archweb icon indicating copy to clipboard operation
archweb copied to clipboard

Published 20 hours ago verified publisher icon archlinux

Automate PGP keyring issues

Open jelly opened this issue 6 years ago • 4 comments

When a Trusted User or Developer steps down, his key may be left in the archlinux-keyring package. There is no automation to revoke this key or update the keyring package, so there should be some automation in place to handle this :)

Some scenario's which can be automated:

  • When a key is in the keyring but there is no archweb entry, report an issue.
  • When a fingerprint is registered in archweb but not in the keyring, report an issue
  • When a key is almost expired report an issue.The issues can be shown in archweb or mailed to a mailing list.

jelly avatar May 11 '18 18:05 jelly 

#!/usr/bin/python

from datetime import datetime, timedelta

import gnupg

gpg = gnupg.GPG(gnupghome='/etc/pacman.d/gnupg')
now = datetime.now()

for key in gpg.list_keys():
    expires = key['expires']
    # No expiry date
    if expires == '':
        continue

    expired = datetime.fromtimestamp(int(expires))
    if now > expired - timedelta(days=200):
        for uid in key['uids']:
            print(uid)
        print("Expired: {}".format(expired))

jelly avatar Aug 09 '18 07:08 jelly

Archweb already stores the expired date:

from datetime import timedelta
from django.utils import timezone

from devel.models import DeveloperKey

now = timezone.now()

for key in DeveloperKey.objects.all():
    # No expiry
    if key.expires is None:
        continue

    if now > key.expires - timedelta(days=200):
        print(key.owner)

jelly avatar Aug 09 '18 07:08 jelly

When a key is almost expired report an issue. The issues can be shown in archweb or mailed to a mailing list.

Since key issues (almost expired or key/UID revocation) can be related to issues with a specific email address, I think an external place where these are displayed (or may be easily checked by the packager) is indeed a good idea.

I suppose you could also have the packager leave a secondary email address to where such issues are mailed to, if such is reasonable to implement. (Besides the email address left in the flyspray profile, assuming by issues you mean bugs.archlinux.org issues)

AladW avatar Oct 15 '18 16:10 AladW

There are two checks required: One for Package packages with almost expired keys, this can be handled in archweb but won't be fast:

from main.models import Package
from devel.models import MasterKey, DeveloperKey, PGPSignature, StaffGroup, UserProfile

pkg = Package.objects.first()
sig = pkg.signature
matching_key = DeveloperKey.objects.select_related('owner').get(key=sig.key_id, owner_id__isnull=False)

Then check if any matching_key.expires

To check if a packager's keys are expired will be a more difficult task. Archweb does not know which key is used for signing since there can be multiple subkeys which might be expired. Archweb should therefore check if there is any valid signing subkey for this user with at least 3 signatures.

jelly avatar Oct 21 '18 14:10 jelly