
+    Parameters
+    ----------
+    packet: The path to the PGP packet to retrieve the value from
+
+    Returns
+    -------
+    The signature creation time as datetime
+    """
+    field = packet_dump_field(packet, "Hashed area.Signature creation time")
+    field = " ".join(field.split(" ", 3)[0:3])
+    return datetime.strptime(field, "%Y-%m-%d %H:%M:%S %Z")
+
+
+def packet_kinds(packet: Path) -> List[PacketKind]:
+    """Retrieve the PGP packet types of a packet path
+
+    Parameters
+    ----------
+    packet: The path to the PGP packet to retrieve the kind of
+
+    Returns
+    -------
+    The kind of PGP packet
+    """
+
+    dump = packet_dump(packet)
+    lines = [line for line in dump.splitlines()]
+    lines = list(
+        filter(lambda line: not line.startswith(" ") and not line.startswith("WARNING") and line.strip(), lines)
+    )
+    return [PacketKind(line.split()[0]) for line in lines]
+
+
+def latest_certification(certifications: Iterable[Path]) -> Path:
+    """Returns the latest certification based on the signature creation time from a list of packets.
+
+    Parameters
+    ----------
+    certifications: List of certification from which to choose the latest from
+
+    Returns
+    -------
+    The latest certification from a list of packets
+    """
+    return reduce(
+        lambda a, b: a if packet_signature_creation_time(a) > packet_signature_creation_time(b) else b,
+        certifications,
+    )
+
+
+def key_generate(uids: List[Uid], outfile: Path) -> str:
+    """Generate a PGP key with specific uids
+
+    Parameters
+    ----------
+    uids: List of uids that the key should have
+    outfile: Path to the file to which the key should be written to
+
+    Returns
+    -------
+    The result of the key generate call
+    """
+
+    cmd = ["sq", "key", "generate"]
+    for uid in uids:
+        cmd.extend(["--userid", str(uid)])
+    cmd.extend(["--output", str(outfile)])
+    return system(cmd)
+
+
+def key_extract_certificate(key: Path, output: Optional[Path]) -> str:
+    """Extracts the non secret part from a key into a certificate
+
+    Parameters
+    ----------
+    key: Path to a file that contain secret key material
+    output: Path to the file to which the key should be written to, stdout if None
+
+    Returns
+    -------
+    The result of the extract in case output is None
+    """
+
+    cmd = ["sq", "key", "extract-cert", str(key)]
+    if output:
+        cmd.extend(["--output", str(output)])
+    return system(cmd)
+
+
+def certify(key: Path, certificate: Path, uid: Uid, output: Optional[Path]) -> str:
+    """Inspect PGP packet data and return the result
+
+    Parameters
+    ----------
+    key: Path to a file that contain secret key material
+    certificate: Path to a certificate file whose uid should be certified
+    uid: Uid contain in the certificate that should be certified
+    output: Path to the file to which the key should be written to, stdout if None
+
+    Returns
+    -------
+    The result of the certification in case output is None
+    """
+
+    cmd = ["sq", "certify", str(key), str(certificate), uid]
+    if output:
+        cmd.extend(["--output", str(output)])
+    return system(cmd)

libkeyringctl/trust.py

@@ -0,0 +1,270 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from logging import debug
+from pathlib import Path
+from typing import Dict
+from typing import Iterable
+from typing import Optional
+from typing import Set
+
+from .types import Color
+from .types import Fingerprint
+from .types import Trust
+from .types import TrustFilter
+from .types import Uid
+from .util import contains_fingerprint
+from .util import get_cert_paths
+from .util import get_fingerprint_from_partial
+
+
+def certificate_trust_from_paths(
+    sources: Iterable[Path], main_keys: Set[Fingerprint], all_fingerprints: Set[Fingerprint]
+) -> Dict[Fingerprint, Trust]:
+    """Get the trust status of all certificates in a list of paths given by main keys.
+
+    Uses `get_get_certificate_trust` to determine the trust status.
+
+    Parameters
+    ----------
+    sources: Certificates to acquire the trust status from
+    main_keys: Fingerprints of trusted keys used to calculate the trust of the certificates from sources
+    all_fingerprints: Fingerprints of all certificates, packager and main, to look up key-ids to full fingerprints
+
+    Returns
+    -------
+    A dictionary of fingerprints and their trust level
+    """
+
+    sources = get_cert_paths(sources)
+    certificate_trusts: Dict[Fingerprint, Trust] = {}
+
+    for certificate in sorted(sources):
+        fingerprint = Fingerprint(certificate.name)
+        certificate_trusts[fingerprint] = certificate_trust(
+            certificate=certificate, main_keys=main_keys, all_fingerprints=all_fingerprints
+        )
+    return certificate_trusts
+
+
+def certificate_trust(  # noqa: ignore=C901
+    certificate: Path, main_keys: Set[Fingerprint], all_fingerprints: Set[Fingerprint]
+) -> Trust:
+    """Get the trust status of a certificates given by main keys.
+
+    main certificates are:
+        revoked if:
+            - the certificate has been self-revoked (also applies to 3rd party applied revocation certificates)
+        full trust if:
+            - the certificate is not self-revoked
+
+    regular certificates are:
+        full trust if:
+            - the certificate is not self-revoked and:
+                - any uid contains at least 3 non revoked main key signatures
+        marginal trust if:
+            - the certificate is not self-revoked and:
+                - any uid contains at least 1 but less than 3 non revoked main key signatures
+                - no uid contains at least 3 non revoked main key signatures
+        unknown trust if:
+            - the certificate is not self-revoked and:
+                - no uid contains any non revoked main key signature
+        revoked if:
+            - the certificate has been self-revoked, or
+            - no uid contains at least 3 non revoked main key signatures and:
+                - any uid contains at least 1 revoked main key signature
+
+    Parameters
+    ----------
+    certificate: Certificate to acquire the trust status from
+    main_keys: Fingerprints of trusted keys used to calculate the trust of the certificates from sources
+    all_fingerprints: Fingerprints of all certificates, packager and main, to look up key-ids to full fingerprints
+
+    Returns
+    -------
+    Trust level of the certificate
+    """
+
+    fingerprint: Fingerprint = Fingerprint(certificate.name)
+    keyring_root = certificate.parent.parent.parent
+
+    # collect revoked main keys
+    main_keys_revoked: Set[Fingerprint] = set()
+    for main_key in main_keys:
+        for revocation in keyring_root.glob(f"main/*/{main_key}/revocation/*.asc"):
+            if main_key.endswith(revocation.stem):
+                main_keys_revoked.add(main_key)
+
+    revocations: Set[Fingerprint] = set()
+    # TODO: what about direct key revocations/signatures?
+    for revocation in certificate.glob("revocation/*.asc"):
+        issuer: Optional[Fingerprint] = get_fingerprint_from_partial(all_fingerprints, Fingerprint(revocation.stem))
+        if not issuer:
+            raise Exception(f"Unknown issuer: {issuer}")
+        if not fingerprint.endswith(issuer):
+            raise Exception(f"Wrong root revocation issuer: {issuer}, expected: {fingerprint}")
+        debug(f"Revoking {fingerprint} due to self-revocation")
+        revocations.add(fingerprint)
+
+    if revocations:
+        return Trust.revoked
+
+    # main keys are either trusted or revoked
+    is_main_certificate = contains_fingerprint(fingerprints=main_keys, fingerprint=fingerprint)
+    if is_main_certificate:
+        return Trust.full
+
+    uid_trust: Dict[Uid, Trust] = {}
+    self_revoked_uids: Set[Uid] = set()
+    uids = certificate / "uid"
+    for uid_path in uids.iterdir():
+        uid: Uid = Uid(uid_path.name)
+
+        revocations = set()
+        for revocation in uid_path.glob("revocation/*.asc"):
+            issuer = get_fingerprint_from_partial(all_fingerprints, Fingerprint(revocation.stem))
+            if not issuer:
+                raise Exception(f"Unknown issuer: {issuer}")
+            # self revocation
+            if fingerprint.endswith(issuer):
+                self_revoked_uids.add(uid)
+            # main key revocation
+            elif contains_fingerprint(fingerprints=main_keys, fingerprint=issuer):
+                revocations.add(issuer)
+
+        certifications: Set[Fingerprint] = set()
+        for certification in uid_path.glob("certification/*.asc"):
+            issuer = get_fingerprint_from_partial(all_fingerprints, Fingerprint(certification.stem))
+            if not issuer:
+                raise Exception(f"Unknown issuer: {issuer}")
+            # only take main key certifications into account
+            if not contains_fingerprint(fingerprints=main_keys, fingerprint=issuer):
+                continue
+            # do not care about revoked main keys
+            if contains_fingerprint(fingerprints=main_keys_revoked, fingerprint=issuer):
+                continue
+            # do not care about certifications that are revoked
+            if contains_fingerprint(fingerprints=revocations, fingerprint=issuer):
+                continue
+            certifications.add(issuer)
+
+        # self revoked uid
+        if uid in self_revoked_uids:
+            debug(f"Certificate {fingerprint} with uid {uid} is self-revoked")
+            uid_trust[uid] = Trust.revoked
+            continue
+
+        # full trust
+        if len(certifications) >= 3:
+            uid_trust[uid] = Trust.full
+            continue
+
+        # no full trust and contains revocations
+        if revocations:
+            uid_trust[uid] = Trust.revoked
+            continue
+
+        # marginal trust
+        if certifications:
+            uid_trust[uid] = Trust.marginal
+            continue
+
+        # no trust
+        uid_trust[uid] = Trust.unknown
+
+    for uid, uid_trust_status in uid_trust.items():
+        debug(f"Certificate {fingerprint} with uid {uid} has trust level: {uid_trust_status.name}")
+
+    trust: Trust
+    # any uid has full trust
+    if any(map(lambda t: Trust.full == t, uid_trust.values())):
+        trust = Trust.full
+    # no uid has full trust but at least one is revoked
+    elif any(map(lambda e: Trust.revoked == e[1] and e[0] not in self_revoked_uids, uid_trust.items())):
+        trust = Trust.revoked
+    # no uid has full trust or is revoked
+    elif any(map(lambda t: Trust.marginal == t, uid_trust.values())):
+        trust = Trust.marginal
+    else:
+        trust = Trust.unknown
+
+    debug(f"Certificate {fingerprint} has trust level: {trust.name}")
+    return trust
+
+
+def trust_icon(trust: Trust) -> str:
+    """Returns a single character icon representing the passed trust status
+
+    Parameters
+    ----------
+    trust: The trust to get an icon for
+
+    Returns
+    -------
+    The single character icon representing the passed trust status
+    """
+    if trust == Trust.revoked:
+        return "✗"
+    if trust == Trust.unknown:
+        return "~"
+    if trust == Trust.marginal:
+        return "~"
+    if trust == Trust.full:
+        return "✓"
+    return "?"
+
+
+def trust_color(trust: Trust) -> Color:
+    """Returns a color representing the passed trust status
+
+    Parameters
+    ----------
+    trust: The trust to get the color of
+
+    Returns
+    -------
+    The color representing the passed trust status
+    """
+    match trust:
+        case Trust.full:
+            return Color.GREEN
+        case Trust.unknown | Trust.marginal:
+            return Color.YELLOW
+        case _:
+            return Color.RED
+
+
+def format_trust_label(trust: Trust) -> str:
+    """Formats a given trust status to a text label including color and icon.
+
+    Parameters
+    ----------
+    trust: The trust to get the label for
+
+    Returns
+    -------
+    Text label representing the trust status as literal and icon with colors
+    """
+    return f"{trust_color(trust).value}{trust_icon(trust)} {trust.name}{Color.RST.value}"
+
+
+def filter_by_trust(trust: Trust, trust_filter: TrustFilter) -> bool:
+    """Filters a trust by a given filter and returns true if within the rules
+
+    Parameters
+    ----------
+    trust: Trust to check for being filtered
+    trust_filter: Filter rules to check the trust against
+
+    Returns
+    -------
+    True if the given trust is within the filter rules
+    """
+    trust_map = {
+        TrustFilter.unknown: [Trust.unknown],
+        TrustFilter.marginal: [Trust.marginal],
+        TrustFilter.full: [Trust.full],
+        TrustFilter.revoked: [Trust.revoked],
+        TrustFilter.unrevoked: [Trust.unknown, Trust.marginal, Trust.full],
+        TrustFilter.all: [Trust.revoked, Trust.unknown, Trust.marginal, Trust.full],
+    }
+    return trust in trust_map[trust_filter]

