[arch-dev-public] Call for review: keyringctl as tooling for a curated keyring
Levente Polyak
anthraxx at archlinux.org
Tue Oct 26 00:59:03 UTC 2021
Hi all,
to mitigate different issues with the current status of PGP keyservers
and to simplify the management of our keyring we worked towards
exploring a new way to handle our keyring:
The idea is to have a curated keyring whose source of truth is the
repository itself, without relying on external components to collect the
WoT. The repository will consist of atomic files representing PGP
packets, which a directory structure logically combines into individual
certificates. The advantage is that a new signature is literally just a
new independent file as a merge request against the repository, which is
also very easy to audit.
David and I have spent quite some time developing keyringctl [0]. This
tool will provide a convenient UX to work with and inspect the
decomposed certificates. Furthermore, it will also be responsible for joining
all certificates into a keyring and exporting ownertrust and revocation
status as pacman requires.
For now, bootstrap the keyring directory from the old PGP data by:
> ./keyringctl import --main master master-revoked
> ./keyringctl import packager packager-revoked
We are calling for review and testing specifically for the following:
- Try to find bugs by bench-testing the commands with real-world use
cases and files. Some usage examples: [1]
- Have individual people verify the pacman-compatible artifacts created
by the `build` command.
cheers,
David & Levente
[0] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/merge_requests/24
[1] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/blob/feature/curated-keyring/README.md#usage
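The mail describes a keyring decomposed into one file per OpenPGP packet, grouped into certificate directories and joined back into a single keyring. The following is an added example of that decomposition and re-join, written for this page; it is not keyringctl's own code and does not reproduce keyringctl's on-disk layout. The `<fingerprint>/<seq>-<type>.pkt` layout, the `SAMPLE_*` certificates and all packet bodies are constructed here for illustration (the bodies are placeholder bytes, not real key material). The packet-header parsing follows RFC 4880 section 4.2 and the v4 fingerprint follows section 12.2.

```python
"""Decompose an OpenPGP keyring into one file per packet and join it back.

Added example for the curated-keyring idea in the mail above; it is not
keyringctl's own code or its on-disk layout.  Directory names, file names,
the SAMPLE_* certificates and all packet bodies are constructed here.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# RFC 4880 packet tags that appear in a certificate (transferable public key).
TAG_NAMES = {2: "signature", 6: "public_key", 13: "user_id",
             14: "public_subkey", 17: "user_attribute"}


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet in a binary OpenPGP stream.

    Accepts old- and new-format headers.  Partial-body and indeterminate
    lengths are rejected: they are stream-only forms that a keyring must
    never contain, and accepting them makes re-framing ambiguous.
    """
    i, n = 0, len(data)

    def take(k: int) -> bytes:
        nonlocal i
        if i + k > n:
            raise ValueError(f"truncated packet at offset {i}")
        chunk = data[i:i + k]
        i += k
        return chunk

    while i < n:
        ctb = take(1)[0]
        if not ctb & 0x80:
            raise ValueError(f"offset {i - 1}: not a packet header (bit 7 clear)")
        if ctb & 0x40:                      # new-format header (RFC 4880 4.2.2)
            tag = ctb & 0x3F
            b0 = take(1)[0]
            if b0 < 192:
                length = b0
            elif b0 < 224:
                length = ((b0 - 192) << 8) + take(1)[0] + 192
            elif b0 == 255:
                length = int.from_bytes(take(4), "big")
            else:                           # 224..254 is a partial body length
                raise ValueError("partial body lengths are not valid in a keyring")
        else:                               # old-format header (RFC 4880 4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not valid in a keyring")
            length = int.from_bytes(take(1 << ltype), "big")
        yield tag, take(length)


def encode_packet(tag: int, body: bytes) -> bytes:
    """Serialise one packet with a new-format header and a definite length."""
    n = len(body)
    if n < 192:
        lenb = bytes([n])
    elif n < 8384:
        lenb = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        lenb = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + lenb + body


def v4_fingerprint(key_body: bytes) -> str:
    """V4 fingerprint: SHA-1 over 0x99, two-octet length, key packet body."""
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()


def split_keyring(keyring: bytes, outdir: Path) -> list[str]:
    """Write <outdir>/<fingerprint>/<seq>-<type>.pkt for every packet (layout assumed).

    A certificate starts at each tag-6 (public key) packet; anything before
    the first one has no certificate to belong to and is rejected.
    """
    fprs, cert_dir, seq = [], None, 0
    for tag, body in parse_packets(keyring):
        if tag == 6:
            fpr = v4_fingerprint(body)
            fprs.append(fpr)
            cert_dir = outdir / fpr
            cert_dir.mkdir(parents=True, exist_ok=True)
            seq = 0
        elif cert_dir is None:
            raise ValueError(f"tag {tag} packet before any public key packet")
        name = f"{seq:03d}-{TAG_NAMES.get(tag, f'tag{tag}')}.pkt"
        (cert_dir / name).write_bytes(encode_packet(tag, body))
        seq += 1
    return fprs


def join_keyring(indir: Path) -> bytes:
    """Concatenate the packet files: certificates in fingerprint order, packets in file-name order.

    Each directory must start with the public key whose fingerprint names it,
    so a merge request cannot smuggle packets under the wrong certificate.
    """
    parts = []
    for cert_dir in sorted(p for p in indir.iterdir() if p.is_dir()):
        files = sorted(cert_dir.glob("*.pkt"))
        if not files:
            continue
        first_tag, first_body = next(parse_packets(files[0].read_bytes()))
        if first_tag != 6 or v4_fingerprint(first_body) != cert_dir.name:
            raise ValueError(f"{cert_dir.name}: first packet must be the public key with that fingerprint")
        parts.extend(f.read_bytes() for f in files)
    return b"".join(parts)


def is_valid_keyring(data: bytes) -> bool:
    """True if data parses cleanly into packets using keyring-safe header forms."""
    try:
        list(parse_packets(data))
        return True
    except ValueError:
        return False


# Constructed sample certificates: placeholder bytes, not real key material.
SAMPLE_CERTS = [
    [(6, b"\x04" + bytes(4) + b"\x01" + bytes(range(32))),
     (13, b"Alice <alice@example.org>"),
     (2, b"\x04\x13\x01\x08" + bytes(16))],
    [(6, b"\x04" + bytes(4) + b"\x01" + bytes(range(32, 64))),
     (13, b"Bob <bob@example.org>"),
     (2, b"\x04\x13\x01\x08" + bytes(16)),
     (14, b"\x04" + bytes(4) + b"\x01" + bytes(range(64, 96))),
     (2, b"\x04\x18\x01\x08" + bytes(16))],
]
SAMPLE_KEYRING = b"".join(encode_packet(t, b) for cert in SAMPLE_CERTS for t, b in cert)


def roundtrip_demo():
    """Split SAMPLE_KEYRING, add one signature file the way a merge request
    would, and join.  Returns (fingerprints, packets_before, packets_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        fprs = split_keyring(SAMPLE_KEYRING, workdir)
        # A new certification is just one more file in the certificate's directory.
        extra = encode_packet(2, b"\x04\x10\x01\x08" + b"constructed third-party cert")
        (workdir / fprs[0] / "900-signature.pkt").write_bytes(extra)
        joined = join_keyring(workdir)
    return fprs, list(parse_packets(SAMPLE_KEYRING)), list(parse_packets(joined))


if __name__ == "__main__":
    fprs, before, after = roundtrip_demo()
    for fpr in fprs:
        print(fpr)
    print(f"{len(before)} packets in, {len(after)} packets out")
```

Two caveats worth keeping in mind when reviewing a tool of this kind: re-framing every packet with a new-format header changes the bytes of a keyring that was originally written with old-format headers (the packet contents are unchanged, and signatures are computed over contents, not headers, so they still verify), and the join step must tie each directory to the fingerprint of the key packet it contains, otherwise the file layout alone says nothing about which certificate a signature file belongs to.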