Hi David,

I am very sorry. I misjudged the urgency of this topic. I assumed signing the additional uid is more a "nice to have", since pacman and wkd already work fine. I opened the ticket at https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues/143 so we can create the merge requests once the new uid is fully trusted as well.
I'll create new (more secure) key pairs once I have a more capable hardware key. I'll also phase out my master key once a robust web of trust has been established.

Greetings,
Pierre

On Sat, Jan 15, 2022 at 1:37 AM David Runge via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
>
> Hi all,
>
> in the past days there have been a few releases of our archlinux-keyring
> package, which contains the root trust of our distribution.
>
> We have successfully switched to using keyringctl [1] to manage the
> keyring. From now on all changes to the keyring are done via merge
> requests towards the archlinux-keyring repository, as it now serves as
> the source of truth, whereas in the past we have been relying on the
> dying SKS infrastructure or the Ubuntu keyserver (which may or may not
> support all key types in use).
>
> I have contacted all of you over the past months and either requested
> the addition of an @archlinux.org UID, the creation of a new PGP keypair
> or the verification of your PGP key by means of a clearsigned token.
>
> To all that have added a new @archlinux.org UID or have created a new
> key, please make sure that all signatures you have received from main
> signing keys are also present in the current keyring (`pacman-key
> --list-sigs <nick>@archlinux.org`) or in the current HEAD of
> archlinux-keyring (`./keyringctl inspect <nick>` in a clone of the
> archlinux-keyring repository). If you have signatures that are not yet
> in the keyring, you can add them yourself [2] and do not have to wait on
> a main signing key holder to do it.
>
> To all that have created a new key, please make sure to set up the
> correct PGP key ID in your archweb profile so that the website displays
> the signatures correctly [3].
>
> If you have gained more than or equal to three main key signatures for
> your new PGP key and the key as well as those signatures are already
> available in the keyring in [core] please rebuild all of your packages
> using your new key and start the process of having your old key removed
> [4].
> For the purpose of mass package rebuilding you may create a TODO [5] and
> use `rebuild-todo` (in the archlinux-contrib package) which makes use of
> our build server infrastructure.
>
>
> I have not yet gotten a response from or have not yet been able to
> resolve my request with the following packagers (nickname in the
> archlinux-keyring repository):
> - bgyorgy
> - archange
> - arodseth
> - kylekeen
> - daurnimator
> - pierre
> - farseerfc
>
> Please make some time to create a new key/ UID/ or get signed, as Allan
> would like to revoke his signing key in the near future (which may mean
> the inability to sign packages and mass rebuild of packages in
> question) as soon as the above packager signature situation has
> stabilized.
>
> In case you have questions, feel free to reach out in #archlinux-staff
> on libera.chat or via mail.
> If you are interested in helping further develop keyringctl, have a look
> at the relevant open tickets [6].
>
> Best,
> David
>
> [1] https://gitlab.archlinux.org/archlinux/archlinux-keyring/#usage
> [2] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/Add-a-new-Signature
> [3] https://archlinux.org/master-keys/#master-sigs
> [4] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/workflows/Remove-a-packager-key
> [5] https://archlinux.org/todo/add/
> [6] https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/issues?scope=all&state=opened&not[label_name][]=new%20packager%20key&not[label_name][]=remove%20packager%20key&not[label_name][]=new%20main%20key&not[label_name][]=remove%20main%20key
>
> --
> https://sleepmap.de

--
Pierre Schmitz, https://pierre-schmitz.com
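The check David's mail asks each packager to do by hand, confirming that an @archlinux.org UID carries at least three certifications from main signing keys as seen by `pacman-key --list-sigs`, can be scripted against gpg's machine-readable colon output. The script below is an added example, not code from this thread or from keyringctl. The main key IDs and the listing it parses are constructed placeholders (the real main key IDs are the ones published on the master keys page), and `/etc/pacman.d/gnupg` is assumed as pacman's keyring directory.

```python
"""Count main-signing-key certifications per UID from `gpg --with-colons --list-sigs` output.

Added example; the key IDs and listing below are constructed, not real Arch keys.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass, field

# Constructed placeholder IDs standing in for the distribution's main signing keys.
MAIN_KEY_IDS = {"1111111111111111", "2222222222222222", "3333333333333333"}
REQUIRED_MAIN_SIGS = 3  # threshold stated in the mail

# Constructed sample of `gpg --with-colons --list-sigs` output for one packager key:
# the new @archlinux.org UID has two main-key sigs (one of them twice), one
# non-main sig and its self-sig; the old UID has one main-key sig.
SAMPLE_LISTING = """\
pub:u:255:22:AAAAAAAAAAAAAAAA:1650000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000AAAAAAAAAAAAAAAA:
uid:u::::1650000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Packager <packager@archlinux.org>::::::::::0:
sig:::22:AAAAAAAAAAAAAAAA:1650000000::::Example Packager <packager@archlinux.org>:13x::0000000000000000AAAAAAAAAAAAAAAA:::8:
sig:::1:1111111111111111:1650001000::::Main Key One <one@example.org>:10x::00000000000000001111111111111111:::8:
sig:::1:2222222222222222:1650002000::::Main Key Two <two@example.org>:10x::00000000000000002222222222222222:::8:
sig:::1:2222222222222222:1650002500::::Main Key Two <two@example.org>:10x::00000000000000002222222222222222:::8:
sig:::1:5555555555555555:1650003000::::Some Other Dev <dev@example.org>:10x::00000000000000005555555555555555:::8:
uid:u::::1650000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Example Packager <old@example.org>::::::::::0:
sig:::22:AAAAAAAAAAAAAAAA:1650000000::::Example Packager <packager@archlinux.org>:13x::0000000000000000AAAAAAAAAAAAAAAA:::8:
sig:::1:3333333333333333:1650004000::::Main Key Three <three@example.org>:10x::00000000000000003333333333333333:::8:
"""


@dataclass
class UidReport:
    uid: str
    main_signers: set[str] = field(default_factory=set)  # deduplicated signer key IDs


def parse_main_sigs(listing: str, main_keys: set[str]) -> list[UidReport]:
    """Walk colon records in order; each `sig` belongs to the most recent `uid`.

    Field positions (0-based): 4 = signer key ID, 9 = signer user ID, 10 = sig class.
    Only UID certifications (class 0x10..0x13) from a main key are counted; self-sigs
    and third-party sigs from non-main keys are ignored.
    """
    reports: list[UidReport] = []
    current: UidReport | None = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "uid":
            current = UidReport(uid=f[9])
            reports.append(current)
        elif f[0] == "sig" and current is not None:
            signer = f[4].upper()
            if f[10][:2] in {"10", "11", "12", "13"} and signer in main_keys:
                current.main_signers.add(signer)
    return reports


def check_uid(listing: str, main_keys: set[str], uid_suffix: str = "@archlinux.org",
              required: int = REQUIRED_MAIN_SIGS) -> tuple[int, bool]:
    """Return (number of distinct main-key sigs, threshold met) for the first UID
    whose address ends in uid_suffix; (0, False) if no such UID exists."""
    for report in parse_main_sigs(listing, main_keys):
        if report.uid.rstrip(">").endswith(uid_suffix):
            count = len(report.main_signers)
            return count, count >= required
    return 0, False


def live_listing(key: str, homedir: str = "/etc/pacman.d/gnupg") -> str:
    """Fetch the same listing from pacman's keyring (assumed path); not used offline."""
    result = subprocess.run(
        ["gpg", "--homedir", homedir, "--with-colons", "--list-sigs", key],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


if __name__ == "__main__":
    for report in parse_main_sigs(SAMPLE_LISTING, MAIN_KEY_IDS):
        print(f"{report.uid}: {len(report.main_signers)} main-key signature(s)")
    count, ok = check_uid(SAMPLE_LISTING, MAIN_KEY_IDS)
    print(f"@archlinux.org UID has {count}/{REQUIRED_MAIN_SIGS} main-key sigs -> {'OK' if ok else 'NOT YET'}")
```

Signatures are deduplicated per signer, so re-signing by the same main key does not inflate the count, and the old UID's certification is reported separately rather than being credited to the new @archlinux.org UID. To run it against a real keyring, pass `live_listing("<nick>@archlinux.org")` to `check_uid` and replace `MAIN_KEY_IDS` with the actual main key IDs.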