From 62b5358a9c238a670434893973a88f884a20d70f Mon Sep 17 00:00:00 2001 From: "Wladimir J. van der Laan" Date: Tue, 6 Feb 2018 15:48:56 +0100 Subject: [PATCH] Merge #11909: contrib: Replace developer keys with list of pgp fingerprints fabb72b contrib: Remove xpired 522739F6 key (MarcoFalke) faeab66 contrib: Replace developer keys with list of pgp fingerprints (MarcoFalke) Pull request description: Having to host a copy of the keys in this repo was a common source of discussion and distraction, caused by problems such as: * Outdated keys. Unclear whether and when to replace by fresh copies. * Unclear when to add a key of a new developer or Gitian builder. The problems are solved by * Having no keys but only the fingerprints * Adding a rule of thumb, when to add a new key Moving the keys to a different repo solves none of these issues, but since the keys are not bound to releases or git branches of Bitcoin Core, they should live somewhere else. Obviously, all keys are hosted and distributed on key servers, but were added to the repo solely for convenience and redundancy. Moving the mirror of those keys to a different repo makes it less distracting to update them -- let's say -- prior to every major release. I updated our `doc/release-process.md` to reflect the new location. DEPENDS_ON https://github.com/bitcoin-core/gitian.sigs/pull/621 Tree-SHA512: c00795a07603190e26dc4526f6ce11e492fb048dc7ef54b38f859b77dcde25f58ec4449f5cf3f85a5e9c2dd2743bde53f7ff03c8eccf0d75d51784a6b164e47d --- contrib/builder-keys/README.md | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/contrib/builder-keys/README.md b/contrib/builder-keys/README.md index c883b3fa6f..e31ac6fa87 100644 --- a/contrib/builder-keys/README.md +++ b/contrib/builder-keys/README.md @@ -1,15 +1,26 @@ -PGP keys -======== +## PGP keys of builders and Developers -This folder contains the public keys of developers and active contributors. +The file `keys.txt` contains fingerprints of the public keys of builders and +active developers. The keys are mainly used to sign git commits or the build results of builds. -You can import the keys into gpg as follows. Also, make sure to fetch the -latest version from the key server to see if any key was revoked in the -meantime. +The most recent version of each pgp key can be found on most pgp key servers. + +Fetch the latest version from the key server to see if any key was revoked in +the meantime. +To fetch the latest version of all pgp keys in your gpg homedir, ```sh -gpg --import ./*.pgp gpg --refresh-keys ``` + +To fetch keys of builders and active developers, feed the list of fingerprints +of the primary keys into gpg: + +```sh +while read fingerprint keyholder_name; do gpg --keyserver hkp://subset.pool.sks-keyservers.net --recv-keys ${fingerprint}; done < ./keys.txt +``` + +Add your key to the list if you provided Guix attestations for two major or +minor releases of Dash Core.