Since !180, all keys are tried. This can indeed be useful but buries
the offending key in a long output log.
This stores a message containing the key and UID during processing and
prints them all at the end.
The MIT keyserver is frequently unavailable for uploads so it no longer
make sense to block new keys based on its availability.
Once we have main-key signing tooling built into `keyringctl` this
requirement will no longer be necessary since the tooling will be able
to be run from branches already containing the necessary keys.
Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
wkd_sync/archlinux-keyring-wkd-sync:
Ignore keys with SHA-1 self-signature (by hardcoding them in a readonly
array) so that they will not be synced from WKD.
The Arch Linux WKD setup does not contain keys with SHA-1
self-signatures anymore.
.gitlab/issue_templates/*:
Remove pierre from list of main keys.
.gitlab/merge_request_templates/*:
Use group of main key holders when assigning reviewers, instead of
listing them all separately.
keyring/packager/tpkessler/04CF0CD6F6EE93AE1896F58407D06351CA5B31BE/uid/Torsten_Kessler__tpkessler@archlinux.org_535cde49/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature by dvzrv (2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E) for tpkessler (04CF0CD6F6EE93AE1896F58407D06351CA5B31BE).
keyring/packager/bgyorgy/14E46FE5FD69F2E287E244DB632C3CC0D1C9CAF6/uid/Ballo_Gyorgy__bgyorgy@archlinux.org_9cece270/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature of dvzrv
(2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E) for bgyorgy
(14E46FE5FD69F2E287E244DB632C3CC0D1C9CAF6).
keyring/packager/alucryd/9437DD3815A7A9169E3D3946AFF5D95098BC6FF5/uid/Maxime_Gauduin__alucryd@archlinux.org_2606bf1f/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc
Add revocation for certificate by dvzrv
(2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E) on alucryd's key
(9437DD3815A7A9169E3D3946AFF5D95098BC6FF5).
... but with a reasonable delay of five minutes, and limited to three
invocations per hour. After that the service goes into failed state.
This should mitigate service failure caused by intermittent network
issues or server reboot on our side.
keyring/packager/pierre/3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C/uid/Pierre_Schmitz__pierre@archlinux.org_e7e0700e/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature of dvzrv
(2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E) for pierre
(3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C).
On Debian/Ubuntu the default shell is dash, and builds are done with
SHELL overridden to dash. Since archlinux-keyring now has Bash-isms in
the install and uninstall targets (for {} expansion), and rewriting it
to drop this is inconvenient (because we'll have to repeat the path
prefixes), hardcode the use of Bash instead.
Use /bin/bash to be compatible with distros that have not finished the
/bin -> /usr/bin migration yet.
Signed-off-by: Michel Alexandre Salim <michel@michel-slm.name>
keyring/packager/blakkheim/54C1FD273361EA514A237793F296BDE50368C6CE/uid/T.J._Townsend__blakkheim@archlinux.org_476bd08f/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature of dvzrv
(2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E) for blakkheim
(54C1FD273361EA514A237793F296BDE50368C6CE).
.gitlab-ci.yml:
Copy the WKD dir to a public dir (used by gitlab pages) directly instead
of creating the public dir and copying into it, as that is brittle.
Makefile:
Force symlinking of systemd unit for activation. If the service is
already installed and activated (symlinked) on the target system, a
non-forced symlink would fail otherwise.
.gitlab-ci.yml:
Add gitlab-ci integration to build WKD dir on tag using the `make wkd`
target per FQDN used by Arch Linux. Builds only happen on a secure
runner, the job is running in its own stage after the tests and only
runs in pipelines for tags.
keyring/packager/serebit/CAAE0C97533C35D3A0C6C34066E60E5F785A6824/uid/Campbell_Jones__for_package_signing_only___serebit@archlinux.org_55f6fd2b/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature by dvzrv
(2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E) for serebit
(CAAE0C97533C35D3A0C6C34066E60E5F785A6824).
keyring/packager/yan12125/E62545315B012B69C8C94A1D56EC201BFC794362/uid/Chih-Hsuan_Yen__yan12125@archlinux.org_fea86268/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature by dvzrv
(2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E) for yan12125
(E62545315B012B69C8C94A1D56EC201BFC794362).
There are some other changes with my current key:
* Actually revoke an unused uid
As per RFC 4880 [1], a revocation signature (sigclass 0x30) "should
have a later creation date than that certificate." However, somehow in
my keyring I have certificates newer than the previous revocation
signature. As a result, that uid is not marked as revoked by gpg. I
created a new revocation signature to fix that.