libkeyringctl/types.py

@@ -0,0 +1,38 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from enum import Enum
+from enum import auto
+from typing import NewType
+
+Fingerprint = NewType("Fingerprint", str)
+Uid = NewType("Uid", str)
+Username = NewType("Username", str)
+PacketKind = NewType("PacketKind", str)
+
+
+class Trust(Enum):
+    unknown = auto()
+    revoked = auto()
+    marginal = auto()
+    full = auto()
+
+
+class TrustFilter(Enum):
+    unknown = "unknown"
+    revoked = "revoked"
+    marginal = "marginal"
+    full = "full"
+    unrevoked = "unrevoked"
+    all = "all"
+
+
+TRUST_MAX_LENGTH: int = max([len(e.name) for e in Trust])
+
+
+class Color(Enum):
+    RED = "\033[31m"
+    GREEN = "\033[32m"
+    YELLOW = "\033[33m"
+    RST = "\033[0m"
+    BOLD = "\033[1m"
+    UNDERLINE = "\033[4m"

libkeyringctl/util.py

@@ -0,0 +1,341 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+from contextlib import contextmanager
+from hashlib import sha256
+from os import chdir
+from os import environ
+from os import getcwd
+from pathlib import Path
+from platform import python_version_tuple
+from re import escape
+from re import split
+from re import sub
+from string import ascii_letters
+from string import digits
+from subprocess import STDOUT
+from subprocess import CalledProcessError
+from subprocess import check_output
+from sys import exit
+from sys import stderr
+from tempfile import mkstemp
+from traceback import print_stack
+from typing import IO
+from typing import AnyStr
+from typing import Dict
+
+# NOTE: remove after python 3.8.x is no longer supported upstream
+if int(python_version_tuple()[1]) < 9:  # pragma: no cover
+    from typing import Iterable
+    from typing import Iterator
+else:
+    from collections.abc import Iterable
+    from collections.abc import Iterator
+from typing import List
+from typing import Optional
+from typing import Set
+from typing import Union
+
+from libkeyringctl.types import Fingerprint
+from libkeyringctl.types import Trust
+from libkeyringctl.types import Uid
+
+
+@contextmanager
+def cwd(new_dir: Path) -> Iterator[None]:
+    """Change to a new current working directory in a context and go back to the previous dir after the context is done
+
+    Parameters
+    ----------
+    new_dir: A path to change to
+    """
+
+    previous_dir = getcwd()
+    chdir(new_dir)
+    try:
+        yield
+    finally:
+        chdir(previous_dir)
+
+
+def natural_sort_path(_list: Iterable[Path]) -> Iterable[Path]:
+    """Sort an Iterable of Paths naturally
+
+    Parameters
+    ----------
+    _list: An iterable containing paths to be sorted
+
+    Return
+    ------
+    An Iterable of paths that are naturally sorted
+    """
+
+    def convert_text_chunk(text: str) -> Union[int, str]:
+        """Convert input text to int or str
+
+        Parameters
+        ----------
+        text: An input string
+
+        Returns
+        -------
+        Either an integer if text is a digit, else text in lower-case representation
+        """
+
+        return int(text) if text.isdigit() else text.lower()
+
+    def alphanum_key(key: Path) -> List[Union[int, str]]:
+        """Retrieve an alphanumeric key from a Path, that can be used in sorted()
+
+        Parameters
+        ----------
+        key: A path for which to create a key
+
+        Returns
+        -------
+        A list of either int or str objects that may serve as 'key' argument for sorted()
+        """
+
+        return [convert_text_chunk(c) for c in split("([0-9]+)", str(key.name))]
+
+    return sorted(_list, key=alphanum_key)
+
+
+def system(
+    cmd: List[str],
+    _stdin: Optional[IO[AnyStr]] = None,
+    exit_on_error: bool = False,
+    env: Optional[Dict[str, str]] = None,
+) -> str:
+    """Execute a command using check_output
+
+    Parameters
+    ----------
+    cmd: A list of strings to be fed to check_output
+    _stdin: input fd used for the spawned process
+    exit_on_error: Whether to exit the script when encountering an error (defaults to False)
+    env: Optional environment vars for the shell invocation
+
+    Raises
+    ------
+    CalledProcessError: If not exit_on_error and `check_output()` encounters an error
+
+    Returns
+    -------
+    The output of cmd
+    """
+    if not env:
+        env = {"HOME": environ["HOME"], "PATH": environ["PATH"], "LANG": "en_US.UTF-8"}
+
+    try:
+        return check_output(cmd, stderr=STDOUT, stdin=_stdin, env=env).decode()
+    except CalledProcessError as e:
+        stderr.buffer.write(e.stdout)
+        print_stack()
+        if exit_on_error:
+            exit(e.returncode)
+        raise e
+
+
+def absolute_path(path: str) -> Path:
+    """Return the absolute path of a given str
+
+    Parameters
+    ----------
+    path: A string representing a path
+
+    Returns
+    -------
+    The absolute path representation of path
+    """
+
+    return Path(path).absolute()
+
+
+def transform_fd_to_tmpfile(working_dir: Path, sources: List[Path]) -> None:
+    """Transforms an input list of paths from any file descriptor of the current process to a tempfile in working_dir.
+
+    Using this function on fd inputs allow to pass the content to another process while hidepid is active and /proc
+    not visible for the other process.
+
+    Parameters
+    ----------
+    working_dir: A directory to use for temporary files
+    sources: Paths that should be iterated and all fd's transformed to tmpfiles
+    """
+    for index, source in enumerate(sources):
+        source_str = str(source)
+        if source_str.startswith("/proc/self/fd/") or source_str.startswith("/dev/fd/"):
+            file = mkstemp(dir=working_dir, prefix=f"{source.name}", suffix=".fd")[1]
+            with open(file, mode="wb") as f:
+                f.write(source.read_bytes())
+                f.flush()
+            sources[index] = Path(file)
+
+
+def get_cert_paths(paths: Iterable[Path]) -> Set[Path]:
+    """Walks a list of paths and resolves all discovered certificate paths
+
+    Parameters
+    ----------
+    paths: A list of paths to walk and resolve to certificate paths.
+
+    Returns
+    -------
+    A set of paths to certificates
+    """
+
+    # depth first search certificate paths
+    cert_paths: Set[Path] = set()
+    visit: List[Path] = list(paths)
+    while visit:
+        path = visit.pop()
+        # this level contains a certificate, abort depth search
+        if list(path.glob("*.asc")):
+            cert_paths.add(path)
+            continue
+        visit.extend([path for path in path.iterdir() if path.is_dir()])
+    return cert_paths
+
+
+def get_parent_cert_paths(paths: Iterable[Path]) -> Set[Path]:
+    """Walks a list of paths upwards and resolves all discovered parent certificate paths
+
+    Parameters
+    ----------
+    paths: A list of paths to walk and resolve to certificate paths.
+
+    Returns
+    -------
+    A set of paths to certificates
+    """
+
+    # depth first search certificate paths
+    cert_paths: Set[Path] = set()
+    visit: List[Path] = list(paths)
+    while visit:
+        node = visit.pop().parent
+        # this level contains a certificate, abort depth search
+        if "keyring" == node.parent.parent.parent.name:
+            cert_paths.add(node)
+            continue
+        visit.append(node)
+    return cert_paths
+
+
+def contains_fingerprint(fingerprints: Iterable[Fingerprint], fingerprint: Fingerprint) -> bool:
+    """Returns weather an iterable structure of fingerprints contains a specific fingerprint
+
+    Parameters
+    ----------
+    fingerprints: Iteratable structure of fingerprints that should be searched
+    fingerprint: Fingerprint to search for
+
+    Returns
+    -------
+    Weather an iterable structure of fingerprints contains a specific fingerprint
+    """
+
+    return any(filter(lambda e: str(e).endswith(fingerprint), fingerprints))
+
+
+def get_fingerprint_from_partial(
+    fingerprints: Iterable[Fingerprint], fingerprint: Fingerprint
+) -> Optional[Fingerprint]:
+    """Returns the full fingerprint looked up from a partial fingerprint like a key-id
+
+    Parameters
+    ----------
+    fingerprints: Iteratable structure of fingerprints that should be searched
+    fingerprint: Partial fingerprint to search for
+
+    Returns
+    -------
+    The full fingerprint or None
+    """
+
+    for fingerprint in filter(lambda e: str(e).endswith(fingerprint), fingerprints):
+        return fingerprint
+    return None
+
+
+def filter_fingerprints_by_trust(trusts: Dict[Fingerprint, Trust], trust: Trust) -> List[Fingerprint]:
+    """Filters a dict of Fingerprint to Trust by a passed Trust parameter and returns the matching fingerprints.
+
+    Parameters
+    ----------
+    trusts: Dict of Fingerprint to Trust that should be filtered based on the trust parameter
+    trust: Trust that should be used to filter the trusts dict
+
+    Returns
+    -------
+    The matching fingerprints of the dict filtered by trust
+    """
+
+    return list(
+        map(
+            lambda item: item[0],
+            filter(lambda item: trust == item[1], trusts.items()),
+        )
+    )
+
+
+simple_printable: str = ascii_letters + digits + "_-.+@"
+ascii_mapping: Dict[str, str] = {
+    "àáâãäæąăǎа": "a",
+    "ćçĉċč": "c",
+    "ďđ": "d",
+    "éèêëęēĕėěɇ": "e",
+    "ĝğġģ": "g",
+    "ĥħȟ": "h",
+    "ìíîïĩīĭįıij": "i",
+    "ĵɉ": "j",
+    "ķ": "k",
+    "ł": "l",
+    "ńņň": "n",
+    "òóôõöøŏőðȍǿ": "o",
+    "śș": "s",
+    "ß": "ss",
+    "ț": "t",
+    "úûüȗűȕù": "u",
+    "ýÿ": "y",
+    "źż": "z",
+}
+ascii_mapping_lookup: Dict[str, str] = {}
+for key, value in ascii_mapping.items():
+    for c in key:
+        ascii_mapping_lookup[c] = value
+        ascii_mapping_lookup[c.upper()] = value.upper()
+
+
+def simplify_ascii(_str: str) -> str:
+    """Simplify a string to contain more filesystem and printable friendly characters
+
+    Parameters
+    ----------
+    _str: A string to simplify (e.g. 'Foobar McFooface <foobar@foo.face>')
+
+    Returns
+    -------
+    The simplified representation of _str
+    """
+    _str = _str.strip("<")
+    _str = _str.strip(">")
+    _str = "".join([ascii_mapping_lookup.get(char) or char for char in _str])
+    _str = sub("[^" + escape(simple_printable) + "]", "_", _str)
+    return _str
+
+
+def simplify_uid(uid: Uid, hash_postfix: bool = True) -> str:
+    """Simplify a uid to contain more filesystem and printable friendly characters with an optional
+    collision resistant hash postfix.
+
+    Parameters
+    ----------
+    uid: Uid to simplify (e.g. 'Foobar McFooface <foobar@foo.face>')
+    hash_postfix: Whether to add a hash of the uid as postfix
+
+    Returns
+    -------
+    Simplified str representation of uid
+    """
+    _hash = "" if not hash_postfix else f"_{sha256(uid.encode()).hexdigest()[:8]}"
+    return f"{simplify_ascii(_str=uid)}{_hash}"

