Hi all,

to mitigate different issues with the current status of PGP keyservers and to simplify the management of our keyring we worked towards exploring a new way to handle our keyring:
The idea is to have a curated keyring whose source of truth is the repository itself, without relying on external components to collect the WoT. The repository will consist of atomic files representing PGP packets, which a directory structure logically combines into individual certificates. The advantage is that a new signature is literally just a new independent file as a merge request against the repository, which is also very easy to audit.

David and I have spent quite some time developing keyringctl [0]. This tool will provide a convenient UX to work with and inspect the decomposed certificates. Furthermore, it will also be responsible for joining all certificates into a keyring and exporting ownertrust and revocation status as pacman requires.
For now, bootstrap the keyring directory from the old PGP data by:

> ./keyringctl import --main master master-revoked
> ./keyringctl import packager packager-revoked

We are calling for review and testing specifically for the following:

- Try to find bugs by bench testing the commands with real-world use cases and files. Some usage examples: [1]
- Have individual people verify the pacman-compatible artifacts created by the `build` command.

cheers,
David & Levente

[0] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/merge_requests/24
[1] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/blob/feature/curated-keyring/README.md#usage
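As an added illustration of the decomposed-certificate idea (example code, not keyringctl or its authors' code): the script below splits a binary OpenPGP certificate at packet boundaries using only the RFC 4880 packet framing, then assigns each packet its own file so that a certification is one independent, auditable file. The directory layout and the sample certificate bytes are constructed for this example and do not reflect the repository's actual layout.

```python
# Added example: split a binary OpenPGP certificate into packets (RFC 4880 4.2
# framing only, nothing is verified) and map them onto a one-file-per-packet tree.
def _take(data, i, n):  # slice that refuses to silently truncate a short packet
    if i + n > len(data):
        raise ValueError(f"truncated packet at offset {i}")
    return data[i:i + n]

def read_packets(data):  # -> [(tag, body), ...] for old- and new-format headers
    pkts, i = [], 0
    while i < len(data):
        ctb = data[i]; i += 1
        if not ctb & 0x80:
            raise ValueError(f"not a packet header at offset {i - 1}")
        if ctb & 0x40:                          # new format: 6-bit tag
            tag, body, partial = ctb & 0x3F, b"", True
            while partial:                      # loop also covers partial body lengths
                o1 = data[i]; i += 1
                if o1 < 192:
                    n, partial = o1, False
                elif o1 < 224:
                    n, partial = ((o1 - 192) << 8) + data[i] + 192, False; i += 1
                elif o1 == 255:
                    n, partial = int.from_bytes(_take(data, i, 4), "big"), False; i += 4
                else:                           # 224..254: one chunk, more follow
                    n = 1 << (o1 & 0x1F)
                body += _take(data, i, n); i += n
        else:                                   # old format: 4-bit tag, 2-bit length type
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            width = 0 if ltype == 3 else 1 << ltype          # type 3: runs to end of input
            n = int.from_bytes(_take(data, i, width), "big") if width else len(data) - i
            body = _take(data, i + width, n); i += width + n
        pkts.append((tag, body))
    return pkts

TAG = {6: "pubkey", 13: "uid", 14: "subkey", 2: "signature"}
def layout(pkts):  # assumed keyringctl-like tree; keys and user IDs open a directory
    files, cur = {}, "unattached"
    for idx, (tag, body) in enumerate(pkts):
        kind = TAG.get(tag, f"tag{tag}")
        if tag in (6, 13, 14):
            cur = f"{kind}/{idx}"
        files[f"{cur}/{kind}-{idx}.pgp"] = body   # a new signature is just a new file
    return files

SAMPLE_CERT = (  # constructed packets with fake bodies, exercising each header form
    bytes([0xC6, 5]) + b"\x04KEY!"                        # new format, tag 6
    + bytes([0xCD, 25]) + b"Alice <alice@example.org>"    # new format, tag 13
    + bytes([0x88, 5]) + b"\x04\x10SIG"                   # old format, tag 2
    + bytes([0xC2, 0xE1]) + b"ab" + bytes([3]) + b"cde"   # tag 2, partial lengths
)
```

Running `layout(read_packets(SAMPLE_CERT))` yields four files: the primary key, the user ID, and the two signatures placed under that user ID's directory.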