* Make @archlinux.org the primary UID
[1] https://datatracker.ietf.org/doc/html/rfc4880
wkd_sync/archlinux-keyring-wkd-sync.service.in:
Replace use of explicit script location (i.e. /usr/bin) with
SCRIPT_TARGET_DIR placeholder.
Makefile:
Create WKD sync service file from input file, replacing the
SCRIPT_TARGET_DIR placeholder with $SCRIPT_TARGET_DIR.
wkd_sync/archlinux-keyring-wkd-sync.service -> wkd_sync/archlinux-keyring-wkd-sync.service.in:
This allows using the file as input file, where overriding keywords can
be done using sed.
Makefile:
Change Makefile to allow installation of keyring data, systemd units and
scripts more configurable.
This allows user provided overrides via KEYRING_TARGET_DIR,
SCRIPT_TARGET_DIR, SYSTEMD_SYSTEM_UNIT_DIR.
Instead of relying on wildcards, rely on specifically named files, as
this can be reused also in the uninstall target without issue and
provides a clearer overview of what will be installed/uninstalled.
Specifically only make use of DESTDIR in the install and uninstall
targets, which allows easier overrides.
Extend uninstall target to also remove WKD sync related script and
systemd units.
keyring/packager/dvzrv/991F6E3F0765CF6295888586139B09DA5BF0D338/uid/David_Runge__dvzrv@archlinux.org_d2ad250f/certification/D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C.asc:
Add main key signature by anthraxx for dvzrv on key 991F6E3F0765CF6295888586139B09DA5BF0D338.
keyring/packager/muflone/CAA1D2323A05219AA2F01AA4E642299183ED727E/*:
Revoke signature on muflone@archlinux.org for
CAA1D2323A05219AA2F01AA4E642299183ED727E.
.gitlab-ci.yml:
Add pkgconf and systemd to the list of packages, that are installed
before executing the build and install targets. They are required to
retrieve the correct path for systemd's system units.
wkd_sync/archlinux-keyring-wkd-sync.timer:
Add timer which triggers archlinux-keyring-wkd-sync.service to
persistently refresh existing PGP keys of archlinux-keyring weekly with
up to 12h of randomized delay.
wkd_sync/archlinux-keyring-wkd-sync:
Add script to refresh existing keys of archlinux-keyring on user
systems based on the state of the distribution's Web Key Directory
(WKD).
Invalid or revoked keys are ignored.
Instead of simply string matching a line, we now traverse the packet as
a tree and match the path based on a depth first search.
While traversing, we support logical OR and current depth * wildcard
processed as a component based query expression.
Callee's are adjusted to specifically select the appropriate Issuer at
the correct depth.
Fixes#185
keyring/packager/muflone/42DFAFB7C03B2E4E7BBDBA69930B82BFC2BDA011/uid/Fabio_Castelli__Muflone___Arch_Linux___muflone@archlinux.org_3db85507/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature by `2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E` for
`muflone@archlinux.org` on `42DFAFB7C03B2E4E7BBDBA69930B82BFC2BDA011`.
keyring/packager/arodseth/8A9BC5819C54FEB3DC2A9B48C32217F6F13FF192/uid/Alexander_F._Rodseth__xyproto@archlinux.org_0d098e0d/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature of dvzrv for xyproto's key with the ID 8A9BC5819C54FEB3DC2A9B48C32217F6F13FF192.
.gitlab-ci.yml:
Remove legacy keyword 'cobertura' and use the gitlab >= 15 based
`coverage_report` which is used to specify format and path to coverage
XML.
keyring/packager/farseerfc/CE536327AED18EABC3B99A17F4AA4E0ED2568E87/uid/Jiachen_YANG__Arch_Linux_Packager_Signing_Key___farseerfc@archlinux.org_30efed36/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for `CE536327AED18EABC3B99A17F4AA4E0ED2568E87`.
keyring/packager/dvzrv/991F6E3F0765CF6295888586139B09DA5BF0D338/uid/David_Runge__dvzrv@archlinux.org_d2ad250f/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for PGP key with ID
`991F6E3F0765CF6295888586139B09DA5BF0D338`.
keyring/packager/archange/69DA34D78FE0EFD596AC6D049D893EC4DAAF9129/uid/Bruno_Pagani__archange@archlinux.org_4d5b885f/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature from dvzrv for archange.
libkeyringctl/{keyring,sequoia,util}.py:
As Iterable and Iterator are only used for type hints, switch to using
typing.{Iterable,Iterator} instead of
collections.abc.{Iterable,Iterator} for Python < 3.9.0, as older Python
interpreters will otherwise raise TypeError.
