
Keyring instructions

This is the keyring for the CTI project. Any new contributor must have an entry in the allowed-signers file before they can be granted access to any of the CTI repositories.

Overview

This repository contains two files, other than the README:

  • an "allowed-signers" file in the format dictated by the ssh-keygen(1) "ALLOWED SIGNERS" section
  • a "revoked-keys" file in the format dictated by the ssh-keygen(1) "KEY REVOCATION LISTS" section

The only people allowed to push to this repository are the trusted introducers from the CTI project whose keys and identities were verified on a video call between members of LF IT and CTI TAC.

Adding keys to the repository

  1. New members who need to get access to CTI managed repositories will first submit their keys to the trusted introducers (procedure to be established; please edit this file once that is documented and available).
  2. Once the key is validated with the trusted introducers, one of them will add that key to the allowed-signers file and commit that change to the keyring repository. The commit should:
    • describe how the identity was verified and by whom
    • provide the link to the key submission message in the archives (if relevant and available)
    • carry a cryptographic signature on the commit itself (via git commit -S)
  3. The new member will then send a request to the LF helpdesk to request access to gitolite (the exact template to be established, and will include username selection and gitolite group membership details; please edit this file once this procedure is documented).
  4. Members of LF IT will use the allowed-signers file in this repository as the source of the public key data. The signature on the commit is not checked by LF IT; being able to push to this repository is sufficient verification of the introducer's identity. The signature is there so that the history of the keyring itself can be verified against the allowed-signers file (for example with git log --show-signature using the configuration described below).

Revoking keys from the project

A trusted introducer will remove the key from the allowed-signers file and add an entry to the revoked-keys file, then follow with a request to the LF helpdesk to remove repository access. Both files need changing: removing the allowed-signers entry stops the key from verifying in the future, while the revoked-keys entry makes existing signatures made with that key fail as revoked rather than merely as signed by an unknown key.

Using this keyring for git commit verification

Files in this repository can be used for git commit verification. It is sufficient to add the following entries to the .git/config file of any repository used for commit verification (or to ~/.gitconfig to apply them to every repository). With these settings git commit signs each commit with your SSH key, and git verify-commit and git log --show-signature check signatures against the keyring files:

[user]
    signingKey = "ssh-rsa AAAAYOUR_FULL_SSH_PUBKEY..."

[commit]
    gpgSign = true

[gpg]
    format = ssh

[gpg "ssh"]
    allowedSignersFile = ~/path/to/keyring/allowed-signers
    revocationFile = ~/path/to/keyring/revoked-keys
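As an added illustration (not code from the CTI keyring or from the project), the following Python parses the two file formats named above, an allowed-signers file and a revoked-keys file in KRL source format, and answers the question that ssh-keygen -Y verify (and git, through the gpg.ssh.* settings) answer with them: may this key sign for this principal in the "git" namespace? It handles principal patterns, the namespaces, valid-after and valid-before options, and revocation by full key or by SHA256 fingerprint. All principals, keys and file contents are constructed sample data; the key blobs are syntactically valid ed25519 blobs, not real keys, and the names alice, bob, carol and dave are assumptions. Times are treated as UTC here, whereas ssh-keygen uses local time unless the value ends in Z.

```python
"""Model of the allowed-signers / revoked-keys checks (added example, constructed data)."""
import base64
import hashlib
import re
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed sample keys: decodable 68-character ed25519 blobs, not real keys.
_ED25519_PREFIX = "AAAAC3NzaC1lZDI1NTE5AAAAI"


def _fake_key(label):
    return "ssh-ed25519 " + _ED25519_PREFIX + label.ljust(43, "0")


ALICE, BOB, BOB_OLD, CAROL, DAVE = map(_fake_key, ["Alice", "Bob", "BobOld", "Carol", "Dave"])


def fingerprint(key):
    """OpenSSH-style SHA256 fingerprint of a 'keytype base64-blob [comment]' string."""
    blob = base64.b64decode(key.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


# Constructed allowed-signers file: principals[,...] [options] keytype blob [comment]
ALLOWED_SIGNERS = f"""\
# sample keyring, constructed for this example
alice@example.org {ALICE} alice laptop
bob@example.org namespaces="git",valid-before="20301231" {BOB} bob
carol@example.org,carol@corp.example valid-after="20200101" {CAROL}
*@contractor.example namespaces="git,file" {DAVE}
"""

# Constructed revoked-keys file in ssh-keygen(1) KRL source format.
REVOKED_KEYS = f"""\
# carol's key revoked by full key, bob's previous key by fingerprint
key: {CAROL}
hash: {fingerprint(BOB_OLD)}
"""

_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')   # whitespace-separated, quotes kept together
_OPT = re.compile(r'(?:[^,"]+|"[^"]*")+')      # comma-separated, quotes kept together
_KEYTYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")


def parse_allowed_signers(text):
    """Return a list of {principals, options, key} entries; comments are dropped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = _TOKEN.findall(line)
        opts, i = {}, 1
        if len(toks) > 1 and not _KEYTYPE.match(toks[1]):   # optional options field
            for part in _OPT.findall(toks[1]):
                name, _, value = part.partition("=")
                opts[name.lower()] = value.strip('"') if value else True
            i = 2
        if len(toks) < i + 2 or not _KEYTYPE.match(toks[i]):
            raise ValueError(f"allowed-signers line {lineno}: missing key")
        entries.append({"principals": toks[0].split(","), "options": opts,
                        "key": f"{toks[i]} {toks[i + 1]}"})
    return entries


def parse_revoked_keys(text):
    """Return the set of SHA256 fingerprints revoked by a KRL source file.
    Only key:, sha256: and hash: are handled; serial:/id: apply to certificates."""
    revoked = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, value = line.partition(":")
        directive, value = directive.strip().lower(), value.strip()
        if directive in ("key", "sha256"):
            revoked.add(fingerprint(value))
        elif directive == "hash":
            revoked.add(value)
        else:
            raise ValueError(f"revoked-keys line {lineno}: unsupported directive {directive!r}")
    return revoked


def parse_time(s):
    """YYYYMMDD[HHMM[SS]][Z] as used by valid-after/valid-before (UTC assumed here)."""
    s = s.rstrip("Zz")
    fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}[len(s)]
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def may_sign(principal, key, allowed, revoked, namespace="git", now=None):
    """Decide whether `key` may sign for `principal` in `namespace`; returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    key = " ".join(key.split()[:2])                 # drop any comment
    if fingerprint(key) in revoked:
        return False, "key is revoked"
    for e in allowed:
        if e["key"] != key or not any(fnmatchcase(principal, p) for p in e["principals"]):
            continue
        opts = e["options"]
        if opts.get("cert-authority"):              # CA entries match certificates only
            continue
        ns = opts.get("namespaces")
        if ns and namespace not in ns.split(","):
            return False, f"key not allowed for namespace {namespace!r}"
        if "valid-after" in opts and now < parse_time(opts["valid-after"]):
            return False, "key not yet valid"
        if "valid-before" in opts and now >= parse_time(opts["valid-before"]):
            return False, "key expired"
        return True, "ok"
    return False, "no allowed-signers entry for this principal and key"


if __name__ == "__main__":
    allowed, revoked = parse_allowed_signers(ALLOWED_SIGNERS), parse_revoked_keys(REVOKED_KEYS)
    for who, key in [("alice@example.org", ALICE), ("carol@example.org", CAROL),
                     ("dave@contractor.example", DAVE), ("mallory@example.org", ALICE)]:
        print(who, may_sign(who, key, allowed, revoked))
```

The revocation check runs before the allowed-signers lookup, which is the property the revocation procedure above relies on: a key listed in revoked-keys fails even if a stale allowed-signers entry still names it. Real verification should still be left to ssh-keygen -Y verify or git verify-commit; this model only shows what those tools consult.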