[arch-dev-public] Updates to archlinux-keyring and signatures for packager keys
Hi all,

in the past days there have been a few releases of our archlinux-keyring package, which contains the root trust of our distribution.

We have successfully switched to using keyringctl [1] to manage the keyring. From now on all changes to the keyring are done via merge requests towards the archlinux-keyring repository, as it now serves as the source of truth, whereas in the past we have been relying on the dying SKS infrastructure or the Ubuntu keyserver (which may or may not support all key types in use).

I have contacted all of you over the past months and either requested the addition of an @archlinux.org UID, the creation of a new PGP keypair or the verification of your PGP key by means of a clearsigned token.

To all that have added a new @archlinux.org UID or have created a new key, please make sure that all signatures you have received from main signing keys are also present in the current keyring (`pacman-key --list-sigs <nick>@archlinux.org`) or in the current HEAD of archlinux-keyring (`./keyringctl inspect <nick>` in a clone of the archlinux-keyring repository). If you have signatures that are not yet in the keyring, you can add them yourself [2] and do not have to wait on a main signing key holder to do it.

To all that have created a new key, please make sure to set up the correct PGP key ID in your archweb profile so that the website displays the signatures correctly [3]. If you have gained more than or equal to three main key signatures for your new PGP key and the key as well as those signatures are already available in the keyring in [core], please rebuild all of your packages using your new key and start the process of having your old key removed [4]. For the purpose of mass package rebuilding you may create a TODO [5] and use `rebuild-todo` (in the archlinux-contrib package) which makes use of our build server infrastructure.

I have not yet gotten a response from or have not yet been able to resolve my request with the following packagers (nickname in the archlinux-keyring repository):

- bgyorgy
- archange
- arodseth
- kylekeen
- daurnimator
- pierre
- farseerfc

Please make some time to create a new key / UID or get signed, as Allan would like to revoke his signing key in the near future (which may mean the inability to sign packages and mass rebuild of packages in question) as soon as the above packager signature situation has stabilized.

In case you have questions, feel free to reach out in #archlinux-staff on libera.chat or via mail. If you are interested in helping further develop keyringctl, have a look at the relevant open tickets [6].

Best,
David

[1] https://gitlab.archlinux.org/archlinux/archlinux-keyring/#usage
[2] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/A...
[3] https://archlinux.org/master-keys/#master-sigs
[4] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/R...
[5] https://archlinux.org/todo/add/
[6] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues?scope=all&state=opened&not[label_name][]=new%20packager%20key&not[label_name][]=remove%20packager%20key&not[label_name][]=new%20main%20key&not[label_name][]=remove%20main%20key

--
https://sleepmap.de
On 2022-01-14 21:12, David Runge via arch-dev-public wrote:
> To all that have added a new @archlinux.org UID or have created a new key, please make sure that all signatures you have received from main signing keys are also present in the current keyring (`pacman-key --list-sigs <nick>@archlinux.org`) or in the current HEAD of archlinux-keyring (`./keyringctl inspect <nick>` in a clone of the archlinux-keyring repository). If you have signatures that are not yet in the keyring, you can add them yourself [2] and do not have to wait on a main signing key holder to do it.

Thanks for your work on this initiative.

I see that my key has made it but the trust is only marginal:

[~]$ pacman -Q archlinux-keyring
archlinux-keyring 20220114-1
[~]$ pacman-key --list-sigs ainola@archlinux.org
gpg: Note: trustdb not writable
pub   ed25519 2018-10-03 [SC] [expires: 2022-07-18]
      BE2DBCF2B1E3E588AC325AEAA06B49470F8E620A
[snip]
uid           [marginal] Brett Cornwall <ainola@archlinux.org>
sig 3         A06B49470F8E620A 2021-11-18  Brett Cornwall <brett@i--b.com>
sig           4DC95B6D7BE9892E 2021-11-20  David Runge (Arch Linux Master Key) <dvzrv@master-key.archlinux.org>

Is this expected behavior?
On Fri, Jan 14, 2022 at 04:57:00PM -0800, Brett Cornwall via arch-dev-public wrote:
> On 2022-01-14 21:12, David Runge via arch-dev-public wrote:
> > To all that have added a new @archlinux.org UID or have created a new key, please make sure that all signatures you have received from main signing keys are also present in the current keyring (`pacman-key --list-sigs <nick>@archlinux.org`) or in the current HEAD of archlinux-keyring (`./keyringctl inspect <nick>` in a clone of the archlinux-keyring repository). If you have signatures that are not yet in the keyring, you can add them yourself [2] and do not have to wait on a main signing key holder to do it.
>
> Thanks for your work on this initiative.
>
> I see that my key has made it but the trust is only marginal:
>
> [~]$ pacman -Q archlinux-keyring
> archlinux-keyring 20220114-1
> [~]$ pacman-key --list-sigs ainola@archlinux.org
> gpg: Note: trustdb not writable
> pub   ed25519 2018-10-03 [SC] [expires: 2022-07-18]
>       BE2DBCF2B1E3E588AC325AEAA06B49470F8E620A
> [snip]
> uid           [marginal] Brett Cornwall <ainola@archlinux.org>
> sig 3         A06B49470F8E620A 2021-11-18  Brett Cornwall <brett@i--b.com>
> sig           4DC95B6D7BE9892E 2021-11-20  David Runge (Arch Linux Master Key) <dvzrv@master-key.archlinux.org>
>
> Is this expected behavior?

No it's not :) It seems like you haven't pulled the signature from Florian which is on your issue. But you still need one signature for full trust. This means you still need to sign packages with the brett@i--b.com UID.

--
Morten Linderud
PGP: 9C02FF419FECBE16
On 2022-01-14 16:57:00 (-0800), Brett Cornwall via arch-dev-public wrote:
> On 2022-01-14 21:12, David Runge via arch-dev-public wrote:
> > To all that have added a new @archlinux.org UID or have created a new key, please make sure that all signatures you have received from main signing keys are also present in the current keyring (`pacman-key --list-sigs <nick>@archlinux.org`) or in the current HEAD of archlinux-keyring (`./keyringctl inspect <nick>` in a clone of the archlinux-keyring repository). If you have signatures that are not yet in the keyring, you can add them yourself [2] and do not have to wait on a main signing key holder to do it.
>
> Thanks for your work on this initiative.
>
> I see that my key has made it but the trust is only marginal:
>
> [~]$ pacman -Q archlinux-keyring
> archlinux-keyring 20220114-1
> [~]$ pacman-key --list-sigs ainola@archlinux.org
> gpg: Note: trustdb not writable
> pub   ed25519 2018-10-03 [SC] [expires: 2022-07-18]
>       BE2DBCF2B1E3E588AC325AEAA06B49470F8E620A
> [snip]
> uid           [marginal] Brett Cornwall <ainola@archlinux.org>
> sig 3         A06B49470F8E620A 2021-11-18  Brett Cornwall <brett@i--b.com>
> sig           4DC95B6D7BE9892E 2021-11-20  David Runge (Arch Linux Master Key) <dvzrv@master-key.archlinux.org>

Your @archlinux.org UID currently has marginal trust, as it is only signed by one main signing key (needs three signatures for full trust). Your other UID still has full trust though, which means that your key in general is still fully trusted! However, we would like to have signatures on the @archlinux.org UID only in the future of course :)

If you have received more signatures for your @archlinux.org UID by now, you can add those via a merge request (see previous email).

Best,
David

--
https://sleepmap.de
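The per-UID trust rule described in this thread (three main-key signatures on a UID for full trust, fewer for marginal) can be checked mechanically instead of by reading `pacman-key --list-sigs` output by eye. The following is an added example, not code from keyringctl, pacman-key or anyone in this thread: it parses the machine-readable form of the same listing (`gpg --with-colons --list-sigs <uid>` on the pacman keyring, which is what `pacman-key` wraps) and counts, per UID, how many distinct main signing keys have certified it. The sample colon output is constructed for the example, modelled on the listing quoted above; the packager fingerprint and David's master key ID come from the thread, while the two other entries in `MAIN_KEYS` are placeholders invented here, not real Arch Linux master keys. Only certification classes 0x10 to 0x13 count, the self-signature is skipped, and each main key is counted once per UID.

```python
"""Count main-signing-key certifications per UID from gpg colon output.

Added example (not part of archlinux-keyring or pacman-key). Applies the
rule stated in the thread: a UID needs three main-key signatures for full
trust, one or two give marginal trust, none leaves it unknown.
"""
from __future__ import annotations

from dataclasses import dataclass

# Main signing keys to count. David's master key ID is from the thread;
# the other two are constructed placeholders for this example only.
MAIN_KEYS = {
    "4DC95B6D7BE9892E",  # David Runge (Arch Linux Master Key)
    "0000000000000001",  # placeholder main key (constructed)
    "0000000000000002",  # placeholder main key (constructed)
}

# Constructed `gpg --with-colons --list-sigs` output modelled on the thread:
# the brett@i--b.com UID carries three main-key sigs, the @archlinux.org UID
# only one. Field 1 = record type, 5 = key ID, 10 = user ID, 11 = sig class.
SAMPLE_COLON_OUTPUT = """\
tru::1:1642000000:1658000000:3:1:5
pub:m:256:22:A06B49470F8E620A:1538524800:1658102400::m:::scESC::::::23::0:
fpr:::::::::BE2DBCF2B1E3E588AC325AEAA06B49470F8E620A:
uid:f::::1637193600::0000000000000000000000000000000000000000::Brett Cornwall <brett@i--b.com>::::::::::0:
sig:::22:A06B49470F8E620A:1637193600::::Brett Cornwall <brett@i--b.com>:13x::BE2DBCF2B1E3E588AC325AEAA06B49470F8E620A:::8:
sig:::1:4DC95B6D7BE9892E:1637366400::::David Runge (Arch Linux Master Key) <dvzrv@master-key.archlinux.org>:10x::::::8:
sig:::1:0000000000000001:1637452800::::Placeholder Main Key One <one@example.invalid>:10x::::::8:
sig:::1:0000000000000002:1637539200::::Placeholder Main Key Two <two@example.invalid>:10x::::::8:
uid:m::::1637193600::1111111111111111111111111111111111111111::Brett Cornwall <ainola@archlinux.org>::::::::::0:
sig:::22:A06B49470F8E620A:1637193600::::Brett Cornwall <brett@i--b.com>:13x::BE2DBCF2B1E3E588AC325AEAA06B49470F8E620A:::8:
sig:::1:4DC95B6D7BE9892E:1637366400::::David Runge (Arch Linux Master Key) <dvzrv@master-key.archlinux.org>:10x::::::8:
sub:m:256:18:2222222222222222:1538524800:1658102400:::::e::::::23:
sig:::22:A06B49470F8E620A:1538524800::::Brett Cornwall <brett@i--b.com>:18x::BE2DBCF2B1E3E588AC325AEAA06B49470F8E620A:::8:
"""

CERTIFICATION_CLASSES = {"10", "11", "12", "13"}


@dataclass
class UidReport:
    uid: str
    main_sigs: int
    trust: str  # "full", "marginal" or "unknown"


def classify(main_sigs: int, needed: int = 3) -> str:
    """Map a main-key signature count to the trust level named in the thread."""
    if main_sigs >= needed:
        return "full"
    if main_sigs > 0:
        return "marginal"
    return "unknown"


def uid_trust_report(colon_output: str, main_keys: set[str],
                     needed: int = 3) -> dict[str, UidReport]:
    """Parse gpg colon records and count distinct main-key certifications per UID."""
    main_keys = {k.upper() for k in main_keys}
    reports: dict[str, UidReport] = {}
    own_keyid: str | None = None
    current_uid: str | None = None
    seen_signers: set[str] = set()
    for line in colon_output.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            own_keyid = fields[4].upper()
            current_uid = None
        elif rtype == "uid":
            current_uid = fields[9]
            seen_signers = set()
            reports[current_uid] = UidReport(current_uid, 0, classify(0, needed))
        elif rtype == "sub":
            current_uid = None  # subkey binding sigs are not UID certifications
        elif rtype == "sig" and current_uid is not None:
            signer = fields[4].upper()
            sig_class = fields[10][:2] if len(fields) > 10 else ""
            if signer == own_keyid or signer not in main_keys:
                continue  # self-signature or not a main key
            if sig_class not in CERTIFICATION_CLASSES or signer in seen_signers:
                continue  # not a certification, or this main key already counted
            seen_signers.add(signer)
            report = reports[current_uid]
            report.main_sigs += 1
            report.trust = classify(report.main_sigs, needed)
    return reports


if __name__ == "__main__":
    for report in uid_trust_report(SAMPLE_COLON_OUTPUT, MAIN_KEYS).values():
        print(f"{report.trust:8} main sigs={report.main_sigs}  {report.uid}")
```

Run against the real keyring, the same function takes the output of `gpg --homedir /etc/pacman.d/gnupg --with-colons --list-sigs <nick>@archlinux.org` and the current set of main key IDs; a UID reported as `marginal` is exactly the situation in Brett's listing above, and the missing signatures can then be requested or added via merge request as David describes.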
On Fri, Jan 14, 2022 at 09:12:37PM +0100, David Runge via arch-dev-public wrote:
> If you have gained more than or equal to three main key signatures for your new PGP key and the key as well as those signatures are already available in the keyring in [core] please rebuild all of your packages using your new key and start the process of having your old key removed [4].
>
> For the purpose of mass package rebuilding you may create a TODO [5] and use `rebuild-todo` (in the archlinux-contrib package) which makes use of our build server infrastructure.

Just to be a bit fun and showcasing contrib tooling.

You don't actually *need* to create a TODO for rebuild-todo. You can pipe a search from `pkgsearch` (also from contrib, previously named co-maintainers) directly into `rebuild-todo`.

    $ pkgsearch -p Foxboron -r community | rebuild-todo --community -m "package rebuild" -

This would rebuild all my packages from community. pkgsearch is a bit slow, but I promise that it works :)

Please do note that `rebuild-todo` won't necessarily keep track of what it has and hasn't rebuilt. Also do note you need to specify the repositories since `rebuild-todo` doesn't understand where packages belong :)

Hopefully I'll get some more tooling improvements done for package rebuilds. But this is already quite neat and handy.

--
Morten Linderud
PGP: 9C02FF419FECBE16
Hi David,

I am very sorry. I misjudged the urgency of this topic. I assumed signing the additional uid is more a "nice to have", since pacman and wkd already works fine.

I opened the ticket at https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/143 so we can create the merge requests once the new uid is fully trusted as well.

I'll create new (more secure) key pairs once I have a more capable hardware key. I'll also phase out my master key once a robust web of trust has been established.

Greetings,

Pierre

On Sat, Jan 15, 2022 at 1:37 AM David Runge via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
> Hi all,
>
> in the past days there have been a few releases of our archlinux-keyring package, which contains the root trust of our distribution.
>
> We have successfully switched to using keyringctl [1] to manage the keyring. From now on all changes to the keyring are done via merge requests towards the archlinux-keyring repository, as it now serves as the source of truth, whereas in the past we have been relying on the dying SKS infrastructure or the Ubuntu keyserver (which may or may not support all key types in use).
>
> I have contacted all of you over the past months and either requested the addition of an @archlinux.org UID, the creation of a new PGP keypair or the verification of your PGP key by means of a clearsigned token.
>
> To all that have added a new @archlinux.org UID or have created a new key, please make sure that all signatures you have received from main signing keys are also present in the current keyring (`pacman-key --list-sigs <nick>@archlinux.org`) or in the current HEAD of archlinux-keyring (`./keyringctl inspect <nick>` in a clone of the archlinux-keyring repository). If you have signatures that are not yet in the keyring, you can add them yourself [2] and do not have to wait on a main signing key holder to do it.
>
> To all that have created a new key, please make sure to set up the correct PGP key ID in your archweb profile so that the website displays the signatures correctly [3]. If you have gained more than or equal to three main key signatures for your new PGP key and the key as well as those signatures are already available in the keyring in [core], please rebuild all of your packages using your new key and start the process of having your old key removed [4]. For the purpose of mass package rebuilding you may create a TODO [5] and use `rebuild-todo` (in the archlinux-contrib package) which makes use of our build server infrastructure.
>
> I have not yet gotten a response from or have not yet been able to resolve my request with the following packagers (nickname in the archlinux-keyring repository):
>
> - bgyorgy
> - archange
> - arodseth
> - kylekeen
> - daurnimator
> - pierre
> - farseerfc
>
> Please make some time to create a new key / UID or get signed, as Allan would like to revoke his signing key in the near future (which may mean the inability to sign packages and mass rebuild of packages in question) as soon as the above packager signature situation has stabilized.
>
> In case you have questions, feel free to reach out in #archlinux-staff on libera.chat or via mail. If you are interested in helping further develop keyringctl, have a look at the relevant open tickets [6].
>
> Best,
> David
>
> [1] https://gitlab.archlinux.org/archlinux/archlinux-keyring/#usage
> [2] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/A...
> [3] https://archlinux.org/master-keys/#master-sigs
> [4] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/R...
> [5] https://archlinux.org/todo/add/
> [6] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues?scope=all&state=opened&not[label_name][]=new%20packager%20key&not[label_name][]=remove%20packager%20key&not[label_name][]=new%20main%20key&not[label_name][]=remove%20main%20key

--
Pierre Schmitz, https://pierre-schmitz.com