.gitlab/issue_templates/*:
Replace allan with grazzolini when assigning tickets or when addressing
main key holders.
Streamline the checkbox system, by relying on less interaction from the
main key holders side if possible (e.g. checks on new keys are done
automatically in a merge request, so have contributors open the merge
request).
Add more documentation on what needs to be edited and how to provide
data exactly (e.g. keyid format, clearsigned document).
keyring/packager/alucryd/95220BE99CE6FF778AE0DC670F65C7D881506130/uid/Maxime_Gauduin__alucryd@archlinux.org_2606bf1f/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Main key signature by dvzrv for alucryd (95220BE99CE6FF778AE0DC670F65C7D88150613).
keyring/main/grazzolini/*:
Add new main key with ID `159F3A43AEB246C5746C033814BC4F30B3B92EBA` by
Giancarlo Razzolini.
* new-mk-grazzolini:
New Master Key of Giancarlo Razzolini
keyring/packager/pierre/4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC/uid/Pierre_Schmitz__pierre@archlinux.org_e7e0700e/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add dvzrv main key signature for pierre.
Relates to #143
keyring/packager/daurnimator/954A3772D62EF90E4B31FBC6C91A9911192C187A/uid/Daurnimator__daurnimator@archlinux.org_2baa8b1a/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add dvzrv main key signature for daurnimator
keyring/packager/muflone/CAA1D2323A05219AA2F01AA4E642299183ED727E/uid/Fabio_Castelli__Muflone___Arch_Linux___muflone@archlinux.org_3db85507/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add dvzrv main key signature for muflone.
Relates to #114
This invokes the dedicated ci keyringctl command that is responsible
to check with sq-keyring-linter and hokey when completely unknown
new keys are added to the keyring.
pyproject.toml:
Use specific include for files to use in the coverage report instead of
relying on a list of omitted files (which may grow over time and not
cover all use-cases).
keyring/packager/anatolik/8E1992167465DB5FB045557CB02854ED753E0F1F/uid/Anatol_Pomozov__Arch_Linux_developer_account___anatolik@archlinux.org_00db9eb5/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for anatolik.
https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/137
keyring/packager/jleclanche/169704C6FB490C6892C7F23C37E0AF1FDA48F373/uid/Jerome_Leclanche__jleclanche@archlinux.org_11de0d03/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for jleclanche.
https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/123
keyring/packager/dvzrv/C7E7849466FE2358343588377258734B41C31549/uid/David_Runge__dvzrv@archlinux.org_d2ad250f/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc
Add main key signature for dvzrv.
keyring/packager/artafinde/B4B759625D4633430B74877059E43E106B247368/uid/Leonidas_Spyropoulos__artafinde@archlinux.org_60c8c94e/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for artafinde.
keyring/packager/nicohood/97312D5EB9D7AE7D0BD4307351DAE9B7C1AE9161/uid/NicoHood__nicohood@archlinux.org_bad775c3/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for nicohood.
keyring/packager/cbehan/25ACE777F62C5E5ACBF2C0474E532176DBAD6F47/uid/Connor_Behan__cbehan@archlinux.org_f24a7748/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for cbehan.
keyring/packager/ainola/BE2DBCF2B1E3E588AC325AEAA06B49470F8E620A/uid/Brett_Cornwall__ainola@archlinux.org_90fec327/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for ainola.
keyring/packager/coderobe/54EB4D6DB209862C8945CACCED84945B35B2555C/uid/Robin_Broda__Arch_Linux___coderobe@archlinux.org_6ce6c858/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signatuer for coderobe.
keyring/packager/xyne/D89FAAEB4CECAFD199A2F5E612C6F735F7A9A519/uid/Xyne.__Replaces_EC3CBE7F607D11E663149E811D1F0DC78F173680.___xyne@archlinux.org_7b075f4f/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signatuer for xyne.
keyring/packager/seblu/B81B051F2D7FC867AAFF35A58DBD63B82072D77A/uid/Sebastien_Luttringer__seblu@archlinux.org_2339bc81/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for seblu.
keyring/packager/tensor5/A667E8A1B61D07A50FC430DF69DF1F2EB44B05BE/uid/Nicola_Squartini__tensor5@archlinux.org_42ff807f/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for tensor5.
keyring/packager/dbermond/80247D99EABD3A4D1E3A1836E85B8683EB48BC95/uid/Daniel_Bermond__dbermond@archlinux.org_b01455c5/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for dbermond.
