From 4ed1a6e1d4fcb1ba272a4fb3931b33d1c6fbee0d Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 13 Apr 2024 16:25:47 +0200 Subject: Adding upstream version 2023.12.24. Signed-off-by: Daniel Baumann --- cheatsheets/keyring/pulling_hkp_changes.txt | 82 +++++++++++++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 cheatsheets/keyring/pulling_hkp_changes.txt (limited to 'cheatsheets/keyring/pulling_hkp_changes.txt') diff --git a/cheatsheets/keyring/pulling_hkp_changes.txt b/cheatsheets/keyring/pulling_hkp_changes.txt new file mode 100644 index 0000000..67969c6 --- /dev/null +++ b/cheatsheets/keyring/pulling_hkp_changes.txt 
@@ -0,0 +1,82 @@ +Pulling changes from the HKP server +=================================== + +We run a HKP (HTTP Keyserver Protocol) keyserver to allow for public +querying on Debian keys and to allow DDs and DMs to update their keys, +i.e., sending more signatures. Updating the keyrings from this HKP +server is "pulling" HKP changes. + +There's a script call pull-updates that takes a keyring and a keyring +dir, explodes the keyring and looks for keys that have changed, then +calls update-key for each of them. This is a bit of a labour intensive +task, but it does mean we don't automatically allow things like adding +a new UID that's complete nonsense. I have some local patches to make +it a bit easier in terms of automatically generating an update.log +which is the same format as in the changelog of what was altered; I'll +commit them at some point soon. + +So, to import the HKP updates, we pull the keyrings first from: + + kaufmann.debian.org:/srv/keyring.debian.org/keyrings-new/debian-{keyring,nonupload,maintainers}.gpg + +and second, from: + + kaufmann.debian.org:/srv/keyring.debian.org/pending-updates/debian-{keyring,nonupload,maintainers}.gpg + +$ scp kaufmann.debian.org:/srv/keyring.debian.org/keyrings-new/debian-{keyring,nonupload,maintainers}.gpg . +debian-keyring.gpg 100% 30MB 2.5MB/s 00:12 +debian-maintainers.gpg 100% 1058KB 529.1KB/s 00:02 +debian-maintainers.gpg 100% 48KB 59.6KB/s 00:00 +$ for i in keyring nonupload maintainers; do ./scripts/pull-updates debian-${i}.gpg debian-${i}-gpg/ +(...a long list of keys later...) +Updated keys are: +0x8351C3C268AC5746 0xE5273D986BE3C423 0xED1A3933B2CFCDD8 +gpg: keyring `/tmp/jetring.qGSB7NPt/secring.gpg' created +gpg: keyring `/tmp/jetring.qGSB7NPt/pubring.gpg' created +gpg: /tmp/jetring.qGSB7NPt/trustdb.gpg: trustdb created +Running gpg-diff: +0x8351C3C268AC5746 Robert Alan Larson +Are you sure you want to update this key? (y/n) +y +Updated key. 
+gpg: keyring `/tmp/jetring.mHhg5onR/secring.gpg' created +gpg: keyring `/tmp/jetring.mHhg5onR/pubring.gpg' created +gpg: /tmp/jetring.mHhg5onR/trustdb.gpg: trustdb created +Running gpg-diff: +0xE5273D986BE3C423 Paul Wise +Are you sure you want to update this key? (y/n) +y +Updated key. +gpg: keyring `/tmp/jetring.ZJnN1JpE/secring.gpg' created +gpg: keyring `/tmp/jetring.ZJnN1JpE/pubring.gpg' created +gpg: /tmp/jetring.ZJnN1JpE/trustdb.gpg: trustdb created +Running gpg-diff: +0xED1A3933B2CFCDD8 Philipp Kern +Are you sure you want to update this key? (y/n) +y +Updated key. + +In this process, we must check the changes we pull in "make sense" — +keys should not add unrelated UIDs, weaker subkeys, or excessive +amounts of signatures. + +A log of the changes is stored in updates.log: + +$ cat update.log +0x8351C3C268AC5746 Robert Alan Larson +0xE5273D986BE3C423 Paul Wise +0xED1A3933B2CFCDD8 Philipp Kern + +So, add the following to the changelog: + + * Updates from keyring.debian.org HKP interface: + 0x8351C3C268AC5746 Robert Alan Larson + 0xE5273D986BE3C423 Paul Wise + 0xED1A3933B2CFCDD8 Philipp Kern + +Repeat the process for the other downloaded keyrings. + +After processing the second set of keys (at kaufmann's +/srv/keyring.debian.org/pending-updates), the three keyrings should be +removed (as they are checked to be empty when updating the keyrings at +kaufmann -- see infrastructure/kaufmann.txt)
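Review bot: the transcript in this hunk contradicts itself in three places, and someone following the cheatsheet step by step will trip on each. The `for i in keyring nonupload maintainers; do ./scripts/pull-updates debian-${i}.gpg debian-${i}-gpg/` line has no closing `; done`, and looping over all three keyrings at once contradicts the later "Repeat the process for the other downloaded keyrings"; either terminate the loop and drop that sentence, or show a single `./scripts/pull-updates debian-keyring.gpg debian-keyring-gpg/` invocation and keep it. The scp output lists `debian-maintainers.gpg` twice (1058KB and 48KB) although the glob fetched keyring, nonupload and maintainers, so one of those lines is presumably `debian-nonupload.gpg`. The prose says the log is `updates.log` while the command is `cat update.log`; pick one name. Minor: "a script call pull-updates" should read "called". Since the only safeguard in this procedure is a human reading the gpg-diff output before answering `y`, it would also help to turn the one-line checklist ("unrelated UIDs, weaker subkeys, or excessive amounts of signatures") into concrete things to look for in that diff, and the "I have some local patches ... I'll commit them at some point soon" remark is the kind of personal note that goes stale in a cheatsheet.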