summaryrefslogtreecommitdiff
path: root/sec-keys
diff options
context:
space:
mode:
authorV3n3RiX <venerix@koprulu.sector>2023-10-08 06:02:21 +0100
committerV3n3RiX <venerix@koprulu.sector>2023-10-08 06:02:21 +0100
commit32c16465e56b0122cf6e5a4625e9c7b56b107b07 (patch)
tree600c43152c825fda5f210dd7cb52b357eb6f2602 /sec-keys
parent607c0755d4f6476e326fb33795df7216a7bcff18 (diff)
gentoo auto-resync : 08:10:2023 - 06:02:21
Diffstat (limited to 'sec-keys')
-rw-r--r--sec-keys/Manifest.gzbin21890 -> 22060 bytes
-rw-r--r--sec-keys/openpgp-keys-aacid/Manifest2
-rw-r--r--sec-keys/openpgp-keys-aacid/openpgp-keys-aacid-20230907.ebuild2
-rw-r--r--sec-keys/openpgp-keys-gentoo-developers/Manifest2
-rw-r--r--sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231002.ebuild233
-rw-r--r--sec-keys/openpgp-keys-lighttpd/Manifest3
-rw-r--r--sec-keys/openpgp-keys-lighttpd/metadata.xml8
-rw-r--r--sec-keys/openpgp-keys-lighttpd/openpgp-keys-lighttpd-20231008.ebuild20
8 files changed, 268 insertions, 2 deletions
diff --git a/sec-keys/Manifest.gz b/sec-keys/Manifest.gz
index 0a542b9b6591..27d74021c9f6 100644
--- a/sec-keys/Manifest.gz
+++ b/sec-keys/Manifest.gz
Binary files differ
diff --git a/sec-keys/openpgp-keys-aacid/Manifest b/sec-keys/openpgp-keys-aacid/Manifest
index ccf0c85bb4e8..403163573b71 100644
--- a/sec-keys/openpgp-keys-aacid/Manifest
+++ b/sec-keys/openpgp-keys-aacid/Manifest
@@ -3,5 +3,5 @@ DIST openpgp-keys-aacid-20230313-0xCA262C6C83DE4D2FB28A332A3A6A4DB839EAA6D7.asc
DIST openpgp-keys-aacid-20230907-0xCA262C6C83DE4D2FB28A332A3A6A4DB839EAA6D7.asc 28145 BLAKE2B f7cc653b4d147abb44091ed5a61a860bca5f3fce7b14ec09ab447343d6247537b9d3797b8d4af992187dddf399d2aef4d90ec93d28590da0f437320f05855ed9 SHA512 085e54e1d4fd355196c8eb04190f87fd00cc7bbfe87c933f3b564aba77310abf80bae10959effa8b69fa2d048d9a9c6408cbe78c92edbdbad0fa4b4ee8bf53dd
EBUILD openpgp-keys-aacid-20220603.ebuild 715 BLAKE2B 36c5ec1394834660d82c80bce76d66ada5524f363862c75957f86faa971ea0aabc5f1fe7fd6e91e52cd008c7c593a3809f2c140e275d1c5bdf6c3dcbf3e2bdde SHA512 9eb9fd306edc12e5e03c0c4048081cdd8e9c2cc1f52862de828174b2b26d03025b86dcca2d08326ec4d93c671ef402c94d0368c04d37f9d0dc34df0b8b7c5c73
EBUILD openpgp-keys-aacid-20230313.ebuild 720 BLAKE2B c4f1072ecf1fc80ed6619b20c45e421eb4c6cef8c29d4e975fc281bf6f6a16a86d03f0314e8879a23f8ff92c4f6c042809255fa8a0f301d745ae3f8cd4c1ac64 SHA512 dd6145cfaf626ef16f1a55b698e2c295fa20cdf388656c0b40056014cccddeb990393d8f057624d209b50d838c3e7b419bf94d78f04a25814f1518faa2d79a91
-EBUILD openpgp-keys-aacid-20230907.ebuild 734 BLAKE2B 12343ec21ac3dad18792ee32864f37dbff53511606a0b3faa5d0893a419ba496748f4015c42a6929b9b9db1bdece9aac6f80913899b20fae931dd07f16c34702 SHA512 ee99b71cc612e81fbb2a7d8e0cb18e2d26f073e6ece76d00b6302e6947b5dd49eb0c28773c3ce8015b89b4f3f8ba807e4feca4d3c02075ec294c3ae1fd9aac04