keyring/packager/jlichtblau/38EDD1886756924E1224E49524E4CDB0013C2580/uid/Jaroslav_Lichtblau__svetlemodry@archlinux.org_12feb151/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for jlichtblau.
keyring/packager/lfleischer/2E36D8620221482FC45CB7F2A91764759326B440/uid/Lukas_Fleischer__Arch_Linux___lfleischer@archlinux.org_876710fa/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for lfleischer.
keyring/packager/juergen/209A36D43CE2E87DA861FC58539DFD48135182EF/uid/Jurgen_Hotzel__Arch_Linux_Developer_Key___juergen@archlinux.org_ab80fc95/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for juergen.
keyring/packager/lcarlier/535F8C0339450F054A4D282706096A6AD1CEDDAC/uid/Laurent_Carlier__lordheavym@archlinux.org_a72d7b01/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for lcarlier.
keyring/packager/kpcyrd/64B13F7117D6E07D661BBCE0FE763A64F5E54FD6/uid/kpcyrd__kpcyrd@archlinux.org_05f09dd3/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for kpcyrd.
keyring/packager/andrewSC/601F20F1D1BBBF4A78CF5B6DF6B1610B3ECDBC9F/uid/Andrew_Crerar__crerar@archlinux.org_1627868e/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for andrewSC.
keyring/packager/sangy/903BAB73640EB6D65533EFF3468F122CE8162295/uid/Santiago_Torres-Arias__santiago@archlinux.org_6c66fb1a/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for sangy.
keyring/packager/polyzen/04DC3FB1445FECA813C27EFAEA4F7B321A906AD9/uid/Daniel_M._Capella__polyzen@archlinux.org_baf25f25/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for polyzen.
keyring/packager/rgacogne/A4CBEA7974898599195E4FEC46EC46F39F3E2EF1/uid/Remi_Gacogne__rgacogne@archlinux.org_56f61a3b/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for rgacogne.
keyring/packager/kgizdov/0A9DDABB64B993D82AD45E4F32EAB0A976938292/uid/Konstantin_Gizdov__Arch_Linux___kgizdov@archlinux.org_0b9ef17d/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for kgizdov.
keyring/packager/tpowa/5B7E3FB71B7F10329A1C03AB771DF6627EDF681F/uid/Tobias_Powalowski__tpowa@archlinux.org_9a5dc15f/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for tpowa.
keyring/packager/grazzolini/ECCAC84C1BA08A6CC8E63FBBF22FB1D78A77AEAB/uid/Giancarlo_Razzolini__grazzolini___grazzolini@archlinux.org_c1113025/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for grazzolini.
keyring/packager/shibumi/6DAF7B808F9DF25139620000D21461E3DFE2060D/uid/Christian_Rebischke__Arch_Linux_Security_Team-Member___Chris.Rebischke@archlinux.org_7d9474e2/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for shibumi.
keyring/packager/remy/44EA62ACDBC81B6A0D1FD267206CBC892D1493D2/uid/Remy_Oudompheng__remy@archlinux.org_05dc492d/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for remy.
keyring/packager/raster/04F7A0E31E08D3E08D39AFEBD147F94364295E8C/uid/Carsten_Haitzler__raster@archlinux.org_02b5c9a5/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for raster.
keyring/packager/foxboron/C100346676634E80C940FB9E9C02FF419FECBE16/uid/Morten_Linderud__foxboron@archlinux.org_52506fee/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for foxboron.
keyring/packager/bluewind/CFA6AF15E5C74149FC1D8C086D1655C14CE1C13E/uid/Florian_Pritz__bluewind@archlinux.org_02e4c8b2/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for bluewind.
keyring/packager/arojas/9D74DF6F91B7BDABD5815CA84AC5588F941C2A25/uid/Antonio_Rojas__arojas@archlinux.org_0857f6fd/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for arojas.
keyring/packager/alucryd/9437DD3815A7A9169E3D3946AFF5D95098BC6FF5/uid/Maxime_Gauduin__alucryd@archlinux.org_2606bf1f/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for alucryd.
keyring/packager/jsteel/8742F7535E7B394A1B048163332C9C40F40D2072/uid/Jonathan_Steel__jsteel@archlinux.org_f62ee297/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for jsteel.
keyring/packager/jelle/E499C79F53C96A54E572FEE1C06086337C50773E/uid/Jelle_van_der_Waa__jelle@archlinux.org_b484b992/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for jelle.
keyring/packager/andyrtr/ADC8A1FCC15E01D45310419E94657AB20F2A092B/uid/Andreas_Radke__andyrtr@archlinux.org_c12ef6dc/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for andyrtr.
