Merge #11909: contrib: Replace developer keys with list of pgp fingerprints

fabb72b contrib: Remove xpired 522739F6 key (MarcoFalke)
faeab66 contrib: Replace developer keys with list of pgp fingerprints (MarcoFalke)

Pull request description:

  Having to host a copy of the keys in this repo was a common source of discussion and distraction, caused by problems such as:

  * Outdated keys. Unclear whether and when to replace by fresh copies.
  * Unclear when to add a key of a new developer or Gitian builder.

  The problems are solved by
  * Having no keys but only the fingerprints
  * Adding a rule of thumb, when to add a new key

  <strike>Moving the keys to a different repo solves none of these issues, but since the keys are not bound to releases or git branches of Bitcoin Core, they should live somewhere else.

  Obviously, all keys are hosted and distributed on key servers, but were added to the repo solely for convenience and redundancy.

  Moving the mirror of those keys to a different repo makes it less distracting to update them -- let's say -- prior to every major release.

  I updated our `doc/release-process.md` to reflect the new location.

  DEPENDS_ON https://github.com/bitcoin-core/gitian.sigs/pull/621
  </strike>

Tree-SHA512: c00795a07603190e26dc4526f6ce11e492fb048dc7ef54b38f859b77dcde25f58ec4449f5cf3f85a5e9c2dd2743bde53f7ff03c8eccf0d75d51784a6b164e47d
This commit is contained in:
Wladimir J. van der Laan 2018-02-06 15:48:56 +01:00 committed by Konstantin Akimov
parent 1ff42b40e3
commit 62b5358a9c
No known key found for this signature in database
GPG Key ID: 2176C4A5D01EA524

View File

@ -1,15 +1,26 @@
PGP keys ## PGP keys of builders and Developers
========
This folder contains the public keys of developers and active contributors. The file `keys.txt` contains fingerprints of the public keys of builders and
active developers.
The keys are mainly used to sign git commits or the build results of builds. The keys are mainly used to sign git commits or the build results of builds.
You can import the keys into gpg as follows. Also, make sure to fetch the The most recent version of each pgp key can be found on most pgp key servers.
latest version from the key server to see if any key was revoked in the
meantime. Fetch the latest version from the key server to see if any key was revoked in
the meantime.
To fetch the latest version of all pgp keys in your gpg homedir,
```sh ```sh
gpg --import ./*.pgp
gpg --refresh-keys gpg --refresh-keys
``` ```
To fetch keys of builders and active developers, feed the list of fingerprints
of the primary keys into gpg:
```sh
while read fingerprint keyholder_name; do gpg --keyserver hkp://subset.pool.sks-keyservers.net --recv-keys ${fingerprint}; done < ./keys.txt
```
Add your key to the list if you provided Guix attestations for two major or
minor releases of Dash Core.