[arch-dev-public] Updates to archlinux-keyring and signatures for packager keys

Pierre Schmitz pierre at archlinux.de
Sat Jan 15 12:42:00 UTC 2022

Hi David,

I am very sorry. I misjudged the urgency of this topic. I assumed
signing the additional uid is more a "ncie to have", since pacman and
wkd already works fine. I opened the ticket at
so we can create the merge requests once the new uid is fully trusted
as well.

I'll create new (more secure) key pairs once I have a more capable
hardware key. I'll also phase out my master key once a robust web of
trust has been established.



On Sat, Jan 15, 2022 at 1:37 AM David Runge via arch-dev-public
<arch-dev-public at lists.archlinux.org> wrote:
> Hi all,
> in the past days there have been a few releases of our archlinux-keyring
> package, which contains the root trust of our distribution.
> We have successfully switched to using keyringctl [1] to manage the
> keyring. From now on all changes to the keyring are done via merge
> requests towards the archlinux-keyring repository, as it now serves as
> the source of truth, whereas in the past we have been relying on the
> dying SKS infrastructure or the Ubuntu keyserver (which may or may not
> support all key types in use).
> I have contacted all of you over the past months and either requested
> the addition of an @archlinux.org UID, the creation of a new PGP keypair
> or the verification of your PGP key by means of a clearsigned token.
> To all that have added a new @archlinux.org UID or have created a new
> key, please make sure that all signatures you have received from main
> signing keys are also present in the current keyring (`pacman-key
> --list-sigs <nick>@archlinux.org`) or in the current HEAD of
> archlinux-keyring (`./keyringctl inspect <nick>` in a clone of the
> archlinux-keyring repository). If you have signatures that are not yet
> in the keyring, you can add them yourself [2] and do not have to wait on
> a main signing key holder to do it.
> To all that have created a new key, please make sure to setup the
> correct PGP key ID in your archweb profile so that the website displays
> the signatures correctly [3].
> If you have gained more than or equal to three main key signatures for
> your new PGP key and the key as well as those signatures are already
> available in the keyring in [core] please rebuild all of your packages
> using your new key and start the process of having your old key removed
> [4].
> For the purpose of mass package rebuilding you may create a TODO [5] and
> use `rebuild-todo` (in the archlinux-contrib package) which makes use of
> our build server infrastructure.
> I have not yet gotten a response from or have not yet been able to
> resolve my request with the following packagers (nickname in the
> archlinux-keyring repository):
> - bgyorgy
> - archange
> - arodseth
> - kylekeen
> - daurnimator
> - pierre
> - farseerfc
> Please make some time to create a new key/ UID/ or get signed, as Allan
> would like to revoke his signing key in the near future (which may mean
> the inability to sign packages and mass rebuild of packages in
> question) as soon as the above packager signature situation has
> stabilized.
> In case you have questions, feel free to reach out in #archlinux-staff
> on libera.chat or via mail.
> If you are interested in helping further develop keyringctl, have a look
> at the relevant open tickets [6].
> Best,
> David
> [1] https://gitlab.archlinux.org/archlinux/archlinux-keyring/#usage
> [2] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/Add-a-new-Signature
> [3] https://archlinux.org/master-keys/#master-sigs
> [4] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/Remove-a-packager-key
> [5] https://archlinux.org/todo/add/
> [6] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues?scope=all&state=opened&not[label_name][]=new%20packager%20key&not[label_name][]=remove%20packager%20key&not[label_name][]=new%20main%20key&not[label_name][]=remove%20main%20key
> --
> https://sleepmap.de

Pierre Schmitz, https://pierre-schmitz.com

More information about the arch-dev-public mailing list