keyring/packager/FFY00/3DCE51D60930EBA47858BA4146F633CBB0EB4BF2/uid/Filipe_Lains__FFY00___lains@archlinux.org_dbd13ab3/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for FFY00.
keyring/packager/heftig/A2FF3A36AAA56654109064AB19802F8B0D70FC30/uid/Jan_Alexander_Steffens__heftig___heftig@archlinux.org_85a5903b/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main signture for heftig.
keyring/packager/fyan/B5971F2C5C10A9A08C60030F786C63F330D7CB92/uid/Felix_Yan__felixonmars@archlinux.org_659e86de/certification/2AC0A42EFB0B5CBC7A0402ED4DC95B6D7BE9892E.asc:
Add main key signature for fyan.
De-duplicate not needed certifications by cleaning the keyring after
import to remove old files when processing revocations. This basically
adds the functionality compared to import-clean.
Declare the whole keyring data as well as the code as input dependency
for the build target. This way we can properly depend on the build
target for installation without forcing rebuilding on every invocation.
A rebuild will be triggered if either the keyring or the source code
creating the build output changes.
The directories are added to the source dependencies on purpose to
guarantee that changes like deleted files will result in a rebuild.
The mtime of the build directory is force updated on every run to allow
make to track the output artifacts mtime compared against the
dependencies.
libkeyringctl/keyring.py:
Simplify `convert_certificate()` by splitting out the conversion of
signature packets to `convert_signature_packet()` and the persistence of
packet material to `persist_key_material()`.
Add `convert_pubkey_signature_packet()`,
`convert_uid_signature_packet()` and
`convert_subkey_signature_packet()` to deal with the conversion of
public key signatures, UID signatures and subkey signatures
(respectively).
tests/test_keyring.py:
Add tests for `convert_certificate()`, `convert_signature_packet()`,
`convert_{pubkey,uid,subkey}_signature_packet()` and
`persist_subkey_revocations()`.
libkeyringctl/keyring.py:
Change `get_packets_from_path()` to use full conditional statements
which is easier to cover in tests.
tests/test_keyring.py:
Add simple tests for `get_packets_from_path()`,
`get_packets_from_listing()`, `export()` and `build()`.
tests/test_keyring.py:
Add tests for `is_pgp_fingerprint()`,
`transform_{fingerprint,username}_to_keyring_path()`,
`derive_username_from_fingerprint()` and get_fingerprints_from_paths()`.
tests/conftest.py:
Add `valid_fingerprint()` and `valid_subkey_fingerprint()` fixtures to
produce a generic "valid" PGP fingerprint string.
Add the `invalid_fingerprint()` fixture to generate a set of "invalid"
fingerprint strings.
This moves all verify code to an own module and adds support to check
all packet files in the structure for integrity. This is done by parsing
assumptions like packet kind, type, issuer and location etc.
CalledProcessError returns bytes for our invocations, the fix that
decoded bytes of stdout was purely to make the mocked test happy while
breaking the actual usage. Restore the behavior and fix the wrong mocked
data.
pyproject.toml:
Set specific source for `toolscoverage.paths` (as we only provide one
module).
Set `tools.coverage.run.relative_files` to true (although it is still
bug riddled and does not seem to work as advertized in regards to xml
output: https://github.com/nedbat/coveragepy/issues/963,
https://github.com/nedbat/coveragepy/issues/1147).
Set `tool.coverage.xml.output`, so we don't have to provide it on the
commandline.
Makefile:
Do not provide an output file to the coverage xml call, as we do that in
configuration now.
tests/test_sequoia.py:
Add unit tests for `keyring_split()`, `keyring_merge()`,
`packet_split()`, `packet_join()`, `inspect()`, `packet_dump()`,
`packet_dump_field()`, `packet_signature_creation_time()`, and
`latest_certification()`.
This feature allows to import from a piped fd like:
> ./keyringctl import --name foobar <(gpg --export foo@bar)
We achieve this even with hidepid by taking the naive approach of
copying the processes fd source to a tempfile and pass around latter.
Otherwise the PGP trust and revocation status file will not match our
expectations. A single applied revocation to this directory structure
should be checked either way.
We can later create TODO's to have at least two revocations for the keys
that would otherwise be still trusted and then change this value.
Currently only newly added certificates will be checked against the
expectations as existing keys are not all fully compatible with those
assumptions. New certificates are determined by using
$CI_MERGE_REQUEST_DIFF_BASE_SHA as the base,
Handle missing or wrong certificate paths in a way that does not lead to
a blocking command by reading from stdin. Instead throw either file not
found errors or expect optional outputs.