+EBUILD openpgp-keys-aacid-20230907.ebuild 733 BLAKE2B bd65c39f389a9524d57a0f2e177f51d0a10aaf611912a57beea09dcd68f4ff75b1086915a1e4e3bc1d9e9102b510695a8038facb50055b3da8c5e6005b004f04 SHA512 d2b96deb7608979aed4acb6626e82e987129e015c46cb3c3dc5058d199cf72ecb81f5b6a6f4b0366474ca3196025e2f866a20b54e2e5f733b66fe2bda45c15c5
MISC metadata.xml 629 BLAKE2B b7cc93b83ed533024c82d0de48597ad3298575e6aaeee896302327d9f9dba420f9136df63907eddbb147e4bbf878d559dc52d291729836a7e4e6d326b97522c6 SHA512 30c1568e0d3d82386695dcfb7d859e20161350b9fb17436b9a6fe7f30e511b0eab20a1b9f9375a75c703d0a70f16edbe2f352081fb100acc50bc6bd2f1355e95
diff --git a/sec-keys/openpgp-keys-aacid/openpgp-keys-aacid-20230907.ebuild b/sec-keys/openpgp-keys-aacid/openpgp-keys-aacid-20230907.ebuild
index ee9a51d538d5..44ad69bcc1b7 100644
--- a/sec-keys/openpgp-keys-aacid/openpgp-keys-aacid-20230907.ebuild
+++ b/sec-keys/openpgp-keys-aacid/openpgp-keys-aacid-20230907.ebuild
@@ -11,7 +11,7 @@ S="${WORKDIR}"
LICENSE="public-domain"
SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
src_install() {
local files=( ${A} )
diff --git a/sec-keys/openpgp-keys-gentoo-developers/Manifest b/sec-keys/openpgp-keys-gentoo-developers/Manifest
index 419890f9d0e5..1de7652ddc83 100644
--- a/sec-keys/openpgp-keys-gentoo-developers/Manifest
+++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest
@@ -2,8 +2,10 @@ AUX keyring-mangler.py 3061 BLAKE2B a5acb20346c8eb4b036773562625ac39469d378a343c
DIST openpgp-keys-gentoo-developers-20230828-active-devs.gpg 3102805 BLAKE2B efd321e8ebb76d32e47df8085c9bb0d393c59d747b54cb5cf6febcc301a92a7c2a2b8bebd95b8f1b8fa9a6683aefc673809d8418408434bc41a1cf2bf8076938 SHA512 9e2e7408c2371edbe037243971fe6d45931cf526dff1d6014e472c056f8ed6881632d86497e9d6cd6b535574fb99c2af43fb63074911f4af476b5f590cc272dd
DIST openpgp-keys-gentoo-developers-20230918-active-devs.gpg 3093946 BLAKE2B 43f7781068ead0375c0bd510a286c1568b5dce05c66f1f0f42e2d0d96fdb5dfbb884f4b182527078998d68c4f432db5a20ac9cfa54cf1299142978b662c59b62 SHA512 772bcbae91bf5e0e3c2e6519b8dd5f27c81bc5e17acb8bb739aefcae762e6316c7d5b292972a11655466cb16a4fcc93f296fea3b3c3c48ec41ffeb957c815e2b
DIST openpgp-keys-gentoo-developers-20230925-active-devs.gpg 3094306 BLAKE2B 0e70a39a2102630a5285b2b2313a7b3c83cca71f76f75ce5fa0dc0432002d5e57926ce82158f4f9c44c2f671a5a44076781a6ca8a1ce330d5bd97ba2e3726a97 SHA512 395c499833a07506b7f44bfbab2851361ece5885dd53d606699eefb523b60a13078ae87e6ebd46f9a7644adfc8920fe141ac777ec260b747d13c3359631fa27b
+DIST openpgp-keys-gentoo-developers-20231002-active-devs.gpg 3102348 BLAKE2B 13854c1e9daf64c055642cfcfd59dc77119ff3bb98e6a46ec8d4eee093be3c1d39ce284b524da2156e6d28b3b936c8c98de76a6fcca013ab519c6211d05773f9 SHA512 8ebe8d600d47a721ce5f08ad07317164f31c7ef540ed81be7555500e9ffc82fa9a46afeccd08b530936fff10318e094b4ba061108e84886fdb033f7d327eb690
