[arch-dev-public] Updates to archlinux-keyring and signatures for packager keys

David Runge dave at sleepmap.de
Fri Jan 14 20:12:37 UTC 2022


Hi all,

in the past days there have been a few releases of our archlinux-keyring
package, which contains the root trust of our distribution.

We have successfully switched to using keyringctl [1] to manage the
keyring. From now on all changes to the keyring are done via merge
requests towards the archlinux-keyring repository, as it now serves as
the source of truth, whereas in the past we have been relying on the
dying SKS infrastructure or the Ubuntu keyserver (which may or may not
support all key types in use).

I have contacted all of you over the past months and either requested
the addition of an @archlinux.org UID, the creation of a new PGP keypair
or the verification of your PGP key by means of a clearsigned token.

To all that have added a new @archlinux.org UID or have created a new
key, please make sure that all signatures you have received from main
signing keys are also present in the current keyring (`pacman-key
--list-sigs <nick>@archlinux.org`) or in the current HEAD of
archlinux-keyring (`./keyringctl inspect <nick>` in a clone of the
archlinux-keyring repository). If you have signatures that are not yet
in the keyring, you can add them yourself [2] and do not have to wait on
a main signing key holder to do it.

To all that have created a new key, please make sure to set up the
correct PGP key ID in your archweb profile so that the website displays
the signatures correctly [3].
If you have gained three or more main key signatures for your new PGP
key, and the key as well as those signatures are already available in
the keyring in [core], please rebuild all of your packages using your
new key and start the process of having your old key removed [4].
For the purpose of mass package rebuilding you may create a TODO [5] and
use `rebuild-todo` (in the archlinux-contrib package) which makes use of
our build server infrastructure.


I have not yet gotten a response from or have not yet been able to
resolve my request with the following packagers (nickname in the
archlinux-keyring repository):
- bgyorgy
- archange
- arodseth
- kylekeen
- daurnimator
- pierre
- farseerfc

Please make some time to create a new key / UID or get signed, as Allan
would like to revoke his signing key in the near future (which may mean
the inability to sign packages and mass rebuild of packages in
question) as soon as the above packager signature situation has
stabilized.

In case you have questions, feel free to reach out in #archlinux-staff
on libera.chat or via mail.
If you are interested in helping further develop keyringctl, have a look
at the relevant open tickets [6].

Best,
David

[1] https://gitlab.archlinux.org/archlinux/archlinux-keyring/#usage
[2] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/Add-a-new-Signature
[3] https://archlinux.org/master-keys/#master-sigs
[4] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/Remove-a-packager-key
[5] https://archlinux.org/todo/add/
[6] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues?scope=all&state=opened&not[label_name][]=new%20packager%20key&not[label_name][]=remove%20packager%20key&not[label_name][]=new%20main%20key&not[label_name][]=remove%20main%20key

-- 
https://sleepmap.de
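The check the message asks packagers to run, as an added example that is not part of the original post and not code from the archlinux-keyring project: a POSIX shell script that parses the colon-format output of `gpg --with-colons --list-sigs` (the same listing `pacman-key --list-sigs <nick>@archlinux.org` shows from /etc/pacman.d/gnupg, requested in machine-readable form) and counts how many distinct main signing keys have certified a given UID. The main key IDs and the listing below are placeholders constructed for the example; the real main key fingerprints are published on the master keys page linked as [3].

```shell
#!/bin/sh
# Added example, not code from the original message or from the
# archlinux-keyring project. Counts how many distinct main signing keys have
# certified a given UID by parsing gpg's machine-readable colon output.
#
# Assumptions (hypothetical, for illustration):
#  - MAIN_KEYS lists placeholder long key IDs; substitute the real main key
#    IDs published at https://archlinux.org/master-keys/.
#  - SAMPLE is constructed output in the shape of
#      gpg --homedir /etc/pacman.d/gnupg --with-colons --list-sigs <nick>@archlinux.org
#    i.e. the keyring and listing that pacman-key --list-sigs operates on.

MAIN_KEYS='1111111111111111 2222222222222222 3333333333333333'

# Constructed listing for a packager whose @archlinux.org UID has been
# certified by two main keys (one of them twice) and whose older UID carries
# a third main-key certification that does not count for the new UID.
SAMPLE='pub:u:4096:1:AAAAAAAAAAAAAAAA:1640000000:::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1640000000::HASH1::Packager <packager@archlinux.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1640000000::::Packager <packager@archlinux.org>:13x:::::8:
sig:::1:1111111111111111:1640100000::::Main Key One <main1@example.net>:10x:::::8:
sig:::1:2222222222222222:1640200000::::Main Key Two <main2@example.net>:10x:::::8:
sig:::1:1111111111111111:1640300000::::Main Key One <main1@example.net>:10x:::::8:
uid:u::::1630000000::HASH2::Packager <packager@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1630000000::::Packager <packager@example.org>:13x:::::8:
sig:::1:3333333333333333:1630100000::::Main Key Three <main3@example.net>:10x:::::8:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1640000000:::::s::::::23:
sig:::1:AAAAAAAAAAAAAAAA:1640000000::::Packager <packager@archlinux.org>:18x:::::8:'

# main_sigs_for_uid UID_SUBSTRING MAIN_KEYS  < colon-listing
# Prints the number of distinct main keys that have a "sig" record under a
# uid record containing UID_SUBSTRING. Field 5 of a sig record is the issuer
# key ID, field 10 of a uid record is the user ID. Signatures under other
# uids or subkeys are ignored, as are "rev" (revocation) records.
main_sigs_for_uid() {
    awk -F: -v want="$1" -v mains="$2" '
        BEGIN { n = split(mains, ids, " "); for (i = 1; i <= n; i++) main[ids[i]] = 1 }
        $1 == "uid" { in_uid = (index($10, want) > 0); next }
        $1 == "pub" || $1 == "sub" { in_uid = 0; next }
        $1 == "sig" && in_uid && ($5 in main) { seen[$5] = 1 }
        END { c = 0; for (k in seen) c++; print c }
    '
}

# has_enough_main_sigs UID_SUBSTRING MAIN_KEYS THRESHOLD  < colon-listing
# Exit status 0 when the uid carries at least THRESHOLD main-key certifications.
has_enough_main_sigs() {
    count=$(main_sigs_for_uid "$1" "$2")
    [ "$count" -ge "$3" ]
}

# Usage against the constructed sample; replace the pipeline input with the
# real gpg invocation from the header comment to check your own key.
printf '%s\n' "$SAMPLE" | main_sigs_for_uid '@archlinux.org' "$MAIN_KEYS"   # 2
if printf '%s\n' "$SAMPLE" | has_enough_main_sigs '@archlinux.org' "$MAIN_KEYS" 3; then
    echo "ready: rebuild packages with the new key and request removal of the old one"
else
    echo "not yet: fewer than three main-key signatures on the @archlinux.org UID"
fi
```

Each main key is counted once per UID even if it certified the UID more than once (for example after re-signing), and only certifications under the UID that was queried count, which is why the constructed sample reports 2 for the @archlinux.org UID although three different main keys appear in the full listing.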