When importing a non reduced keyring the certifications were not
deterministic for keys that have multiple certifications per issuer.
This was for example the case for self certifications to extend the
expiry time. Before this commit a random certification could remain the
final one which would lead to a non up to date keyring and a potentially
expired key.
We duplicated resolving usernames and fingerprints to actual keyring
paths in multiple places. De-duplicate the code by using dedicated
functions to do this job.
All modern tooling already reads type hinting from the signatures
instead of the docstring and supports annotating the parameter
accordingly. Remove the duplicated data to avoid out of sync
documentation.
The API makes more sense to return (trusted,revoked) as the caller can
simply derive all certificates by joining the two sets.
To simplify the functions, some code has been replaced to use helper
methods to flatten the nested loops.
By collecting the matching usernames to all fingerprints we are able to
enrich the output of `inspect` to show the usernames next to the
certifications.
This aids initial imports of keyrings that contain multiple certificates
by allowing keyring_split to enforce preserving the filenames. This is
achieved by moving each split keyring into unique sub directories where
the original input filename remains unique.
When we import new packet data, always allow overwrites of the final
packet files. This may happen when importing from multiple files that
provide the same packets, which is fine as they should still yield to
the same results.
This allows an easy to use cli which invokes the export function to get
the keyring and uses the ownertrust and revoke functions to write all
artifacts into a target directory.
This gives more control over the export command that may be useful to
export a single packager to import it into gpg. This will also give more
flexibility to chain this function to the future verify stage.
By default the command exports the whole keyring directory.
Both commands are basically doing the same with the same params except
the target directory differs. Lets condense this behavior by using a
single subcommand with a boolean options.
Move the name cascade to derive the username into the
`convert_certificate` function which allows to use the
certificate_fingerprint directly instead of trying to find it by
splitting the certificate one more time before converting.
The certificate fingerprint in the convert function remains always the
same as we only process a single certificate and loop outside over
multiple keyrings. Therefor remove that layer from the data structures
and implicitly simplify all the assignments and usages.
keyringctl:
Add `get_fingerprints_from_import_source()` to derive all fingerprints
of PGP public keys found in the import source.
Add `get_fingerprints_from_decomposed_dir()` to derive all fingerprints
of PGP public keys found in a directory structure holding decomposed PGP
packet data.
Add `get_fingerprints()` to derive a set of fingerprints of PGP public
keys provided through `get_fingerprints_from_import_source()` and
`get_fingerprints_from_decomposed_dir()`.
Change `convert()` and `convert_certificate()` to accept an optional set
of strings (`fingerprint_filter`) that may be used as a filter for
valid fingerprints when considering certifications.
Change `__main__` to call `convert()` when importing keys to packager or
main dir, providing `fingerprint_filter` which will attempt to look up
fingerprints in the source as well as the target.
keyringctl:
Add `derive_user_from_target()` to derive the username from an existing
public key in the target directory when importing (updates to) an
already known key.
Change `convert()` to either use a custom name override (if provided), a
username derived from target dir (if existing) or the file name of the
to be imported file as username.
.gitlab-ci.yml:
Add rule to run `make lint` if `keyringctl` changes in a merge request.
Add integration stage to always attempt to build and install the keyring
in a containerized environment.
keyringctl:
Use black to format the file, isort to auto-sort all imports.
Remove commented code and (for now) ignore the high complexity in
`convert()` so that flake8 can be used.
keyringctl:
Change `persist_certifications()` to not attempt to read UID binding
signatures for a given UID, if it does not exist and instead output an
error message.
keyringctl:
Change `convert()` to create the target directory including parents.
Change `export_keyring()` to create the output directory and its
parents before outputting data into it.
Remove `keyring_import()` as its functionality is covered by using
`convert()` directly with different subcommands.
Change `__main__` to define `import-main` and `import-packager`
subcommands instead of `import` and to add an `export-keyring`
subcommand. Remove the explicit creation of target dirs (it is now
implemented in `convert()` and `export_keyring()`.
Instead of partially dealing with strings that contain slashes lets just
use the path builder interface by using the operator for every sub path
layer in a uniform way.
This avoids potential issues with wrapped runtime like ipython or pdb
that try to invoke functions at exit and access the current working
directory, which will ultimately lead to an error in case we deleted it
before changing the current working directory.
Lets use sequoia as well to split an input into individual certificates
instead of creating a custom made function for this job.
Pass down the name of the original input file to `convert_certificate`
in case no override has been defined.
keyringctl:
Add documentation to all functions.
