Arch Linux CondorCore repo PGP keyring
Go to file
2023-09-04 08:45:00 -05:00
.gitlab Replace keyserver upload requirement with keys.openpgp.org 2023-03-14 17:45:03 +01:00
keyring update marginal signatures to masterkeys 2023-09-03 18:08:40 -05:00
libkeyringctl update maintainers keys 2023-09-03 12:54:49 -05:00
maintainers update maintainers keys 2023-09-03 12:50:54 -05:00
tests Fix formatting in tests 2023-02-25 16:18:34 +01:00
wkd_sync Collect failed keys and print them at the end 2023-03-20 16:24:49 +01:00
.editorconfig Use spaces instead of tabs in files 2022-07-29 14:36:46 +02:00
.flake8 Add flake8 configuration 2021-11-30 22:54:06 +01:00
.gitignore .gitignore: Add coverage and pycache 2021-11-30 22:54:14 +01:00
.gitlab-ci.yml Rename wkd_build to pages 2022-09-02 19:04:02 +02:00
CONTRIBUTING.md Remove reference to AUTHORS file 2022-07-31 22:55:33 +02:00
keyringctl keyringctl: use python3 in shebang 2022-06-08 15:42:08 +02:00
LICENSE Add GPL-3.0-or-later license file 2021-07-29 07:48:34 +02:00
Makefile Remove extra forward slash from archlinux-keyring-wkd-sync.service 2023-03-20 14:28:13 +01:00
pyproject.toml Include files for coverage instead of omitting others 2022-01-11 11:04:43 +01:00
README.md update Readme 2023-09-04 08:45:00 -05:00

condorcore-keyring

The archlinux-keyring project holds PGP packet material and tooling (keyringctl) to create the distribution keyring for Arch Linux. The keyring is used by pacman to establish the web of trust for the packagers of the distribution.

The PGP packets describing the main signing keys can be found below the keyring/main directory, while those of the packagers are located below the keyring/packager directory.

Requirements

The following packages need to be installed to be able to create a PGP keyring from the provided data structure and to install it:

Build:

  • make
  • findutils
  • pkgconf
  • systemd

Runtime:

  • python
  • sequoia-sq >= 0.31.0

Optional:

  • hopenpgp-tools (verify)
  • git (ci)

Usage

Build

Build all PGP artifacts (keyring, ownertrust, revoked files) to the build directory

./keyringctl build

Import

Import a new packager key by deriving the username from the filename.

./keyringctl import <username>.asc

Alternatively import a file or directory and override the username

./keyringctl import --name <username> <file_or_directory...>

Updates to existing keys will automatically derive the username from the known fingerprint.

./keyringctl import <file_or_directory...>

Main key imports support the same options plus a mandatory --main

./keyringctl import --main <username>.asc

Export

Export the whole keyring including main and packager to stdout

./keyringctl export

Limit to specific certs using an output file

./keyringctl export <username_or_fingerprint_or_directory...> --output <filename>

List

List all certificates in the keyring

./keyringctl list

Only show a specific main key

./keyringctl list --main <username_or_fingerprint...>

Inspect

Inspect all certificates in the keyring

./keyringctl inspect

Only inspect a specific main key

./keyringctl inspect --main <username_or_fingerprint_or_directory...>

Verify

Verify certificates against modern expectations and assumptions

./keyringctl verify <username_or_fingerprint_or_directory...>

Installation

To install archlinux-keyring system-wide use the included Makefile:

make install

Contribute

Read our contributing guide to learn more about guidelines and how to provide fixes or improvements for the code base.

Releases

Releases of archlinux-keyring are exclusively created by keyring maintainers.

The tags are signed with one of the following legitimate keys:

condorbs master key <contacto@condorbs.net>
5972 44DB EA52 EC6E FE5F 36A4 FDD4 2A59 FD43 C07B

Kevin Muñoz (CyberSecurity Engineer) <kmunoz@condorbs.net>
2B9D 22B4 1F2A F104 2BFC E73A 3CA0 B9DF 1BE7 CE09

Jesus Martin Ortega Martinez (Sysadmin/Backend Developer) <jortega@condorbs.net>
9E64 6BB0 630C 8FD1 8ACD 1554 1B93 E6A7 66CD 229D

To verify a tag, first import the relevant PGP keys:

gpg --auto-key-locate wkd --search-keys <email-from-above>

Afterwards a tag can be verified from a clone of this repository. Please note that one must check the used key of the signature against the legitimate keys listed above:

git verify-tag <tag>

License

Archlinux-keyring is licensed under the terms of the GPL-3.0-or-later (see LICENSE).