condorcore-keyring/.gitlab/issue_templates/New Main Key.md
Johannes Löthberg 33fe23aecf
Replace keyserver upload requirement with keys.openpgp.org
The MIT keyserver is frequently unavailable for uploads so it no longer
makes sense to block new keys based on its availability.

Once we have main-key signing tooling built into `keyringctl` this
requirement will no longer be necessary since the tooling will be able
to be run from branches already containing the necessary keys.

Signed-off-by: Johannes Löthberg <johannes@kyriasis.com>
2023-03-14 17:45:03 +01:00

3.0 KiB

/assign @archlinux/teams/main-key-holders
/label ~"new main key"
/title New main key of

Add a new main key

Details

  • Username:
  • PGP key ID:
  • Revocation Certificate Holder:

Checks

NOTE: The below check boxes must be checked before the accompanying merge request to add the new main key can be merged.

Owner of new key

  • The workflow for adding a new main key has been followed
  • The key pair has been validated according to the best practices
  • The data in the Details section is attached to this issue as a clearsigned document
  • The revocation certificate has been sent in an encrypted message to the revocation certificate holder
  • The public key has been uploaded to the keyserver.ubuntu.com and keys.openpgp.org keyservers, and the archlinux.org UID has been verified on the keys.openpgp.org keyserver. Optionally the key can also be uploaded to the pgp.mit.edu keyserver, but this is no longer mandatory as it's frequently flaky.
  • A merge request to add the new public key has been created

Revocation Certificate Holder

  • The revocation certificate has been verified as working and confirmed in a comment to this issue
  • The revocation certificate has been backed up on a dedicated encrypted backup storage medium

Main key holders

  • The data in the Details section is correct and signed with a valid and trusted packager key, which is already part of archlinux-keyring