Change the inlined functions `convert()` and `alphanum_key()` in
`natural_sort_path()` to rely on type Union[int, str] instead of type
Any.
Change `convert_certificate()` to derive the username using the stem of
the provided certificate.
keyringctl:
Add `temp_join_keys()` to generically join PGP packets in a directory
below a temporary directory.
Add `get_all_and_revoked_certs()` to retrieve a tuple containing a list
of all public key fingerprints and a list of all self-revoked public key
fingerprints in a list of paths.
Add `export_ownertrust()` to export a list of fingerprints of
non-revoked public keys to a file that can be imported using `gpg
--import-ownertrust`.
Add `export_revoked()` to export the fingerprints of all self-revoked
public keys and the fingerprints of public keys that have been revoked
by third party signing keys (the latter is still fairly naive).
Change `export_keyring()` to make use of `temp_join_keys()` for
preparing main signing keys and general keys for the export to file. Add
integration for exporting ownertrust and revoker status (using
`export_ownertrust()` and `export_revoked()`, respectively).
Change `__main__` by extending the export_parser by a `-m`/ `--main`
argument to provide one or multiple files or directories, that serve as
the signing authority for key material located below `-s`/ `--source`.
Add a `-p`/ `--pacman-integration` to provide the means to export
ownertrust and revoker status on demand.
keyringctl:
Add `persist_uids()` to write User ID related packets: User-ID and
PositiveCertifications (UID binding signatures).
Rename `persist_basic_key()` to `persist_public_key()` and change it to
only persist the PublicKey packet.
Change `persist_{certifications,revocations}()` to persist the
certificates to a key-specific 'uids' subdirectory per PublicKey.
Change `convert_certificate()` to rename `uid_binding_sig` to
`uid_bind_sigs`. Simplify the logic for signature related data
assignments.
keyringctl:
Add `persist_subkeys()` and `persist_subkey_revocations()` to persist
the Public-Subkeys and the SubkeyRevocations of a root key out into a
dedicated directory structure below the respective Public-Key.
Change `persist_basic_key()` to not persist the Public-Subkeys and
SubkeyRevocations of a root key anymore and to output debug information
before writing to file.
Change `convert_certificate()` to refer to Public-Subkeys and
PublicSubkeyBinding as `subkeys` and `subkey_binding_sigs`
(respectively) and to explicitly refer to the main certificate
fingerprint when aggregating the data about them. Add
`subkey_revocations` to track any SubkeyRevocations of a given
Public-Subkey, so that it can be persisted to file.
keyringctl:
Change `packet_join()` to add documentation and a `force` parameter with
which sq's force parameter may be toggled (defaults to False).
Add `export_keyring()` to allow writing all provided PGP packet files to
a single output file using `sq keyring merge`.
Change `__main__` to add an `export` subcommand to allow for providing
multiple input sources and one output file. Add an optional `-f/--force`
parameter that can be used to force subcommands that support it. Remove
the unused `start_dir` variable. Move the creation of `target_dir` below
the context that creates the working directory and only create it when
using the `convert` or `import` subcommands (as it is not used
otherwise).
Call `export_keyring()` when using the `export` subcommand.
keyringctl:
Add `sanitize_certificate_file()` to potentially split per-user input
files that contain more than one certificate.
Change `packet_split()` to add documentation and rename the key
parameter to certificate, as it is more generic.
Change `convert_certificate()` to use named parameters when calling
`packet_split()`.
Change `convert()` to call `convert_certificate()` on a list of
sanitized certificates (generated using `sanitized_certificate_file()`)
to be able to deal with multi-certificate files per user.
keyringctl:
Change `__main__` to create the `target_dir` before calling any further
function that relies on it.
Change `convert()` to require the `target_dir` to be not None and to
create all username based target directories before using
`shutil.copytree()` to copy all sources to their respective target
directories when iterating over the paths to persist. This has the
upside, that updates to a target directory structure can be done on the
fly (overwriting existing data), which is not possible with
`shutil.move()`.
keyringctl:
Change `convert_certificates()` to use a more descriptive
`name_override` parameter in its signature to allow the overriding of
the username directory name into which key material is persisted.
Distinguish between the per-username directory and the eventual key
material directory. Instead of the key directory return the username
directory.
Change the `persist*` functions to use the `key_dir` instead of the
`root_dir` terminology as well.
Change `convert()` to optionally allow a `name_override` as well and use
that in the calls to `convert_certificate()`. Make the moving of files
more robust, by at least allowing to move the per-key directories for a
username, if the username target directory exists already. NOTE: This
needs expansion for the use-case where existing files should be
updated/extended by new files.