EBUILD openpgp-keys-gentoo-developers-20230828.ebuild 7523 BLAKE2B 2b3f5c5c1694b782ac318bdfd0dc7941ce47ed8f60fc2d715b88bf1404cd59639797e65e45891fad1aba9b456c3d356d7cadc1b79a9919cce0a8b1587364f7e5 SHA512 a013e480059fb7b0de2da5581f8d6c01b9eecb0593751fda7b57b4d4e98db2ab6b21a2aaefce7aec0c0981e6dc22fd9fc202bea6dedaf170816bd05c1031311e
EBUILD openpgp-keys-gentoo-developers-20230918.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840
EBUILD openpgp-keys-gentoo-developers-20230925.ebuild 7523 BLAKE2B 2b3f5c5c1694b782ac318bdfd0dc7941ce47ed8f60fc2d715b88bf1404cd59639797e65e45891fad1aba9b456c3d356d7cadc1b79a9919cce0a8b1587364f7e5 SHA512 a013e480059fb7b0de2da5581f8d6c01b9eecb0593751fda7b57b4d4e98db2ab6b21a2aaefce7aec0c0981e6dc22fd9fc202bea6dedaf170816bd05c1031311e
+EBUILD openpgp-keys-gentoo-developers-20231002.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840
EBUILD openpgp-keys-gentoo-developers-99999999.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840
MISC metadata.xml 264 BLAKE2B 630ac0044f623dc63de725aae23da036b649a2d65331c06fbe9eb66d18ad1a4d3fd804cdffc4703500662b01272063af346680d2550f2fb6a262d6acee8c6789 SHA512 3cf1981080b4a7634537d20a3e837fa802c52ae5ee750531cc4aa3f8478cda78579375602bc058abbd75f9393f9681b79603c3ddd9af809a1e72f7336a708056
diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231002.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231002.ebuild
new file mode 100644
index 000000000000..fda85a259ff6
--- /dev/null
+++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231002.ebuild
@@ -0,0 +1,233 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..12} )
+inherit edo python-any-r1
+
+DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
+HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
+if [[ ${PV} == 9999* ]] ; then
+ PROPERTIES="live"
+
+ BDEPEND="net-misc/curl"
+else
+ SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+fi
+
+S="${WORKDIR}"
+
+LICENSE="public-domain"
+SLOT="0"
+IUSE="test"
+RESTRICT="!test? ( test )"
+
+BDEPEND+="
+ $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
+ sec-keys/openpgp-keys-gentoo-auth
+ test? (
+ app-crypt/gnupg
+ sys-apps/grep[pcre]
+ )
+"
+
+python_check_deps() {
+ python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
+}
+
+src_unpack() {
+ if [[ ${PV} == 9999* ]] ; then
+ curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die
+ else
+ default
+ fi
+}
+
+src_compile() {
+ export GNUPGHOME="${T}"/.gnupg
+
+ get_gpg_keyring_dir() {
+ if [[ ${PV} == 9999* ]] ; then
+ echo "${WORKDIR}"
+ else
+ echo "${DISTDIR}"
+ fi
+ }
+
+ local mygpgargs=(
+ --no-autostart
+ --no-default-keyring
+ --homedir "${GNUPGHOME}"
+ )
+
+ # From verify-sig.eclass:
+ # "GPG upstream knows better than to follow the spec, so we can't
+ # override this directory. However, there is a clean fallback
+ # to GNUPGHOME."
