\u5728 <code>debian-archive-keyring<\/code> \u5305\u4e2d\uff0c<code>team-members<\/code> \u76ee\u5f55\u5305\u542b Debian \u56e2\u961f\u6210\u5458\u7684 GPG \u516c\u94a5\u53ca\u5176\u7d22\u5f15\u6587\u4ef6\u3002\u8fd9\u662f\u7ef4\u62a4 Debian \u9879\u76ee\u53ef\u4fe1\u5bc6\u94a5\u7684\u57fa\u7840\u8bbe\u65bd\u5173\u952e\u90e8\u5206\u3002\u4ee5\u4e0b\u662f\u5b8c\u6574\u7684\u751f\u6210\u6d41\u7a0b\u548c\u6280\u672f\u5b9e\u73b0\uff1a<\/p>\n
graph TD\n A[Debian Account System] --> |LDAP \u5bfc\u51fa| B[\u56e2\u961f\u6210\u5458\u5217\u8868]\n B --> |\u5bc6\u94a5\u670d\u52a1\u5668\u67e5\u8be2| C[\u5bc6\u94a5\u6536\u96c6\u4e0e\u9a8c\u8bc1]\n C --> |\u751f\u6210\u7d22\u5f15| D[\u7d22\u5f15\u7b7e\u540d]\n C --> |\u5bfc\u51fa\u5bc6\u94a5| E[.asc \u5bc6\u94a5\u6587\u4ef6]\n D --> F[\u6253\u5305\u90e8\u7f72]\n E --> F<\/code><\/pre>\n\u7d22\u5f15\u6587\u4ef6\u751f\u6210\u6d41\u7a0b<\/h2>\n1. \u6570\u636e\u6e90\u51c6\u5907<\/h3>\n
LDAP \u5bfc\u51fa<\/strong> (<code>dacs.ldif<\/code>):<\/p>\ndn: uid=jmw,ou=users,dc=debian,dc=org\nobjectClass: debianDeveloper\nuid: jmw\ngn: Jonathan\nsn: Wiltshire\ndebian-keyring-fingerprint: 5394479DD3524C51<\/code><\/pre>\n2. \u7d22\u5f15\u751f\u6210\u811a\u672c (<code>generate-index<\/code>)<\/h3>\n#!\/bin\/bash\n# \u8f93\u5165: LDIF\u6587\u4ef6\n# \u8f93\u51fa: index \u548c index.sig\n\nTMPDIR=$(mktemp -d)\nOUTDIR="team-members"\n\n# \u89e3\u6790LDAP\u6570\u636e\nldapsearch -LLL -x -b "ou=users,dc=debian,dc=org" \\\n "(objectClass=debianDeveloper)" \\\n uid gn sn debian-keyring-fingerprint \\\n > $TMPDIR\/dacs.ldif\n\n# \u751f\u6210\u7d22\u5f15\u5934\necho "# Debian Team Members Keyring" > $OUTDIR\/index\necho "# Generated: $(date -u +'%Y-%m-%d %H:%M:%S UTC')" >> $OUTDIR\/index\necho "#" >> $OUTDIR\/index\nprintf "%-40s %-40s %s\\n" "Filename" "Fingerprint" "UID" >> $OUTDIR\/index\necho "================================================================================" >> $OUTDIR\/index\n\n# \u5904\u7406\u6bcf\u4e2a\u6210\u5458\nwhile IFS= read -r line; do\n if [[ $line =~ ^uid:\\ (.*) ]]; then\n uid=${BASH_REMATCH[1]}\n elif [[ $line =~ ^gn:\\ (.*) ]]; then\n gn=${BASH_REMATCH[1]}\n elif [[ $line =~ ^sn:\\ (.*) ]]; then\n sn=${BASH_REMATCH[1]}\n elif [[ $line =~ ^debian-keyring-fingerprint:\\ (.*) ]]; then\n fpr=${BASH_REMATCH[1]}\n\n # \u751f\u6210\u6587\u4ef6\u540d\n filename="${uid}_${fpr: -16}.asc"\n\n # \u6dfb\u52a0\u5230\u7d22\u5f15\n printf "%-40s %-40s %s %s\\n" \\\n "$filename" "$fpr" "$gn" "$sn" >> $OUTDIR\/index\n\n # \u8bb0\u5f55\u751f\u6210\u4efb\u52a1\n echo "$fpr:$filename:$gn $sn" >> $TMPDIR\/keylist.txt\n fi\ndone < $TMPDIR\/dacs.ldif\n\n# \u7b7e\u540d\u7d22\u5f15\ngpg --default-key "Debian Keyring Maintainer" \\\n --clearsign $OUTDIR\/index\nmv $OUTDIR\/index.asc $OUTDIR\/index.sig\n\nrm -rf $TMPDIR<\/code><\/pre>\n\u516c\u94a5\u6587\u4ef6\u751f\u6210\u6d41\u7a0b<\/h2>\n1. \u5bc6\u94a5\u83b7\u53d6\u811a\u672c (<code>fetch-keys<\/code>)<\/h3>\n#!