Hello all,

We're very pleased to announce the first official release of the Gentoo Keys toolkit.

What is the Gentoo Keys project?
================================

Gentoo Keys is a Python-based project that aims to manage the OpenPGP keys used for validation on users and Gentoo's infrastructure servers. It is a toolkit that helps the community establish trust between users and developers. Gentoo Keys can verify OpenPGP keys used for Gentoo's release media, packages and other OpenPGP-signed documents, i.e. LiveDVDs, LiveCDs, stage* releases, Gentoo tree ebuild commits, and the layman repositories list.

The Gentoo Keys project consists of three tools:

* gkeys
* gkeys-gen
* gkeys-ldap

Tools
=====

gkeys-ldap
----------

Is the tool that is going to be used internally in Gentoo infrastructure. It performs LDAP look-ups for all the developers and generates the so-called seed files[1].

gkeys
-----

Is the major tool that manages the seed files and the keyrings[2] of the developers. This tool is also going to be used for file signing and verification. In addition, it can generate binary keyrings based on selected keys, which can then be signed and distributed to the user base.

gkeys-gen
---------

Is the tool that generates OpenPGP keys based on the recommended specifications of the Gentoo council approved GLEP 63[3]. We have written an extensive guide on how to generate a GLEP 63 based OpenPGP key:
https://wiki.gentoo.org/wiki/Project:Gentoo-keys/Generating_GLEP_63_based_OpenPGP_keys

Glossary
========

[1] Seed files: A JSON file that contains the trusted users with their keys.
[2] Keyrings: A collection of trusted OpenPGP keys.
[3] GLEP 63: https://wiki.gentoo.org/wiki/GLEP:63

Automated Checks
================

As of today, we insist that all Gentoo developers start creating GLEP 63 based OpenPGP keys. In the following months we are going to start running a suite of automated checks on all the developers' OpenPGP keys.
Some of the checks are for:

* Invalid keys
* Expired keys
* Revoked keys
* GLEP 63 requirements for keys

It is also worth mentioning that these tools can be used by users too. The Gentoo Keys project also aims to extend the usability of the toolkit to the overlays, so everyone can manage their own web of trust and support signed files.

Installation
============

gkeys
-----

    emerge app-crypt/gkeys

Note: the app-crypt/gentoo-keys package contains the Gentoo release keyrings and is auto-fetched by the app-crypt/gkeys package.

gkeys-gen
---------

    emerge app-crypt/gkeys-gen

Feedback
========

For comments and suggestions, feel free to contact us at <gkeys AT gentoo DOT org> or join the #gentoo-keys IRC channel on Freenode. Patches are always welcome!

Official project page: https://wiki.gentoo.org/wiki/Project:Gentoo-keys
Source code: https://github.com/gentoo/gentoo-keys

On behalf of the Gentoo Keys team,
Pavlos Ratis
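The first three checks listed under Automated Checks (invalid, expired and revoked keys), as an added example that is not part of the original announcement and is not gkeys code. It reads a listing in the format printed by `gpg --list-keys --with-colons`; the sample listing, its key IDs and the `check_keys` name are constructed for illustration, and the GLEP 63 requirement checks are left out because the announcement does not state them.

```python
from datetime import datetime, timezone

# Constructed sample in the colon-delimited format printed by
# `gpg --list-keys --with-colons` (key IDs and dates are made up).
# Fields used: 1 = record type, 2 = validity, 5 = key ID, 7 = expiry (epoch).
SAMPLE = """\
pub:f:4096:1:1111111111111111:1420070400:1893456000::-:::scESC:
sub:f:4096:1:AAAAAAAAAAAAAAAA:1420070400:1893456000:::::e:
pub:e:2048:1:2222222222222222:1262304000:1293840000::-:::sc:
pub:r:4096:1:3333333333333333:1388534400:::-:::sc:
pub:i:1024:17:4444444444444444:1104537600:::-:::sc:
pub:-:4096:1:5555555555555555:1420070400:1425168000::-:::sc:
"""

# Validity letters gpg uses for the three conditions named in the list.
VALIDITY_PROBLEMS = {"i": "invalid", "e": "expired", "r": "revoked"}


def check_keys(listing, now=None):
    """Return {key_id: [problems]} for every primary key in the listing."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "pub" or len(fields) < 7:
            continue  # subkeys, user IDs and malformed lines are skipped
        validity, key_id, expires = fields[1], fields[4], fields[6]
        problems = []
        if validity in VALIDITY_PROBLEMS:
            problems.append(VALIDITY_PROBLEMS[validity])
        # The validity letter is fixed when the listing is produced, so a
        # stored listing can go stale: compare the expiry date as well.
        if expires and "expired" not in problems:
            if datetime.fromtimestamp(int(expires), timezone.utc) <= now:
                problems.append("expired")
        report[key_id] = problems
    return report


if __name__ == "__main__":
    for key_id, problems in check_keys(SAMPLE).items():
        print(key_id, ", ".join(problems) or "ok")
```

The last sample key carries no problem letter in its validity field but has an expiry date in the past, which is the case a check run over a stored listing has to catch by date comparison.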