Bug 834329 - Add more L2 keys: "Gentoo Authority Key L2 for Infra"
Summary: Add more L2 keys: "Gentoo Authority Key L2 for Infra"
Status: IN_PROGRESS
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Infrastructure
URL:
Whiteboard:
Keywords:
Duplicates: 912377
Depends on:
Blocks:

Reported: 2022-02-28 02:13 UTC by Robin Johnson
Modified: 2024-05-05 23:46 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Description: Robin Johnson (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2022-02-28 02:13:45 UTC
Per IRC discussion.

Introduce an L2 key that signs users who have gentooAccess=infra.group in their LDAP.

It should ALSO revoke signatures if a user is removed from that ldap group, and/or retires from Gentoo.
Comment 1: Robin Johnson (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2023-08-17 19:18:27 UTC
*** Bug 912377 has been marked as a duplicate of this bug. ***
Comment 2: Michał Górny (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2023-08-19 15:37:57 UTC
I've updated autosign to allow customizing the filter expression.

Basically make a separate GNUPGHOME with the new key, set the following envvar:

  AUTOSIGN_FILTER='(&(gentooStatus=active)(gentooAccess=infra.group))'

and run autosign.bash with GNUPGHOME set.
Comment 3: Robin Johnson (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2024-04-19 06:34:01 UTC
This is partially rolled out now.

The missing steps:
- load the L1 key from the offline environment, to sign the L2-infra key; send that signature to the keyservers.
- enable sending keys
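Pulling together the two procedures in comments 2 and 3 (a filtered signer running from its own GNUPGHOME, and the still-missing push of the resulting signatures to the keyservers), here is an added bash example. It is not Gentoo infra's autosign.bash and not code from anyone on this bug: a dry-run planner that evaluates the filter `(&(gentooStatus=active)(gentooAccess=infra.group))` over a constructed LDIF export, works out which fingerprints get a fresh L2-infra certification, which keep theirs, and which must have it revoked (the retirement/removal case the description insists on), then renders the gpg commands a real run would execute. The sample entries, the `gpgfingerprint` attribute name, the `PREVIOUSLY_SIGNED` list, the GNUPGHOME path, the L2 fingerprint and the keyserver URL are all assumptions made up for the example; the gpg options are standard GnuPG 2.2+ (`--quick-sign-key`, `--quick-revoke-sig`, `--send-keys`).

```shell
#!/usr/bin/env bash
# Added example (not Gentoo infra's autosign.bash): a dry-run planner for a
# group-scoped L2 signer. It evaluates the LDAP filter from comment 2 over a
# constructed LDIF export, diffs the result against what the L2-infra key
# already signed, and renders the gpg commands a real run would execute.
# Every name, path, fingerprint and URL below is an assumption for the example.
set -u

# Constructed fingerprints (not real keys).
FPR_ALICE=1111111111111111111111111111111111111111
FPR_BOB=2222222222222222222222222222222222222222
FPR_CAROL=3333333333333333333333333333333333333333
FPR_DAVE=4444444444444444444444444444444444444444

# Constructed LDIF-style export: one attribute per line, blank line between
# records. Attribute names follow the filter in comment 2; the fingerprint
# attribute name is assumed.
SAMPLE_LDIF="dn: uid=alice,ou=devs,dc=example,dc=org
uid: alice
gentooStatus: active
gentooAccess: infra.group
gpgfingerprint: $FPR_ALICE

dn: uid=bob,ou=devs,dc=example,dc=org
uid: bob
gentooStatus: active
gentooAccess: recruiters.group
gpgfingerprint: $FPR_BOB

dn: uid=carol,ou=devs,dc=example,dc=org
uid: carol
gentooStatus: retired
gentooAccess: infra.group
gpgfingerprint: $FPR_CAROL

dn: uid=dave,ou=devs,dc=example,dc=org
uid: dave
gentooStatus: active
gentooAccess: infra.group
gentooAccess: devrel.group
gpgfingerprint: $FPR_DAVE
"

# What the L2-infra key certified on an earlier run (constructed): alice is
# still infra, carol has retired since and must be revoked.
PREVIOUSLY_SIGNED="$FPR_ALICE
$FPR_CAROL"

# Evaluate (&(gentooStatus=active)(gentooAccess=infra.group)) over LDIF on
# stdin; print "uid fingerprint" per matching record. Multi-valued
# gentooAccess is handled because every line of the record is inspected.
filter_active_infra() {
  awk -v RS= -v FS='\n' '
  {
    active = 0; infra = 0; uid = ""; fpr = ""
    for (i = 1; i <= NF; i++) {
      split($i, kv, ": ")
      if (kv[1] == "gentooStatus" && kv[2] == "active")      active = 1
      if (kv[1] == "gentooAccess" && kv[2] == "infra.group") infra = 1
      if (kv[1] == "uid")            uid = kv[2]
      if (kv[1] == "gpgfingerprint") fpr = kv[2]
    }
    if (active && infra && fpr != "") print uid, fpr
  }'
}

# Diff wanted members ("uid fpr" lines) against previously signed fingerprints.
# Emits "keep FPR", "sign FPR" and "revoke FPR" lines; revoke covers anyone
# who left the group or is no longer active, as the description requires.
plan_actions() {
  wanted=$1; previous=$2
  printf '%s\n' "$wanted" | while read -r uid fpr; do
    [ -n "$fpr" ] || continue
    if printf '%s\n' "$previous" | grep -qx "$fpr"; then
      echo "keep $fpr"
    else
      echo "sign $fpr"
    fi
  done
  printf '%s\n' "$previous" | while read -r fpr; do
    [ -n "$fpr" ] || continue
    printf '%s\n' "$wanted" | grep -q " $fpr\$" || echo "revoke $fpr"
  done
}

# Render (do not execute) the GnuPG 2.2+ commands for a plan read from stdin,
# always against the signer's dedicated keyring. --send-keys is the push step
# that comment 3 lists as still missing.
render_gpg_commands() {
  gnupghome=$1; l2_fpr=$2; keyserver=$3
  while read -r action fpr; do
    case $action in
      sign)   printf 'GNUPGHOME=%s gpg --batch --yes --quick-sign-key %s\n' "$gnupghome" "$fpr" ;;
      revoke) printf 'GNUPGHOME=%s gpg --batch --yes --quick-revoke-sig %s %s\n' "$gnupghome" "$fpr" "$l2_fpr" ;;
      *)      continue ;;
    esac
    printf 'GNUPGHOME=%s gpg --batch --keyserver %s --send-keys %s\n' "$gnupghome" "$keyserver" "$fpr"
  done
}

run_plan() {
  plan_actions "$(printf '%s' "$SAMPLE_LDIF" | filter_active_infra)" "$PREVIOUSLY_SIGNED"
}

# Assumed values for the dry run: keyring path, L2-infra fingerprint, keyserver.
run_plan | render_gpg_commands /var/lib/autosign-infra/gnupg \
  0000000000000000000000000000000000000000 hkps://keyserver.example.org
```

Nothing here calls gpg; the rendered lines are what the signer would execute from its dedicated keyring, and a real run would also want `--keyserver`/`--send-keys` applied to the L2-infra key itself once the L1 certification from the offline environment has been imported (that L1 step is comment 3's separate procedure and is deliberately not modelled). The revoke branch is the part that is easy to forget: a member who drops out of infra.group or goes inactive must lose the existing certification, not merely stop receiving new ones, and `--quick-revoke-sig` takes the L2 key's own fingerprint so only that key's signature on the target is revoked.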
Comment 4: Robin Johnson (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2024-05-05 23:46:05 UTC
This should be working, but the keys aren't being pushed from the L2 signer properly.