libkeyringctl/verify.py

@@ -0,0 +1,342 @@
+from logging import debug
+from pathlib import Path
+from subprocess import PIPE
+from subprocess import Popen
+from tempfile import NamedTemporaryFile
+from typing import List
+from typing import Optional
+from typing import Set
+
+from libkeyringctl.keyring import export
+from libkeyringctl.keyring import get_fingerprints_from_paths
+from libkeyringctl.keyring import is_pgp_fingerprint
+from libkeyringctl.keyring import transform_fingerprint_to_keyring_path
+from libkeyringctl.keyring import transform_username_to_keyring_path
+from libkeyringctl.sequoia import packet_dump_field
+from libkeyringctl.sequoia import packet_kinds
+from libkeyringctl.types import Fingerprint
+from libkeyringctl.types import Uid
+from libkeyringctl.util import get_cert_paths
+from libkeyringctl.util import get_fingerprint_from_partial
+from libkeyringctl.util import simplify_uid
+from libkeyringctl.util import system
+
+
+def verify(  # noqa: ignore=C901
+    working_dir: Path,
+    keyring_root: Path,
+    sources: Optional[List[Path]],
+    lint_hokey: bool = True,
+    lint_sq_keyring: bool = True,
+) -> None:
+    """Verify certificates against modern expectations using `sq keyring lint` and hokey
+
+    Parameters
+    ----------
+    working_dir: A directory to use for temporary files
+    keyring_root: The keyring root directory to look up username shorthand sources
+    sources: A list of username, fingerprint or directories from which to read PGP packet information
+        (defaults to `keyring_root`)
+    lint_hokey: Whether to run hokey lint
+    lint_sq_keyring: Whether to run sq keyring lint
+    """
+
+    if not sources:
+        sources = [keyring_root]
+
+    # transform shorthand paths to actual keyring paths
+    transform_username_to_keyring_path(keyring_dir=keyring_root / "packager", paths=sources)
+    transform_fingerprint_to_keyring_path(keyring_root=keyring_root, paths=sources)
+
+    cert_paths: Set[Path] = get_cert_paths(sources)
+    all_fingerprints = get_fingerprints_from_paths([keyring_root])
+
+    for certificate in sorted(cert_paths):
+        print(f"Verify {certificate.name} owned by {certificate.parent.name}")
+
+        verify_integrity(certificate=certificate, all_fingerprints=all_fingerprints)
+
+        with NamedTemporaryFile(
+            dir=working_dir, prefix=f"{certificate.parent.name}-{certificate.name}", suffix=".asc"
+        ) as keyring:
+            keyring_path = Path(keyring.name)
+            export(
+                working_dir=working_dir,
+                keyring_root=keyring_root,
+                sources=[certificate],
+                output=keyring_path,
+            )
+
+            if lint_hokey:
+                keyring_fd = Popen(("sq", "dearmor", f"{str(keyring_path)}"), stdout=PIPE)
+                print(system(["hokey", "lint"], _stdin=keyring_fd.stdout), end="")
+            if lint_sq_keyring:
+                print(system(["sq", "keyring", "lint", f"{str(keyring_path)}"]), end="")
+
+
+def verify_integrity(certificate: Path, all_fingerprints: Set[Fingerprint]) -> None:  # noqa: ignore=C901
+    if not is_pgp_fingerprint(certificate.name):
+        raise Exception(f"Unexpected certificate name for certificate {certificate.name}: {str(certificate)}")
+
+    pubkey = certificate / f"{certificate.name}.asc"
+    if not pubkey.is_file():
+        raise Exception(f"Missing certificate pubkey {certificate.name}: {str(pubkey)}")
+
+    if not list(certificate.glob("uid/*/*.asc")):
+        raise Exception(f"Missing at least one UID for {certificate.name}")
+
+    # check packet files
+    for path in certificate.iterdir():
+        if path.is_file():
+            if path.name != f"{certificate.name}.asc":
+                raise Exception(f"Unexpected file in certificate {certificate.name}: {str(path)}")
+            assert_packet_kind(path=path, expected="Public-Key")
+            assert_filename_matches_packet_fingerprint(path=path, check=certificate.name)
+            debug(f"OK: {path}")
+        elif path.is_dir():
+            if "revocation" == path.name:
+                verify_integrity_key_revocations(path=path)
+            elif "directkey" == path.name:
+                for directkey in path.iterdir():
+                    assert_is_dir(path=directkey)
+                    if "certification" == directkey.name:
+                        verify_integrity_direct_key_certifications(path=directkey)
+                    elif "revocation" == directkey.name:
+                        verify_integrity_direct_key_revocations(path=directkey)
+                    else:
+                        raise_unexpected_file(path=directkey)
+            elif "uid" == path.name:
+                for uid in path.iterdir():
+                    assert_is_dir(path=uid)
+                    uid_packet = uid / f"{uid.name}.asc"
+                    assert_is_file(path=uid_packet)
+
+                    uid_binding_sig = uid / "certification" / f"{certificate.name}.asc"
+                    uid_revocation_sig = uid / "revocation" / f"{certificate.name}.asc"
+                    if not uid_binding_sig.is_file() and not uid_revocation_sig:
+                        raise Exception(f"Missing uid binding/revocation sig for {certificate.name}: {str(uid)}")
+
+                    for uid_path in uid.iterdir():
+                        if uid_path.is_file():
+                            if uid_path.name != f"{uid.name}.asc":
+                                raise Exception(f"Unexpected file in certificate {certificate.name}: {str(uid_path)}")
+
+                            assert_packet_kind(path=uid_path, expected="User")
+
+                            uid_value = simplify_uid(Uid(packet_dump_field(packet=uid_path, query="Value")))
+                            if uid_value != uid.name:
+                                raise Exception(f"Unexpected uid in file {str(uid_path)}: {uid_value}")
+                        elif not uid_path.is_dir():
+                            raise Exception(f"Unexpected file type in certificate {certificate.name}: {str(uid_path)}")
+                        elif "certification" == uid_path.name:
+                            for sig in uid_path.iterdir():
+                                assert_is_file(path=sig)
+                                assert_is_pgp_fingerprint(path=sig, _str=sig.stem)
+                                assert_has_suffix(path=sig, suffix=".asc")
+
+                                assert_packet_kind(path=sig, expected="Signature")
+                                assert_signature_type_certification(path=sig)
+
+                                issuer = get_fingerprint_from_partial(
+                                    fingerprints=all_fingerprints,
+                                    fingerprint=Fingerprint(
+                                        packet_dump_field(packet=sig, query="Hashed area|Unhashed area.Issuer")
+                                    ),
+                                )
+                                if issuer != sig.stem:
+                                    raise Exception(f"Unexpected issuer in file {str(sig)}: {issuer}")
+                                debug(f"OK: {sig}")
+                        elif "revocation" == uid_path.name:
+                            for sig in uid_path.iterdir():
+                                assert_is_file(path=sig)
+                                assert_is_pgp_fingerprint(path=sig, _str=sig.stem)
+                                assert_has_suffix(path=sig, suffix=".asc")
+
+                                assert_packet_kind(path=sig, expected="Signature")
+                                assert_signature_type(path=sig, expected="CertificationRevocation")
+
+                                issuer = get_fingerprint_from_partial(
+                                    fingerprints=all_fingerprints,
+                                    fingerprint=Fingerprint(
+                                        packet_dump_field(packet=sig, query="Hashed area|Unhashed area.Issuer")
+                                    ),
+                                )
+                                if issuer != sig.stem:
+                                    raise Exception(f"Unexpected issuer in file {str(sig)}: {issuer}")
+
+                                certification = uid_path.parent / "certification" / sig.name
+                                if certification.exists():
+                                    raise Exception(f"Certification exists for revocation {str(sig)}: {certification}")
+
+                                debug(f"OK: {sig}")
+                        else:
+                            raise Exception(f"Unexpected directory in certificate {certificate.name}: {str(uid_path)}")
+                        debug(f"OK: {uid_path}")
+                    debug(f"OK: {uid}")
+            elif "subkey" == path.name:
+                for subkey in path.iterdir():
+                    assert_is_dir(path=subkey)
+                    assert_is_pgp_fingerprint(path=subkey, _str=subkey.name)
+
+                    subkey_packet = subkey / f"{subkey.name}.asc"
+                    assert_is_file(path=subkey_packet)
+
+                    subkey_binding_sig = subkey / "certification" / f"{certificate.name}.asc"
+                    subkey_revocation_sig = subkey / "revocation" / f"{certificate.name}.asc"
+                    if not subkey_binding_sig.is_file() and not subkey_revocation_sig:
+                        raise Exception(f"Missing subkey binding/revocation sig for {certificate.name}: {str(subkey)}")
+
+                    for subkey_path in subkey.iterdir():
+                        if subkey_path.is_file():
+                            if subkey_path.name != f"{subkey.name}.asc":
+                                raise Exception(
+                                    f"Unexpected file in certificate {certificate.name}: {str(subkey_path)}"
+                                )
+
+                            assert_packet_kind(path=subkey_path, expected="Public-Subkey")
+                            assert_filename_matches_packet_fingerprint(path=subkey_path, check=subkey_path.stem)
+                        elif not subkey_path.is_dir():
+                            raise Exception(
+                                f"Unexpected file type in certificate {certificate.name}: {str(subkey_path)}"
+                            )
+                        elif "certification" == subkey_path.name:
+                            for sig in subkey_path.iterdir():
+                                assert_is_file(path=sig)
+                                assert_is_pgp_fingerprint(path=sig, _str=sig.stem)
+                                assert_has_suffix(path=sig, suffix=".asc")
+
+                                assert_packet_kind(path=sig, expected="Signature")
+                                assert_signature_type(path=sig, expected="SubkeyBinding")
+
+                                assert_filename_matches_packet_issuer_fingerprint(path=sig, check=certificate.name)
+                        elif "revocation" == subkey_path.name:
+                            for sig in subkey_path.iterdir():
+                                assert_is_file(path=sig)
+                                assert_is_pgp_fingerprint(path=sig, _str=sig.stem)
+                                assert_has_suffix(path=sig, suffix=".asc")
+
+                                assert_packet_kind(path=sig, expected="Signature")
+                                assert_signature_type(path=sig, expected="SubkeyRevocation")
+
+                                assert_filename_matches_packet_issuer_fingerprint(path=sig, check=certificate.name)
+                        else:
+                            raise Exception(
+                                f"Unexpected directory in certificate {certificate.name}: {str(subkey_path)}"
+                            )
+                        debug(f"OK: {subkey_path}")
+            else:
+                raise Exception(f"Unexpected directory in certificate {certificate.name}: {str(path)}")
+        else:
+            raise Exception(f"Unexpected file type in certificate {certificate.name}: {str(path)}")
+
+
+def assert_packet_kind(path: Path, expected: str) -> None:
+    kinds = packet_kinds(packet=path)
+    if not kinds or len(kinds) != 1:
+        raise Exception(f"Unexpected amount of packets in file {str(path)}: {kinds}")
+    kind = kinds[0]
+    if kind != expected:
+        raise Exception(f"Unexpected packet in file {str(path)} kind: {kind} expected: {expected}")
+
+
+def assert_signature_type(path: Path, expected: str) -> None:
+    sig_type = packet_dump_field(packet=path, query="Type")
+    if sig_type != expected:
+        raise Exception(f"Unexpected packet type in file {str(path)} type: {sig_type} expected: {expected}")
+
+
+def assert_signature_type_certification(path: Path) -> None:
+    sig_type = packet_dump_field(packet=path, query="Type")
+    if sig_type not in ["GenericCertification", "PersonaCertification", "CasualCertification", "PositiveCertification"]:
+        raise Exception(f"Unexpected packet certification type in file {str(path)} type: {sig_type}")
+
+
+def assert_is_pgp_fingerprint(path: Path, _str: str) -> None:
+    if not is_pgp_fingerprint(_str):
+        raise Exception(f"Unexpected file name, not a pgp fingerprint: {str(path)}")
+
+
+def assert_filename_matches_packet_issuer_fingerprint(path: Path, check: str) -> None:
+    fingerprint = packet_dump_field(packet=path, query="Unhashed area|Hashed area.Issuer Fingerprint")
+    if not fingerprint == check:
+        raise Exception(f"Unexpected packet fingerprint in file {str(path)}: {fingerprint}")
+
+
+def assert_filename_matches_packet_fingerprint(path: Path, check: str) -> None:
+    fingerprint = packet_dump_field(packet=path, query="Fingerprint")
+    if not fingerprint == check:
+        raise Exception(f"Unexpected packet fingerprint in file {str(path)}: {fingerprint}")
+
+
+def assert_has_suffix(path: Path, suffix: str) -> None:
+    if path.suffix != suffix:
+        raise Exception(f"Unexpected file suffix in {str(path)} expected: {suffix}")
+
+
+def assert_is_file(path: Path) -> None:
+    if not path.is_file():
+        raise Exception(f"Unexpected type, should be file: {str(path)}")
+
+
+def assert_is_dir(path: Path) -> None:
+    if not path.is_dir():
+        raise Exception(f"Unexpected type, should be directory: {str(path)}")
+
+
+def raise_unexpected_file(path: Path) -> None:
+    raise Exception(f"Unexpected file in directory: {str(path)}")
+
+
+def verify_integrity_key_revocations(path: Path) -> None:
+    assert_is_dir(path=path)
+    for sig in path.iterdir():
+        assert_is_file(path=sig)
+        assert_is_pgp_fingerprint(path=sig, _str=sig.stem)
+        assert_has_suffix(path=sig, suffix=".asc")
+
+        assert_packet_kind(path=sig, expected="Signature")
+        assert_signature_type(path=sig, expected="KeyRevocation")
+
+        assert_filename_matches_packet_issuer_fingerprint(path=sig, check=sig.stem)
+
+        debug(f"OK: {sig}")
+
+
+def verify_integrity_direct_key_certifications(path: Path) -> None:
+    for issuer_dir in path.iterdir():
+        assert_is_dir(path=issuer_dir)
+        assert_is_pgp_fingerprint(path=issuer_dir, _str=issuer_dir.name)
+        for certification in issuer_dir.iterdir():
+            verify_integrity_direct_key_certification(path=certification)
+
+
+def verify_integrity_direct_key_revocations(path: Path) -> None:
+    for issuer_dir in path.iterdir():
+        assert_is_dir(path=issuer_dir)
+        assert_is_pgp_fingerprint(path=issuer_dir, _str=issuer_dir.name)
+        for certification in issuer_dir.iterdir():
+            verify_integrity_direct_key_revocation(path=certification)
+
+
+def verify_integrity_direct_key_certification(path: Path) -> None:
+    assert_is_file(path=path)
+    assert_has_suffix(path=path, suffix=".asc")
+
+    assert_packet_kind(path=path, expected="Signature")
+    assert_signature_type(path=path, expected="DirectKey")
+
+    assert_filename_matches_packet_issuer_fingerprint(path=path, check=path.parent.name)
+
+    debug(f"OK: {path}")
+
+
+def verify_integrity_direct_key_revocation(path: Path) -> None:
+    assert_is_file(path=path)
+    assert_has_suffix(path=path, suffix=".asc")
+
+    assert_packet_kind(path=path, expected="Signature")
+    assert_signature_type(path=path, expected="CertificationRevocation")
+
+    assert_filename_matches_packet_issuer_fingerprint(path=path, check=path.parent.name)
+
+    debug(f"OK: {path}")

master-keyids

@@ -1,5 +0,0 @@
-AB19265E5D7D20687D303246BA1DFB64FFF979E7	allan
-27FFC4769E19F096D41D9265A04F9397CDFD6BB0	dan
-44D4A033AC140143927397D47EFD567D4C7EA887	ibiru
-0E8B644079F599DFC1DDC3973348882F6AC6A4C2	pierre
-684148BB25B49E986A4944C55184252D824B18E8	thomas