Add an additional argument to the 'convert' argparse parser to allow
users to override the target username directory name.
keyringctl:
Change `persist_direct_sigs()` to track a sig_type parameter in its
signature so that the output directory of the direct signatures can be
altered.
Change `convert_certificate()` to set a `direct_revocations` variable,
that is used to track KeyRevocations for root keys. Extend the logic to
make use of `add_packet_to_direct_sigs()` to set a list of
KeyRevocations for a given root key. Eventually call
`persist_direct_sigs()` with `direct_revocations` and a custom
`sig_type` to persist the revocation certificates.
keyringctl:
Rename `persist_direct_keys()` to `persist_direct_sigs()` as it is now
not only handling the persistence of DirectKeys but also *Certifications
directly on a root key (those without an explicit User ID).
Add inline function `add_packet_to_direct_sigs()` to
`convert_certificate()` to generically add direct signatures on a root
key, grouped by issuer.
Change `convert_certificate()` to add Certifications on a root key
(without a specified User ID) to the list of direct_sigs, so that they
are persisted alongside any existing DirectKeys.
Remove breakpoints from `persist_certifications()` as they are no longer
reached. The function is now solely used for Certifications on User IDs.
keyringctl:
Add `persist_basic_key()`, `persist_direct_keys()`,
`persist_certifications()` and `persist_revocations()` to allow for
dedicated writing of basic key material, direct key signatures,
per UID certificates and per UID revocations (respectively).
Change `convert_certificate()` to call the new dedicated write functions
instead of implementing the functionality.
Change `convert_certificate()` to raise on missing current_packet_key
when trying to work on signature files (this is unlikely to occur,
unless the input data is somehow broken, but it keeps the linter happy).
Change `convert_certificate()` to handle direct_keys by issuer on a
given root key (DirectKey signatures by the same issuer are combined).
Change the argparse subparser for the 'convert' command to include a
help text.
As the SKS infrastructure is offline for good, we need to switch to
keyserver.ubuntu.com for the time being.
The Ubuntu keyservers to not support EC keys, thus we have to ignore
failure when refreshing keys.
.gitlab/issue_templates/*.md:
Set the title in all issue templates.
Add an explicit identifier (MODIFY) to all parts of the template where
modification is required by the user.
Extend the main key removal template by more specific steps for the main
key holders and keyring maintainer.
.gitlab/issue_templates/Remove Packager Key.md:
Add a subsection for main key holders that specifically tracks the
status on the key signature revocation.
.gitlab/issue_templates/New Packager Key.md:
Extend the Checks section by a subsection specifically for main key
holders, that ensures all main key holders have validated and signed a
new packager key (with the help of checkboxes).
Clarify wording in the keyring maintainer related subsection.
.gitlab/issue_templates/New Main Key.md:
Add issue template for adding a new main key.
.gitlab/issue_templates/New Packager Key.md:
Add issue template for adding a new packager key.
.gitlab/issue_templates/Remove Main Key.md:
Add issue template for removing a main key.
.gitlab/issue_templates/Remove Packager Key.md:
Add issue template for removing a packager key.
... and get latest changes, including:
* revocation of stativ's packager key
* revocation of thomas' master key (dan and giovanni loose full
trust, but no single package is signed by their key)
* new key of dvzrv
are exclusively created by [keyring maintainers](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/project_members?with_inherited_permissions=exclude).
The tags are signed with one of the following legitimate keys:
```
Christian Hesse <eworm@archlinux.org>
02FD 1C7A 934E 6145 4584 9F19 A623 4074 498E 9CEE
David Runge <dvzrv@archlinux.org>
991F 6E3F 0765 CF62 9588 8586 139B 09DA 5BF0 D338
Pierre Schmitz <pierre@archlinux.org>
4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC
Florian Pritz <bluewind@archlinux.org>
CFA6 AF15 E5C7 4149 FC1D 8C08 6D16 55C1 4CE1 C13E
Giancarlo Razzolini <grazzolini@archlinux.org>
ECCA C84C 1BA0 8A6C C8E6 3FBB F22F B1D7 8A77 AEAB
Levente Polyak <anthraxx@archlinux.org>
E240 B57E 2C46 30BA 768E 2F26 FC1B 547C 8D81 72C8
Morten Linderud <foxboron@archlinux.org>
C100 3466 7663 4E80 C940 FB9E 9C02 FF41 9FEC BE16
```
To verify a tag, first import the relevant PGP keys:
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.