Hi David,

I am very sorry. I misjudged the urgency of this topic. I assumed signing the additional uid is more a "nice to have", since pacman and wkd already work fine. I opened the ticket at https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/143 so we can create the merge requests once the new uid is fully trusted as well. I'll create new (more secure) key pairs once I have a more capable hardware key. I'll also phase out my master key once a robust web of trust has been established.

Greetings,
Pierre

On Sat, Jan 15, 2022 at 1:37 AM David Runge via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
Hi all,
in the past days there have been a few releases of our archlinux-keyring package, which contains the root trust of our distribution.
We have successfully switched to using keyringctl [1] to manage the keyring. From now on all changes to the keyring are done via merge requests towards the archlinux-keyring repository, as it now serves as the source of truth, whereas in the past we have been relying on the dying SKS infrastructure or the Ubuntu keyserver (which may or may not support all key types in use).
I have contacted all of you over the past months and either requested the addition of an @archlinux.org UID, the creation of a new PGP keypair or the verification of your PGP key by means of a clearsigned token.
To all that have added a new @archlinux.org UID or have created a new key, please make sure that all signatures you have received from main signing keys are also present in the current keyring (`pacman-key --list-sigs <nick>@archlinux.org`) or in the current HEAD of archlinux-keyring (`./keyringctl inspect <nick>` in a clone of the archlinux-keyring repository). If you have signatures that are not yet in the keyring, you can add them yourself [2] and do not have to wait on a main signing key holder to do it.
To all that have created a new key, please make sure to set up the correct PGP key ID in your archweb profile so that the website displays the signatures correctly [3]. If you have gained three or more main key signatures for your new PGP key and the key as well as those signatures are already available in the keyring in [core], please rebuild all of your packages using your new key and start the process of having your old key removed [4]. For the purpose of mass package rebuilding you may create a TODO [5] and use `rebuild-todo` (in the archlinux-contrib package), which makes use of our build server infrastructure.
I have not yet gotten a response from or have not yet been able to resolve my request with the following packagers (nickname in the archlinux-keyring repository):
- bgyorgy
- archange
- arodseth
- kylekeen
- daurnimator
- pierre
- farseerfc
Please make some time to create a new key / UID or get signed, as Allan would like to revoke his signing key in the near future (which may mean the inability to sign packages and a mass rebuild of the packages in question) as soon as the above packager signature situation has stabilized.
In case you have questions, feel free to reach out in #archlinux-staff on libera.chat or via mail. If you are interested in helping further develop keyringctl, have a look at the relevant open tickets [6].
Best, David
[1] https://gitlab.archlinux.org/archlinux/archlinux-keyring/#usage
[2] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/A...
[3] https://archlinux.org/master-keys/#master-sigs
[4] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/R...
[5] https://archlinux.org/todo/add/
[6] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues?scope=all&state=opened&not[label_name][]=new%20packager%20key&not[label_name][]=remove%20packager%20key&not[label_name][]=new%20main%20key&not[label_name][]=remove%20main%20key
-- Pierre Schmitz, https://pierre-schmitz.com
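The check David asks for (which main signing keys have certified which of your UIDs, and whether the three-main-key threshold for switching packages to a new key is met) can be scripted against the machine-readable output of gpg instead of reading `pacman-key --list-sigs` by eye. The following is an added example for this thread, not code from archlinux-keyring or keyringctl. It assumes the listing was produced with `gpg --homedir /etc/pacman.d/gnupg --with-colons --list-sigs <nick>@archlinux.org` (the keyring pacman-key operates on); the main-key IDs and the listing embedded below are constructed placeholders, not real Arch Linux keys, and must be replaced with the real main-key IDs from the keyring before the script says anything about a real packager key. It counts only exportable certification signatures (classes 0x10 to 0x13 with the `x` suffix), since local (`l`) signatures never reach the keyring, and drops a signer again when a `rev` record from the same main key follows.

```python
"""Count main-key certifications per UID from `gpg --with-colons --list-sigs`.

Added example for the arch-dev-public thread above; not part of
archlinux-keyring or keyringctl. MAIN_KEY_IDS and SAMPLE_LISTING are
constructed placeholders, not real Arch Linux keys.
"""

# Constructed placeholder IDs for the distribution's main signing keys (NOT real
# Arch Linux main keys; substitute the IDs from the actual keyring).
MAIN_KEY_IDS = {
    "1111111111111111",
    "2222222222222222",
    "3333333333333333",
    "4444444444444444",
}

# Constructed sample of the colon-format listing of one packager key with an old
# UID and a new @archlinux.org UID. Field layout (1-based): 1 record type,
# 5 key ID, 10 user ID, 11 signature class.
SAMPLE_LISTING = """\
pub:f:4096:1:ABCDEFABCDEFABCD:1640000000:::f:::scESC::::::23::0:
fpr:::::::::0000ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEF:
uid:f::::1640000000::HASH1::Example Packager <packager@example.org>::::::::::0:
sig:::1:ABCDEFABCDEFABCD:1640000000::::Example Packager <packager@example.org>:13x::
sig:::1:1111111111111111:1640100000::::Main Key One:13x::
sig:::1:2222222222222222:1640100000::::Main Key Two:13x::
sig:::1:3333333333333333:1640100000::::Main Key Three:13x::
rev:::1:3333333333333333:1640200000::::Main Key Three:30x::
uid:f::::1641000000::HASH2::Example Packager <packager@archlinux.org>::::::::::0:
sig:::1:ABCDEFABCDEFABCD:1641000000::::Example Packager <packager@archlinux.org>:13x::
sig:::1:1111111111111111:1641100000::::Main Key One:13x::
sig:::1:2222222222222222:1641100000::::Main Key Two:13x::
sig:::1:3333333333333333:1641100000::::Main Key Three:13x::
sig:::1:4444444444444444:1641100000::::Main Key Four:13l::
sub:f:4096:1:FEDCBAFEDCBAFEDC:1640000000::::::s::::::23:
sig:::1:ABCDEFABCDEFABCD:1640000000::::Example Packager <packager@example.org>:18x::
"""

CERT_CLASSES = {"10", "11", "12", "13"}  # generic/persona/casual/positive certification


def main_key_sigs(listing: str, main_keys: set) -> dict:
    """Map each user ID to the set of main keys holding a live, exportable
    certification on it. Signature records apply to the most recent uid record;
    pub/sub records end the current uid so subkey binding sigs are never counted."""
    per_uid = {}
    current_uid = None
    for line in listing.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "uid":
            current_uid = fields[9]
            per_uid.setdefault(current_uid, set())
        elif rtype in ("pub", "sub"):
            current_uid = None
        elif rtype in ("sig", "rev") and current_uid is not None:
            signer, sig_class = fields[4], fields[10]
            if signer not in main_keys:
                continue
            if rtype == "rev":
                # A later revocation from the same main key cancels its certification.
                per_uid[current_uid].discard(signer)
            elif sig_class[:2] in CERT_CLASSES and sig_class.endswith("x"):
                per_uid[current_uid].add(signer)
    return per_uid


def uids_meeting_threshold(per_uid: dict, threshold: int = 3) -> list:
    """User IDs certified by at least `threshold` distinct main keys."""
    return [uid for uid, signers in per_uid.items() if len(signers) >= threshold]


if __name__ == "__main__":
    sigs = main_key_sigs(SAMPLE_LISTING, MAIN_KEY_IDS)
    for uid, signers in sigs.items():
        print(f"{uid}: {len(signers)} main-key signature(s) {sorted(signers)}")
    print("ready for rebuild:", uids_meeting_threshold(sigs))
```

On the constructed sample, the old UID ends up with two main-key signatures (the third was revoked) and the new @archlinux.org UID with three (the fourth is a local signature and is ignored), so only the new UID passes the threshold. Against a real key, read the listing from gpg's stdout instead of SAMPLE_LISTING and compare the result with `./keyringctl inspect <nick>` in a clone of archlinux-keyring, since the thread's point is that signatures missing from the repository HEAD are the ones you have to add yourself.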