[arch-dev-public] Call for review: keyringctl as tooling for a curated keyring

Levente Polyak anthraxx at archlinux.org
Tue Oct 26 00:59:03 UTC 2021

Hi all,

to mitigate different issues with the current status of PGP keyservers 
and to simplify the management of our keyring we worked towards 
exploring a new way to handle our keyring:

The idea is to have a curated keyring whose source of truth is the 
repository itself without relying on external component to collect the 
WoT. The repository will consist of atomic files representing PGP 
packets which a directory structure logically combines into individual 
certificates. The advantage is that a new signature is literally just a 
new independent file as a merge request against the repository which is 
also very easy to audit.

David and me have spent quite some time to develop keyringctl [0]. This 
tool will provide a convenient UX to work with, and inspect the 
decomposed certificates. Furthermore it will also be responsible to join 
all certificates into a keyring and export ownertrust and revocation 
status as pacman requires.

For now bootstrap the keyring directory from the old PGP data by:

 > ./keyringctl import --main master master-revoked
 > ./keyringctl import packager packager-revoked

We are calling for review and testing specifically for the following:

- Try to find bugs by bench testing the commands with real world use
   cases and files. Some usage examples: [1]

- have individual people verify the pacman compatible artifacts created
   by the `build` command.

David & Levente

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20211026/64fc507f/attachment.sig>

More information about the arch-dev-public mailing list