master/allan.asc

@@ -1,29 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBE7VXhABEAC7AB9vHjR4b/lXq/HANeeN2vWQYK3xL2/01nvUPwycjDbCkOg2
-LZzBiun4KARWHgslErhZ26Yxsf5GQmkbndAliZJ1QDC8Evp9iH4zvc0BCp6Tw4+I
-7uHc/rlNw4g5/92EzHVtOWzw0FaB5exRPZfiGuuyOtzbny3oEHw11uighYxt7POI
-dlBFGAZjf1Qcjc1dAhRUerH7W/CFhL+fAvgu1zPtjei4m9jQNR2xjR8ISu9HyfYE
-z1s7tQeL3AZwVg4YYRdFSjbJQAc1CJoRh5YnYdjpxfgmNVLxo8BAqM45ZrX21nW1
-+eog00360d2lQhhYmFrySrxXLvlTfpapt0NwZbbSlvhJbS4C3DQ/Wxj3WIaYTXd3
-tXbH6CQBnOUL8mItQnwHJKbHXZKV1dZHAftMNBrSllHX7s4yZZCKsDd7PxiSCqFJ
-Ihh/RKGHRVprpx7WZ1b43MoeRDqcRvG+/dnoURFe7xEzzZU47YjLplxGETzQmw7h
-fYkMihatKflMs3pgNbuUOduwF3wbvM/31PmCCD2/ZXeH+BBFJdu9Mwj/ZWBwHMxU
-nTDnlRzSoo5ELBtc5oQ1ReZZD5By32WGNootgU3mjSi2XB0iL8nQSYBOQrvXlBxF
-7NIdIdEIjHWvyPLP2Pf8r2j8Ly7WHW/rVpxRCmRMVShzevATFTBBhMe8eQARAQAB
-tERBbGxhbiBNY1JhZSAoQXJjaCBMaW51eCBNYXN0ZXIgS2V5KSA8YWxsYW5AbWFz
-dGVyLWtleS5hcmNobGludXgub3JnPokCOAQTAQIAIgUCTtVeEAIbAwYLCQgHAwIG
-FQgCCQoLBBYCAwECHgECF4AACgkQuh37ZP/5eefKZQ//eYzQxcKro2T9CcYRXZk6
-7+67u4gzBHOraOk0uioook0c5zGTX0Yi1E8p9yhj0GSmuEzUMruFiIPpFrIoGYqZ
-bCiVprJ92NjHI2U2X/hoq4hc/w4lh+HWW1cWjH1zrfSHK2fMeIowul1FJubcI5O5
-Pqw8joqSKPxw6LbnbSn7bsqxjL0exYF41XlfglNAFuXur5FwXtQJ7R7U84Zw61qr
-PtEG3lFc7iEqdjySqILJr6Vd8MT8ETEjsI1IqCRmNJGxMSKqcVj3tyEmupFosNmP
-L0RcvdVUkm4QST3Yu20oB/A3fMjr1VTbpvzX20/n9b7twbg3uwiFGi8PEKI092dS
-rfI/CER+NZ+tStNFsQcqWggcMfeaR8o8XQ9fxBRdlCbIesnsp6sUPHDlmkrqCS85
-T2YEZMoHiKOUvp8y4vNOjxImwjfeZ0f55GnWku+d8SMNlR9IZfY/tHpZXZKfh2BB
-JX8kJ+drqVtitVrNWG6pAW1nNyE4lsHOF31dUlsYfrblBruIFNfXbeS/Q7su+ee5
-a0UqqK+g4HHlpE4sZXFnLz5XNCHbFtRP1XZ4rFHmjy8bS9NMPi4eYLhJVUrpAwb6
-CEDGzc1+01g3EulR7IeYDFzvlp/FmtKPnxc5DKXcgC7KlW5j5pVOcwbDFBZN7mor
-yzb5eOr17cStIAH/hlIGL5A=
-=gixX
------END PGP PUBLIC KEY BLOCK-----

master/dan.asc

@@ -1,40 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQGNBE7VPpABDADAOk+g4YfRSe3FpZ+ZxQzcAhZBt9t4tm1DJsrrpczlB4Nah4Pj
-y1ZDUuOD6K97+56obAyHw/FXpukcOljn5ugj8DxkWZoFZoQXJ/7en5b4aMPaDtzl
-41bk4ntmge7D3wMmzfNJzKoQJU4U4QyCfPb7W4SlGcmrFmrqHLZ3SMU8JBlPwN6+
-j4WuT04Bkg+2LurrlBotwf7n0nazrunkK5/CMHSbFObpd6Ug7cLoy7Jc54QEOxTN
-L+wVe3H4cbFZJ7Jly7h++5zo1O6bngNR+SapiCMSMsa5nPN4m6PbjspRqvO7U+LD
-tkUa1I9vzbpDUeURDBmVCwPseOg8aLko0jBjyvOb/TILaoj2hNpM2zyl4ytgpAc/
-ccUkZqVJ4+pdtd48sSh2tOYPcoZF7hSFYpNpV5XD0ub3DvtRaR4AiWoZM35mlDwe
-KMh84K4SuuWkKgVzvijtvpk4lUtdfVrilFQmjkf90EHO9PQ2NHMgRjv+dNtxgU23
-hWKcIQUEnnTQqnEAEQEAAbRARGFuIE1jR2VlIChBcmNoIExpbnV4IE1hc3RlciBL
-ZXkpIDxkYW5AbWFzdGVyLWtleS5hcmNobGludXgub3JnPokBtwQTAQIAIQUCTtU+
-kAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRCgT5OXzf1rsOYLC/wOFwhJ
-PxoCIxfTxOY9x1nDsl+RPk9k8k01GXffoax0Sgzyc8d2aK+THetdY7wnooL2P9aC
-SXxI7vrNBm75JqnylcA26zy3admewGGzg1/tbQSU/Jst9yDXwnsb4hIF9SEZ1FeH
-mjOfAjfpNlUm4irlCSOvDfEIP9wiiNztvAGFsbwDq2aHG1GxGN9lagnfdVMsSyJW
-BbdJikEij3aAQ4VIkvapslmIJeFJTbtYAbFtNhfE4gVv+tRSThq2e78krtDHeLty
-6gt+oiqSd6ZNIrdLTqxnqQ/BKLkyNQi/wYxu0AIsoBg1/Lg9Hd5t8IyfPBDpi661
-WSXEOApTVmUUzZb2pSC5kb40nNvCWjIjsfCfABfio608p9/iSXsJuT8n5+ffGIsg
-MwzmTGjoNqELvk5ty8ArvSYb1SRrV0axqTtMtbWG7s6hkgAvMxzXoXO+LoY5VrJZ
-TFgjl3BcvXCrNARE5nvlmb+CksoQ5vDFHKFnaZMXE1LGZYkXg7tYLXlyCvG5AY0E
-TtU+kAEMAIF4dGry4h298sl7KUAOSL1GrtvFLxMPiFBPQUglkG8QDzGEc0JAlb0c
-HdnVZoUaGQSvrsYNCsOujxv/IYa/ioTdNlBiouusFRy83rzgFEtg1j34+WkXMdPI
-gdYBLL+6rdJ6iLdwMOUk79AmKWP5mFdV3lbnrdpy/eLdRl0tFM2DCZOcxtpcqat8
-A4BrDEVACWnzUSaJB9o99HnJc64cTfZZz+/kpI90BRmd7tXjhhk1e4zaPViQqW75
-Do9dXry8HGMNLYmXOnNOe4uKxazd/Wu4Ov83Wa48MGaxzC8uC9GJ60LJFb10nODu
-yhYZTnPujLtXWrn4ySDcwTytRddbgm648A+aujnJuexX971GfvlSN2MXj+jIjroe
-7Ya32j2Y4lc/4vb6hA4bS7lsdIHfZ6mAg80Zu1IeG8G0nUPYWb6GqU6R2tT8ABiJ
-4io9ShtWG+irCN+mllEEVNmxpfpAbGj7WZMF9sRJKxgx+nmt1ymrErIqp2MiJxsX
-Yh/RKT33vwARAQABiQGfBBgBAgAJBQJO1T6QAhsMAAoJEKBPk5fN/WuwvL0L/jXd
-Sk/Ui3LFhj/IEritEpwsUgUNZbPzQoQ3cOWDY1k+0mbds65mni2n0rRoDE9qA+9o
-OpGB4imSahynX4K20Pk6mE7oMrTr4Mpqve0/+uoGx4jeFVwm3PanUbAamPnJ324i
-tGCvqHQ9NCFW4IMtPe3L01sxC7gEH6CpMjk9DsKE5sQjXtZJpyh5FrK6exOkzei6
-ag0vIbetJI2NgmDn8rVzXrpTIecn4+Dv/EmvzXKFmMAejhsdCHTgfyG7ONYuDHSp
-IiNy3v3YHyRkDUfnN541p+meEdWazYblpmKXGvQ3d7QxtPgheKlSn9f0CcXfZ8fB
-EQFCBh9nH7sn5bfO9aNhbFCP5bI9Rjswfjcn/vh4F+d+uC5NMzpPyWRaTph3T9mE
-dGUtxAscHfJnku+SZhItu/3gVSLjqBCJ2Bc/RsOWHSuulCSSKovlcJhX5/yYxOvh
-w3ll28x4RHX390vUZ9yvLvXT8Px2vBXZGvUNRCqfDHMnUaNIYD1ypigu58Oqhg==
-=18XY
------END PGP PUBLIC KEY BLOCK-----