+ addpredict /run/user
+
+ mkdir "${GNUPGHOME}" || die
+ chmod 700 "${GNUPGHOME}" || die
+
+ # Convert the binary keyring into an armored one so we can process it
+ edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
+ edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc
+
+ # Now strip out the keys which are expired and/or missing a signature
+ # from our L2 developer authority key
+ edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
+ "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
+ "${WORKDIR}"/gentoo-developers.asc \
+ "${WORKDIR}"/gentoo-developers-sanitised.asc
+}
+
+src_test() {
+ export GNUPGHOME="${T}"/tests/.gnupg
+
+ local mygpgargs=(
+ # We don't have --no-autostart here because we need
+ # to let it spawn an agent for the key generation.
+ --no-default-keyring
+ --homedir "${GNUPGHOME}"
+ )
+
+ # From verify-sig.eclass:
+ # "GPG upstream knows better than to follow the spec, so we can't
+ # override this directory. However, there is a clean fallback
+ # to GNUPGHOME."
+ addpredict /run/user
+
+ # Check each of the keys to verify they're trusted by
+ # the L2 developer key.
+ mkdir -p "${GNUPGHOME}" || die
+ chmod 700 "${GNUPGHOME}" || die
+ cd "${T}"/tests || die
+
+ # First, grab the L1 key, and mark it as ultimately trusted.
+ edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
+ edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
+
+ # Generate a temporary key which isn't signed by anything to check
+ # whether we're detecting unexpected keys.
+ #
+ # The test is whether this appears in the sanitised keyring we
+ # produce in src_compile (it should not be in there).
+ #
+ # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
+ edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
+ %echo Generating temporary key for testing...
+
+ %no-protection
+ %transient-key
+ %pubring ${P}-ebuild-test-key.asc
+
+ Key-Type: 1
+ Key-Length: 2048
+ Subkey-Type: 1
+ Subkey-Length: 2048
+ Name-Real: Larry The Cow
+ Name-Email: larry@example.com
+ Expire-Date: 0
+ Handle: ${P}-ebuild-test-key
+
+ %commit
+ %echo Temporary key generated!
+ EOF
+
+ # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring
+ edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
+
+ # Sign a tiny file with the to-be-injected key for testing rejection below
+ echo "Hello world!" > "${T}"/tests/signme || die
+ edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die
+
+ edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
+
+ # keyring-mangler.py should now produce a keyring *without* it
+ edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
+ "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
+ "${T}"/tests/tainted-keyring.asc \
+ "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log
+ assert "Key mangling in tests failed?"
+
+ # Check the log to verify the injected key got detected
+ grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!"
+
+ # gnupg doesn't have an easy way for us to actually just.. ask
+ # if a key is known via WoT. So, sign a file using the key
+ # we just made, and then try to gpg --verify it, and check exit code.
+ #
+ # Let's now double check by seeing if a file signed by the injected key
+ # is rejected.
+ if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then
+ die "'gpg --verify' using injected test key succeeded! This shouldn't happen!"
+ fi
+
+ # Bonus lame sanity check
+ edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log
+ assert "trustdb call failed!"
+
+ check_trust_levels() {
+ local mode=${1}
+
+ while IFS= read -r line; do
+ # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u
+ # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
+ if [[ ${line} == *depth* ]] ; then
+ depth=$(echo ${line} | grep -Po "depth: [0-9]")
+ trust=$(echo ${line} | grep -Po "trust:.*")
+
+ trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-")
+ [[ ${trust_uncalculated} == 0 ]] || ${mode}
+
+ trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q")
+ [[ ${trust_insufficient} == 0 ]] || ${mode}
+
+ trust_never=$(echo ${trust} | grep -Po "[0-9]n")
+ [[ ${trust_never} == 0 ]] || ${mode}
+
+ trust_marginal=$(echo ${trust} | grep -Po "[0-9]m")
+ [[ ${trust_marginal} == 0 ]] || ${mode}
+
+ trust_full=$(echo ${trust} | grep -Po "[0-9]f")
+ [[ ${trust_full} != 0 ]] || ${mode}
+
+ trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u")
+ [[ ${trust_ultimate} == 1 ]] || ${mode}
+
+ echo "${trust_uncalculated}, ${trust_insufficient}"
+ fi
+ done < "${T}"/tests/trustdb.log
+ }
+
+ # First, check with the bad key still in the test keyring.
