[arch-dev-public] Making package signing keys available in our WKD

Jonas Witschel diabonas at archlinux.org
Tue Feb 4 16:55:18 UTC 2020


Hi everybody,

since version 5.2 pacman supports downloading the package signing keys
from our newly implemented Web Key Directory (WKD) [1]. Since the key
server network that we are currently relying on for this purpose is not
in a very healthy state any more [2], it seems like a good time to store
all PGP keys in our WKD to be independent of the key servers.

This will require an update of some of the existing keys: keys in the WKD
are looked up by email address, so you need to have a user ID with an
@archlinux.org email address on your PGP key to make use of our existing
WKD (or set up a WKD on your own server in case you are using a custom
domain for your email address). If you don't have an @archlinux.org email
address yet, you can talk to the Devops team e.g. using the
#archlinux-devops IRC channel to get one set up.

To see if your key is already in our WKD, please visit [3]. If all three
columns are green, you are all set, otherwise you need to take one of
the following actions:

- If the "Has @archlinux.org UID" column is "No", you need to add an
additional UID to your PGP key:

$ gpg --edit-key YOURKEY
adduid
save
$ gpg --send-keys YOURKEY

- If the "Uses @archlinux.org email for packaging" column is "No", you
need to set the PACKAGER variable in your makepkg.conf to use your
(newly created) @archlinux.org UID. Please double-check the
configuration of all the machines you use to build packages since the
packager email address is used for the key lookup in pacman.

- If the "@archlinux.org UID is fully trusted" column is "No", your key
already has the required format, but the UID needs to be signed by at
least three master key holders. You do not need to do anything right now
(apart from maybe changing the PACKAGER variable as described in the
previous bullet point).

In order to make it easier for the master key holders to sign all the
new UIDs, it would be great if everybody could add the new UID to their
key within the next two months. I will then collect all the new and
currently untrusted UIDs and submit them to the key holders for batch
signing.

If there are any questions on adding the new UID or adjusting the
packager variable, please do not hesitate to contact me.

Cheers,
Jonas

[1] https://bugs.archlinux.org/task/63171
[2] https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
[3] https://wiki.archlinux.org/index.php/User:Diabonas/WKD_support_by_developer_key
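For reference, this is the lookup pacman performs against the WKD, as an added Python example that is not part of the mail above nor of pacman's own code: WKD lowercases the local part of the address, hashes it with SHA-1, encodes the digest in z-base-32 and fetches the key from a well-known path under the domain, which is why the UID has to carry exactly the address set in PACKAGER. The PACKAGER sample value is constructed; the "Joe.Doe@Example.ORG" test vector is the one from the WKD Internet-Draft.

```python
import hashlib
import re
from urllib.parse import quote

# z-base-32 alphabet as used by the WKD specification (and by GnuPG)
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, most significant bit first, zero-padded."""
    nbits = len(data) * 8
    pad = (-nbits) % 5
    value = int.from_bytes(data, "big") << pad
    nbits += pad
    return "".join(ZBASE32[(value >> shift) & 31] for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """WKD hashes the lower-cased local part with SHA-1 and z-base-32 encodes it."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(email: str) -> dict:
    """Return the 'advanced' and 'direct' WKD lookup URLs for an email address."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    domain = domain.lower()
    digest = wkd_hash(local)
    # The l= parameter carries the local part as written (not lowercased),
    # so a server with case-sensitive mailboxes can still serve the right key.
    query = "?l=" + quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{digest}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{digest}{query}",
    }


def packager_email(packager: str) -> str:
    """Extract the address from a makepkg.conf PACKAGER value such as 'Name <user@domain>'."""
    match = re.search(r"<([^<>\s]+@[^<>\s]+)>", packager)
    if not match:
        raise ValueError("PACKAGER has no <email> part, so there is nothing to look up in a WKD")
    return match.group(1)


if __name__ == "__main__":
    # Constructed PACKAGER value; the domain is the one this mail asks for.
    for name, url in wkd_urls(packager_email("Some Packager <packager@archlinux.org>")).items():
        print(f"{name}: {url}")
```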
