path: root/cheatsheets/keyring/pulling_hkp_changes.txt
Pulling changes from the HKP server
===================================

We run an HKP (HTTP Keyserver Protocol) keyserver to allow public
querying of Debian keys and to let DDs and DMs update their keys,
i.e., add more signatures. Updating the keyrings from this HKP
server is called "pulling" HKP changes.

There's a script called pull-updates that takes a keyring and a keyring
dir, explodes the keyring and looks for keys that have changed, then
calls update-key for each of them. This is a bit of a labour-intensive
task, but it does mean we don't automatically allow things like adding
a new UID that's complete nonsense. I have some local patches to make
it a bit easier in terms of automatically generating an update.log,
which is in the same format as the changelog entry for what was altered;
I'll commit them at some point soon.

So, to import the HKP updates, we pull the keyrings first from:

    kaufmann.debian.org:/srv/keyring.debian.org/keyrings-new/debian-{keyring,nonupload,maintainers}.gpg

and second, from:

    kaufmann.debian.org:/srv/keyring.debian.org/pending-updates/debian-{keyring,nonupload,maintainers}.gpg

$ scp kaufmann.debian.org:/srv/keyring.debian.org/keyrings-new/debian-{keyring,nonupload,maintainers}.gpg .
debian-keyring.gpg        100%   30MB   2.5MB/s   00:12    
debian-maintainers.gpg	  100% 1058KB 529.1KB/s   00:02    
debian-maintainers.gpg	  100%   48KB  59.6KB/s   00:00    
$ for i in keyring nonupload maintainers; do ./scripts/pull-updates debian-${i}.gpg debian-${i}-gpg/; done
(...a long list of keys later...)
Updated keys are:
0x8351C3C268AC5746  0xE5273D986BE3C423  0xED1A3933B2CFCDD8
gpg: keyring `/tmp/jetring.qGSB7NPt/secring.gpg' created
gpg: keyring `/tmp/jetring.qGSB7NPt/pubring.gpg' created
gpg: /tmp/jetring.qGSB7NPt/trustdb.gpg: trustdb created
Running gpg-diff:
0x8351C3C268AC5746 Robert Alan Larson <blarson>
Are you sure you want to update this key? (y/n)
y
Updated key.
gpg: keyring `/tmp/jetring.mHhg5onR/secring.gpg' created
gpg: keyring `/tmp/jetring.mHhg5onR/pubring.gpg' created
gpg: /tmp/jetring.mHhg5onR/trustdb.gpg: trustdb created
Running gpg-diff:
0xE5273D986BE3C423 Paul Wise <pabs>
Are you sure you want to update this key? (y/n)
y
Updated key.
gpg: keyring `/tmp/jetring.ZJnN1JpE/secring.gpg' created
gpg: keyring `/tmp/jetring.ZJnN1JpE/pubring.gpg' created
gpg: /tmp/jetring.ZJnN1JpE/trustdb.gpg: trustdb created
Running gpg-diff:
0xED1A3933B2CFCDD8 Philipp Kern <pkern>
Are you sure you want to update this key? (y/n)
y
Updated key.

In this process, we must check the changes we pull in "make sense" —
keys should not add unrelated UIDs, weaker subkeys, or excessive
amounts of signatures.
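As an added illustration (not one of the keyring-maint scripts), the review checks named above, written as code over `gpg --with-colons --list-sigs` output for one key taken before and after the HKP pull. The policy thresholds and all key IDs and UIDs are constructed assumptions for the example.

```python
"""Added example, not a keyring-maint script: the reviewer checks the cheatsheet
names (unrelated UIDs, weak subkeys, signature floods) applied to
`gpg --with-colons --list-sigs` output of one key before and after the HKP
pull.  All key IDs, UIDs and thresholds below are constructed sample data."""

MIN_RSA_BITS = 4096             # assumed policy for new subkeys
ECC_ALGOS = {"18", "19", "22"}  # ECDH, ECDSA, EdDSA
MAX_NEW_SIGS = 50               # assumed; the cheatsheet only says "excessive"

def parse(colons):
    """UIDs, subkeys {keyid: (algo, bits)} and (signed object, signer) pairs."""
    uids, subs, sigs, ctx = set(), {}, set(), None
    for f in (line.split(":") for line in colons.splitlines()):
        if f[0] in ("pub", "sub"):
            ctx = f[4]                      # following sigs bind to this key
            if f[0] == "sub":
                subs[f[4]] = (f[3], int(f[2]))
        elif f[0] == "uid":
            ctx = f[9]                      # following sigs certify this UID
            uids.add(ctx)
        elif f[0] == "sig":
            sigs.add((ctx, f[4]))
    return uids, subs, sigs

def is_weak(algo, bits):
    return bits < MIN_RSA_BITS if algo == "1" else algo not in ECC_ALGOS

def review(old, new):
    """Findings to look at before answering pull-updates' 'y/n' prompt."""
    o_uids, o_subs, o_sigs = parse(old)
    n_uids, n_subs, n_sigs = parse(new)
    weak = sorted(k for k, (a, b) in n_subs.items() if k not in o_subs and is_weak(a, b))
    added, new_sigs = sorted(n_uids - o_uids), len(n_sigs - o_sigs)
    return {"added_uids": added, "weak_new_subkeys": weak, "new_sigs": new_sigs,
            "ok": not added and not weak and new_sigs <= MAX_NEW_SIGS}

# Constructed before/after listings: the update adds one unrelated UID,
# one 1024-bit RSA signing subkey and two new certifications.
OLD = """\
pub:-:4096:1:0123456789ABCDEF:1500000000:::-:::scESC::::::23::0:
uid:-::::1500000000::HASH1::Example Developer <dev@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1500000000::::Example Developer <dev@example.org>:13x:::::2:
sig:::1:FEDCBA9876543210:1500100000::::Other Signer <other@example.org>:10x:::::2:
sub:-:4096:1:1111222233334444:1500000000::::::e::::::23:
"""
NEW = OLD.replace("sub:", """\
sig:::1:0F0F0F0F0F0F0F0F:1600000000::::Third Signer <third@example.org>:10x:::::2:
uid:-::::1600000000::HASH2::Totally Unrelated <spam@example.net>::::::::::0:
sig:::1:0123456789ABCDEF:1600000000::::Example Developer <dev@example.org>:13x:::::2:
sub:""") + "sub:-:1024:1:5555666677778888:1600000000::::::s::::::23:\n"
```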

A log of the changes is stored in update.log:

$ cat update.log
0x8351C3C268AC5746 Robert Alan Larson <blarson>
0xE5273D986BE3C423 Paul Wise <pabs>
0xED1A3933B2CFCDD8 Philipp Kern <pkern>

So, add the following to the changelog:

  * Updates from keyring.debian.org HKP interface:
    0x8351C3C268AC5746 Robert Alan Larson <blarson>
    0xE5273D986BE3C423 Paul Wise <pabs>
    0xED1A3933B2CFCDD8 Philipp Kern <pkern>

Repeat the process for the other downloaded keyrings.

After processing the second set of keys (at kaufmann's
/srv/keyring.debian.org/pending-updates), the three keyrings should be
removed (as they are checked to be empty when updating the keyrings at
kaufmann -- see infrastructure/kaufmann.txt).