Hi all,
To mitigate various issues with the current state of PGP keyservers and to simplify the management of our keyring, we have been exploring a new way to handle our keyring:
The idea is to have a curated keyring whose source of truth is the repository itself, without relying on external components to collect the WoT. The repository consists of atomic files representing PGP packets, which a directory structure logically combines into individual certificates. The advantage is that a new signature is literally just a new independent file, submitted as a merge request against the repository, which is also very easy to audit.
David and I have spent quite some time developing keyringctl [0]. This tool will provide a convenient UX to work with and inspect the decomposed certificates. Furthermore, it will also be responsible for joining all certificates into a keyring and exporting ownertrust and revocation status as pacman requires.
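As an added example (not keyringctl's code), the kind of framing check the one-packet-per-file layout makes possible: parse the OpenPGP packet header (RFC 4880 sec. 4.2) of each file, reject files that hold zero or several packets, and reassemble a certificate by concatenation. It assumes a layout where each file holds exactly one binary packet and the caller supplies the file order; the sample packets below are constructed placeholders.

```python
from typing import List, Tuple

def parse_packet_header(data: bytes) -> Tuple[int, int, int]:
    """Return (tag, header_len, body_len) for the packet at data[0] (RFC 4880 4.2).
    Streaming forms (partial / indeterminate lengths) are rejected: a curated
    keyring of single-packet files should never contain them."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    b0 = data[0]
    if b0 & 0x40:  # new-format header: tag in low 6 bits, variable-size length
        tag, l1 = b0 & 0x3F, data[1]
        if l1 < 192:
            return tag, 2, l1
        if l1 < 224:
            return tag, 3, ((l1 - 192) << 8) + data[2] + 192
        if l1 == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body length not allowed")
    tag, ltype = (b0 >> 2) & 0x0F, b0 & 0x03  # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not allowed")
    n = (1, 2, 4)[ltype]
    return tag, 1 + n, int.from_bytes(data[1:1 + n], "big")

def packet_tags(data: bytes) -> List[int]:
    """Tags of all packets in data; raises if the framing does not add up."""
    tags, pos = [], 0
    while pos < len(data):
        tag, hlen, blen = parse_packet_header(data[pos:])
        if pos + hlen + blen > len(data):
            raise ValueError("packet body runs past end of data")
        tags.append(tag)
        pos += hlen + blen
    return tags

def join_certificate(files: List[Tuple[str, bytes]]) -> bytes:
    """Concatenate one-packet files into a certificate; a file holding zero or
    several packets is rejected, since each signature must be its own file."""
    out = bytearray()
    for name, blob in files:
        if len(packet_tags(blob)) != 1:
            raise ValueError(f"{name}: expected exactly one packet")
        out += blob
    return bytes(out)

# Constructed sample packets; bodies are placeholders, not real key material.
PRIMARY_KEY = bytes([0xC6, 3]) + b"KEY"   # new format, tag 6 (public key)
USER_ID = bytes([0xCD, 4]) + b"uid@"      # new format, tag 13 (user ID)
SIGNATURE = bytes([0x88, 2]) + b"SG"      # old format, tag 2, 1-octet length
```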
For now, bootstrap the keyring directory from the old PGP data by:
    ./keyringctl import --main master master-revoked
    ./keyringctl import packager packager-revoked
We are calling for review and testing specifically for the following:
- Try to find bugs by bench testing the commands with real-world use cases and files. Some usage examples: [1]
- Have individual people verify the pacman-compatible artifacts created by the `build` command.
Cheers, David & Levente
[0] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/merge_requests/24
[1] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/blob/feature/cura...
arch-dev-public@lists.archlinux.org