The archlinux-keyring project holds PGP packet material and tooling
(keyringctl) to create the distribution keyring for Arch Linux.
The keyring is used by pacman to establish the web of trust for the packagers
of the distribution.
The PGP packets describing the main signing keys can be found below the keyring/main directory, while those of the packagers are located below the keyring/packager directory.
The following packages need to be installed to be able to create a PGP keyring from the provided data structure and to install it:
Build:
- make
- findutils
- pkgconf
- systemd
Runtime:
- python
- sequoia-sq
Optional:
- hopenpgp-tools (verify)
- sq-keyring-linter (verify)
- git (ci)
Build all PGP artifacts (keyring, ownertrust, revoked files) to the build directory
./keyringctl buildImport a new packager key by deriving the username from the filename.
./keyringctl import <username>.ascAlternatively import a file or directory and override the username
./keyringctl import --name <username> <file_or_directory...>Updates to existing keys will automatically derive the username from the known fingerprint.
./keyringctl import <file_or_directory...>Main key imports support the same options plus a mandatory --main
./keyringctl import --main <username>.ascExport the whole keyring including main and packager to stdout
./keyringctl exportLimit to specific certs using an output file
./keyringctl export <username_or_fingerprint_or_directory...> --output <filename>List all certificates in the keyring
./keyringctl listOnly show a specific main key
./keyringctl list --main <username_or_fingerprint...>Inspect all certificates in the keyring
./keyringctl inspectOnly inspect a specific main key
./keyringctl inspect --main <username_or_fingerprint_or_directory...>Verify certificates against modern expectations and assumptions
./keyringctl verify <username_or_fingerprint_or_directory...>To install archlinux-keyring system-wide use the included Makefile:
make installRead our contributing guide to learn more about guidelines and how to provide fixes or improvements for the code base.
Releases of archlinux-keyring are exclusively created by keyring maintainers.
The tags are signed with one of the following legitimate keys:
Christian Hesse <[email protected]>
02FD 1C7A 934E 6145 4584 9F19 A623 4074 498E 9CEE
David Runge <[email protected]>
C7E7 8494 66FE 2358 3435 8837 7258 734B 41C3 1549
Pierre Schmitz <[email protected]>
4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC
Florian Pritz <[email protected]>
CFA6 AF15 E5C7 4149 FC1D 8C08 6D16 55C1 4CE1 C13E
Giancarlo Razzolini <[email protected]>
ECCA C84C 1BA0 8A6C C8E6 3FBB F22F B1D7 8A77 AEAB
Levente Polyak <[email protected]>
E240 B57E 2C46 30BA 768E 2F26 FC1B 547C 8D81 72C8
Morten Linderud <[email protected]>
C100 3466 7663 4E80 C940 FB9E 9C02 FF41 9FEC BE16
To verify a tag, first import the relevant PGP keys:
gpg --auto-key-locate wkd --search-keys <email-from-above>Afterwards a tag can be verified from a clone of this repository. Please note that one must check the used key of the signature against the legitimate keys listed above:
git verify-tag <tag>Archlinux-keyring is licensed under the terms of the GPL-3.0-or-later (see LICENSE).