Aloha,

so, this is about implemented. Needs a little work from DSA (to sync around the machines), which needs some more time, they are just about starting to look at that. So I guess it will be in real usage somewhat a little later today or early tomorrow, depending on when the keyrings appear in the right location. I will also cron it, probably run out of cron.hourly on our side. But keep in mind that this builds up a set of files which is then synced off by DSA, which then transfer those to the usual /srv/keyrings location, so a key won't be immediately available. Best is to make sure you start a key rollover something like a week or so before the old key expires.

In the meantime, let me reiterate over how the stuff is supposed to go and how wbadm can deal with it:

First, the rules attached to this:

- the buildd host must be maintained by DSA
- the key must have a size of 4096 or higher and must never leave the buildd (well, the private part :) )
- the key expires within 120 days
- there are not more than 2 keys per buildd (so you can do a key rollover)

The way you get the keys to us is by placing them into

    franck.debian.org:/srv/ftp-master.debian.org/scripts/builddkeyrings/incoming

using a filename of

    architecture_builddname.YEAR-MONTH-DAY_HOURMINUTE.key

or

    architecture_builddname.YEAR-MONTH-DAY_HOURMINUTE.del

depending on the work you want it to do. wbadm can write there. Ending key adds keys, del removes.

The contents of those files have to be clearsigned by a key in the "admin" keyring, which currently contains all wbadm keys as well as the ftpmasters.

For the .key file the contents are a plain gpg --export -a of the key, for the .del file it is two lines:

    key: 16CHARKEYID
    comment: whatevercommentyoucanimagineandmakessense

And that's about it.

-- 
bye, Joerg
<sgran about debianqueued> Its not's exactly well factored code.
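
The filename and .del conventions described in the mail above can be checked before a request is dropped into incoming. This is an added example, not part of the original mail and not the ftpmaster scripts' own code; the allowed characters in architecture and buildd names, the zero-padded timestamp layout, and the function names are assumptions, and verifying the clearsignature against the "admin" keyring is out of scope here.

```python
import re
from datetime import datetime

# Assumed grammar; the mail gives only the template
# architecture_builddname.YEAR-MONTH-DAY_HOURMINUTE.{key,del}
NAME_RE = re.compile(
    r"(?P<arch>[a-z0-9-]+)_(?P<buildd>[a-z0-9-]+)\."
    r"(?P<stamp>[0-9]{4}-[0-9]{2}-[0-9]{2}_[0-9]{4})\.(?P<action>key|del)"
)
KEYID_RE = re.compile(r"[0-9A-Fa-f]{16}")  # the "16CHARKEYID" of the .del file


def parse_request_name(filename):
    """Split an incoming filename into arch, buildd, timestamp and action."""
    m = NAME_RE.fullmatch(filename)  # fullmatch also rejects path components
    if m is None:
        raise ValueError(f"bad request filename: {filename!r}")
    try:
        stamp = datetime.strptime(m["stamp"], "%Y-%m-%d_%H%M")
    except ValueError:
        raise ValueError(f"bad timestamp in {filename!r}") from None
    # ".key" adds a key, ".del" removes one
    action = "add" if m["action"] == "key" else "remove"
    return {"arch": m["arch"], "buildd": m["buildd"],
            "stamp": stamp, "action": action}


def parse_del_body(text):
    """Parse the two-line .del payload, i.e. the text inside the clearsignature."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 2:
        raise ValueError("a .del body must have exactly two lines")
    fields = {}
    for ln in lines:
        name, sep, value = ln.partition(":")
        if not sep:
            raise ValueError(f"missing ':' in {ln!r}")
        fields[name.strip().lower()] = value.strip()
    if set(fields) != {"key", "comment"}:
        raise ValueError("expected exactly 'key:' and 'comment:'")
    if not KEYID_RE.fullmatch(fields["key"]):
        raise ValueError("key id must be 16 hex characters")
    fields["key"] = fields["key"].upper()
    return fields
```
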