Ok, here's an example with enough tools to handle most of the common cases. For now you can get these tools from svn://svn.kitenet.net/joey/trunk/src/packages/unreleased/jetring/

joey@kodama:~>ls jetring
changeset-accept*  changeset-review*  keyring-gen*
changeset-apply*   keyring-explode*
joey@kodama:~>export PATH=$PATH:~/jetring
joey@kodama:~>cd ~/tmp/debian-keyring-2005.05.28/keyrings
joey@kodama:~/tmp/debian-keyring-2005.05.28/keyrings>keyring-explode emeritus-keyring.pgp emeritus-keyring
emeritus-keyring/add-17D57681
emeritus-keyring/add-6F7267F5
emeritus-keyring/add-B269698D
emeritus-keyring/add-647B8331
emeritus-keyring/add-64433805
....
joey@kodama:~/tmp/debian-keyring-2005.05.28/keyrings>head emeritus-keyring/add-001B3BA1
Comment: extracted from emeritus-keyring.pgp by keyring-explode
Action: import
Data:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.6 (GNU/Linux)

mQBtAzI+bhkAAAEDAOn0rvREGipkloa17NRJcSHweJJuhGo5EIPM3XDXbfXF4j18
TBWgGisic/QqtGvOwVVgQitS1evqOHgcRrNOPc/0tOuruR8qtEX33ypwjiZlK30M
evm8E9wUEkkpABs7oQAFEbQnQmpvcm4gQnJlbmFuZGVyIDxiam9ybkBicmVuYW5k
ZXIucHAuc2U+iQB1AwUQM9T0FhQSSSkAGzuhAQEJTQL9FF2qV4aBYgWKdKu4MdG6
joey@kodama:~/tmp/debian-keyring-2005.05.28/keyrings>head emeritus-keyring/index
9c55ce36c00df3d6edec08106db06be1 add-17D57681
9316b0b1f37b97d99336df760deac6ef add-6F7267F5
e2480c78d9b39694775f6bec21023e9b add-B269698D
f868db4c2eff8751e8fdc53d6b105c0b add-647B8331
c68795f636ecf52fa6cdff7e71b18915 add-64433805
0836a942d9aa1ca54c9976969a26380c add-DEA67011
5f1af519711e704104550ce984d6033c add-B1CE8961
7c646b8bb334684d164147221c407424 add-5BB0DA6D
4627e1f9cc0c91cfbb5e2c5a3adb45b9 add-FA00F50D
6e64f607284940c6842932f1bf55b4bc add-ABB90E15

keyring-explode is a one-time operation, so a bit slow, but now the changesets are ready for use.
First, let's rebuild the keyring from them, and compare to make sure no data is being lost (or added!):

joey@kodama:~/tmp/debian-keyring-2005.05.28/keyrings>keyring-gen newring.gpg emeritus-keyring
Applying emeritus-keyring/add-17D57681 ...
gpg --import
gpg: key 17D57681: public key "Joel Klecker <espy@debian.org>" imported
gpg: key 17D57681: "Joel Klecker <espy@debian.org>" not changed
gpg: Total number processed: 2
gpg:               imported: 1  (RSA: 1)
gpg:              unchanged: 1
gpg operation complete
...
Applying emeritus-keyring/add-F9033421 ...
gpg --import
gpg: key F9033421: public key "Herbert Xu <herbert@gondor.apana.org.au>" imported
gpg: key F9033421: "Herbert Xu <herbert@gondor.apana.org.au>" 2 new signatures
gpg: Total number processed: 2
gpg:               imported: 1  (RSA: 1)
gpg:         new signatures: 2
gpg operation complete
All changesets applied ok.
joey@kodama:~/tmp/debian-keyring-2005.05.28/keyrings>ls -l newring.gpg emeritus-keyring.gpg
-rw-r--r-- 1 joey joey 167537 Feb 24 02:03 emeritus-keyring.gpg
-rw-r--r-- 1 joey joey  94855 Feb 24 02:06 newring.gpg
joey@kodama:~/tmp/debian-keyring-2005.05.28/keyrings>gpg --no-default-keyring --keyring ./emeritus-keyring.gpg --list-keys > a
joey@kodama:~/tmp/debian-keyring-2005.05.28/keyrings>gpg --no-default-keyring --keyring ./newring.pgp --list-keys > b
joey@kodama:~/tmp/debian-keyring-2005.05.28/keyrings>diff -u a b
--- a	2007-02-24 02:15:29.000000000 -0500
+++ b	2007-02-24 02:15:35.000000000 -0500
@@ -1,5 +1,5 @@
-./emeritus-keyring.pgp
-----------------------
+./newring.gpg
+-------------
 pub   1024R/17D57681 1996-06-26
 uid                  Joel Klecker <espy@debian.org>
 uid                  Joel Klecker <jk@espy.org>
@@ -161,10 +161,10 @@
 pub   1024R/22714B25 1998-08-30
 uid                  Stephen Crowley <sc462@swbell.net>
 uid                  Stephen Crowley <crow@debian.org>
-uid                  Stephen Crowley <stephenc@wf.net>
 uid                  Stephen Crowley <stephenc@dns2.digitalpassage.com>
 uid                  Stephen Crowley <stephenc@digitalpassage.com>
 uid                  Stephen Crowley <stephenc@placemark.com>
+uid                  Stephen Crowley <stephenc@wf.net>
 
 pub   768R/21978C61 1996-08-13
 uid                  Hubert Weikert <weikert@debian.org>
@@ -347,7 +347,6 @@
 pub   1024R/8F23DC91 1994-12-20
 uid                  Joe Reinhardt <jmr@debian.org>
 uid                  Joe Reinhardt <joe-reinhardt@uiowa.edu>
-uid                  Joe Reinhardt <joe-reinhardt@uiowa.edu>
 uid                  jmr@debian.org
 uid                  jmr@master.debian.org
 uid                  Joseph M. Reinhardt <jmr@everest.radiology.uiowa.edu>

Ok, no significant changes, only id rearrangement and dup removal. I've done the same for debian-keyring.gpg, with similar results, just took a bit longer.

On to making changes..

joey@kodama:~/tmp/debian-keyring-2005.05.28/keyrings>cat > joeyh.retired
Changed-By: Joey Hess <joeyh@debian.org>
Comment: had to happen some day
Date: Sat, 24 Feb 2007 02:18:51 -0500
Action: delete-key 788A3F4C
Data:
y
joey@kodama:~/tmp/debian-keyring-2005.05.28/keyrings>changeset-review newring.gpg joeyh.retired
>> y
gpg --delete-key 788A3F4C
gpg (GnuPG) 1.4.6; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

pub  1024D/788A3F4C 1999-09-08 Joey Hess <joeyh@debian.org>
gpg operation complete

Looks good, so accept this changeset.

joey@kodama:~/tmp/debian-keyring-2005.05.28/keyrings>changeset-accept debian-keyring joeyh.retired
joey@kodama:~/tmp/debian-keyring-2005.05.28/keyrings>

Now, after making some changes, it's time to produce a keyring. Since I already have one that was built by keyring-gen, I can update it in incremental mode, which is much faster than a full rebuild:

joey@kodama:~/tmp/debian-keyring-2005.05.28/keyrings>keyring-gen -i newring.gpg debian-keyring
Skipping forward past changeset add-1E880A84 ...
Applying debian-keyring/joeyh.retired ...
gpg --delete-key 788A3F4C
gpg (GnuPG) 1.4.6; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
>> y
pub  1024D/788A3F4C 1999-09-08 Joey Hess <joeyh@debian.org>
gpg operation complete
All changesets applied ok.
joey@kodama:~/tmp/debian-keyring-2005.05.28/keyrings>gpg --no-auto-check-trustdb --no-default-keyring --keyring ./newring.gpg --list-keys |grep 788A3F4C
gpg: please do a --check-trustdb
joey@kodama:~/tmp/debian-keyring-2005.05.28/keyrings>

No more me. Hurrah!

It might be ok to use keyring-gen in interactive mode like this for day-to-day maintenance, and only do a full rebuild for uploads of the debian-keyring package. The debian-keyring source package could be modified to contain the changeset directories, and build the keyrings from them, and then we could even send in diffs against it to submit changes.

I've left out one thing that might be worth doing, namely gpg signing of the changesets and the index file, and verification of the signatures before applying changesets. With that in place, it would be possible to check the changesets into a revision control system, and let others commit changesets, which can then be reviewed and signed.

-- 
see shy jo
Attachment:
signature.asc
Description: Digital signature
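As an added example, not jetring's code and not part of the mail above: a small Python checker for a changeset directory in the format the terminal session shows (a `Field: value` header block ending at `Data:`, and an index of `<md5> <name>` lines). Three things in it are assumptions rather than facts from the page: that the index holds md5sum output over each changeset file (the page only shows its shape), the allowlist of `Action:` verbs (only `import` and `delete-key` appear on the page, and the verb is turned into a gpg option verbatim), and the `index.sig` layout used to sketch the signature verification the mail says is still missing. The sample changesets the demo writes are constructed; the armored key in them is a placeholder, not a real key.

```python
"""Offline integrity checks for a jetring-style changeset directory.

Added example, not jetring's own code. Formats follow the session in the
mail; the md5sum index assumption, the action allowlist and the
'index.sig' layout are this example's assumptions.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile

ALLOWED_ACTIONS = {"import", "delete-key"}   # the two verbs seen on the page


def parse_changeset(text):
    """Split a changeset into header fields plus the Data body.

    Headers are 'Field: value' lines up to 'Data:'; everything after that
    line is what gets fed to gpg on stdin (an armored key, or 'y')."""
    headers = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Data:"):
            headers["Data"] = "\n".join(lines[i + 1:])
            break
        field, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[field.strip()] = value.strip()
    else:
        raise ValueError("changeset has no Data: field")
    if "Action" not in headers:
        raise ValueError("changeset has no Action: field")
    return headers


def gpg_command(action):
    """Map Action: onto the gpg call the session shows ('import' ->
    gpg --import, 'delete-key 788A3F4C' -> gpg --delete-key 788A3F4C).
    The allowlist is an addition: the verb becomes a gpg option verbatim,
    so unknown verbs and option-like arguments are refused, not passed on."""
    words = action.split()
    if not words or words[0] not in ALLOWED_ACTIONS:
        raise ValueError("refusing unknown action: %r" % action)
    if any(w.startswith("-") for w in words[1:]):
        raise ValueError("refusing option-like argument in: %r" % action)
    return ["gpg", "--" + words[0]] + words[1:]


def md5_of_file(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()


def parse_index(text):
    """'<md5hex> <name>' per line; dict order is the application order."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            entries[name.strip()] = digest.lower()
    return entries


def check_changeset_dir(dirpath):
    """Return {name: status}, status in ok/modified/missing/unlisted.
    Only 'ok' changesets should reach gpg: a digest mismatch means the
    file changed after it was indexed, and an unlisted file is one that
    never went through changeset-accept."""
    with open(os.path.join(dirpath, "index")) as f:
        index = parse_index(f.read())
    status = {}
    for name, digest in index.items():
        path = os.path.join(dirpath, name)
        if not os.path.isfile(path):
            status[name] = "missing"
        else:
            status[name] = "ok" if md5_of_file(path) == digest else "modified"
    for name in sorted(os.listdir(dirpath)):
        if name not in status and name not in ("index", "index.sig"):
            status[name] = "unlisted"
    return status


def verify_index_signature(dirpath, trusted_keyring):
    """Assumed layout for the signing step the mail leaves open: a detached
    signature over 'index' in 'index.sig', checked against a keyring of
    the people allowed to publish changesets. True only on a good signature."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", trusted_keyring,
           "--verify", os.path.join(dirpath, "index.sig"), os.path.join(dirpath, "index")]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def demo():
    """Write a constructed changeset directory, check it, then check it
    again after one file is edited and one unreviewed file is dropped in."""
    d = tempfile.mkdtemp(prefix="jetring-demo-")
    try:
        files = {  # constructed samples; the key block is a placeholder
            "add-DEADBEEF": "Comment: constructed sample, not a real key\n"
                            "Action: import\nData:\n"
                            "-----BEGIN PGP PUBLIC KEY BLOCK-----\n(placeholder)\n"
                            "-----END PGP PUBLIC KEY BLOCK-----\n",
            "joeyh.retired": "Changed-By: Joey Hess <joeyh@debian.org>\n"
                             "Comment: had to happen some day\n"
                             "Date: Sat, 24 Feb 2007 02:18:51 -0500\n"
                             "Action: delete-key 788A3F4C\nData:\ny\n",
        }
        for name, text in files.items():
            with open(os.path.join(d, name), "w") as f:
                f.write(text)
        with open(os.path.join(d, "index"), "w") as f:
            for name in files:
                f.write("%s %s\n" % (md5_of_file(os.path.join(d, name)), name))
        clean = check_changeset_dir(d)
        with open(os.path.join(d, "joeyh.retired"), "w") as f:   # edited after indexing
            f.write(files["joeyh.retired"].replace("788A3F4C", "00000000"))
        with open(os.path.join(d, "add-SNEAKY"), "w") as f:      # never accepted
            f.write("Action: import\nData:\n")
        return clean, check_changeset_dir(d)
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    before, after = demo()
    print(before)
    print(after)
```

The md5 check only tells you that the files match the index as it was written; it says nothing about who wrote the index, which is exactly the gap the mail names. `verify_index_signature()` is where that authenticity check would sit, and a keyring-gen that refused to apply anything until both it and `check_changeset_dir()` came back clean would get most of the benefit of the signing scheme described, without changing the changeset format.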