"Fossies" - the Fresh Open Source Software Archive 
Member "install-tl-20231127/tlpkg/gpg/tl-key-extension.txt" (11 Sep 2022, 2395 Bytes) of package /linux/misc/install-tl-unx.tar.gz:
$Id: tl-key-extension.txt 64337 2022-09-11 00:37:43Z preining $
(Public domain.)

How to update TeX Live distribution signing key
===============================================

This must be done every year! It's not optional.

shut down networking service

cp gpg directory from USB stick to computer

export GNUPGHOME=...<COPY OF USBSTICK gpg directory>
export KEYID=0xC78B82D8C79512F79CC0D7C80D5E5D9106BAB6BC
gpg --edit-key $KEYID
  > key 2
    # selects the expiring key, check!
  > expire
  > 16m
    # choose something after the release of the next TL
  > save

# export public key for import into svn and TUG account
gpg -a --export $KEYID > texlive.asc

# update USB drive with new stuff, remove from home:

rm -rf "$GNUPGHOME"
unset GNUPGHOME

# send keys
# make sure that .gnupg/dirmngr.conf does NOT contain hkp-cacert lines!!!

# keys.openpgp.org
gpg --export $KEYID | curl -T - https://keys.openpgp.org
# this will give a URL to associate key with email, visit it!

# ubuntu key server
gpg --send-key --keyserver hkp://keyserver.ubuntu.com:80 $KEYID



# update TeX Live repository
export GNUPGHOME=/home/texlive/Master/tlpkg/gpg # wherever svn checkout
# use gpg version 1 here!!!
gpg1 --import texlive.asc

svn commit


# on the TUG server (needs the exported public key in
# texlive.asc, see above how to export it)
gpg --homedir /home/texlive/.gnupg --import texlive.asc

# can view that .asc with:
gpg --homedir /home/texlive/.gnupg texlive.asc

# update web-accessible public key, keeping old files but updating symlink
# (-f replaces the existing texlive.asc symlink):
cp texlive.asc ~www/texlive/files/texlive`date +%Y`.asc
ln -sf texlive`date +%Y`.asc ~www/texlive/files/texlive.asc

More info:
. tlgpg runs a gpg command with the above TL .gnupg directory, etc.

. tl-sign-file (uses tlgpg) is used to sign texlive.tlpdb.sha512.

. tlgpg-verify foo[.asc] will check for expired key, per below.
  tl-sign-file uses this to make sure it is not signing with an expired key.

. (tl)gpg foo.asc will sometimes report expiration info.

. given files updated in Master/tlpkg/gpg, can export into asc:
  gpg --homedir ..../Master/tlpkg/gpg --export -a 0x0D5E5D9106BAB6BC >tl.asc

. gpg --verify --verbose foo.asc reports some info.

. but exit status is zero even with expired keys; to check,
  use --status-file and inspect:
  gpg --verify --verbose --status-file=/tmp/st foo.asc

. see tlgpg, tl-sign-file, TLCrypto.pm for full implementation.
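
One way to do the "use --status-file and inspect" step from the notes above, as an added example (this is not TeX Live's tlgpg-verify or TLCrypto.pm code). The function names and the sample status lines are constructed for illustration; the status keywords are the ones GnuPG writes to its status output.

```shell
#!/bin/sh
# Added example, not TeX Live's tlgpg-verify. Classifies a file written by
#   gpg --verify --status-file=FILE foo.asc
# Prints one word; returns 0 = good, 1 = expired key or signature, 2 = other.
check_gpg_status() {
    status_file=$1
    [ -r "$status_file" ] || { echo unreadable; return 2; }
    # Bad, unverifiable or revoked-key signatures are hard failures.
    if grep -Eq '^\[GNUPG:] (BADSIG|ERRSIG|REVKEYSIG) ' "$status_file"; then
        echo bad; return 2
    fi
    # The case gpg's exit status hides, per the note above: expiry.
    if grep -Eq '^\[GNUPG:] (EXPKEYSIG|EXPSIG|KEYEXPIRED) ' "$status_file"; then
        echo expired; return 1
    fi
    # Accept only an explicit good signature that gpg also marked valid.
    if grep -q '^\[GNUPG:] GOODSIG ' "$status_file" &&
       grep -q '^\[GNUPG:] VALIDSIG ' "$status_file"; then
        echo good; return 0
    fi
    echo nosig; return 2
}

# Constructed status lines (placeholder key id, fingerprint and user id).
sample_status() {
    fpr=0123456789ABCDEF0123456789ABCDEF01234567
    uid='Example Signer <signer@example.org>'
    echo '[GNUPG:] NEWSIG'
    case $1 in
        good)    echo "[GNUPG:] GOODSIG 0123456789ABCDEF $uid" ;;
        expired) echo '[GNUPG:] KEYEXPIRED 1700000000'
                 echo "[GNUPG:] EXPKEYSIG 0123456789ABCDEF $uid" ;;
        bad)     echo "[GNUPG:] BADSIG 0123456789ABCDEF $uid"; return ;;
    esac
    echo "[GNUPG:] VALIDSIG $fpr 2023-11-27 1701043200 0 4 0 1 10 00 $fpr"
}

# Demo on the constructed samples.
demo_file=${TMPDIR:-/tmp}/st.$$
for kind in good expired bad; do
    sample_status "$kind" > "$demo_file"
    printf '%s sample -> ' "$kind"
    check_gpg_status "$demo_file" || true
done
rm -f "$demo_file"
```

Checking for the failure keywords before GOODSIG matters because an expired-key verification still carries a VALIDSIG line.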