[arch-dev-public] Developer / TU key signing, first master key available
Hello developers / TUs, My Arch master key is available at [1] with fingerprint 6841 48BB 25B4 9E98 6A49 44C5 5184 252D 824B 18E8. Every packager, please do the following: 1) Reply to this email to thomas@master-key.archlinux.org and fully quote this email. Include your gerolde/sigurd username in the email. Sign your reply using your GPG key. 2) Upload your public key (gpg --armor --export $KEYID) to your home directory on gerolde/sigurd under the name $HOME/arch-linux-packager-key. 3) Name at least one package in the repositories already signed with your key. Sadly, this process will only prove that you are in posession of the ssh key to upload packages into the repositories. I will contact you personally afterwards if I need further identification. Please note: there are be 5 master key holders (Allan, Dan, Pierre, Ionut, me), and you need at least 3 signatures on your key so your packages will be trusted by pacman. Regards Thomas [1] https://dev.archlinux.org/~thomas/thomas_AT_master-key.archlinux.org.asc
Am 19.11.2011 15:38, schrieb Thomas Bächler:
Please note: there are be 5 master key holders (Allan, Dan, Pierre, Ionut, me), and you need at least 3 signatures on your key so your packages will be trusted by pacman.
To make things a little different I have send a mail to every packager using the mail entered into your archweb profile. If you didn't receive such a mail please contact me. Greetings, Pierre -- Pierre Schmitz, http://pierre-schmitz.com
On Sat, 19 Nov 2011 15:38:04 +0100 Thomas Bächler <thomas@archlinux.org> wrote:
Hello developers / TUs,
My Arch master key is available at [1] with fingerprint 6841 48BB 25B4 9E98 6A49 44C5 5184 252D 824B 18E8.
Every packager, please do the following: 1) Reply to this email to thomas@master-key.archlinux.org and fully quote this email. Include your gerolde/sigurd username in the email. Sign your reply using your GPG key. 2) Upload your public key (gpg --armor --export $KEYID) to your home directory on gerolde/sigurd under the name $HOME/arch-linux-packager-key. 3) Name at least one package in the repositories already signed with your key.
Sadly, this process will only prove that you are in posession of the ssh key to upload packages into the repositories. I will contact you personally afterwards if I need further identification.
Please note: there are be 5 master key holders (Allan, Dan, Pierre, Ionut, me), and you need at least 3 signatures on your key so your packages will be trusted by pacman.
Regards Thomas
[1] https://dev.archlinux.org/~thomas/thomas_AT_master-key.archlinux.org.asc
I have two signatures right now on my key. What about the others master key holders? Are they going to send an email like you and Pierre did? Or should we send an email to them with the same procedure? Daniel
On 11/22/2011 08:03 PM, Daniel Isenmann wrote:
On Sat, 19 Nov 2011 15:38:04 +0100 Thomas Bächler <thomas@archlinux.org> wrote:
Hello developers / TUs,
My Arch master key is available at [1] with fingerprint 6841 48BB 25B4 9E98 6A49 44C5 5184 252D 824B 18E8.
Every packager, please do the following: 1) Reply to this email to thomas@master-key.archlinux.org and fully quote this email. Include your gerolde/sigurd username in the email. Sign your reply using your GPG key. 2) Upload your public key (gpg --armor --export $KEYID) to your home directory on gerolde/sigurd under the name $HOME/arch-linux-packager-key. 3) Name at least one package in the repositories already signed with your key.
Sadly, this process will only prove that you are in posession of the ssh key to upload packages into the repositories. I will contact you personally afterwards if I need further identification.
Please note: there are be 5 master key holders (Allan, Dan, Pierre, Ionut, me), and you need at least 3 signatures on your key so your packages will be trusted by pacman.
Regards Thomas
[1] https://dev.archlinux.org/~thomas/thomas_AT_master-key.archlinux.org.asc
I have two signatures right now on my key. What about the others master key holders? Are they going to send an email like you and Pierre did?
Or should we send an email to them with the same procedure?
Daniel
me and Dan are waiting the cards holders to arrive. -- Ionuț
Am 22.11.2011 19:04, schrieb Ionut Biru:
I have two signatures right now on my key. What about the others master key holders? Are they going to send an email like you and Pierre did?
Or should we send an email to them with the same procedure?
Daniel
me and Dan are waiting the cards holders to arrive.
And Allan is away right now. This process will not complete over night, but we're on it now.
On Tue, 22 Nov 2011 19:23:30 +0100 Thomas Bächler <thomas@archlinux.org> wrote:
Am 22.11.2011 19:04, schrieb Ionut Biru:
I have two signatures right now on my key. What about the others master key holders? Are they going to send an email like you and Pierre did?
Or should we send an email to them with the same procedure?
Daniel
me and Dan are waiting the cards holders to arrive.
And Allan is away right now. This process will not complete over night, but we're on it now.
I know that this process won't complete over night, I just was wondering what the next steps are. Just reccieved the mail from you and Pierre with the statement that you need at least 3 signatures to be trusted by pacman and that's why I have asked. Just wanted to know what the status is and now I know it. ;) Thanks... Daniel
Am 22.11.2011 19:29, schrieb Daniel Isenmann:
I know that this process won't complete over night, I just was wondering what the next steps are. Just reccieved the mail from you and Pierre with the statement that you need at least 3 signatures to be trusted by pacman and that's why I have asked.