master/ibiru.asc

@@ -1,70 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQGNBE7PgFcBDACaaq6It/HbI8oF/U/tL6e8DRV9d4Up3ZLi/U530iKz7+hvebd8
-tHwVzdIxroa+7nvL0d6/zsSIMlmHpq77b3phSnRR3Iq8ffKIcDBukS2MRajEdscx
-YtezNejBOHivNX3lc6OAAi3et0i29wzzsKCWXIU/cVX0LwYt5RMUnIAvn97p9ghQ
-t9hkXLC0fuUkAS239yZ2OyngUdyaoDKn5e4pXC2utYcv1c12SnX5wgkVMX8G2vWa
-9brGotTSn321YxDn2Vy6vMEo2nadqWsl88e9HK+6dFl5FI1L+kVIeTycsjbQgw/w
-keJMtEm6XnaUmjCYILi1DlBPGD677bMJeYwHeFB1qX6ni/LmI59ampJXtEITf/fI
-ii2LZsLrPV6MHtYmTmZwBmz7lvFhx8pZhqvDzMcoHtmsUICUdjmjlM+31Ec2uc42
-Ykxvjq2vAojloBuy4x55gRY2Lnd1GBb8nQvrtzkazyyvfZTf/ncOxYyXqm6mazyX
-WcFK7tTwbTvqoR0AEQEAAbRDSW9udXQgQmlydSAoQXJjaCBMaW51eCBNYXN0ZXIg
-S2V5KSA8aW9udXRAbWFzdGVyLWtleS5hcmNobGludXgub3JnPokBuAQTAQIAIgUC
-Ts+AVwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQfv1WfUx+qIdJ7Av+
-OEvsmPHM7w/e3v2ci7foSNxLugGRw/oUboq7FWD4ttk2rL5pqKnjmfHMgl0ThUhp
-GzfCY2HYHdpUbgLU/WACaplTX2DYTQSh/V6OWfbChUit9SvEmKLwAT5lsSIms1ia
-w8zIuBouVmdpMM/Apk2ZNYgHMEzodvbIHq57ZqaZZGvmN7J1YWZzyAawFZqkemHg
-43RsD3y/9CMwVLr9JJn/SjSLq2NKQNsd9A5529LZSXjKx9/6ro0qbwqcDIgq08/H
-9/PXV7VKvRhwVZa0lDrWjpiJwwrYG+qE1PgeBiKXkRQelD1LKiE9rg0zckojHDAS
-T9Z10EBmVFFE9ReNaaOSfwC6X5YUPBxIOqvxNqbHqfIfKr8fmS49r7QsjSOcbuSX
-q1jP60aByexISnij4Wtp6/Oi2rNziAOQSLnpJTcjNEcOd6tQrtnyRkOy/ahd1prz
-XNeWO7XjbkXvs12PDkVz/GEw2FieUTTftPpX3+yYBgoMufDHCWlNKWTQ+Q5EqutO
-uI0ETs+AVwEEANqD48GrHuy5gywO3riuxdNJiZ9rgWy7OzQrQWINmqZ+7U4/3UWt
-fUT3k6lNMv5qDjakYxkBVHjEmKMHzdn8GyMCwhHTHv+ak4+g3ruMnBTyhsJSPGgg
-5oI8rOU1jX+2juIcok1DfWzIEnNOZe2DTN4xdnwKBrF4c4DEVhX46VMbABEBAAGJ
-AZ8EKAECAAkFAk7Pi9gCHQMACgkQfv1WfUx+qIc1mAv+MDJCVlEpEA3aUMmrqh9G
-P+18qga8u2lMzXf/qa2L4esP19Wo4WK1tBoO55/U9a1al5A6ESDEf61bKqYUwPUK
-/vhbdCWGRowHSKEkBNrhZTTyNmfE62hLDtJSKorRezGoU7AA7EymVgv3wONHAzJQ
-0eBQ8Gcb0nO7ysxuIjPvHPzfFuXSXCxxGLe4eLCJ+48DLZHqYJ4YmRm8Ymb0dA+0
-L0vvONwDYcmVoeo6JoF6Q9ynOqlkDRpc+Ca5E/Ip+wW265FjiMU6ihYDsimUPwiW
-mu4uVfh8QxWjrxSZMotUEBPPzHJrLsGc1+eMqfllRBhqU1hwz0yGmYvb5kA8idcS
-wdJdRVQLbo1U41aeFWwAYFluCnIuHR4Zzc+BAFh7bQFLzCHgg2wPHh45E+vWED/C
-jkFCLGbGhHHba+J0lEotOVBg8LaL9XzQpcuAgj4Q5WS3EPYkRQfrdJp3zMQ+oFBz
-BnUs17dfwzFApzD1wlnzZ5DaAZwVDGO/1jm7/ibh01m6iQGfBBgBAgAJBQJOz4BX
-AhsMAAoJEH79Vn1MfqiH8WQL/iLyQ87L9xuNc0TdGObma3GPo9H8K81nnorgbPgT
-4TDwVgU47zuqOynWREBr/jkhwN1gVRWcX9ymFdebLj/BxO1+OzJsoG30zOckd9+x
-lJTkwaohANyXUkPLvC4F/ncaygrEgCA4B7rHowjUv5WV69SlfUKO0qPXLCtF/0Mg
-+dCJh2LkBNSsXTmAY9wT6v30AS/lyCG0T5ba4nW7YlJ8o4h2Wu1MC5WDq51IuU4R
-ssR5ZBIDeGtiVzveF4JvJ25Zia2JjtZwRNgHvqm1dGjiQfc2wGKrHK5D8IQsTkgb
-laWz9kbjW5qgBL7yv0URbXuuZW6PbBeMsZQ/pT9qsuESnhxSxRxgFrDWCOAbf0TJ
-eg8AJ35/TCP5P0mjDb1daV1xIbocywl9n5I0C1pqN8oIrXVTfRxrf9STv6ig7hJ5
-7XkGOErpeHwKrkGYJGyF/t+F9J1NJZWOUP8waq+wjMYoDNvxovP3N3JxXthZ8/kA
-mC+mIlOFNPcMbt+F/h92TeuIXrkBjQROz4BXAQwAosEtg6AKsz8UuKC2oCzOdNHk
-0SfazMLZNdzZStLtjsIjKPQE2gS8PLuIJO1IIUjumMCKqqvp7xvQ0KiMZv/8Oi0c
-hnUkpxN8jngApevRFqMh5WpKXVQ+JCB8GthQQkJs6Nq2zxi9xS57ZUIdZxXIV3ts
-Yderi46hWJ3PqGfSusbsIE2kAusJkfxUDOtbEz/BGQGJAoWN5WOPM0Mnj9NFzonI
-rbHpZaDmHOlMnC2EPDwujWyUXV54n9xKeg6enDPbMRWiJUbdbVawk/t8qGEG8di+
-jok2tKveQugtbKlIsw+TcKWWwAPBTBQWwq6CvG9xiZQlEGkatPsP8LbBMy1rp+v8
-qEjgEt7uhb/Tezzm+D2bActeXQJt70oflAyBLcBaf/2kXcRRHB6QgX/iMFq8ukvW
-5tXmakQ3+23Iw6LVO2x5EWPdQOFjvnVvk5U7L78aZ4L4Oh1Y/+SH6QVngnt/2eEW
-FR6eNWOyydE6Fz3MZsY1QyLweFhJ6VbSC+XEfFpJABEBAAGJAZ8EKAECAAkFAk7P
-i4MCHQMACgkQfv1WfUx+qIee9wv+NKc5EW2Ow1jFLbKBWIQtwoxH6T5WLstkgyuK
-sro/O9X4IHn12EUORAo7IBUnJreIaeGdLIK2UBUp/7oY/BesJ5G1uMaVi7XQOo/i
-1wsItuJ8vtAS3qQcqmDVqNCBX1yNm9/LVpi0iC6UwKsjSjMPrOBgAAVuqVspyAod
-2AniMbDxtAEvE7Afzt7BOEg2tobdQ/xQNxoeM9bVNkMVApM2OoHppph7qHfX4Y4c
-gmDVjE2QCuqt8KCgx0I+6kkN2ByjvEAG00dRDvaIDnLXH+r+ZUidPPDo+sjZfV0G
-pvFuksONCv4MySv56Gu+I8XwBOmMU1cUuievfYOz4ZJIOQyEFpXpgdijpFHqmdhn
-L4l3qMgIRwAfnPOte/c2TtsVGvr4JAzr77INHDA3ZvQd4A9hwmYECMPZpSgQkHcC
-DR06ICZmhv5CLegUAuS8ymtvCdsYnZ8JKzbZrr8InpiX9ZE5+tYEYl+c2mw1t1oX
-Hc8j2OPUDi53X4+4AH3DDEaCSAo6iQGfBBgBAgAJBQJOz4BXAhsgAAoJEH79Vn1M
-fqiHRvML/RTrooncFgDB513/c8TSEQSpDr6CKUXMhb4SIIQzzMdbSIsZ2SKpmFqe
-PJ2GtNoAHwUXINdqFkuQqZR+tNF3F2oe5ZZ6VqjJJOjZyqW9fxNUpYe6R1a6fWCP
-ISKcx/inGA1ucwVs7f7V1SmDn/hGVIrrGRoyIJJh7eQ7oeE+xtGqtJ5g1lC/9pIw
-2QBpKsmQkynKw+rpu9gwn4aXdqZ2B6JCILixx/AV2/KT9dttAgPfK5KeMkSVga7v
-JzxhFq3R73AKHUJlnRTMugGYMZN95LNTNQJvN7CdUtPL9SpqWeCus/SQ1uFaUK5k
-oWVcea2nnPjxVvShflHkKYMnK+jVPRZxerdzJY9TIJUskc2G1oUAMp73XehVQwSy
-X7Kn5XfmfPFz3FhLNvC0NxfJOduVnYcT4q0Tr4fqw/lhgN7Q6nsshTr4JVi3600D
-kVN8VYMiuINNNudQWfFTQSriVoipWQNbVvLLAFHsozSHUr1xasser4UXnnZhlfjs
-GKT3VHw/QQ==
-=Q9DZ
------END PGP PUBLIC KEY BLOCK-----

