From a27c8b00ebf173659f22f53ce65679e94e7dfb1b Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 28 Apr 2024 11:19:41 +0200 Subject: Adding upstream version 2022.12.24. Signed-off-by: Daniel Baumann --- cheatsheets/keyring/pulling_hkp_changes.txt | 67 +++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 cheatsheets/keyring/pulling_hkp_changes.txt (limited to 'cheatsheets/keyring/pulling_hkp_changes.txt') diff --git a/cheatsheets/keyring/pulling_hkp_changes.txt b/cheatsheets/keyring/pulling_hkp_changes.txt new file mode 100644 index 0000000..bdeb1cd --- /dev/null +++ b/cheatsheets/keyring/pulling_hkp_changes.txt @@ -0,0 +1,67 @@ +Pulling changes from the HKP server +=================================== + +We run a HKP (HTTP Keyserver Protocol) keyserver to allow for public +querying on Debian keys and to allow DDs and DMs to update their keys, +i.e., sending more signatures. Updating the keyrings from this HKP +server is "pulling" HKP changes. + +There's a script call pull-updates that takes a keyring and a keyring +dir, explodes the keyring and looks for keys that have changed, then +calls update-key for each of them. This is a bit of a labour intensive +task, but it does mean we don't automatically allow things like adding +a new UID that's complete nonsense. I have some local patches to make +it a bit easier in terms of automatically generating an update.log +which is the same format as in the changelog of what was altered; I'll +commit them at some point soon. + +So, to import the HKP updates: + +$ scp kaufmann.debian.org:/srv/keyring.debian.org/keyrings-new/debian-{keyring,nonupload,maintainers}.gpg . +debian-keyring.gpg 100% 30MB 2.5MB/s 00:12 +debian-maintainers.gpg 100% 1058KB 529.1KB/s 00:02 +debian-maintainers.gpg 100% 48KB 59.6KB/s 00:00 +$ ./scripts/pull-updates debian-keyring.gpg debian-keyring-gpg/ +(...a long list of keys later...) +Updated keys are: +0x8351C3C268AC5746 0xE5273D986BE3C423 0xED1A3933B2CFCDD8 +gpg: keyring `/tmp/jetring.qGSB7NPt/secring.gpg' created +gpg: keyring `/tmp/jetring.qGSB7NPt/pubring.gpg' created +gpg: /tmp/jetring.qGSB7NPt/trustdb.gpg: trustdb created +Running gpg-diff: +0x8351C3C268AC5746 Robert Alan Larson +Are you sure you want to update this key? (y/n) +y +Updated key. +gpg: keyring `/tmp/jetring.mHhg5onR/secring.gpg' created +gpg: keyring `/tmp/jetring.mHhg5onR/pubring.gpg' created +gpg: /tmp/jetring.mHhg5onR/trustdb.gpg: trustdb created +Running gpg-diff: +0xE5273D986BE3C423 Paul Wise +Are you sure you want to update this key? (y/n) +y +Updated key. +gpg: keyring `/tmp/jetring.ZJnN1JpE/secring.gpg' created +gpg: keyring `/tmp/jetring.ZJnN1JpE/pubring.gpg' created +gpg: /tmp/jetring.ZJnN1JpE/trustdb.gpg: trustdb created +Running gpg-diff: +0xED1A3933B2CFCDD8 Philipp Kern +Are you sure you want to update this key? (y/n) +y +Updated key. + +A log of the changes is stored in updates.log: + +$ cat update.log +0x8351C3C268AC5746 Robert Alan Larson +0xE5273D986BE3C423 Paul Wise +0xED1A3933B2CFCDD8 Philipp Kern + +So, add the following to the changelog: + + * Updates from keyring.debian.org HKP interface: + 0x8351C3C268AC5746 Robert Alan Larson + 0xE5273D986BE3C423 Paul Wise + 0xED1A3933B2CFCDD8 Philipp Kern + +Repeat the process for the other downloaded keyrings -- cgit v1.2.3