On 17 July 2015 at 15:36, Rich Freeman <ri...@gentoo.org> wrote:
> On Fri, Jul 17, 2015 at 12:42 AM, Brian Dolbec <dol...@gentoo.org> wrote:
>>
>> I don't know tbh, most are already signed, with the git migration, the
>> strongly recommended commit signing will become MANDATORY.
>>
>> So, we are at 50 devs with valid gpg keys now, with 200 more gpg keys
>> listed in LDAP that fail to meet the new spec. PLEASE fix them or
>> create new keys...
>
> How does somebody know whether their key meets the spec or not? I
> looked at the gentoo-keys website and didn't see any simple way to
> check.
>
> There was documentation on the gkeys utility for checking keys, but I
> ran into a few issues with this. First, it can't be installed on a
> stable system with mirrorselect.
The use of keys should be by counter signature: when pushing, the counter signature service should check that the signature is valid and the dev key is valid, using the internal LDAP for example, and counter sign with its own key and add a timestamp. Users should trust only the counter signature service key, which is formal and should be valid for a long time.

This is yet another reason why it is best to not use signatures within git but remain with the signed manifest. When committing, one can sign the manifest, send the manifest to the counter signature service and obtain a formally signed manifest to be committed into the tree.

Using a signed manifest also reduces merge conflicts, survives rebase, enables code review without losing the original signer, and will enable future migration to other technology.

Regards,
Alon
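The counter-signature flow proposed above, worked through as an added example that is not part of the thread and not Gentoo's or gkeys' code. It assumes Ed25519 in place of GnuPG, an in-memory map in place of the LDAP key directory, and a constructed Manifest line; the developer signature is kept inside the countersigned record so the original signer survives, and the user-side check trusts only the service key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// DevSigned is what a developer submits: the Manifest bytes plus their own signature over them.
type DevSigned struct {
	DevID    string
	Manifest []byte
	Sig      []byte
}

// CounterSigned is what the service hands back and what gets committed into the tree.
// DevSig is retained so the original signer is never lost; Timestamp is set by the service.
type CounterSigned struct {
	DevID      string
	Manifest   []byte
	DevSig     []byte
	Timestamp  int64 // Unix seconds, covered by ServiceSig
	ServiceSig []byte
}

// KeyRecord stands in for an LDAP entry: the developer's public key and its validity (assumed shape).
type KeyRecord struct {
	PubKey  ed25519.PublicKey
	Revoked bool
	Expires time.Time
}

// Service holds the long-lived counter-signing key and the key directory (hypothetical LDAP stand-in).
type Service struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
	dir  map[string]KeyRecord
	now  func() time.Time
}

// NewService generates the service key pair; in real use this key would be long-lived and protected.
func NewService(dir map[string]KeyRecord) (*Service, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Service{priv: priv, Pub: pub, dir: dir, now: time.Now}, nil
}

// payload is the byte string the service signs. Variable-length fields are length-prefixed so
// two different (devID, manifest, devSig, ts) tuples cannot serialize to the same bytes.
func payload(devID string, manifest, devSig []byte, ts int64) []byte {
	var b [8]byte
	out := make([]byte, 0, 4+len(devID)+8+4+len(devSig)+len(manifest))
	binary.BigEndian.PutUint32(b[:4], uint32(len(devID)))
	out = append(append(out, b[:4]...), devID...)
	binary.BigEndian.PutUint64(b[:], uint64(ts))
	out = append(out, b[:]...)
	binary.BigEndian.PutUint32(b[:4], uint32(len(devSig)))
	out = append(append(out, b[:4]...), devSig...)
	return append(out, manifest...)
}

// CounterSign is the push-time check from the mail: the developer signature must verify and the
// developer key must be current in the directory before the service signs and timestamps.
func (s *Service) CounterSign(req DevSigned) (*CounterSigned, error) {
	rec, ok := s.dir[req.DevID]
	if !ok || len(rec.PubKey) != ed25519.PublicKeySize {
		return nil, errors.New("unknown developer or malformed key record")
	}
	if rec.Revoked {
		return nil, errors.New("developer key is revoked")
	}
	now := s.now()
	if now.After(rec.Expires) {
		return nil, errors.New("developer key has expired")
	}
	if !ed25519.Verify(rec.PubKey, req.Manifest, req.Sig) {
		return nil, errors.New("developer signature does not verify")
	}
	cs := &CounterSigned{DevID: req.DevID, Manifest: req.Manifest, DevSig: req.Sig, Timestamp: now.Unix()}
	cs.ServiceSig = ed25519.Sign(s.priv, payload(cs.DevID, cs.Manifest, cs.DevSig, cs.Timestamp))
	return cs, nil
}

// VerifyCounterSigned is the only check a user performs: it trusts the service key alone and
// never has to evaluate the individual developer's key.
func VerifyCounterSigned(servicePub ed25519.PublicKey, cs *CounterSigned) bool {
	return ed25519.Verify(servicePub, payload(cs.DevID, cs.Manifest, cs.DevSig, cs.Timestamp), cs.ServiceSig)
}

func main() {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	dir := map[string]KeyRecord{"alice": {PubKey: devPub, Expires: time.Now().Add(24 * time.Hour)}}
	svc, err := NewService(dir)
	if err != nil {
		panic(err)
	}
	manifest := []byte("DIST foo-1.0.tar.gz 1234 SHA512 0000\n") // constructed sample Manifest line
	cs, err := svc.CounterSign(DevSigned{DevID: "alice", Manifest: manifest, Sig: ed25519.Sign(devPriv, manifest)})
	if err != nil {
		panic(err)
	}
	fmt.Println("user-side verification with service key only:", VerifyCounterSigned(svc.Pub, cs))
}
```

The service signature covers the developer's signature and the timestamp as well as the Manifest, so a later edit to any of the three invalidates the countersignature, and a revoked or expired developer key is refused at push time rather than discovered by every user.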