Package: debian-archive-keyring
Version: 2023.4
Severity: wishlist
Tags: patch
Forwarded: https://salsa.debian.org/release-team/debian-archive-keyring/-/merge_requests/4

Hi!

The attached patches clean up the OpenPGP nomenclature usage (and some
other minor lateral cleanups), in package documentation and in the
keyring filenames, while providing backward compatibility symlinks for
the old names so that people can transition easily.

This should fix multiple pedantic lintian tags. :D


I initially submitted this as an MR in salsa, which I've now refreshed,
but then noticed that no MR has been merged there, so it's unclear
whether MRs there are looked after or expected (if they are not, it
would be nice to disable them :).

I'm attaching the patches from that branch here for your convenience,
and I can close the MR if you prefer taking them from here, whatever
you prefer.

Thanks,
Guillem
From cbc947d55f6ea0fc59cf2180188868dfbf9a4ebe Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@debian.org>
Date: Tue, 24 Dec 2024 16:32:37 +0100
Subject: [PATCH 1/5] Add .gitignore files

---
 .gitignore        | 4 ++++
 debian/.gitignore | 9 +++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 debian/.gitignore

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..cfa1f3b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,4 @@
+keyrings/*.gpg
+keyrings/*.lastchangeset
+trustdb.gpg
+trusted.gpg/
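Review bot: `trustdb.gpg` and `trusted.gpg/` are unanchored here, so they match at any depth of the tree, while debian/.gitignore in this same patch anchors every entry with a leading `/`. Both are top-level build outputs (the Makefile uses `./trustdb.gpg` and `trusted.gpg/...`), so `/trustdb.gpg` and `/trusted.gpg/` would state the intent and keep the two files consistent.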
diff --git a/debian/.gitignore b/debian/.gitignore
new file mode 100644
index 0000000..f770619
--- /dev/null
+++ b/debian/.gitignore
@@ -0,0 +1,9 @@
+/*.debhelper
+/*.log
+/*.substvars
+/.debhelper/
+/debhelper-build-stamp
+/debian-archive-keyring-udeb/
+/debian-archive-keyring/
+/files
+/tmp/
-- 
2.47.1

From c411ac250c57902b98cdd1302a41b04b531dccbf Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@debian.org>
Date: Tue, 24 Dec 2024 18:39:03 +0100
Subject: [PATCH 2/5] Update maintainer documentation for trusted.gpg.d files
 removal

These are now ASCII Armored files, and as such, use an .asc file
extension.
---
 README.maintainer | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.maintainer b/README.maintainer
index e10d989..1c85067 100644
--- a/README.maintainer
+++ b/README.maintainer
@@ -50,7 +50,7 @@ and checking the contents of each keyring
 
 Add an entry to debian/debian-archive-keyring.maintscript:
 
-rm_conffile /etc/apt/trusted.gpg.d/debian-archive-${foo}.gpg ${version}~~
+rm_conffile /etc/apt/trusted.gpg.d/debian-archive-${foo}.asc ${version}~~
 
 Pre-build
 ---------
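Review bot: the `rm_conffile` example now only covers the `.asc` name, but the maintscript entry has to name the conffile exactly as it was installed. If any key still to be removed was shipped under the older `debian-archive-${foo}.gpg` name, following this line literally would leave that conffile behind; a short sentence saying to use the extension the file was shipped with would make the instruction safe for both cases.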
-- 
2.47.1

From 71b43a6e27d709b1077e02d1fbfb7be3bd79024a Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@debian.org>
Date: Tue, 24 Dec 2024 21:27:37 +0100
Subject: [PATCH 3/5] Use «Debian» instead of the odd «Debian GNU» when referring to the project
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 debian/copyright | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/copyright b/debian/copyright
index d934ced..4fcb5cb 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-This is Debian GNU's GnuPG keyrings of archive keys.
+This is Debian GnuPG keyrings of archive keys.
 
 This package was originally put together by Michael Vogt
 <m...@debian.org> 
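Review bot: the replacement first line, "This is Debian GnuPG keyrings of archive keys.", pairs a singular "This is" with a plural "keyrings" and drops the article that the possessive used to provide. Since the line is being rewritten anyway, something like "These are the Debian GnuPG keyrings of archive keys." would read correctly.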
@@ -21,7 +21,7 @@ PURPOSE.  See the GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License with
 your Debian system, in /usr/share/common-licenses/GPL, or with the
-Debian GNU debian-archive-keyring source package as the file COPYING.
+Debian debian-archive-keyring source package as the file COPYING.
 If not, write to the Free Software Foundation, Inc., 51 Franklin Street,
 Fifth Floor, Boston, MA 02110-1301 USA.
 
-- 
2.47.1

From d7a5917217df3c53bd2746917d9a8f7b691a99ed Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@debian.org>
Date: Tue, 24 Dec 2024 04:29:46 +0100
Subject: [PATCH 4/5] Use OpenPGP instead of GnuPG when referring to the
 specification

The name of the specification is OpenPGP, and while GnuPG is currently
a widespread implementation, using a specific vendor as if it was a
synonym for the specification is a disservice to the whole ecosystem,
more so now that GnuPG upstream has decided to get out of the IETF
working group and not follow the just released OpenPGP RFC.

Use OpenPGP to refer both to the specification and its artifacts.
---
 debian/control   | 10 +++++-----
 debian/copyright |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/debian/control b/debian/control
index 6af283a..0b2f9a4 100644
--- a/debian/control
+++ b/debian/control
@@ -14,9 +14,9 @@ Package: debian-archive-keyring
 Architecture: all
 Multi-Arch: foreign
 Depends: ${misc:Depends}
-Description: GnuPG archive keys of the Debian archive
+Description: OpenPGP archive certificates of the Debian archive
  The Debian project digitally signs its Release files. This package
- contains the archive keys used for that.
+ contains the archive certificates used for that.
 
 Package: debian-archive-keyring-udeb
 Package-Type: udeb
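Review bot: the new synopsis "OpenPGP archive certificates of the Debian archive" repeats "archive" twice in one short line. "OpenPGP certificates of the Debian archive" carries the same meaning and matches the wording of the long description more closely.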
@@ -25,7 +25,7 @@ Architecture: all
 Section: debian-installer
 Depends: ${misc:Depends}
 Recommends: gpgv-udeb
-Description: GnuPG keys of the Debian archive
+Description: OpenPGP archive certificates of the Debian archive
  The Debian project digitally signs its Release files. This package
- contains the archive keys used for that, in a minimal form for use
- in the installer.
+ contains the archive certificates used for that, in a minimal form
+ for use in the installer.
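Review bot: with this change the udeb's `Description:` synopsis becomes byte-for-byte identical to the one of debian-archive-keyring above, where the two previously differed. Package listings can then no longer tell the two apart, and a series meant to reduce lintian noise risks adding a duplicate-synopsis complaint; consider keeping a distinguishing word in the udeb line, for example mentioning the installer.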
diff --git a/debian/copyright b/debian/copyright
index 4fcb5cb..904a77e 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-This is Debian GnuPG keyrings of archive keys.
+This is Debian OpenPGP keyrings of archive certificates.
 
 This package was originally put together by Michael Vogt
 <m...@debian.org> 
-- 
2.47.1

From 17c653ad964a3e81519f83e1d3a0704be737e4f6 Mon Sep 17 00:00:00 2001
From: Guillem Jover <guil...@debian.org>
Date: Tue, 24 Dec 2024 04:35:30 +0100
Subject: [PATCH 5/5] Rename keyrings from .gpg to .pgp

These keyrings contain OpenPGP certificates, and are not vendor
specific, so naming them with an extension after GnuPG in detriment
to the other multiple OpenPGP implementations does not promote
the interoperability one would expect from that ecosystem.

Given that these files are API, and will have external references,
we add backwards compatibility symlinks for now, but which should
be considered deprecated and should eventually (in the future) be
obsoleted and removed.

We leave trustdb.gpg alone, as that's a GnuPG specific artifact,
which would go away if the OpenPGP tooling used would change.
---
 .gitignore                                    |  3 +-
 Makefile                                      | 76 +++++++++++--------
 README                                        |  4 +-
 README.maintainer                             | 26 +++----
 active-keys/{index.gpg => index.pgp}          |  0
 debian/debian-archive-keyring-udeb.install    |  3 +
 debian/debian-archive-keyring-udeb.postinst   |  5 +-
 ...gpg.asc => debian-archive-keyring.pgp.asc} |  0
 ...sc => debian-archive-removed-keys.pgp.asc} |  0
 removed-keys/{index.gpg => index.pgp}         |  0
 team-members/{index.gpg => index.pgp}         |  0
 11 files changed, 67 insertions(+), 50 deletions(-)
 rename active-keys/{index.gpg => index.pgp} (100%)
 rename keyrings/{debian-archive-keyring.gpg.asc => debian-archive-keyring.pgp.asc} (100%)
 rename keyrings/{debian-archive-removed-keys.gpg.asc => debian-archive-removed-keys.pgp.asc} (100%)
 rename removed-keys/{index.gpg => index.pgp} (100%)
 rename team-members/{index.gpg => index.pgp} (100%)

diff --git a/.gitignore b/.gitignore
index cfa1f3b..672e2b9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 keyrings/*.gpg
 keyrings/*.lastchangeset
+keyrings/*.pgp
 trustdb.gpg
-trusted.gpg/
+trusted.pgp/
diff --git a/Makefile b/Makefile
index 6d1a763..e169295 100644
--- a/Makefile
+++ b/Makefile
@@ -1,72 +1,82 @@
-TRUSTED-LIST := $(patsubst active-keys/add-%,trusted.gpg/debian-archive-%.gpg,$(wildcard active-keys/add-*))
-TMPRING := trusted.gpg/build-area
+TRUSTED-LIST := $(patsubst active-keys/add-%,trusted.pgp/debian-archive-%.pgp,$(wildcard active-keys/add-*))
+TMPRING := trusted.pgp/build-area
 
 GPG_OPTIONS := --no-options --no-default-keyring --no-auto-check-trustdb --trustdb-name ./trustdb.gpg
 
-build: verify-indices keyrings/debian-archive-keyring.gpg keyrings/debian-archive-removed-keys.gpg verify-results $(TRUSTED-LIST)
+build: verify-indices keyrings/debian-archive-keyring.pgp keyrings/debian-archive-removed-keys.pgp verify-results $(TRUSTED-LIST)
 
-verify-indices: keyrings/team-members.gpg
+verify-indices: keyrings/team-members.pgp
 	gpg ${GPG_OPTIONS} \
-		--keyring keyrings/team-members.gpg \
-		--verify active-keys/index.gpg active-keys/index
+		--keyring keyrings/team-members.pgp \
+		--verify active-keys/index.pgp active-keys/index
 	gpg ${GPG_OPTIONS} \
-		--keyring keyrings/team-members.gpg \
-		--verify removed-keys/index.gpg removed-keys/index
+		--keyring keyrings/team-members.pgp \
+		--verify removed-keys/index.pgp removed-keys/index
 
-verify-results: keyrings/team-members.gpg keyrings/debian-archive-keyring.gpg keyrings/debian-archive-removed-keys.gpg
+verify-results: keyrings/team-members.pgp keyrings/debian-archive-keyring.pgp keyrings/debian-archive-removed-keys.pgp
 	gpg ${GPG_OPTIONS} \
-		--keyring keyrings/team-members.gpg --verify \
-		keyrings/debian-archive-keyring.gpg.asc \
-		keyrings/debian-archive-keyring.gpg
+		--keyring keyrings/team-members.pgp --verify \
+		keyrings/debian-archive-keyring.pgp.asc \
+		keyrings/debian-archive-keyring.pgp
 	gpg ${GPG_OPTIONS} \
-		--keyring keyrings/team-members.gpg --verify \
-		keyrings/debian-archive-removed-keys.gpg.asc \
-		keyrings/debian-archive-removed-keys.gpg
+		--keyring keyrings/team-members.pgp --verify \
+		keyrings/debian-archive-removed-keys.pgp.asc \
+		keyrings/debian-archive-removed-keys.pgp
 	#FIXME: Do we need to verify the created keyrings in trusted.gpg.d, too?
 	#	Maybe "just" checking that no key is added if we merge, but how…
 
-keyrings/debian-archive-keyring.gpg: active-keys/index
+keyrings/debian-archive-keyring.pgp: active-keys/index
 	jetring-build -I $@ active-keys
 	gpg ${GPG_OPTIONS} --no-keyring --import-options import-export --import < $@ > $@.tmp
 	mv -f $@.tmp $@
+	ln -s $(notdir $@) $(patsubst %.pgp,%.gpg,$@)
 
-keyrings/debian-archive-removed-keys.gpg: removed-keys/index
+keyrings/debian-archive-removed-keys.pgp: removed-keys/index
 	jetring-build -I $@ removed-keys
 	gpg ${GPG_OPTIONS} --no-keyring --import-options import-export --import < $@ > $@.tmp
 	mv -f $@.tmp $@
+	ln -s $(notdir $@) $(patsubst %.pgp,%.gpg,$@)
 
-keyrings/team-members.gpg: team-members/index
+keyrings/team-members.pgp: team-members/index
 	jetring-build -I $@ team-members
 	gpg ${GPG_OPTIONS} --no-keyring --import-options import-export --import < $@ > $@.tmp
 	mv -f $@.tmp $@
 
-$(TRUSTED-LIST) :: trusted.gpg/debian-archive-%.gpg : active-keys/add-% active-keys/index
-	mkdir -p $(TMPRING) trusted.gpg
+$(TRUSTED-LIST) :: trusted.pgp/debian-archive-%.pgp : active-keys/add-% active-keys/index
+	mkdir -p $(TMPRING) trusted.pgp
 	grep -F $(shell basename $<) -- active-keys/index > $(TMPRING)/index
 	cp $< $(TMPRING)
 	jetring-build -I $@ $(TMPRING)
 	rm -rf $(TMPRING)
 	gpg ${GPG_OPTIONS} --no-keyring --import-options import-export --import < $@ > $@.tmp
 	mv -f $@.tmp $@
+	ln -s $(notdir $@) $(patsubst %.pgp,%.gpg,$@)
 
 clean:
-	rm -f keyrings/debian-archive-keyring.gpg \
-		keyrings/debian-archive-keyring.gpg~ \
-		keyrings/debian-archive-keyring.gpg.lastchangeset
-	rm -f keyrings/debian-archive-removed-keys.gpg \
-		keyrings/debian-archive-removed-keys.gpg~ \
-		keyrings/debian-archive-removed-keys.gpg.lastchangeset
-	rm -f keyrings/team-members.gpg \
-		keyrings/team-members.gpg~ \
-		keyrings/team-members.gpg.lastchangeset
-	rm -rf $(TMPRING) trusted.gpg trustdb.gpg
+	rm -f keyrings/debian-archive-keyring.pgp \
+		keyrings/debian-archive-keyring.pgp~ \
+		keyrings/debian-archive-keyring.pgp.lastchangeset \
+		keyrings/debian-archive-keyring.gpg \
+		$(EOL)
+	rm -f keyrings/debian-archive-removed-keys.pgp \
+		keyrings/debian-archive-removed-keys.pgp~ \
+		keyrings/debian-archive-removed-keys.pgp.lastchangeset \
+		keyrings/debian-archive-removed-keys.gpg \
+		$(EOL)
+	rm -f keyrings/team-members.pgp \
+		keyrings/team-members.pgp~ \
+		keyrings/team-members.pgp.lastchangeset
+	rm -rf $(TMPRING) trusted.pgp trustdb.gpg
 	rm -f keyrings/*.cache
 
 install: build
 	install -d $(DESTDIR)/usr/share/keyrings/
-	cp trusted.gpg/debian-archive-*.gpg $(DESTDIR)/usr/share/keyrings/
-	cp keyrings/debian-archive-keyring.gpg $(DESTDIR)/usr/share/keyrings/
-	cp keyrings/debian-archive-removed-keys.gpg $(DESTDIR)/usr/share/keyrings/
+	cp trusted.pgp/debian-archive-*.pgp $(DESTDIR)/usr/share/keyrings/
+	cp -a trusted.pgp/debian-archive-*.gpg $(DESTDIR)/usr/share/keyrings/
+	cp keyrings/debian-archive-keyring.pgp $(DESTDIR)/usr/share/keyrings/
+	cp -a keyrings/debian-archive-keyring.gpg $(DESTDIR)/usr/share/keyrings/
+	cp keyrings/debian-archive-removed-keys.pgp $(DESTDIR)/usr/share/keyrings/
+	cp -a keyrings/debian-archive-removed-keys.gpg $(DESTDIR)/usr/share/keyrings/
 	install -d $(DESTDIR)/etc/apt/trusted.gpg.d/
 	cp $(shell find apt-trusted-asc/ -name '*.asc' -type f) $(DESTDIR)/etc/apt/trusted.gpg.d/
 
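Review bot: the three added `ln -s $(notdir $@) $(patsubst %.pgp,%.gpg,$@)` lines have no `-f`, so any rebuild of a keyring target without a prior `make clean` (for example after touching active-keys/index) fails with "File exists" once the compatibility symlink is already there. Using `ln -sf` makes the recipes re-runnable. Two smaller points in the same hunk: `$(EOL)` in the `clean` recipe is not defined anywhere in the visible Makefile, so a one-line comment or an explicit empty `EOL :=` would show it is a deliberate line-continuation terminator; and `clean` now removes `trusted.pgp` only, so a `trusted.gpg` directory left by an earlier build stays in the working tree.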
diff --git a/README b/README
index fdaf14c..2c5f35c 100644
--- a/README
+++ b/README
@@ -15,10 +15,10 @@ A quick overview about this package:
   The signatures of acquired Release files is checked against this
   key database. It hence contains all keys of releases that are still
   supported and need to be active.
-* /usr/share/keyrings/debian-archive-keyring.gpg:
+* /usr/share/keyrings/debian-archive-keyring.pgp:
   A keyring including all actively used keys to sign Release files in
   our supported releases is shipped in /usr/share/keyrings.
-* /usr/share/keyrings/debian-archive-removed-keys.gpg:
+* /usr/share/keyrings/debian-archive-removed-keys.pgp:
   A keyring including all keys used by previous releases, which are
   no longer supported. These keys are no longer used to sign
   Release files.
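Review bot: the README entries switch to the `.pgp` paths without mentioning that the old `.gpg` names are still shipped as symlinks. The commit message calls these files API and the symlinks deprecated, so users and third-party tooling that reference `/usr/share/keyrings/debian-archive-keyring.gpg` need to learn that from the documentation; a line under each entry stating that the `.gpg` name remains as a deprecated compatibility symlink would cover it.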
diff --git a/README.maintainer b/README.maintainer
index 1c85067..4caf87f 100644
--- a/README.maintainer
+++ b/README.maintainer
@@ -4,21 +4,21 @@ Maintainer notes
 Adding a new team member key
 ----------------------------
 
-make keyrings/team-members.gpg
-gpg --no-default-keyring --keyring keyrings/team-members.gpg \
+make keyrings/team-members.pgp
+gpg --no-default-keyring --keyring keyrings/team-members.pgp \
   --no-auto-check-trustdb --import $KEYFILE
-jetring-gen keyrings/team-members.gpg~ keyrings/team-members.gpg \
+jetring-gen keyrings/team-members.pgp~ keyrings/team-members.pgp \
   "add adsb (ID: C5CE5DC2C542CD59)"
 jetring-accept team-members/ add-C5CE5DC2C542CD59 
 
 Adding a new archive key
 ------------------------
 
-make keyrings/debian-archive-keyring.gpg
-gpg --no-default-keyring --keyring keyrings/debian-archive-keyring.gpg \
+make keyrings/debian-archive-keyring.pgp
+gpg --no-default-keyring --keyring keyrings/debian-archive-keyring.pgp \
   --no-auto-check-trustdb --import $KEYFILE
-jetring-gen keyrings/debian-archive-keyring.gpg~ \
-  keyrings/debian-archive-keyring.gpg \
+jetring-gen keyrings/debian-archive-keyring.pgp~ \
+  keyrings/debian-archive-keyring.pgp \
   "add jessie automatic key (security)"
 mv add-9D6D8F6BC857C906 add-jessie-security-automatic
 jetring-accept active-keys/ add-jessie-security-automatic
@@ -34,17 +34,17 @@ Removing an archive key
 
 Copy the corresponding entry from active-keys/index to removed-keys/index
 Move active-keys/add-$foo to removed-keys/
-gpg --detach-sign --output removed-keys/index.gpg --armor --sign \
+gpg --detach-sign --output removed-keys/index.pgp --armor --sign \
   removed-keys/index
 Remove the relevant entry from active-keys/index
-gpg --detach-sign --output active-keys/index.gpg --armor --sign \
+gpg --detach-sign --output active-keys/index.pgp --armor --sign \
   active-keys/index
 
 Confirm that the result was as expected by:
 
 make clean
-make keyrings/debian-archive-keyring.gpg
-make keyrings/debian-archive-removed-keys.gpg
+make keyrings/debian-archive-keyring.pgp
+make keyrings/debian-archive-removed-keys.pgp
 
 and checking the contents of each keyring
 
@@ -55,7 +55,7 @@ rm_conffile /etc/apt/trusted.gpg.d/debian-archive-${foo}.asc ${version}~~
 Pre-build
 ---------
 
-gpg --armor --detach-sign keyrings/debian-archive-keyring.gpg
+gpg --armor --detach-sign keyrings/debian-archive-keyring.pgp
 
 If any keys were removed:
-gpg --armor --detach-sign keyrings/debian-archive-removed-keys.gpg
+gpg --armor --detach-sign keyrings/debian-archive-removed-keys.pgp
diff --git a/active-keys/index.gpg b/active-keys/index.pgp
similarity index 100%
rename from active-keys/index.gpg
rename to active-keys/index.pgp
diff --git a/debian/debian-archive-keyring-udeb.install b/debian/debian-archive-keyring-udeb.install
index c2e9cdd..b5d4ac1 100644
--- a/debian/debian-archive-keyring-udeb.install
+++ b/debian/debian-archive-keyring-udeb.install
@@ -1,3 +1,6 @@
+usr/share/keyrings/debian-archive-keyring.pgp
 usr/share/keyrings/debian-archive-keyring.gpg
+usr/share/keyrings/debian-archive-*-automatic.pgp
 usr/share/keyrings/debian-archive-*-automatic.gpg
+usr/share/keyrings/debian-archive-*-stable.pgp
 usr/share/keyrings/debian-archive-*-stable.gpg
diff --git a/debian/debian-archive-keyring-udeb.postinst b/debian/debian-archive-keyring-udeb.postinst
index 210e258..3ad1d0d 100644
--- a/debian/debian-archive-keyring-udeb.postinst
+++ b/debian/debian-archive-keyring-udeb.postinst
@@ -2,5 +2,8 @@
 set -e
 DIR=/usr/share/keyrings
 if [ ! -e $DIR/archive.gpg ]; then
-	ln -s debian-archive-keyring.gpg $DIR/archive.gpg 
+	ln -s debian-archive-keyring.pgp $DIR/archive.gpg
+fi
+if [ ! -e $DIR/archive.pgp ]; then
+	ln -s debian-archive-keyring.pgp $DIR/archive.pgp
 fi
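Review bot: the new `archive.pgp` block copies the `[ ! -e $DIR/archive.pgp ]` guard, and `-e` follows symlinks, so a dangling link passes the test and the following `ln -s` then fails with "File exists", which aborts the script under `set -e`. The same applies to the `archive.gpg` block now that its target name changes. Either test with `-L` as well or use `ln -sf`; in the second case the guard can go away if overwriting an existing link is acceptable.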
diff --git a/keyrings/debian-archive-keyring.gpg.asc b/keyrings/debian-archive-keyring.pgp.asc
similarity index 100%
rename from keyrings/debian-archive-keyring.gpg.asc
rename to keyrings/debian-archive-keyring.pgp.asc
diff --git a/keyrings/debian-archive-removed-keys.gpg.asc b/keyrings/debian-archive-removed-keys.pgp.asc
similarity index 100%
rename from keyrings/debian-archive-removed-keys.gpg.asc
rename to keyrings/debian-archive-removed-keys.pgp.asc
diff --git a/removed-keys/index.gpg b/removed-keys/index.pgp
similarity index 100%
rename from removed-keys/index.gpg
rename to removed-keys/index.pgp
diff --git a/team-members/index.gpg b/team-members/index.pgp
similarity index 100%
rename from team-members/index.gpg
rename to team-members/index.pgp
-- 
2.47.1