master/pierre.asc

@@ -1,52 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQGNBE7Gu3MBDACGmD2FPejnpbdjOxuEDKYmIC1y2SkD1W97KwS9tOSceGy1gni9
-uObZsiiiUqzu9p8uOpX0kxdykgk9cliH6QxFQr5e1WOSG6MkkDqYLAjP5kVFnT4T
-E6lDklYQ6YW7j3lJVwFDNXV6yobt6ApMHaDGqERpcgs6prKb9wZZ/EdyqBblYTyJ
-t0s3RpE5AolNHSboaJZ5YRf5s/T0mteJ37pAIljgXhfeiqxAl1Yp+RkRglaiHLhZ
-pcJW2HRACmYv9SYSuLV0JcCAG4qeUyiHSoz93gAaf6VCv5JsYVg2Mwt5rGqE7CXg
-XDHV4Klq/KrmaHmp81qpB1ngK1g6cCz34mdnLBMbyt5G2EdrIOiv/bBo5LsXtEhz
-C6I/LZ75sXV3xC60+6ZWKkeZFtyXq0g9X5Gxc+wf79K2EVkAC1UwEylK/n8rfP01
-vk6fkNJsSb42BEchyECo5iMY2BMGXQ6mlJqpEx3bxE4W1Di01XaT29nB/8hP3xbk
-kJ1bu4hMa35sQQEAEQEAAbRIUGllcnJlIFNjaG1pdHogKEFyY2ggTGludXggTWFz
-dGVyIEtleSkgPHBpZXJyZUBtYXN0ZXIta2V5LmFyY2hsaW51eC5vcmc+iQG4BBMB
-AgAiBQJOxrtzAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAzSIgvasak
-wqLMC/9NV/ZY0nhUIZ/8I+U6ez60cr11i4Oq1NtZmNoNta6ER0OXrlunu6h+ZKiH
-ET0jva0XS2B5eDBipDY7PHSuF7v2b0MbBR603FVryHrmL4SosJoZ/dC4T8Xr8L9d
-k+fY65aIXt0EZme2AgRaqKXn4sW0vcOHDmGm2HqPv8TWtCu5ZDkOT/u9LP4oUde0
-e0cpfdZLCgxLqYj5tFWO2Gt7Gq5WCDxHtr/QhFX7GqNTqvr6AukzT7S991tKlk6V
-Wm/qMHo4tDrC2fBcvV4f+fFHSe/oBkxbF0LrcodkJ81Iq+e99p2JQ/Rn2yBZyKWL
-hmuiDRavoQ/TgfEmn92j2rzq5IPiQkjuyQpDsYGV9K1KhMsunK4j1Xbt2tyUEo0K
-H4ynAP07COUNa36rRw3ZqlErHR4BwFksvN5sdJ+zHIHeLsQEComRh7TV0DWukdTN
-T4gpwIXNxBKN+b6QxHWtnsJlMsaExiI1OefHvBJAjXzzow0z6v3+axZ9Q/PrTtPp
-YNpRI1i4jQROxrtzAQQAw3wH1CdqQaqpVV8CCrJ/VzUx2cY6Ba+FnGKqfZyqmYy4
-PrGS6p8T39ZeOuQj7kPJm8gKl4WyZpTTXf452WByFe9ZCpXnTbt991zjpAGnYXBf
-1u7tPZGE6MabE64Zq/g88PimhcOKWdcMBC+AxBBbdyrEjdkCy67vqRZEBrqkgPUA
-EQEAAYkBnwQYAQIACQUCTsa7cwIbDAAKCRAzSIgvasakwjo+C/wOB89KCN4bGy4o
-Wu5eM2kSuLLaCDSn851dg22tHsaoTiCQ8/XmLhlqOqtAf0mF4o4lXHpWhIVg+jT7
-QTGUkFWcTUz/wfrQ0LQCTtwYktWTY5/BdMDR/wk2mvkDa8Y8+cZB8gUNaF9dNp8t
-jOEiWiVl0kQsYV6zzbda9KGKknfEOiNd/z/VJs7m0BqxyUhjndPRsjrn3D9mE1Hi
-ARCG51iHY1nMmJCT36DfBkLw8tXCplSeCdNetc0QTU/KxvDKee0ZcCdHYu5tm1BP
-NJ/nKMyew3E0gL5Qlnmgyg0I4i5A3OHOeNqCK1trr9dGJwPmw9B2GGAKH/ZGzJft
-VaXCUOXNirH/ixmVaT+NgpvOrPIdVTbS/YkcdNGsbkZCy3C7/NOc96ky2ReBroPT
-Cw5DNAm0kqylbnCLgIzL0x0Y+SXfNsutX9hwEqior43JXDQ+LzRNXaai7FzHgPTx
-2h52iomNRq8LP9t88Mixlz61/JG6IChW5mt/7fuBaoh4aobUOqK5AY0ETsa7cwEM
-ALMKwEWKsIs2s1gyMO+IlIWpECPbUZsyQpe1oWMHUdqsKA0TgR+AX+lwtZPICPb8
-OeA+X9ZZctaKHNLEKAt1nE6W1ToaB7k6zilZytas7qiO0agtslUdDYjKNiUlK0LP
-zgvaODwUtLuj//4oK92F63Nypc4sYE9i5xcf4FYnfwADh0nHLJveG1WCzutXvENH
-q/DZIVc0RADadU5MY4tX7QUFVwExHifPbTOny22PrDMVLZ9FsmsRfeIf1wSEUBPu
-gXSx8CBkP72/RdUVQJuHRNuQBq2F1PZtMsIvHYRHZN8BhtTV1aG7g9e2mSF0eUTX
-h71HlrDsQlZRVUfwrNUoFT57gPeI/qcPKQqoH08Pnavit5xhBvvctK6SE5fPPo5e
-nuuEX4oXnj/tdmNbyu6qi6gA0PhNzsZaNrOWTlDbJ6x9Q9Q1unyWOrexaQ9hZYgv
-7e9CjtYuYrNYpW5Wxe5cQDrn62zZxqPdqcIcYYf5a6+o0vYfI/4pgMbNMM5Pa0dP
-KwARAQABiQGfBBgBAgAJBQJOxrtzAhsgAAoJEDNIiC9qxqTC4qcL/1ZJwKEY8G9Z
-ZJOjcP3gvmNlGr/lXipMHniVcMaYSeC2364b2qvZVqUd9vbD12be69V9xfnC1EeN
-zY6a1tp1p2tL5mX61CHcMwORU3KOVceDT0BYF/kdGwcjl98kl5l7crAnOY9UuwvP
-YOSWFFVw9WjwfRS9c+oUWq4fNyKe9+dWWzoawUliAzEYt6mNxC/Tdo8QKQNIhyd8
-r9wQWvCj6xZ1fV4nc+YEv6iFWuWiyctkEfB7rDnvp2tqFIwYPuNV4EssxTshIH4m
-JYzLR6hWMuR1ty3B34t5FCGP0nu0pdafl7Ahfjy4g3mAXL0xIXArelPiUFan7sxk
-sUqDFrSUdqNw2xoeVdAXZjuMZlHEcokFiIU9XtzXi4HAaqTiAaa6NM7G1wnkB0Aj
-lnrMv5w1ODUmgezoc1Asjsixgs7GMhYazvqefc9yTxeq1+VDKiMcCxZmh7BUASEQ
-Vxy/NGS6GAV+fm+voMCUzOrkiWxr8AYHwCdUy7Q1/5qpoTC7FJ6qKA==
-=7voJ
------END PGP PUBLIC KEY BLOCK-----

master/thomas.asc

@@ -1,67 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQGNBE7Hp9UBDACNaL5VM5JsuA6EGjfJmagZO3pSlNWEtx0NmGQYPYOBwywXZFwq
-0zBdpNFxwJOyxn2xdgQxtX8L1APxT7T/WGTPPDMHx7/N1xaWJqRxTQYV50MTmJaR
-+pgSR59zR1exRpEClcLOx72LpGKMYpWQ7JRJn0/9+JtSpwHlsfYrdi+VMgfU62d9
-H00sSCkmJsl/3uvLvcbDyqtFu9bpMA7T2g+Ws1xaocD3fwRPogpM2Q2czYr514O6
-wZp//wScBHRsgFRjQsYm02ZdbEQCmmK80/WhFA3CoovNG0+zXqu92tW7fj+pvTp3
-4GX61MPUj7INKzxfSCo6ygtyUrozr5IuYlMc1misT26kfQUuKRgg7M3eF3pKcaVC