+ # This is supposed to fail, so we want it to return 1
+ check_trust_levels "return 1" && die "Trustdb passed when it should have failed!"
+
+ # Now check without the bad key in the test keyring.
+ # This one should pass.
+ #
+ # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
+ keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \
+ | grep "^fpr" \
+ | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
+
+ local key
+ for key in ${keys[@]} ; do
+ nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key}
+ done
+
+ edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>"
+ check_trust_levels "return 0" || die "Trustdb failed when it should have passed!"
+
+ gpgconf --kill gpg-agent || die
+}
+
+src_install() {
+ insinto /usr/share/openpgp-keys
+ newins gentoo-developers-sanitised.asc gentoo-developers.asc
+
+ # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth?
+}
diff --git a/sec-keys/openpgp-keys-lighttpd/Manifest b/sec-keys/openpgp-keys-lighttpd/Manifest
new file mode 100644
index 000000000000..1be071f9249a
--- /dev/null
+++ b/sec-keys/openpgp-keys-lighttpd/Manifest
@@ -0,0 +1,3 @@
+DIST openpgp-keys-lighttpd-20231008.asc 5397 BLAKE2B 6a234c7ea217fe5819ab06a1c87544752c097bfa8cb765a2742ffd82086887aa43962059d823a5262710983f54c28928051aea709534a3d556d6a479caf0da6c SHA512 000a10351998f0d058a0e127040127e8baeca33f9bf5c76c0df33dd85c863f6838d0dc60b6d964f1b6d760328ed1e0dfb91663795fa5b1ce112e26f228298abf
+EBUILD openpgp-keys-lighttpd-20231008.ebuild 570 BLAKE2B f2a8da3e3b3114b5cc26992e2898a2221b0073d964933d77d51c72823c52f242227eb1b1cae89eb4da6bd4886442079a8f7db338bedeab3b4f68bec92ef12363 SHA512 702cb6f17c6340b0fec4bafe3388b01d98a543da3e976734fc78a40e08d9bc5ce1909c7841c37cd7833b1c90c78c5d50776fb1be75f34ad8b18a855d062bf043
+MISC metadata.xml 369 BLAKE2B 6cc19ae6c320ce326a51aa83486490be1cfd4219c79b926da9afa9cddc28d1cd793abd7ad6a334b482a1cffde812ebc44ea869c7ae024c2365a5bb55448fd890 SHA512 db84772cf1584b166aa81c3238a8bb312ab781f9c8285df37d5a7fb9e84af602b9ea9075d582bd1b350610f8502d6d03e4c91f5378d61924c2350591f632e65b
diff --git a/sec-keys/openpgp-keys-lighttpd/metadata.xml b/sec-keys/openpgp-keys-lighttpd/metadata.xml
new file mode 100644
index 000000000000..38bfb729261e
--- /dev/null
+++ b/sec-keys/openpgp-keys-lighttpd/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="person">
+ <email>sam@gentoo.org</email>
+ <name>Sam James</name>
+ </maintainer>
+</pkgmetadata>
diff --git a/sec-keys/openpgp-keys-lighttpd/openpgp-keys-lighttpd-20231008.ebuild b/sec-keys/openpgp-keys-lighttpd/openpgp-keys-lighttpd-20231008.ebuild
new file mode 100644
index 000000000000..983d36fca412
--- /dev/null
+++ b/sec-keys/openpgp-keys-lighttpd/openpgp-keys-lighttpd-20231008.ebuild
@@ -0,0 +1,20 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="OpenPGP keys used to sign lighttpd"
+HOMEPAGE="https://www.lighttpd.net/"
+SRC_URI="https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/${P}.asc"
+S="${WORKDIR}"
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+
+src_install() {
+ local files=( ${A} )
+
+ insinto /usr/share/openpgp-keys
+ newins - lighttpd.asc < <(cat "${files[@]/#/${DISTDIR}/}" || die)
+}