Automate PGP keyring issues

archlinux / archweb

Arch Linux website code

https://archlinux.org

GNU General Public License v2.0

317 stars 128 forks source link

Automate PGP keyring issues #109

Open jelly opened 6 years ago

jelly commented 6 years ago

When a Trusted User or Developer steps down, his key may be left in the archlinux-keyring package. There is no automation to revoke this key or update the keyring package, so there should be some automation in place to handle this :)

Some scenario's which can be automated:

When a key is in the keyring but there is no archweb entry, report an issue.
When a fingerprint is registered in archweb but not in the keyring, report an issue
When a key is almost expired report an issue.The issues can be shown in archweb or mailed to a mailing list.

jelly commented 6 years ago

#!/usr/bin/python

from datetime import datetime, timedelta

import gnupg

gpg = gnupg.GPG(gnupghome='/etc/pacman.d/gnupg')
now = datetime.now()

for key in gpg.list_keys():
    expires = key['expires']
    # No expiry date
    if expires == '':
        continue

    expired = datetime.fromtimestamp(int(expires))
    if now > expired - timedelta(days=200):
        for uid in key['uids']:
            print(uid)
        print("Expired: {}".format(expired))

jelly commented 6 years ago

Archweb already stores the expired date:

from datetime import timedelta
from django.utils import timezone

from devel.models import DeveloperKey

now = timezone.now()

for key in DeveloperKey.objects.all():
    # No expiry
    if key.expires is None:
        continue

    if now > key.expires - timedelta(days=200):
        print(key.owner)

AladW commented 5 years ago

When a key is almost expired report an issue. The issues can be shown in archweb or mailed to a mailing list.

Since key issues (almost expired or key/UID revocation) can be related to issues with a specific email address, I think an external place where these are displayed (or may be easily checked by the packager) is indeed a good idea.

I suppose you could also have the packager leave a secondary email address to where such issues are mailed to, if such is reasonable to implement. (Besides the email address left in the flyspray profile, assuming by issues you mean bugs.archlinux.org issues)

jelly commented 5 years ago

There are two checks required: One for Package packages with almost expired keys, this can be handled in archweb but won't be fast:

from main.models import Package
from devel.models import MasterKey, DeveloperKey, PGPSignature, StaffGroup, UserProfile

pkg = Package.objects.first()
sig = pkg.signature
matching_key = DeveloperKey.objects.select_related('owner').get(key=sig.key_id, owner_id__isnull=False)

Then check if any matching_key.expires

To check if a packager's keys are expired will be a more difficult task. Archweb does not know which key is used for signing since there can be multiple subkeys which might be expired. Archweb should therefore check if there is any valid signing subkey for this user with at least 3 signatures.