-DNX14h7Y+tcX4yUBTsi5lvE88xZUTLp0MSmNMy22wX+OrCbb/YnzW4XnFWYgS/i8
-hfaeKsxuIi3g7kkUmvydTtVpgCYWfZZWeHt9cG+FoZjjoH7aePMaL7QCYi4zc2t2
-p5BbNZI/zmd//dcAEQEAAbRJVGhvbWFzIELDpGNobGVyIChBcmNoIExpbnV4IE1h
-c3RlciBLZXkpIDx0aG9tYXNAbWFzdGVyLWtleS5hcmNobGludXgub3JnPokBuAQT
-AQIAIgUCTsen1QIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQUYQlLYJL
-GOhFowv/cqnogm8UAuXIXyfO1g9l7HdLDH9KjJWuO/QqvWW1ZmsgbbmRCn93kqan
-XYyiKhaIhc/ztAa6uiIqPQ4X1TP8gMijWD1zL0fi4R4V60S9om0Veft8O7Xbu47/
-ZtlefbwjnnohaqGuM/cusS2hI9j2Q52kuIaJvSB2kndP24QFQH6Q+4F0UtJ2YmeO
-A3mcquuJBrnjfaA4SsHJudtCL6P2KaoxaH7uNwG4b9wgFnDBFZi9Pzs88cXu1/tO
-W5gxGUijNPi5SCmlzKbdLHRx6rr+8f6dWsyzwK7J/9l46dfjqn7sryml1w64+V+m
-G4vwdE4uRITSmAb9MpFrbZY7LJxagSuKYkrt2QcV69gBeOJ8pSy6I2q+tRBdCejZ
-lzJ63cboIE/KMKM/X9tMk+E/NvIjcKVFH5at7EywISpqNU3c4IsEcz/zc17UQ4A/
-+muxs/xng3oWB0h4wFpfbxdDmKGrwqMXdO8jenYYVM7dRFJnQJm6V2Zi1/rQiz0Y
-xCdA0K8suI0ETsen1QEEALxGNpmp9ije7XNBqbpZI+6Qj1UZD4aS/wKRwpkumVF+
-U4wgzUg5DXydqmxYGm53tFY4Epg7MY2INFEJQcnFjWWAhwHfb6KAWAspfbnNsyOG
-2WqPfXBTerhI0INXOKuFvtn7Qjkb/YL4WjrTT5vrP3jYEF2rptpANnxV8EkmabzV
-ABEBAAGJAZ8EGAECAAkFAk7Hp9UCGwwACgkQUYQlLYJLGOgV4Qv/ZpiZf2YR4MTL
-RvZur+kDc7UYf+MaBLkbuJXksOXgRu/lQPTkozjQ4vJnHdlQV2QyUY9xvtYozFfG
-lHzH1g4D/0tWOUG788g5D8mKg+yNb4Fx4oku5HVNIZROMiJiaHVAgdZv+A+Q2r7z
-YnwEVndeZCXizXzVIhfbATqph/jMjXc9v9zvMVd7ZrhlBJSwdO8ylxCjAX71xW2L
-p6wOefEN08TwpavIRtXwUZCm8oZEKBYBwrnZfS/HfbK7sGiZn9dXnTmh4SlNwbcd
-dDbC584iKR8wMm4YrgoZxNPxUSd040GVcS+DKFWaG5amm1e4imNSQ+dC6NQr6j27
-Pa9DQnu7O5ulL61R/8zEJO99eR0oAzQuVJkOWLn8M1dosp5FaIS0AMm7HfjPaGDk
-Brz5zlyUAQFM5CY0c6oPZzRSJ1bZ7ost7LKB5OSW6S7C2zbZgXS1ZzF5xVo3c4AH
-txIIPAX1+idhs3C9TpLvkucPQLJ6OpINDcZyaaEZfFr4jDRHW0eaiQGfBCgBAgAJ
-BQJOx7ByAh0DAAoJEFGEJS2CSxjoOG8MAIAPbJLRIScwMV6a87w5BNkXmm9p9gDx
-f5YlUxY6RNsppeWqQGoyoBilwQlfER0SurZWU6vJh/Nkzxkh7SqtTMpHGF5HFPFA
-O8cMKZRB2qOBMoGChHLpYNKIKhQZtCiRYgWYWYr2mToTcpvoVAYFNuP2oOzWEo68
-9PdeVVETtr0onJ0ru8LKN/nvTjZ6qVG2bdJ73xkHIkYUyq+z2AdoasbPtWHsVsJ9
-lDA34l2LXMZK5XKz/AkODX++YWtvAIJfKWr55V72Tp6uu3Z+f4JqfQY3wYpAkAgd
-vrSdbmESG61Xe+HnLzC0qk2/yVyEo5SOHHDt58dO0oB+9TMwAyviJqG559cxfd1u
-E4EmHjuGHeN2RwfOz2RL9wpGguKe8VH47huqXr8ZEpNfxvnoycHum0NqEfBp/94p
-p8ggoB+mGK+W0fnw6sGqFWT9n7ImB3NbuzT0sd/p2wEWd08nvRbbQCWZPaHzPAUX
-6R/V0+oah8j+pU6HurKAa/3fuRE66JJIK7kBDQROx6fVAQgAhEWcwAlUUwy5g53b
-pVGvqAFj6/KJmPp2pH8slVyyf1fWB66F4op5/cFO5qY44a3HhRWCI+HjOW+Ib8fU
-AT6A5EilkLSgf/F5VKLZdmH5L1ub3exGl3gt7hNb8P826JfTO57VnLUnksGS8wg6
-ecJK08CRkjmtYM5WUlExXv5kSVxGnHp0DLMQ+vekbIYRBIBv3OB/lGeyKImACdK0
-IPWiFrGJiLUUvNctcXTEnb/2yW/ctFmt7xtBgbN5q4brq0ZCxTDy91rK+np+tRiE
-tQlE4Ut8s4qS8RRaNJWPTkmCQDH72SRgqfxO6nlMRkhMHIikbDZXvn3fXayywo9U
-as0ElQARAQABiQGfBBgBAgAJBQJOx6fVAhsgAAoJEFGEJS2CSxjo4QoL/1o6dwwP
-/TjB/JqUFrvTyi4OK258CEv4GvXTnUlE1F7gBqQEWZnDpTW1ZBcrUAwAf56Nm9iE
-oFZbTW8c3oEXCb7F6ezfV74o43Lg9Tlks2leUmxc0+3PnXbMqJBfNgO9W96I/7Q9
-9t5YKDmjLeEGeVlCSBlEkkiLMupC3LgKAfLOLxi9DjlpvAXBVvTlMM9ygEGRdwsT
-SygBYEVQheLHW3vZJlAZLgRdCRummxJmM91jkJJP1b2xHtdTQ/HlylfRKESpKswv
-IffOofHYKHtRRIvhCA7rcpNHOcpCkZO4nONlLhD7bgb/hE+4fFldroUlTcSHX7Gj
-YyZ8SCiWfCCks03gKo6TCnDSIpWfsMX4sQswsGZu0V+aGHq1jA/d3f2U2Bh+EaCT
-CQr5AggAoW/PMJo89NYia1ayMXneXy9mdzaTHSIC0+HXdRq+V1qvPnsR3ZSat9eF
-7/JhsAVXBYr2HIdqJ5FBk12rfbh1XRXb/IOEG7AvFE0k16oVMyr35JNC/okBnwQo
-AQIACQUCTsewbQIdAwAKCRBRhCUtgksY6A5bDACCWeELwz5KvZq+rmeOZtLm28L3
-6xf7dtKKIaBA7Rctk4LCokXlsmotZolXuoULH1mgPxxEOKWxTVBoXSGaEWTUP61L
-cSmRDygCFBNct/MHB+mw00jrfpLjW/8c7A3ysD/VR42gXxWtojSaqGESgYVegWeF
-NY+8UxIHtIGfmpaE+58dVbO9Z774Z1eSpjZzbMHWZtV4RmnZLrZjTF+SMYpY0b6X
-o7LtQUidcldhtXgA+JhOd1leOGL8eXJAdBPkqaNmyXNYa+9yFsIN17d0aw/Owrn/
-AlFBR6FQBjl4Mf5D41uJIy+bcmolHeTnx5pgIngBPo76W7zQDgiNcQ8UfW4mRSOH
-po7jh5o88kF3QTNETmEQQSQUlNnOH4NP9XiL2Ce85gs0D++nRDmt2tbshSqS8xEp
-U2oxRjEQx5eyuQqEZEt95nLC7YkECqvUDopAmCR8zVzur2HKtz/ScMQ8cLvgV/WG
-DWK7TtEiLpQR6VL76LQ67lyK35zq8pLjQwsD0e0=
-=cE6/
------END PGP PUBLIC KEY BLOCK-----

