R&D effort: `brl fetch` public key management

[paradigm]

brl fetch should eventually cryptographically verify the software it is bootstrapping. As preliminary research for this effort, we'll need to populate the information in the table below.

Feel free to comment with additional information and I'll update the table accordingly.

The fields are:

• distro: self explanatory
• bootstrap resource: whatever it is brl fetch grabs directly which we'll need to verify. This includes things like packages, tarballs, and ISO9660 files. The reason we need to know this is that different public keys might be used to verify different things. ISOs might use a different key from packages, for example.
• public key location: we need some public key to bootstrap the process. Where do we find it? This could be a project website that hosts it, or a distro provided package that contains it.
• key update method: I don't want to have to roll out brl updates every time any distro updates its keys. We'll need to have brl fetch be able to use existing keys to grab new ones. How do we do this?
• portable resource validation method: how do we actually use the key to validate the resource, particularly when we don't have any of the distro-specific tooling (yet).
• notes: self explanatory

distro	bootstrap resource	public key location	key update method	portable resource validation method	notes
alpine	alpine-format package	https://alpinelinux.org/keys/			https://wiki.alpinelinux.org/wiki/Upgrade_to_repository_main
arch	arch-format package	https://archlinux.org/master-keys/			https://wiki.archlinux.org/index.php/Pacman/Package_signing
arch-32	arch-format package
arch-arm	arch-format package
artix	arch-format package
centos	rpm-format package	centos-pkg-keys package	download/extract package		https://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/s1-check-rpm-sig.html
clear	clear manifest file?
crux	iso
debian	debian-format package				https://wiki.debian.org/SecureApt
devuan	debian-format package
devuan	debian-format package
exherbo	userland tarball
fedora	rpm-format package	fedora-pkg-keys package	download/extract package		https://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/s1-check-rpm-sig.html
gentoo	userland tarball				https://wiki.gentoo.org/wiki/Project:Portage/Repository_verification
kiss	userland tarball				https://github.com/kisslinux/kiss/issues/60
manjaro	arch-format package
raspbian	debian-format package
slackware	slackware-format package
solus	solus-format package
ubuntu	debian-format package
void	void-format package

[bobbbay]

Note for Gentoo: Gentoo Wiki Notes for KISS: GitHub Issue

[lpuv]

This could maybe help for alpine

[lpuv]

Alpine keys