authorV3n3RiX <venerix@koprulu.sector>2024-07-04 08:06:08 +0100
committerV3n3RiX <venerix@koprulu.sector>2024-07-04 08:06:08 +0100
commit2a8d2f71d1d9963368e0ef3d641d75979a689d12 (patch)
tree83e283f960ab2ebbc1a042b8ed6c37b78d47b37b /sec-keys
parent8435c842b9e8fbb2bcc80397ab3aa655000459e2 (diff)
gentoo auto-resync : 04:07:2024 - 08:06:07
Diffstat (limited to 'sec-keys')
-rw-r--r--sec-keys/Manifest.gzbin26596 -> 26596 bytes
-rw-r--r--sec-keys/openpgp-keys-gentoo-auth/Manifest2
-rw-r--r--sec-keys/openpgp-keys-gentoo-auth/openpgp-keys-gentoo-auth-20240703.ebuild28
-rw-r--r--sec-keys/openpgp-keys-gentoo-developers/Manifest4
-rw-r--r--sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231120.ebuild233
-rw-r--r--sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20240226.ebuild233
-rw-r--r--sec-keys/openpgp-keys-gentoo-release/Manifest2
-rw-r--r--sec-keys/openpgp-keys-gentoo-release/openpgp-keys-gentoo-release-20240703.ebuild53
-rw-r--r--sec-keys/openpgp-keys-jpakkane/Manifest2
-rw-r--r--sec-keys/openpgp-keys-jpakkane/metadata.xml8
-rw-r--r--sec-keys/openpgp-keys-qbittorrent/Manifest2
-rw-r--r--sec-keys/openpgp-keys-qbittorrent/metadata.xml8
-rw-r--r--sec-keys/openpgp-keys-yubico/Manifest16
-rw-r--r--sec-keys/openpgp-keys-yubico/metadata.xml9
-rw-r--r--sec-keys/openpgp-keys-yubico/openpgp-keys-yubico-20240628.ebuild57
15 files changed, 171 insertions, 486 deletions
diff --git a/sec-keys/Manifest.gz b/sec-keys/Manifest.gz
index 05ddc7e91acb..54b2a5de9684 100644
--- a/sec-keys/Manifest.gz
+++ b/sec-keys/Manifest.gz
Binary files differ
diff --git a/sec-keys/openpgp-keys-gentoo-auth/Manifest b/sec-keys/openpgp-keys-gentoo-auth/Manifest
index c661bd25c710..23f241fd35c6 100644
--- a/sec-keys/openpgp-keys-gentoo-auth/Manifest
+++ b/sec-keys/openpgp-keys-gentoo-auth/Manifest
@@ -1,3 +1,5 @@
DIST gentoo-auth.asc.20230329.gz 3371 BLAKE2B 2d4940e50c8b415f48a0fe479b95dbe1f2ab83af8eceda582ecd9386fada54126cce2fa7e509611fe8d51b14dc1638b3aa19f87fbe2b7bb8dffc91657ead2a48 SHA512 b516104e6affbcdced8aba100a0eadb82b1fc3a6cc8ed907486e30c44e78f77dabd6dc1e02383537d13a380247f315b7c53711e3b5994242a84afeca4af755fd
+DIST gentoo-auth.asc.20240703.gz 3348 BLAKE2B 0594bffecc718e0314a04f6a85c2d77d9a70d910eeea7dd1c87ba3381f0e4c0670975e2489efd289287326de0fee9284916dd60547e1cf2acf838b5da70fb0e4 SHA512 a491cac10e9a7a182b0e886ab94926f340eb1bd124142737097c7f0af8e713a4586a595638d6b08c3ccf6c873cbe9aae2dbe635b51d2b2c7adfaefdcbbc56fa1
EBUILD openpgp-keys-gentoo-auth-20230329.ebuild 786 BLAKE2B 10ffdd9503faffaaf806befb7fa73600cf9dbb2636d8164c7c098f88b627bc78e24f4b7b22d29780ea4f65bb64765d55d4097ddd311db3cf7142560085b74e34 SHA512 1f21a9f6eb74ecab1479726c8e2c6870ac28d3d799b730cdaaab2ec28b6cd6e2a761b94644d6edb9ae177cbbef296c492303337587432bf1839455656a9b92e8
+EBUILD openpgp-keys-gentoo-auth-20240703.ebuild 788 BLAKE2B a05e6b79d8555b94b9664b86b0982dae0ccf441a06e0f18a32db9111bb9091f065e7b4718a0f11685d1ad3ebdd45863c1ef5f95e714c732435c21b15ec2f3340 SHA512 3245acc47caf0a52fa40bcc4244659d5360cb74f1308f4a957849aa305b36a5f53e9cedf27b6e864306e22a75c20cbe6a7bd97cdbd59b75131fdd39c30eb30e6
MISC metadata.xml 272 BLAKE2B 583272860b0b9615e8d57fed7ced1a93035bf0c25285d230412ac7af2e48a8156c2e9d9c0581da80f913a2748eb76579b64648fd1e22ce0bc89da66aafa30809 SHA512 19c90c888b76564e32674364a753ba2d6a0b9ce6f3a97f45bb876c32f83c8206e6ec318e0960747b2003a4c3a426994f25c6b83da8b294d575f45e80c6105d89
diff --git a/sec-keys/openpgp-keys-gentoo-auth/openpgp-keys-gentoo-auth-20240703.ebuild b/sec-keys/openpgp-keys-gentoo-auth/openpgp-keys-gentoo-auth-20240703.ebuild
new file mode 100644
index 000000000000..180cd833a860
--- /dev/null
+++ b/sec-keys/openpgp-keys-gentoo-auth/openpgp-keys-gentoo-auth-20240703.ebuild
@@ -0,0 +1,28 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
+HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
+SRC_URI="
+ https://dev.gentoo.org/~mgorny/dist/openpgp-keys/gentoo-auth.asc.${PV}.gz
+"
+S=${WORKDIR}
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
+
+# Keys included:
+# ABD00913019D6354BA1D9A132839FE0D796198B1
+# 18F703D702B1B9591373148C55D3238EC050396E
+# 2C13823B8237310FA213034930D132FF0FF50EEB
+
+src_install() {
+ insinto /usr/share/openpgp-keys
+ newins "gentoo-auth.asc.${PV}" gentoo-auth.asc
+ newins - gentoo-auth-ownertrust.txt <<-EOF
+ ABD00913019D6354BA1D9A132839FE0D796198B1:6:
+ EOF
+}
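Review bot: The ownertrust heredoc in `src_install` writes `ABD00913019D6354BA1D9A132839FE0D796198B1:6:` with no comment saying what level 6 means or why only the first of the three listed keys receives it. Anything that imports this file with `gpg --import-ownertrust` anchors its trust chain on that one line; the developer-keyring ebuilds removed in this same commit do exactly that in their tests and describe it as marking the L1 key ultimately trusted. I would add above the `newins -` line: `# Ownertrust 6 = ultimate; only the L1 authority key is a trust root, the other keys are validated through its signatures.` The second half of that comment is my reading of GLEP 79 and of the removed tests, not something this hunk states, so it should be confirmed before it goes in.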
diff --git a/sec-keys/openpgp-keys-gentoo-developers/Manifest b/sec-keys/openpgp-keys-gentoo-developers/Manifest
index a6b90d46bc02..8b15b403f0ea 100644
--- a/sec-keys/openpgp-keys-gentoo-developers/Manifest
+++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest
@@ -1,9 +1,5 @@
AUX keyring-mangler.py 3061 BLAKE2B a5acb20346c8eb4b036773562625ac39469d378a343c8bfcbb23391a61876f57aae7015f2d78e468a606330275686f2187d7a8a81a7d940a1e8329c2ea916a62 SHA512 60f7174319f77484eb389486e6f74c23a27d8211128d261497b3d095e3f7a8744c5402c29ae84a6e4833b77406e301dfd5c7b4cf8d5ffb062e298f177a1ff052
-DIST openpgp-keys-gentoo-developers-20231120-active-devs.gpg 3117324 BLAKE2B 30a10227a2970b828bb7eafe710356cea9e8983e9c808ca3bc9858e8ae9e9d8efec5a982f03101f273f82cf8ec55afcf0005b29e578ea039376bf093f2f9ab0a SHA512 70333f7647672e586eed3ae62d479d0b8bbb67e0eec2e7068cb8e2cbb60e2c5540ce8d06c08c3f80ce338824e203fddc04422eb002512eb8d5f1513a4a7b5c37
-DIST openpgp-keys-gentoo-developers-20240226-active-devs.gpg 3293697 BLAKE2B d47d351c638808e49a8d5966f532eb3cbc8c261c4667eab38731c2d072ba99bdc5d8523a6d21cb90184c760b2a13374bf3d4b470f0c0511fcd9d0e53cc462a3d SHA512 8f4c9bfc689ed7cccad039b2b06ee63285ef639a019fffd7d204017ff109ff590a1c591088c6f5bf19078e41f066a86712f3d2cd6a0735df64f5fc5086e47232
DIST openpgp-keys-gentoo-developers-20240422-active-devs.gpg 3204733 BLAKE2B b761e0f3f281545748eb8719b3ddd8eb55444090749218a579a94fddfafc735e3d36461662699fb1081fa70913d4449e51460f83d6ad10206c64ccdd313578e6 SHA512 b83232b2ed135bec63b5437aa49812b620de2de4d77874bc19b6d3caf2d7c0d295d58583b1cdc706ddc4e6d415c3391e6c6d1dc68b48556c865f36670575affe
-EBUILD openpgp-keys-gentoo-developers-20231120.ebuild 7523 BLAKE2B 2b3f5c5c1694b782ac318bdfd0dc7941ce47ed8f60fc2d715b88bf1404cd59639797e65e45891fad1aba9b456c3d356d7cadc1b79a9919cce0a8b1587364f7e5 SHA512 a013e480059fb7b0de2da5581f8d6c01b9eecb0593751fda7b57b4d4e98db2ab6b21a2aaefce7aec0c0981e6dc22fd9fc202bea6dedaf170816bd05c1031311e
-EBUILD openpgp-keys-gentoo-developers-20240226.ebuild 7523 BLAKE2B fc3aea669deecb63c8cf32445f3cecf2e5a03b58a97af4095e3419f147af43d8b69bbef3b706ee51a6ad6098717979c5effa72d1b2b60585496b15af668f2025 SHA512 6ed6217d6d866706d6206b0480d4c58ce51a12c9a2f28e4665972cf004ba672b86ae7620a12d8de76e59895d63289d69a80d77ada89d3e1edb866e705676c2ad
EBUILD openpgp-keys-gentoo-developers-20240422.ebuild 7523 BLAKE2B fc3aea669deecb63c8cf32445f3cecf2e5a03b58a97af4095e3419f147af43d8b69bbef3b706ee51a6ad6098717979c5effa72d1b2b60585496b15af668f2025 SHA512 6ed6217d6d866706d6206b0480d4c58ce51a12c9a2f28e4665972cf004ba672b86ae7620a12d8de76e59895d63289d69a80d77ada89d3e1edb866e705676c2ad
EBUILD openpgp-keys-gentoo-developers-99999999.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840
MISC metadata.xml 264 BLAKE2B 630ac0044f623dc63de725aae23da036b649a2d65331c06fbe9eb66d18ad1a4d3fd804cdffc4703500662b01272063af346680d2550f2fb6a262d6acee8c6789 SHA512 3cf1981080b4a7634537d20a3e837fa802c52ae5ee750531cc4aa3f8478cda78579375602bc058abbd75f9393f9681b79603c3ddd9af809a1e72f7336a708056
diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231120.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231120.ebuild
deleted file mode 100644
index a8a3226d3007..000000000000
--- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231120.ebuild
+++ /dev/null
@@ -1,233 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{10..12} )
-inherit edo python-any-r1
-
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
-if [[ ${PV} == 9999* ]] ; then
- PROPERTIES="live"
-
- BDEPEND="net-misc/curl"
-else
- SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg"
- KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv sparc x86"
-fi
-
-S="${WORKDIR}"
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-BDEPEND+="
- $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
- sec-keys/openpgp-keys-gentoo-auth
- test? (
- app-crypt/gnupg
- sys-apps/grep[pcre]
- )
-"
-
-python_check_deps() {
- python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
-}
-
-src_unpack() {
- if [[ ${PV} == 9999* ]] ; then
- curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die
- else
- default
- fi
-}
-
-src_compile() {
- export GNUPGHOME="${T}"/.gnupg
-
- get_gpg_keyring_dir() {
- if [[ ${PV} == 9999* ]] ; then
- echo "${WORKDIR}"
- else
- echo "${DISTDIR}"
- fi
- }
-
- local mygpgargs=(
- --no-autostart
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- mkdir "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
-
- # Convert the binary keyring into an armored one so we can process it
- edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
- edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc
-
- # Now strip out the keys which are expired and/or missing a signature
- # from our L2 developer authority key
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${WORKDIR}"/gentoo-developers.asc \
- "${WORKDIR}"/gentoo-developers-sanitised.asc
-}
-
-src_test() {
- export GNUPGHOME="${T}"/tests/.gnupg
-
- local mygpgargs=(
- # We don't have --no-autostart here because we need
- # to let it spawn an agent for the key generation.
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- # Check each of the keys to verify they're trusted by
- # the L2 developer key.
- mkdir -p "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
- cd "${T}"/tests || die
-
- # First, grab the L1 key, and mark it as ultimately trusted.
- edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
- edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
-
- # Generate a temporary key which isn't signed by anything to check
- # whether we're detecting unexpected keys.
- #
- # The test is whether this appears in the sanitised keyring we
- # produce in src_compile (it should not be in there).
- #
- # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
- edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
- %echo Generating temporary key for testing...
-
- %no-protection
- %transient-key
- %pubring ${P}-ebuild-test-key.asc
-
- Key-Type: 1
- Key-Length: 2048
- Subkey-Type: 1
- Subkey-Length: 2048
- Name-Real: Larry The Cow
- Name-Email: larry@example.com
- Expire-Date: 0
- Handle: ${P}-ebuild-test-key
-
- %commit
- %echo Temporary key generated!
- EOF
-
- # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring
- edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
-
- # Sign a tiny file with the to-be-injected key for testing rejection below
- echo "Hello world!" > "${T}"/tests/signme || die
- edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die
-
- edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
-
- # keyring-mangler.py should now produce a keyring *without* it
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${T}"/tests/tainted-keyring.asc \
- "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log
- assert "Key mangling in tests failed?"
-
- # Check the log to verify the injected key got detected
- grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!"
-
- # gnupg doesn't have an easy way for us to actually just.. ask
- # if a key is known via WoT. So, sign a file using the key
- # we just made, and then try to gpg --verify it, and check exit code.
- #
- # Let's now double check by seeing if a file signed by the injected key
- # is rejected.
- if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then
- die "'gpg --verify' using injected test key succeeded! This shouldn't happen!"
- fi
-
- # Bonus lame sanity check
- edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log
- assert "trustdb call failed!"
-
- check_trust_levels() {
- local mode=${1}
-
- while IFS= read -r line; do
- # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u
- # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
- if [[ ${line} == *depth* ]] ; then
- depth=$(echo ${line} | grep -Po "depth: [0-9]")
- trust=$(echo ${line} | grep -Po "trust:.*")
-
- trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-")
- [[ ${trust_uncalculated} == 0 ]] || ${mode}
-
- trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q")
- [[ ${trust_insufficient} == 0 ]] || ${mode}
-
- trust_never=$(echo ${trust} | grep -Po "[0-9]n")
- [[ ${trust_never} == 0 ]] || ${mode}
-
- trust_marginal=$(echo ${trust} | grep -Po "[0-9]m")
- [[ ${trust_marginal} == 0 ]] || ${mode}
-
- trust_full=$(echo ${trust} | grep -Po "[0-9]f")
- [[ ${trust_full} != 0 ]] || ${mode}
-
- trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u")
- [[ ${trust_ultimate} == 1 ]] || ${mode}
-
- echo "${trust_uncalculated}, ${trust_insufficient}"
- fi
- done < "${T}"/tests/trustdb.log
- }
-
- # First, check with the bad key still in the test keyring.
- # This is supposed to fail, so we want it to return 1
- check_trust_levels "return 1" && die "Trustdb passed when it should have failed!"
-
- # Now check without the bad key in the test keyring.
- # This one should pass.
- #
- # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
- keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \
- | grep "^fpr" \
- | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
-
- local key
- for key in ${keys[@]} ; do
- nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key}
- done
-
- edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>"
- check_trust_levels "return 0" || die "Trustdb failed when it should have passed!"
-
- gpgconf --kill gpg-agent || die
-}
-
-src_install() {
- insinto /usr/share/openpgp-keys
- newins gentoo-developers-sanitised.asc gentoo-developers.asc
-
- # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth?
-}
diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20240226.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20240226.ebuild
deleted file mode 100644
index ab693b185062..000000000000
--- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20240226.ebuild
+++ /dev/null
@@ -1,233 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{10..12} )
-inherit edo python-any-r1
-
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
-if [[ ${PV} == 9999* ]] ; then
- PROPERTIES="live"
-
- BDEPEND="net-misc/curl"
-else
- SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg"
- KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv sparc x86"
-fi
-
-S="${WORKDIR}"
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-BDEPEND+="
- $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
- sec-keys/openpgp-keys-gentoo-auth
- test? (
- app-crypt/gnupg
- sys-apps/grep[pcre]
- )
-"
-
-python_check_deps() {
- python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
-}
-
-src_unpack() {
- if [[ ${PV} == 9999* ]] ; then
- curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die
- else
- default
- fi
-}
-
-src_compile() {
- export GNUPGHOME="${T}"/.gnupg
-
- get_gpg_keyring_dir() {
- if [[ ${PV} == 9999* ]] ; then
- echo "${WORKDIR}"
- else
- echo "${DISTDIR}"
- fi
- }
-
- local mygpgargs=(
- --no-autostart
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- mkdir "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
-
- # Convert the binary keyring into an armored one so we can process it
- edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
- edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc
-
- # Now strip out the keys which are expired and/or missing a signature
- # from our L2 developer authority key
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${WORKDIR}"/gentoo-developers.asc \
- "${WORKDIR}"/gentoo-developers-sanitised.asc
-}
-
-src_test() {
- export GNUPGHOME="${T}"/tests/.gnupg
-
- local mygpgargs=(
- # We don't have --no-autostart here because we need
- # to let it spawn an agent for the key generation.
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- # Check each of the keys to verify they're trusted by
- # the L2 developer key.
- mkdir -p "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
- cd "${T}"/tests || die
-
- # First, grab the L1 key, and mark it as ultimately trusted.
- edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
- edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
-
- # Generate a temporary key which isn't signed by anything to check
- # whether we're detecting unexpected keys.
- #
- # The test is whether this appears in the sanitised keyring we
- # produce in src_compile (it should not be in there).
- #
- # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
- edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
- %echo Generating temporary key for testing...
-
- %no-protection
- %transient-key
- %pubring ${P}-ebuild-test-key.asc
-
- Key-Type: 1
- Key-Length: 2048
- Subkey-Type: 1
- Subkey-Length: 2048
- Name-Real: Larry The Cow
- Name-Email: larry@example.com
- Expire-Date: 0
- Handle: ${P}-ebuild-test-key
-
- %commit
- %echo Temporary key generated!
- EOF
-
- # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring
- edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
-
- # Sign a tiny file with the to-be-injected key for testing rejection below
- echo "Hello world!" > "${T}"/tests/signme || die
- edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die
-
- edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
-
- # keyring-mangler.py should now produce a keyring *without* it
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${T}"/tests/tainted-keyring.asc \
- "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log
- assert "Key mangling in tests failed?"
-
- # Check the log to verify the injected key got detected
- grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!"
-
- # gnupg doesn't have an easy way for us to actually just.. ask
- # if a key is known via WoT. So, sign a file using the key
- # we just made, and then try to gpg --verify it, and check exit code.
- #
- # Let's now double check by seeing if a file signed by the injected key
- # is rejected.
- if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then
- die "'gpg --verify' using injected test key succeeded! This shouldn't happen!"
- fi
-
- # Bonus lame sanity check
- edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log
- assert "trustdb call failed!"
-
- check_trust_levels() {
- local mode=${1}
-
- while IFS= read -r line; do
- # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u
- # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
- if [[ ${line} == *depth* ]] ; then
- depth=$(echo ${line} | grep -Po "depth: [0-9]")
- trust=$(echo ${line} | grep -Po "trust:.*")
-
- trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-")
- [[ ${trust_uncalculated} == 0 ]] || ${mode}
-
- trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q")
- [[ ${trust_insufficient} == 0 ]] || ${mode}
-
- trust_never=$(echo ${trust} | grep -Po "[0-9]n")
- [[ ${trust_never} == 0 ]] || ${mode}
-
- trust_marginal=$(echo ${trust} | grep -Po "[0-9]m")
- [[ ${trust_marginal} == 0 ]] || ${mode}
-
- trust_full=$(echo ${trust} | grep -Po "[0-9]f")
- [[ ${trust_full} != 0 ]] || ${mode}
-
- trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u")
- [[ ${trust_ultimate} == 1 ]] || ${mode}
-
- echo "${trust_uncalculated}, ${trust_insufficient}"
- fi
- done < "${T}"/tests/trustdb.log
- }
-
- # First, check with the bad key still in the test keyring.
- # This is supposed to fail, so we want it to return 1
- check_trust_levels "return 1" && die "Trustdb passed when it should have failed!"
-
- # Now check without the bad key in the test keyring.
- # This one should pass.
- #
- # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
- keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \
- | grep "^fpr" \
- | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
-
- local key
- for key in ${keys[@]} ; do
- nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key}
- done
-
- edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>"
- check_trust_levels "return 0" || die "Trustdb failed when it should have passed!"
-
- gpgconf --kill gpg-agent || die
-}
-
-src_install() {
- insinto /usr/share/openpgp-keys
- newins gentoo-developers-sanitised.asc gentoo-developers.asc
-
- # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth?
-}
diff --git a/sec-keys/openpgp-keys-gentoo-release/Manifest b/sec-keys/openpgp-keys-gentoo-release/Manifest
index 54a8e3c99321..4dc1e87afe61 100644
--- a/sec-keys/openpgp-keys-gentoo-release/Manifest
+++ b/sec-keys/openpgp-keys-gentoo-release/Manifest
@@ -1,4 +1,6 @@
DIST gentoo-release-test-sigs-20190224.tar.gz 3235 BLAKE2B 924c69a62d5321716f536144f0607bd3ec4a65d76be492adc729864fd9bef82df0086541ae13034a83152ea0c8dc3cbd168be6cff111a3484128a22cbc8ef1d4 SHA512 f8cc2e84bedbdf14ace6abe4aacf8f0c9810c77ff6ae0fac301829d9d4d5cf0c128a76516c773ac993879215bcdb0aab097e1e7e747d8e1a7c4cfc815bd4d3e6
DIST gentoo-release.asc.20230329.gz 16462 BLAKE2B 3ee5a2b9442731ff4498b448c5defe07b6fb299196f31445ba934360fff295150c0bcac037be01a1e5db97f00de1ccbfdb3a7abbf4ad0ff069d95ab42e28e680 SHA512 6e0720b0894dd80b19b769731aaa1862266371ad45c7d9e0fc9df173454b7d8b0f345dd16a47e3034d8ab34c50c3818a305f863af83edaaf7421f25bb03f4ad4
+DIST gentoo-release.asc.20240703.gz 18710 BLAKE2B 2436319e0fc05432ea08e7828a337551de0b37783c4376e3249ed132c29d394376fb2e5f36281299cb251473ecb2b2240f75e2b7bdefa02ff35cc1ca4250c515 SHA512 1e17dfb0c626044a50ffc410fc515ea64d9ed53c53c70c046a6ebaf59a8991885c1f7dadb3366334fa840b91882f825a0878988a43a43adec0f10b1a22b4f7ee
EBUILD openpgp-keys-gentoo-release-20230329.ebuild 1427 BLAKE2B 6568600740ab8156f9d3deb794734b5a240cdd2b12fde07b1959b9204ffd49c8c30266acc81943e9733c1d0b43121b924323f03956cc3eac2e6070a38df3b1a2 SHA512 fa67c23dbaa6a6889ad127210ca4ca9683642fb1f348dc0f47b8d477d303f9e25ae1e25abe9c5e5bc281ccb9c80ce28743c9569bd45d36c557c411fb7a684639
+EBUILD openpgp-keys-gentoo-release-20240703.ebuild 1436 BLAKE2B cd515bc16cd4467d5e5d4d457ac4c0f6029ac90efdfd4d0bacc9d4935653ff5d427c3d1c5d7500665beea69362ad35d5a39bbf88d73ac4fc5441bed66b3ae5a4 SHA512 8ab3f6f12c60c4da3f1d41676cc6274295e0a07ced0dd6f52d8462837ecba9c67c2c5a23d88149ef79a32b12a87535b1cbb2f2f77b988f3fbdf099dfc833fe54
MISC metadata.xml 272 BLAKE2B 583272860b0b9615e8d57fed7ced1a93035bf0c25285d230412ac7af2e48a8156c2e9d9c0581da80f913a2748eb76579b64648fd1e22ce0bc89da66aafa30809 SHA512 19c90c888b76564e32674364a753ba2d6a0b9ce6f3a97f45bb876c32f83c8206e6ec318e0960747b2003a4c3a426994f25c6b83da8b294d575f45e80c6105d89
diff --git a/sec-keys/openpgp-keys-gentoo-release/openpgp-keys-gentoo-release-20240703.ebuild b/sec-keys/openpgp-keys-gentoo-release/openpgp-keys-gentoo-release-20240703.ebuild
new file mode 100644
index 000000000000..f12dad573b64
--- /dev/null
+++ b/sec-keys/openpgp-keys-gentoo-release/openpgp-keys-gentoo-release-20240703.ebuild
@@ -0,0 +1,53 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="OpenPGP keys used for Gentoo releases (snapshots, stages)"
+HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
+SRC_URI="
+ https://dev.gentoo.org/~mgorny/dist/openpgp-keys/gentoo-release.asc.${PV}.gz
+ test? (
+ https://dev.gentoo.org/~mgorny/dist/openpgp-keys/gentoo-release-test-sigs-20190224.tar.gz
+ )
+"
+S=${WORKDIR}
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="test"
+RESTRICT="!test? ( test )"
+
+BDEPEND="
+ test? ( app-crypt/gnupg )
+"
+
+# Keys included:
+# DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
+# D99EAC7379A850BCE47DA5F29E6438C817072058
+# 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
+# EF9538C9E8E64311A52CDEDFA13D0EF1914E7A72
+
+src_test() {
+ local old_umask=$(umask)
+ umask 077
+
+ local -x GNUPGHOME=${T}/.gnupg
+ mkdir "${GNUPGHOME}" || die
+ einfo "Importing keys ..."
+ gpg --import "gentoo-release.asc.${PV}" || die "Key import failed"
+
+ local f
+ for f in gentoo-release-test-sigs*/*.asc; do
+ einfo "Testing ${f##*/} ..."
+ gpg -q --trust-model always --verify "${f}" || die "Verification failed on ${f}"
+ done
+
+ umask "${old_umask}"
+}
+
+src_install() {
+ insinto /usr/share/openpgp-keys
+ newins "gentoo-release.asc.${PV}" gentoo-release.asc
+}
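Review bot: `src_test` never checks that the imported keyring holds the four fingerprints listed under `# Keys included:`; it only verifies the fixtures from `gentoo-release-test-sigs-20190224.tar.gz`. A key without a fixture in that tarball, or an extra key in the new `gentoo-release.asc.${PV}`, would presumably pass the test unnoticed. The Manifest hash pins the download, but the fingerprint list itself stays an unchecked comment. A comparison right after `gpg --import` would turn the list into an enforced allowlist; the sketch below assumes the comment names every primary key in the file, which should be confirmed.

```shell
# … unchanged: umask, GNUPGHOME setup, "gpg --import" …

	# Fail if the imported keyring does not hold exactly the documented primary keys.
	local expected=(
		DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D
		D99EAC7379A850BCE47DA5F29E6438C817072058
		13EBBDBEDE7A12775DFDB1BABB572E0E2D182910
		EF9538C9E8E64311A52CDEDFA13D0EF1914E7A72
	)
	local actual
	actual=$(gpg --batch --with-colons --list-keys \
		| awk -F: '$1 == "pub" { want = 1; next } $1 == "fpr" && want { print $10; want = 0 }' \
		| sort) || die "Listing imported keys failed"
	[[ ${actual} == "$(printf '%s\n' "${expected[@]}" | sort)" ]] \
		|| die "Imported keys do not match the documented fingerprints"

# … unchanged: signature verification loop, umask restore …
```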
diff --git a/sec-keys/openpgp-keys-jpakkane/Manifest b/sec-keys/openpgp-keys-jpakkane/Manifest
index 9b6384cc9aa4..6ef941ed22f2 100644
--- a/sec-keys/openpgp-keys-jpakkane/Manifest
+++ b/sec-keys/openpgp-keys-jpakkane/Manifest
@@ -1,3 +1,3 @@
DIST jpakkane-20231105.gpg 3918 BLAKE2B a4e9db8a302d4271c8692e74e78027321b8603376fa44c2813806a91200523eed507ef8c24b0fdcbfe239093f7b3795c6a47a439dd2745b6aaae71a726a4bc04 SHA512 55a75551780d14617baf9a39a56c267cf6d83f11468400d19eefec5328c8246158b638defc1d5fab5583f4e7a79215935c18bf7846913a879e991356cd49cf2b
EBUILD openpgp-keys-jpakkane-20231105.ebuild 584 BLAKE2B 4032618939756bab686d12dca7de16b63a6cd4237311254247e7b2d37e0e237ab1f247ed8942b8cb382db25626bb25d7082e2ae1b29d22c07df4af5b6171bb6a SHA512 5adb19779a29db3c7afa0a9095a8266cfce1a82993af91b73b85b6c812aafed14e26258786b06dd653ed1a99e3130e0f8b10c956214786ca80340b7342c87a88
-MISC metadata.xml 397 BLAKE2B fe5f6ec010a2c933ab8f094f4d0b5eed5874a6f862502ddca50d44bfb25d493f87c21cceb18f39f592e1a93660735da8f41ba93008619f6e702342c661d6505c SHA512 6415963d0c1545e4e4b6464e231cf7f7c7fe20d2088ea8c55e05c168777f4a8fa9405a7fdd8f552d4b0f87fce7dff3a1232f8247f4a530cc94bc61d70b98b5c1
+MISC metadata.xml 249 BLAKE2B e0a7bf8ad5d4ff96d6ae8d2a2984b3a4f9d2b4b4e8e8e597d2ef4dbc91a79e8dc7cd2b6193b88183d06a2652490de25694261f54b6acb061205cb22a7fe7d201 SHA512 1f2bf54b95c45f68bc898c90b6751344bf32d7f1f88395b8449b2226428e27e9610a4e3e2fdab6dc342f32e370cb77aafbf94cdc1f91ae458f7339826d1cb98a
diff --git a/sec-keys/openpgp-keys-jpakkane/metadata.xml b/sec-keys/openpgp-keys-jpakkane/metadata.xml
index 667a16a60d08..b8e59eca0e4a 100644
--- a/sec-keys/openpgp-keys-jpakkane/metadata.xml
+++ b/sec-keys/openpgp-keys-jpakkane/metadata.xml
@@ -1,12 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
- <maintainer type="person" proxied="yes">
- <email>eschwartz93@gmail.com</email>
+ <maintainer type="person">
+ <email>eschwartz@gentoo.org</email>
<name>Eli Schwartz</name>
</maintainer>
- <maintainer type="project" proxied="proxy">
- <email>proxy-maint@gentoo.org</email>
- <name>Proxy Maintainers</name>
- </maintainer>
</pkgmetadata>
diff --git a/sec-keys/openpgp-keys-qbittorrent/Manifest b/sec-keys/openpgp-keys-qbittorrent/Manifest
index a8098c4f0d2b..afcb7bee4d17 100644
--- a/sec-keys/openpgp-keys-qbittorrent/Manifest
+++ b/sec-keys/openpgp-keys-qbittorrent/Manifest
@@ -1,3 +1,3 @@
DIST qBittorrent-20161227.asc 5716 BLAKE2B a1502b631c50a603e6b2c5ad73c801bf3963320d0330dbaabb5f4e15646ead61c81b40fc38561d41269849c23bbc4081ac9769b11d790ff06b1d93f4b48e7e18 SHA512 1e30158bb15462787d0f5dea04c9cbb51fffa4e3de14cc9faad4e01a5e5e77896a32ba5ee244e68eb389bf6cc4dfbef7137560a63118a77007c04ddb6139ffe6
EBUILD openpgp-keys-qbittorrent-20161227.ebuild 517 BLAKE2B 44ba680290650abc0a48ca12d1bb009e691f6ca73e6a082cd53450a40eb388ea7cdeb044748917159005f309f6c2efae77fd2ff541a91b17071aeb366af01753 SHA512 76d06af0fabae0e3de699ec219ebf791bcc7850cead3fa4936325301c9f1fbef4c9b062d5a43031fdc08b1f514b7d7c6cbd0fc9b7ec83ec6093a3dbc967524b2
-MISC metadata.xml 397 BLAKE2B fe5f6ec010a2c933ab8f094f4d0b5eed5874a6f862502ddca50d44bfb25d493f87c21cceb18f39f592e1a93660735da8f41ba93008619f6e702342c661d6505c SHA512 6415963d0c1545e4e4b6464e231cf7f7c7fe20d2088ea8c55e05c168777f4a8fa9405a7fdd8f552d4b0f87fce7dff3a1232f8247f4a530cc94bc61d70b98b5c1
+MISC metadata.xml 249 BLAKE2B e0a7bf8ad5d4ff96d6ae8d2a2984b3a4f9d2b4b4e8e8e597d2ef4dbc91a79e8dc7cd2b6193b88183d06a2652490de25694261f54b6acb061205cb22a7fe7d201 SHA512 1f2bf54b95c45f68bc898c90b6751344bf32d7f1f88395b8449b2226428e27e9610a4e3e2fdab6dc342f32e370cb77aafbf94cdc1f91ae458f7339826d1cb98a
diff --git a/sec-keys/openpgp-keys-qbittorrent/metadata.xml b/sec-keys/openpgp-keys-qbittorrent/metadata.xml
index 667a16a60d08..b8e59eca0e4a 100644
--- a/sec-keys/openpgp-keys-qbittorrent/metadata.xml
+++ b/sec-keys/openpgp-keys-qbittorrent/metadata.xml
@@ -1,12 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
- <maintainer type="person" proxied="yes">
- <email>eschwartz93@gmail.com</email>
+ <maintainer type="person">
+ <email>eschwartz@gentoo.org</email>
<name>Eli Schwartz</name>
</maintainer>
- <maintainer type="project" proxied="proxy">
- <email>proxy-maint@gentoo.org</email>
- <name>Proxy Maintainers</name>
- </maintainer>
</pkgmetadata>
diff --git a/sec-keys/openpgp-keys-yubico/Manifest b/sec-keys/openpgp-keys-yubico/Manifest
index 8e816207f714..d8c1059895df 100644
--- a/sec-keys/openpgp-keys-yubico/Manifest
+++ b/sec-keys/openpgp-keys-yubico/Manifest
@@ -11,5 +11,19 @@ DIST yubico-20230825-9AA9BDB11BB1B99A21285A330664A76954265E8C.asc 58800 BLAKE2B
DIST yubico-20230825-9E885C0302F9BB9167529C2D5CBA11E6ADC7BCD1.asc 20244 BLAKE2B e8e48028ee7e93d9f7cde04cfec1e44cadec9b84e47bc702442a5d2f4388f57228a44bab8ecb24cfcfd12977e3ddac46bb31f24a7fe4c944806c2f5ccab029cd SHA512 d5cee7d2f85724c297cb7556f258e6f2cc1302ab6aa43c2f1f3a7ab8063f1977303e7579f811bc3ae76bbc8bee54f713ba862cbaa16fe2c9453beb93b9cebd30
DIST yubico-20230825-AF511D2CBC0F973E5D308054325C8E4AE2E6437D.asc 12253 BLAKE2B 03d0083cd8fd00ee0fcc85ca0cbddb3963220a73dde717321dcca5e21c9a4e77371a37618ed74ec4ca9dd7b38a779f8772e0a3d560c2048d8bb0dc6e1d585512 SHA512 fcdf7238c2be765ccb430e39cda9022d1441dfce8ecda3fff5b2667579da0d8761a2229e2849284c45f6acf0410f9333ce81d842d157b3cc74f7fdfd55d1b02f
DIST yubico-20230825-B70D62AA6A31AD6B9E4F9F4BDC8888925D25CA7A.asc 41265 BLAKE2B 3b27fd1f8504ccba5b7237a7567ed8980fe6c2df99abc1fce2baebeed4afca268728e0ac4d7a612f6e8569e1d079c900bd3f01b15c3c4222ced802852846f9c8 SHA512 c8892a67a77541263ed5bb69fa69738fede314fe95896527085fa99c10bc86938b8524bf2a83c90b2b01acee6c69cfc1f604a1c3f9706eab5b75ffa7d1a35e80
+DIST yubico-20240628-0A3B0262BCA1705307D5FF06BCA00FD4B2168C0A.asc 24405 BLAKE2B d0d09d778dba7b4cbae6d6246db725f06eb13a2984b6c017b13335aea53f701cbfabea166ed3ae3fcfdaab6861dfa627ef2e112470ddea380c4b384c739b3e73 SHA512 b601cd86c530c206bb1b3957426486a83cbc77e3c5b159686152ddf95566c9229cc6371378b217cd411dc9bb00d950225d4c7976e00964d505f5fe1d61cb6840
+DIST yubico-20240628-1D7308B0055F5AEF36944A8F27A9C24D9588EA0F.asc 42592 BLAKE2B 3b69ed8a85486648fa7b767a87277c7b8a546d9d8f4fd8c65e0501900e4e9f676bc28b4ff7f99a0f78352bc2eaa82b297c40940dca4a8cdd97b7d4c0e83c9af8 SHA512 2b98fbde89733b576c9597d07c988674609fd1bd015a8aabe7051cc8324fb3bfa05f1ba40ae520a3fdecc4404d621d1ec8e921349e4be80a06d97ebafc17e652
+DIST yubico-20240628-1DC4BA2872525B3F2FE8207F5D9C760A3FB51707.asc 7134 BLAKE2B f27926c15079377a35e0b294e74d2d12913572ff018d249f9d8096fc943a3f3525e1d5ed8e454e9d35000d06760f69f34209f9e11189781f326feaae11c5c1c4 SHA512 1e598955a6ce204136925957f282ce1bcaa63d7caf22452a2e837ae2146ba5b74e8c1b36cd399c3343dbd8f6e63b3f0517965d5ad338a388b3d42e8e59d74cab
+DIST yubico-20240628-20EE325B86A81BCBD3E56798F04367096FBA95E8.asc 17270 BLAKE2B bf66bb7289decdcb68d320bda5fc4fdc87a267d42d049cee0780ce23c4c308dc13447dbbf027eed30ed61fb2c24f78815a90b42a509da0393e93a953766056b0 SHA512 6cb35456d0d0aa60dce4c0fe3c574e461a17b3b6386c2b2d0d3a58dfdcede37bf3f84a36b8c87fc1b8d32b655fc778e801d5857d8b85f308b10f69d3cf8a0f6f
+DIST yubico-20240628-355C8C0186CC96CBA49F9CD8DAA17C2953914D9D.asc 28959 BLAKE2B f1a1043ecc4fc299487486098b9f8d41f4a2e160526c6f71bbc49284c1846eda4c50035833c95d7729bcde86de005ecabef0ba88fa9d2a59c86978cef05771c4 SHA512 8aaac5dda433b8057ebc1e898f144e04dbc9373619e236988f29df94a4d66bf72a721148685beade1d17dcd5f4922eb57cf729be20ebcba5729c9c3c4444e059
+DIST yubico-20240628-57A9DEED4C6D962A923BB691816F3ED99921835E.asc 70458 BLAKE2B 82b2d384fb924ed56af60f434e2da85663756ca8708a01e0ce6f4314191da3be227f78e3af28ed62cb15753c722acb1b2b76d31615b7f462b34f60e7a0bbb6c9 SHA512 493660a82142cce435994a8b9f24a53a37fe98c2f2ced08c358c7e92267e652d333cc2ae57f6e1ab2356c5e3f8218e155f03f1877b34c5c676f33b6b27f462ce
+DIST yubico-20240628-78D997D53E9C0A2A205392ED14A19784723C9988.asc 3817 BLAKE2B f45e54530c072033b308fb9d6b41cadd25a1eb8de0fc653a67ca6d0142af69f33e8080f3840471f732d199655cdd1548c95c662ce69993b2db9c595d84845cbc SHA512 2a667e35d9933b17abbfef8fe015557b5164e7af752b6639dcf0353c23adb09656bfef9f63bfdbc1bb6845e7233c7192ac380e621c591b02f054e16d829b0a24
+DIST yubico-20240628-7FBB6186957496D58C751AC20E777DD85755AA4A.asc 28557 BLAKE2B d450afcf23e068c9720c04ca292e5a49bfb4664a9fbe856f36bf5f7977877f0e7ab9fe0996e7353d99c7228eed3ff42941f6d1b0571fa19e5a1919190a794b0d SHA512 0f3d501a3def675defe73fdc1a7ad5d99c4baeb96acf63dae8ccd4f4b1316d8c68b1c309c733dc16f85c17a1f308d0a1c4f6c61f36a0642a1f2946eaa5de9588
+DIST yubico-20240628-8D0B4EBA9345254BCEC0E843514F078FF4AB24C3.asc 22919 BLAKE2B 067364f6be1e130910354927ac636962252b3181da9ee00a1cd1e25d36bba9ec371d548aeb1771182f4da98885144c379ba0f1a2759983d16e079853bf56e437 SHA512 90196a80a5e7fcc8148b050e956f6cbc7d147e5fe25df8f7d66dd007d86f99e4a7f3f3f9e1d489a58be19e6041293dbc9553f0720bb9dc7f828dcb389c4aea53
+DIST yubico-20240628-9AA9BDB11BB1B99A21285A330664A76954265E8C.asc 58800 BLAKE2B 3c870e856a6628a1855cd183db8aaea072190e9e4069dc4cc6db0e1b37c3f4663ed7567be1999cdfe13aa379db5ac7a4d34198a853ac0c48517c876241046183 SHA512 4b99bf0a03d70b3e393ed1bfdf23335fe350e5dbf7d29f19f55c08bfbbda4b91e6b756b3e34f16f282eda21bc981d6079c835905fc41532e6ea88fd3c987a899
+DIST yubico-20240628-9E885C0302F9BB9167529C2D5CBA11E6ADC7BCD1.asc 20244 BLAKE2B e8e48028ee7e93d9f7cde04cfec1e44cadec9b84e47bc702442a5d2f4388f57228a44bab8ecb24cfcfd12977e3ddac46bb31f24a7fe4c944806c2f5ccab029cd SHA512 d5cee7d2f85724c297cb7556f258e6f2cc1302ab6aa43c2f1f3a7ab8063f1977303e7579f811bc3ae76bbc8bee54f713ba862cbaa16fe2c9453beb93b9cebd30
+DIST yubico-20240628-AF511D2CBC0F973E5D308054325C8E4AE2E6437D.asc 15357 BLAKE2B e193d3d8272a0bf94282bb020c444bfe854c5bc7f769501773bf8c6f9bac6b3e922b514e7abd997d3147c89f0a628831fa47aa644b7071e3a4ecd4e2fe2d3d12 SHA512 76a9dcf1de29708d670155653d6a43359ca2bcc1162d4ef54a4dd08eb4474d6cb1a43c2e2b9ff2aa6fe816cd4ffb3cf5e58bfc17285de315d449b8de60970f1c
+DIST yubico-20240628-B70D62AA6A31AD6B9E4F9F4BDC8888925D25CA7A.asc 41265 BLAKE2B 3b27fd1f8504ccba5b7237a7567ed8980fe6c2df99abc1fce2baebeed4afca268728e0ac4d7a612f6e8569e1d079c900bd3f01b15c3c4222ced802852846f9c8 SHA512 c8892a67a77541263ed5bb69fa69738fede314fe95896527085fa99c10bc86938b8524bf2a83c90b2b01acee6c69cfc1f604a1c3f9706eab5b75ffa7d1a35e80
EBUILD openpgp-keys-yubico-20230825.ebuild 3313 BLAKE2B f7564f0cd63edab589e153312188c486d3c896056ad6f9f79f0c1d35d83a35348604173754a5181cdb8689670a2ef8a7d49b2a5f0f35594dc183efff178b34e1 SHA512 b04dad91859a7c023f3fb0124ec6484f9fdabf3d57051b70311e7bc618a1bc9d05fa57b875ca12b717ac0cfba285fd6e9f3405cfef84923004fa41a0a3bad691
-MISC metadata.xml 192 BLAKE2B fef49cb9e1dda8063c379e650d4897670410d2c0641f469b8a200d5e7ec8d3f505e692277d03b583790cb1340ece9c2e8f7e7c9ff5080d42a2e0ef3fc7138a44 SHA512 bece454b8da734c7a28ce25f8080b3fca56332e57cde854c50f0b884ba3836f1af7782a1ee9f63e6aeff4830e2bca71c5c466471fc82eee75339565aab6495d5
+EBUILD openpgp-keys-yubico-20240628.ebuild 3313 BLAKE2B b69a30b0b5df13da6e1b07cc3814e0d8efffaee2e5689d48aa28bbac02ebd5ba23bfe6a88e12a0f483425115856e27f3dd3eb0e4744aa980cd81774b0eb5055b SHA512 36d9075dc39243cc82ee5c465a3dd672c42185caa9e92d9e97af417ee916578059408135ea371e6a1b4437783f054f51a7dcd59e28fa777579646e70ed5a1fe5
+MISC metadata.xml 435 BLAKE2B 5d509357798922e3436d5d281c293c55be636293e4be81fde64262306f5a8e64dc0d857e8e0e07fb9af6c2a0331699d279e4f35efaf782d0e652437452365115 SHA512 26c658d908c28f0b97290d8ee88ca57f324a4b5bd04565bbd00ae20c0475793348fd3ad822de04a3f1cf278c720c2752a00194fee44146b21b5a426163123f46
diff --git a/sec-keys/openpgp-keys-yubico/metadata.xml b/sec-keys/openpgp-keys-yubico/metadata.xml
index c3bda71eefca..63089be7ad8a 100644
--- a/sec-keys/openpgp-keys-yubico/metadata.xml
+++ b/sec-keys/openpgp-keys-yubico/metadata.xml
@@ -1,6 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
- <!-- maintainer-needed -->
+ <maintainer type="person" proxied="yes">
+ <email>mario.haustein@hrz.tu-chemnitz.de</email>
+ <name>Mario Haustein</name>
+ </maintainer>
+ <maintainer type="project" proxied="proxy">
+ <email>proxy-maint@gentoo.org</email>
+ <name>Proxy Maintainers</name>
+ </maintainer>
<stabilize-allarches/>
</pkgmetadata>
diff --git a/sec-keys/openpgp-keys-yubico/openpgp-keys-yubico-20240628.ebuild b/sec-keys/openpgp-keys-yubico/openpgp-keys-yubico-20240628.ebuild
new file mode 100644
index 000000000000..8ca3f7045ee3
--- /dev/null
+++ b/sec-keys/openpgp-keys-yubico/openpgp-keys-yubico-20240628.ebuild
@@ -0,0 +1,57 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="OpenPGP keys used by Yubico's developers"
+HOMEPAGE="https://developers.yubico.com/Software_Projects/Software_Signing.html"
+# Current keys. Keys which should also be there but as of 2023-08-25 trigger import failures
+# due to having no user IDs associated with them on the keyserver:
+# - Jean Paul Galea <jeanpaul@yubico.com> B604 2E2B D1FD BC2B CA85 88B2 FF8D 3B45 B7B8 75A9
+# - Trevor Bentley <trevor@yubico.com> 2685 83B6 4786 F50F 8074 56DA 8CED 3A80 D41C 0DCB
+SRC_URI="
+ https://keys.openpgp.org/vks/v1/by-fingerprint/0A3B0262BCA1705307D5FF06BCA00FD4B2168C0A
+ -> yubico-${PV}-0A3B0262BCA1705307D5FF06BCA00FD4B2168C0A.asc
+ https://keys.openpgp.org/vks/v1/by-fingerprint/20EE325B86A81BCBD3E56798F04367096FBA95E8
+ -> yubico-${PV}-20EE325B86A81BCBD3E56798F04367096FBA95E8.asc
+ https://keys.openpgp.org/vks/v1/by-fingerprint/B70D62AA6A31AD6B9E4F9F4BDC8888925D25CA7A
+ -> yubico-${PV}-B70D62AA6A31AD6B9E4F9F4BDC8888925D25CA7A.asc
+ https://keys.openpgp.org/vks/v1/by-fingerprint/57A9DEED4C6D962A923BB691816F3ED99921835E
+ -> yubico-${PV}-57A9DEED4C6D962A923BB691816F3ED99921835E.asc
+ https://keys.openpgp.org/vks/v1/by-fingerprint/1D7308B0055F5AEF36944A8F27A9C24D9588EA0F
+ -> yubico-${PV}-1D7308B0055F5AEF36944A8F27A9C24D9588EA0F.asc
+ https://keys.openpgp.org/vks/v1/by-fingerprint/355C8C0186CC96CBA49F9CD8DAA17C2953914D9D
+ -> yubico-${PV}-355C8C0186CC96CBA49F9CD8DAA17C2953914D9D.asc
+ https://keys.openpgp.org/vks/v1/by-fingerprint/9E885C0302F9BB9167529C2D5CBA11E6ADC7BCD1
+ -> yubico-${PV}-9E885C0302F9BB9167529C2D5CBA11E6ADC7BCD1.asc
+ https://keys.openpgp.org/vks/v1/by-fingerprint/7FBB6186957496D58C751AC20E777DD85755AA4A
+ -> yubico-${PV}-7FBB6186957496D58C751AC20E777DD85755AA4A.asc
+ https://keys.openpgp.org/vks/v1/by-fingerprint/78D997D53E9C0A2A205392ED14A19784723C9988
+ -> yubico-${PV}-78D997D53E9C0A2A205392ED14A19784723C9988.asc
+ https://keys.openpgp.org/vks/v1/by-fingerprint/AF511D2CBC0F973E5D308054325C8E4AE2E6437D
+ -> yubico-${PV}-AF511D2CBC0F973E5D308054325C8E4AE2E6437D.asc
+"
+# Old keys. Keys which should also be there but as of 2023-08-25 trigger import failures
+# due to having no user IDs associated with them on the keyserver:
+# - Tommaso De Orchi <tom@yubico.com> FF8A F719 AE58 2818 1B89 4D83 1CE3 9268 A097 3948
+# - Henrik StrĂ¥th <henrik@yubico.com> DCB9 04FA B343 CFA7 1907 6EF7 9EA9 0242 958E 0658
+# - Pedro Martelletto <pedro@yubico.com> EE90 AE0D 1977 4C83 8662 8FAA B428 949E F791 4718
+SRC_URI+="
+ https://keys.openpgp.org/vks/v1/by-fingerprint/8D0B4EBA9345254BCEC0E843514F078FF4AB24C3
+ -> yubico-${PV}-8D0B4EBA9345254BCEC0E843514F078FF4AB24C3.asc
+ https://keys.openpgp.org/vks/v1/by-fingerprint/1DC4BA2872525B3F2FE8207F5D9C760A3FB51707
+ -> yubico-${PV}-1DC4BA2872525B3F2FE8207F5D9C760A3FB51707.asc
+ https://keys.openpgp.org/vks/v1/by-fingerprint/9AA9BDB11BB1B99A21285A330664A76954265E8C
+ -> yubico-${PV}-9AA9BDB11BB1B99A21285A330664A76954265E8C.asc
+"
+S=${WORKDIR}
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc x86"
+
+src_install() {
+ local files=( ${A} )
+ insinto /usr/share/openpgp-keys
+ newins - yubico.com.asc < <(cat "${files[@]/#/${DISTDIR}/}" || die)
+}
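Review bot: The keys listed under `# Old keys.` (the `SRC_URI+=` block) land in the same `yubico.com.asc` as the current ones, because `src_install` concatenates every entry of `${A}`; any consumer verifying against this keyring will therefore also accept signatures made with the three old keys. If that is intended so that older releases still verify, the comment should say so, e.g. `# Old keys, kept so that older releases still verify.` Both comment blocks also still read `as of 2023-08-25` in an ebuild versioned 20240628, so it is unclear whether the import failures were rechecked for this snapshot. The Manifest hashes pin the bytes that were fetched, not that each file contains the key named in its URL, so the fingerprints are worth re-checking against the HOMEPAGE list on each bump.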