Just wanted to know what the status is and now I know it. ;)
Thanks... Daniel
Next steps, as far as I know: 1) Wait until everyone has at least 3 signatures. 2) Import the master keys using pacman-key. 3) --lsign-key the master keys using pacman-key. 4) Set the trust level of the master keys to "marginal" using pacman-key --edit-key. 5) Set your SigLevel in pacman.conf to TrustedOnly (which is also the default, unless you configured 'Never' or 'TrustAll').
Il 22/11/2011 19:04, Ionut Biru ha scritto:
me and Dan are waiting the cards holders to arrive.
OK, I have two signatures too. I will be waiting for Ionut and Dan signatures. Allan, is he waiting for the cards holders too? -- Arch Linux Developer http://www.archlinux.org http://www.archlinux.it
Am 22.11.2011 19:24, schrieb Giovanni Scafora:
Il 22/11/2011 19:04, Ionut Biru ha scritto:
me and Dan are waiting the cards holders to arrive.
OK, I have two signatures too. I will be waiting for Ionut and Dan signatures. Allan, is he waiting for the cards holders too?
I think Allan didn't want to use the OpenPGP Smartcard, but his computer instead. As I said, he is currently away.
Am Sat, 19 Nov 2011 15:38:04 +0100 schrieb Thomas Bächler <thomas@archlinux.org>:
Hello developers / TUs,
My Arch master key is available at [1] with fingerprint 6841 48BB 25B4 9E98 6A49 44C5 5184 252D 824B 18E8.
Every packager, please do the following: 1) Reply to this email to thomas@master-key.archlinux.org and fully quote this email. Include your gerolde/sigurd username in the email. Sign your reply using your GPG key. 2) Upload your public key (gpg --armor --export $KEYID) to your home directory on gerolde/sigurd under the name $HOME/arch-linux-packager-key. 3) Name at least one package in the repositories already signed with your key.
Sadly, this process will only prove that you are in posession of the ssh key to upload packages into the repositories. I will contact you personally afterwards if I need further identification.
Please note: there are be 5 master key holders (Allan, Dan, Pierre, Ionut, me), and you need at least 3 signatures on your key so your packages will be trusted by pacman.
Regards Thomas
[1] https://dev.archlinux.org/~thomas/thomas_AT_master-key.archlinux.org.asc
Moin Thomas. Mit Pierre bin ich ja schon durch. Der Key liegt in meinem Homedir auf Gerolde. Username andyrtr. Den Fingerprint, den Pierre haben wollte, brauchst Du nicht? gnutls, LibO, mesa sind von mir signiert. Such Dir was aus. Brauchst Du noch was? Andy
Hi all, here is a little status update. So far I have issued 67 signatures in total for 36 Developers and Trusted Users. 10 people haven't reported back and another 11 haven't even managed to publish their key yet. I created a graph of our web of trust as it looks now (using sig2dot; thanks Dan): https://users.archlinux.de/~pierre/tmp/sigs.png Greetings, Pierre -- Pierre Schmitz, http://pierre-schmitz.com
Am 23.11.2011 17:12, schrieb Pierre Schmitz:
Hi all,
here is a little status update. So far I have issued 67 signatures in total for 36 Developers and Trusted Users. 10 people haven't reported back and another 11 haven't even managed to publish their key yet.
I created a graph of our web of trust as it looks now (using sig2dot; thanks Dan): https://users.archlinux.de/~pierre/tmp/sigs.png
I am pretty sure I have way less than 36 replies so far.
On Wed, Nov 23, 2011 at 10:12 AM, Pierre Schmitz <pierre@archlinux.de> wrote:
Hi all,
here is a little status update. So far I have issued 67 signatures in total for 36 Developers and Trusted Users. 10 people haven't reported back and another 11 haven't even managed to publish their key yet.
I created a graph of our web of trust as it looks now (using sig2dot; thanks Dan): https://users.archlinux.de/~pierre/tmp/sigs.png
What happened to the colors? -Dan
Am 23.11.2011 20:13, schrieb Dan McGee:
On Wed, Nov 23, 2011 at 10:12 AM, Pierre Schmitz <pierre@archlinux.de> wrote:
Hi all,
here is a little status update. So far I have issued 67 signatures in total for 36 Developers and Trusted Users. 10 people haven't reported back and another 11 haven't even managed to publish their key yet.
I created a graph of our web of trust as it looks now (using sig2dot; thanks Dan): https://users.archlinux.de/~pierre/tmp/sigs.png
What happened to the colors?
-Dan
I found black fonts on a darkgray background hard to read: https://users.archlinux.de/~pierre/tmp/sigs-color.png Btw: I'll keep both graphs updated for now. -- Pierre Schmitz, http://pierre-schmitz.com
participants (7)
-
Andreas Radke
-
Dan McGee
-
Daniel Isenmann
-
Giovanni Scafora
-
Ionut Biru
-
Pierre Schmitz
-
Thomas Bächler