# condorcore-keyring

The archlinux-keyring project holds PGP packet material and tooling
(`keyringctl`) to create the distribution keyring for Arch Linux.
The keyring is used by pacman to establish the web of trust for the packagers
of the distribution.

The PGP packets describing the main signing keys can be found below the
[keyring/main](keyring/main) directory, while those of the packagers are located below the
[keyring/packager](keyring/packager) directory.

## Requirements

The following packages need to be installed to be able to create a PGP keyring
from the provided data structure and to install it:

Build:

* make
* findutils
* pkgconf
* systemd

Runtime:

* python
* sequoia-sq >= 0.31.0

Optional:

* hopenpgp-tools (verify)
* git (ci)

## Usage

### Build

Build all PGP artifacts (keyring, ownertrust, revoked files) to the build directory

```bash
./keyringctl build
```

### Import

Import a new packager key by deriving the username from the filename.

```bash
./keyringctl import <username>.asc
```

Alternatively import a file or directory and override the username

```bash
./keyringctl import --name <username> <file_or_directory...>
```

Updates to existing keys will automatically derive the username from the known fingerprint.

```bash
./keyringctl import <file_or_directory...>
```

Main key imports support the same options plus a mandatory `--main`

```bash
./keyringctl import --main <username>.asc
```

### Export

Export the whole keyring including main and packager to stdout

```bash
./keyringctl export
```

Limit to specific certs using an output file

```bash
./keyringctl export <username_or_fingerprint_or_directory...> --output <filename>
```

### List

List all certificates in the keyring

```bash
./keyringctl list
```

Only show a specific main key

```bash
./keyringctl list --main <username_or_fingerprint...>
```

### Inspect

Inspect all certificates in the keyring

```bash
./keyringctl inspect
```

Only inspect a specific main key

```bash
./keyringctl inspect --main <username_or_fingerprint_or_directory...>
```

### Verify

Verify certificates against modern expectations and assumptions

```bash
./keyringctl verify <username_or_fingerprint_or_directory...>
```

## Installation

To install archlinux-keyring system-wide use the included `Makefile`:

```bash
make install
```

## Contribute

Read our [contributing guide](CONTRIBUTING.md) to learn more about guidelines and
how to provide fixes or improvements for the code base.

## Releases

[Releases of
archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/tags)
are exclusively created by [keyring maintainers](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/project_members?with_inherited_permissions=exclude).

The tags are signed with one of the following legitimate keys:

```
condorbs master key <contacto@condorbs.net>
5972 44DB EA52 EC6E FE5F 36A4 FDD4 2A59 FD43 C07B

Kevin Muñoz (CyberSecurity Engineer) <kmunoz@condorbs.net>
2B9D 22B4 1F2A F104 2BFC E73A 3CA0 B9DF 1BE7 CE09

Jesus Martin Ortega Martinez (Sysadmin/Backend Developer) <jortega@condorbs.net>
9E64 6BB0 630C 8FD1 8ACD 1554 1B93 E6A7 66CD 229D
```

To verify a tag, first import the relevant PGP keys:

```bash
gpg --auto-key-locate wkd --search-keys <email-from-above>
```

Afterwards a tag can be verified from a clone of this repository. Please note
that one **must** check the used key of the signature against the legitimate
keys listed above:

```bash
git verify-tag <tag>
```
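
A plain `git verify-tag` only tells you that *some* key in your gpg keyring made a valid signature, so the comparison against the list above is the step that actually pins the release to the maintainers. The following POSIX shell helper is an added example, not part of keyringctl or this repository: it runs `git verify-tag --raw`, which emits gpg's machine-readable `[GNUPG:]` status lines, and accepts the tag only when the `VALIDSIG` line's primary-key fingerprint is one of the three fingerprints listed above. The names `LEGITIMATE_FPRS`, `check_status_fpr`, `verify_tag_fpr`, `SAMPLE_STATUS` and `check_sample` are this example's own choices, and `SAMPLE_STATUS` is constructed, not captured from a real tag.

```shell
#!/bin/sh
# Added example (not keyringctl code): pin a release tag's signer to the
# legitimate fingerprints listed in this README.

# Primary-key fingerprints from the list above, spaces removed.
LEGITIMATE_FPRS='597244DBEA52EC6EFE5F36A4FDD42A59FD43C07B
2B9D22B41F2AF1042BFCE73A3CA0B9DF1BE7CE09
9E646BB0630C8FD18ACD15541B93E6A766CD229D'

# check_status_fpr: read gpg "[GNUPG:] ..." status lines on stdin. Succeed only
# if a VALIDSIG line exists and its last field, the primary-key fingerprint
# (gpg reports it even when a subkey made the signature), is allowlisted.
# A BADSIG, a missing signature, an unlisted key, or an old gpg that omits the
# primary fingerprint all fail closed.
check_status_fpr() {
    fpr=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$fpr" ] || return 1
    printf '%s\n' "$LEGITIMATE_FPRS" | grep -qixF -- "$fpr"
}

# verify_tag_fpr <tag>: git verify-tag --raw writes gpg's status output to
# stderr; route that into the check. Needs a clone of the repo, git and gpg.
verify_tag_fpr() {
    git verify-tag --raw "$1" 2>&1 >/dev/null | check_status_fpr
}

# Constructed status output (not captured from a real tag) so the check can be
# exercised offline: a good signature whose primary key is the third listed key.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1B93E6A766CD229D Jesus Martin Ortega Martinez <jortega@condorbs.net>
[GNUPG:] VALIDSIG 9E646BB0630C8FD18ACD15541B93E6A766CD229D 2024-01-01 1704067200 0 4 0 22 8 00 9E646BB0630C8FD18ACD15541B93E6A766CD229D
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# check_sample: run the allowlist check over the constructed status lines.
check_sample() {
    printf '%s\n' "$SAMPLE_STATUS" | check_status_fpr
}

# Usage: sh check-tag.sh <tag>   (hypothetical script name)
if [ "$#" -gt 0 ]; then
    verify_tag_fpr "$1" && echo "tag $1: signed by a listed key" \
        || { echo "tag $1: NOT signed by a listed key" >&2; exit 1; }
fi
```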

## License

Archlinux-keyring is licensed under the terms of the **GPL-3.0-or-later** (see
[LICENSE](LICENSE)).