packager-keyids

@@ -1,66 +0,0 @@
-6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD	allan
-9437DD3815A7A9169E3D3946AFF5D95098BC6FF5	alucryd
-4FCF887689C41B09506BE8D5F3E1D5C5D30DB0AD	andrea
-ADC8A1FCC15E01D45310419E94657AB20F2A092B	andyrtr
-40776A5221EF5AD468A4906D42A1DB15EC133BAD	angvp
-962855F072C7A01846405864FCF3C8CB5CF9C8D4	arodseth
-CE0BDE71A759A87F23F0F7D8B61DBCE10901C163	bgyorgy
-5A2257D19FF7E1E0E415968CE62F853100F0D0F0	bisson
-CFA6AF15E5C74149FC1D8C086D1655C14CE1C13E	bluewind
-F3691687D867B81B51CE07D9BBE43771487328A9	bpiotrowski
-6EA3F3F3B9082632A9CBE931D53A0445B47A0DAB	cbehan
-66BD74A036D522F51DD70A3C7F2A16726521E06D	cbrannon
-9515D8A8EAB88E49BB65EDBCE6B456CAF15447D5	cinelli
-E7210A59715F6940CF9A4E36A001876699AD6E84	daenyth
-A5CA9D5515DC2CA73DF748CA5C2E46A0F53A76ED	dan
-5696C003B0854206450C8E5BE613C09CB4440678	daniel
-40440DC037C05620984379A6761FAD69BA06C6A9	dicebot
-63F395DE2D6398BBE458F281F2DBB4931985A992	dieter
-0F334D8698881578F65D2AE55ED514A45BD5C938	djgera
-487EACC08557AD082088DABA1EB2638FF56C0C53	dreisner
-5559BC1A32B8F76B3FCCD9555FA5E5544F010D48	dwallace
-5357F3B111688D88C1D88119FCF2CB179205AC90	eric
-07DFD3A0BC213FA12EDC217559B3122E2FA915EC	faidoc
-86CFFCA918CF3AF47147588051E8B148A9999C34	foutrelis
-B5971F2C5C10A9A08C60030F786C63F330D7CB92	fyan
-717026A9D4779FC53940726640F557B731496106	aginiewicz
-F648622B1715468FD654F45CB7310AE5F04569AE	giovanni
-4D913AECD81726D9A6C74F0ADA6426DD215B37AD	guillaume
-8218F88849AAC522E94CF470A5E9288C4FA415FA	heftig
-F4DDD6DDCEC320B665F502AAE8F18BA1615137BC	ibiru
-DB2277BCD500AA3825610BDDDB323392796CA067	idevolder
-F5A361A3A13554B85E57DDDAAF7EF7873CFD4BB6	jconder
-E499C79F53C96A54E572FEE1C06086337C50773E	jelle
-A84B8DC73AB832067BE54C3C976AC6FA3B94FA10	jgc
-38EDD1886756924E1224E49524E4CDB0013C2580	jlichtblau
-8742F7535E7B394A1B048163332C9C40F40D2072	jsteel
-355BDB97ED4724E6B3A450E7A3D9562A589874AB	juergen
-8F76BEEA0289F9E1D3E229C05F946DED983D4366	juster
-7FA647CD89891DEDC060287BB9113D1ED21E1A55	kchen
-48C3B1F30DDD0FE67E516D16396E3E25BAB142C1	kkeen
-535F8C0339450F054A4D282706096A6AD1CEDDAC	lcarlier
-2E36D8620221482FC45CB7F2A91764759326B440	lfleischer
-2C118C620F02DB9AC1D0F9FA94DD2393DA2EE423	mtorromeo
-4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC	pierre
-D4DE5ABDE2A7287644EAC7E36D1A9E70E19DAA50	plewis
-44EA62ACDBC81B6A0D1FD267206CBC892D1493D2	remy
-81D7F8241DB38BC759C80FCE3A726C6170E80477	romashka
-EA84EA00866F51FB10CD19AE426991CD8406FFF3	ronald
-D921CABED130A5690EF1896E81AF739EC0711BF1	schiv
-2612B04099DBD9B9A3DD92A0456C7A9B91B842AE	schuay
-B81B051F2D7FC867AAFF35A58DBD63B82072D77A	seblu
-8840BD07FC24CB7CE394A07CCF7037A4F27FB7DA	speps
-3E518BF2526FD1979E8AAE4965C110C1EA433FC7	spupykin
-76B4192E902C0A52642C63C273B8ED52F1D357C1	stativ
-0B20CA1931F5DA3A70D0F8D2EA6836E1AB441196	stephane
-8FC15A064950A99DD1BD14DD39E4B877E62EB915	svenstaro
-34C5D94FE7E7913E86DC427E7FB1A3800C84C0A5	td123
-65EEFE022108E2B708CBFCF7F9E712E59AF5F22A	thestinger
-A314827C4E4250A204CE6E13284FC34C8E4B1A25	thomas
-FB871F0131FEA4FB5A9192B4C8880A6406361833	tomegun
-5B7E3FB71B7F10329A1C03AB771DF6627EDF681F	tpowa
-8CF934E339CAD8ABF342E822E711306E3C4F88BC	tredaelli
-39F880E50E49A4D11341E8F939E4F17F295AFBF4	ttopper
-B1F2C889CB2CCB2ADA36D963097D629E437520BD	vesa
-4A8B17E20B88ACA61860009B5CED81B7C2E5C0D2	xyne
-EC3CBE7F607D11E663149E811D1F0DC78F173680	xyne

packager-revoked-keyids

@@ -1 +0,0 @@
-BC1FBE4D2826A0B51E47ED62E2539214C6C11350	cinelli		User is no longer in possession of his key