Arch Linux CondorCore repo PGP keyring
Go to file
Levente Polyak f908838822
fix(trust): do not count revoked main keys for packager trust
If a main key is revoked we do not want to use those keys to count
the required trust threshold.
2022-02-25 21:36:35 +01:00
.gitlab Cleanup old superseded workflow, script and key material 2022-01-12 20:51:30 +01:00
keyring New Master Key of Giancarlo Razzolini 2022-02-13 10:26:38 -03:00
libkeyringctl fix(trust): do not count revoked main keys for packager trust 2022-02-25 21:36:35 +01:00
tests fix(trust): do not count revoked main keys for packager trust 2022-02-25 21:36:35 +01:00
.editorconfig chore(editorconfig): sync line length with flake8 config to 120 chars 2021-11-30 22:54:10 +01:00
.flake8 Add flake8 configuration 2021-11-30 22:54:06 +01:00
.gitignore .gitignore: Add coverage and pycache 2021-11-30 22:54:14 +01:00
.gitlab-ci.yml gitlab: invoke ci target for advanced checks on new keys 2022-01-13 21:10:51 +01:00
CONTRIBUTING.md feature(ci): run keyring integrity check if keyring or code changes 2021-11-30 22:54:15 +01:00
keyringctl chore(keyringctl): modularize the code for overview and testing 2021-11-30 22:54:12 +01:00
LICENSE Add GPL-3.0-or-later license file 2021-07-29 07:48:34 +02:00
Makefile fix(make): use proper dependency tracking for the build output 2021-11-30 22:54:17 +01:00
pyproject.toml Include files for coverage instead of omitting others 2022-01-11 11:04:43 +01:00
README.md README: fix formatting 2022-01-11 13:19:24 +01:00

archlinux-keyring

The archlinux-keyring project holds PGP packet material and tooling (keyringctl) to create the distribution keyring for Arch Linux. The keyring is used by pacman to establish the web of trust for the packagers of the distribution.

The PGP packets describing the main signing keys can be found below the keyring/main directory, while those of the packagers are located below the keyring/packager directory.

Requirements

The following packages need to be installed to be able to create a PGP keyring from the provided data structure and to install it:

Build:

  • make
  • findutils

Runtime:

  • python
  • sequoia-sq

Optional:

  • hopenpgp-tools (verify)
  • sq-keyring-linter (verify)
  • git (ci)

Usage

Build

Build all PGP artifacts (keyring, ownertrust, revoked files) to the build directory

./keyringctl build

Import

Import a new packager key by deriving the username from the filename.

./keyringctl import <username>.asc

Alternatively import a file or directory and override the username

./keyringctl import --name <username> <file_or_directory...>

Updates to existing keys will automatically derive the username from the known fingerprint.

./keyringctl import <file_or_directory...>

Main key imports support the same options plus a mandatory --main

./keyringctl import --main <username>.asc

Export

Export the whole keyring including main and packager to stdout

./keyringctl export

Limit to specific certs using an output file

./keyringctl export <username_or_fingerprint_or_directory...> --output <filename>

List

List all certificates in the keyring

./keyringctl list

Only show a specific main key

./keyringctl list --main <username_or_fingerprint...>

Inspect

Inspect all certificates in the keyring

./keyringctl inspect

Only inspect a specific main key

./keyringctl inspect --main <username_or_fingerprint_or_directory...>

Verify

Verify certificates against modern expectations and assumptions

./keyringctl verify <username_or_fingerprint_or_directory...>

Installation

To install archlinux-keyring system-wide use the included Makefile:

make install

Contribute

Read our contributing guide to learn more about guidelines and how to provide fixes or improvements for the code base.

Releases

Releases of archlinux-keyring are created by its current maintainer Christian Hesse. Tags are signed using the PGP key with the ID 02FD1C7A934E614545849F19A6234074498E9CEE.

To verify a tag, first import the relevant PGP key:

gpg --auto-key-locate wkd --search-keys eworm@archlinux.org

Afterwards a tag can be verified from a clone of this repository:

git verify-tag <tag>

License

Archlinux-keyring is licensed under the terms of the GPL-3.0-or-later (see LICENSE).