Hi all,

To mitigate different issues with the current status of PGP keyservers and to simplify the management of our keyring, we worked towards exploring a new way to handle our keyring: the idea is to have a curated keyring whose source of truth is the repository itself, without relying on external components to collect the WoT.

The repository will consist of atomic files representing PGP packets, which a directory structure logically combines into individual certificates. The advantage is that a new signature is literally just a new independent file as a merge request against the repository, which is also very easy to audit.

David and I have spent quite some time developing keyringctl [0]. This tool will provide a convenient UX to work with and inspect the decomposed certificates. Furthermore, it will also be responsible for joining all certificates into a keyring and exporting ownertrust and revocation status as pacman requires.

For now, bootstrap the keyring directory from the old PGP data by:

  ./keyringctl import --main master master-revoked
  ./keyringctl import packager packager-revoked

We are calling for review and testing specifically for the following:

- Try to find bugs by bench testing the commands with real world use cases and files. Some usage examples: [1]
- Have individual people verify the pacman compatible artifacts created by the `build` command.

cheers,
David & Levente

[0] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/merge_requests/24
[1] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/blob/feature/cura...
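As an added illustration of the packet-per-file layout described in the post (example code for readers, not part of keyringctl or the linked merge request), the following Python script parses only the OpenPGP packet framing from RFC 4880 (old- and new-format headers), writes each packet of a binary certificate to its own file, and reassembles the directory byte-for-byte. The SAMPLE_CERT bytes are constructed dummies with real packet headers, and the file naming scheme, the function names and the refusal of partial body lengths are assumptions of this example, not keyringctl's actual layout.

```python
"""Split a binary OpenPGP certificate into one file per packet (RFC 4880 framing).

Added example, not keyringctl's own code. Only the packet framing is parsed;
packet bodies are opaque, so any binary (non-armored) certificate can be
decomposed into a directory and reassembled byte-exactly.
"""
from __future__ import annotations

from pathlib import Path

# RFC 4880 section 4.3 packet tags that make up a certificate.
TAG_NAMES = {2: "Signature", 6: "PublicKey", 13: "UserID",
             14: "PublicSubkey", 17: "UserAttribute"}


def split_packets(data: bytes) -> list[tuple[int, bytes]]:
    """Return [(tag, raw_packet_bytes)] covering ``data`` exactly.

    Handles old-format (RFC 4880 4.2.1) and new-format (4.2.2) headers with
    definite lengths. Partial body lengths (first length octet 224..254) and
    old-format indeterminate lengths are refused: a curated keyring wants
    self-contained packets, and rejecting is safer than mis-splitting.
    """
    packets = []
    pos = 0
    while pos < len(data):
        start = pos
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError(f"offset {start}: bit 7 not set, not a packet header")
        if ctb & 0x40:  # new format: tag in low 6 bits, variable-size length
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError(f"offset {start}: partial body length not supported")
        else:  # old format: tag in bits 2..5, length-type in bits 0..1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError(f"offset {start}: indeterminate length not supported")
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + nbytes], "big")
            pos += nbytes
        end = pos + length
        if end > len(data):
            raise ValueError(f"offset {start}: packet body runs past end of data")
        packets.append((tag, data[start:end]))
        pos = end
    return packets


def packet_filename(index: int, tag: int) -> str:
    """Stable, auditable name: sequence number plus packet type (my own scheme)."""
    return f"{index:03d}-{TAG_NAMES.get(tag, f'Tag{tag}')}.pgp"


def write_packet_dir(cert: bytes, outdir: Path) -> list[Path]:
    """Decompose ``cert`` into ``outdir``; each packet becomes one file."""
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for i, (tag, raw) in enumerate(split_packets(cert)):
        path = outdir / packet_filename(i, tag)
        path.write_bytes(raw)
        written.append(path)
    return written


def join_packet_dir(indir: Path) -> bytes:
    """Reassemble a certificate from a packet directory, in file-name order."""
    return b"".join(p.read_bytes() for p in sorted(indir.glob("*.pgp")))


def new_format_packet(tag: int, body: bytes) -> bytes:
    """Build a new-format packet; used here only to construct sample input."""
    n = len(body)
    if n < 192:
        hdr = bytes([0xC0 | tag, n])
    elif n < 8384:
        hdr = bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = bytes([0xC0 | tag, 255]) + n.to_bytes(4, "big")
    return hdr + body


# Constructed sample "certificate": real packet framing, dummy bodies.
SAMPLE_CERT = (
    new_format_packet(6, b"\x04" + b"K" * 300)            # public key, 2-octet length
    + bytes([0x80 | (13 << 2) | 0, 5]) + b"alice"         # old-format User ID
    + new_format_packet(2, b"S" * 70)                     # self-signature
    + new_format_packet(14, b"\x04" + b"s" * 10000)       # subkey, 5-octet length
    + new_format_packet(2, b"B" * 80)                     # binding signature
)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "alice"
        for p in write_packet_dir(SAMPLE_CERT, d):
            print(p.name, p.stat().st_size)
        print("round-trip ok:", join_packet_dir(d) == SAMPLE_CERT)
```

Running the script writes five files (000-PublicKey.pgp through 004-Signature.pgp) and checks that concatenating them in name order reproduces the input. The property worth noting for review is the one the post relies on: a certification added to a key is one new file whose diff can be read on its own, and joining the directory back into a certificate is a plain concatenation with no state outside the repository.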