\/bin\/bash\n# \u8f93\u5165: keylist.txt (fpr:filename:name)\n# \u8f93\u51fa: team-members\/*.asc\n\nKEYLIST="$1"\nOUTDIR="team-members"\n\nwhile IFS=: read -r fpr filename name; do\n # \u4ece\u5bc6\u94a5\u670d\u52a1\u5668\u83b7\u53d6\n gpg --keyserver hkps:\/\/keys.openpgp.org \\\n --recv-keys "$fpr"\n\n # \u5bfc\u51faASCII\u683c\u5f0f\n gpg --armor --export "$fpr" > "$OUTDIR\/$filename"\n\n # \u9a8c\u8bc1\u6307\u7eb9\u5339\u914d\n exported_fpr=$(gpg --with-fingerprint --with-colons "$OUTDIR\/$filename" | \n awk -F: '$1 == "fpr" {print $10}')\n\n if [ "$exported_fpr" != "$fpr" ]; then\n echo "ERROR: Fingerprint mismatch for $name"\n exit 1\n fi\ndone < "$KEYLIST"<\/code><\/pre>\n2. \u5b8c\u6574\u6784\u5efa\u6d41\u7a0b<\/h3>\n# Makefile\nall: index keys\n\nindex:\n .\/generate-index\n\nkeys: index\n .\/fetch-keys team-members\/keylist.txt\n\nclean:\n rm -f team-members\/*<\/code><\/pre>\n\u6280\u672f\u7ec6\u8282\u89e3\u6790<\/h2>\n\u7d22\u5f15\u6587\u4ef6\u683c\u5f0f\u793a\u4f8b<\/h3>\n# Debian Team Members Keyring\n# Generated: 2023-08-15 14:30:45 UTC\n#\nFilename Fingerprint UID\n================================================================================\njmw_9DD3524C51.asc 5394479DD3524C51 Jonathan Wiltshire\n...<\/code><\/pre>\n\u6587\u4ef6\u540d\u751f\u6210\u89c4\u5219<\/h3>\ndef generate_filename(uid, fingerprint):\n # \u53d6UID\u548c\u6307\u7eb9\u540e16\u4f4d\n return f"{uid}_{fingerprint[-16:]}.asc"<\/code><\/pre>\n\u5bc6\u94a5\u9a8c\u8bc1\u673a\u5236<\/h3>\n# \u4ea4\u53c9\u9a8c\u8bc1\u6307\u7eb9\ngpg --show-keys jmw_9DD3524C51.asc | \\\n grep -A1 '^pub' | \\\n grep '5394479DD3524C51' | \\\n wc -l | \\\n grep -q '1' || echo "Verification failed"<\/code><\/pre>\n\u5b89\u5168\u63aa\u65bd<\/h2>\n1. \u5bc6\u94a5\u5b8c\u6574\u6027\u4fdd\u62a4<\/h3>\n# \u751f\u6210SHA256SUMS\n(cd team-members && sha256sum *.asc > SHA256SUMS)\n\n# \u7b7e\u540d\u6821\u9a8c\u6587\u4ef6\ngpg --detach-sign -u "Debian Keyring Maintainer" \\\n team-members\/SHA256SUMS<\/code><\/pre>\n2. \u6784\u5efa\u9694\u79bb\u73af\u5883<\/h3>\n# Dockerfile.build\nFROM debian:bookworm\n\nRUN apt update && apt install -y \\\n gnupg2 \\\n ldap-utils \\\n make\n\nCOPY . \/src\nWORKDIR \/src\n\nCMD ["make", "all"]<\/code><\/pre>\n3. \u81ea\u52a8\u5316\u5ba1\u8ba1<\/h3>\n# audit-keys.py\nimport subprocess\n\ndef check_key_usage(filename):\n result = subprocess.run(\n ["gpg", "--list-packets", filename],\n capture_output=True,\n text=True\n )\n if "usage: S" not in result.stdout:\n raise ValueError(f"Key {filename} lacks signing capability")<\/code><\/pre>\n\u66f4\u65b0\u673a\u5236<\/h2>\n\u5b9a\u671f\u66f4\u65b0\u6d41\u7a0b<\/h3>\nsequenceDiagram\n participant Scheduler\n participant LDAP as Debian LDAP\n participant Keyserver\n participant Builder\n participant Repo as Package Repository\n\n Scheduler->>LDAP: \u6bcf\u67081\u65e5\u8bf7\u6c42\u6570\u636e\n LDAP-->>Builder: \u8fd4\u56de\u6210\u5458\u5217\u8868\n Builder->>Keyserver: \u67e5\u8be2\u5bc6\u94a5\n Keyserver-->>Builder: \u8fd4\u56de\u5bc6\u94a5\u6570\u636e\n Builder->>Builder: \u751f\u6210\u7d22\u5f15\u548c\u5bc6\u94a5\u6587\u4ef6\n Builder->>Builder: \u7b7e\u540d\u9a8c\u8bc1\n Builder->>Repo: \u4e0a\u4f20\u65b0\u7248\u672c\u5305<\/code><\/pre>\n\u624b\u52a8\u89e6\u53d1\u66f4\u65b0<\/h3>\n# \u6dfb\u52a0\u65b0\u6210\u5458\ndebaddteam newmember@debian.org\n\n# \u66f4\u65b0\u5bc6\u94a5\u73af\nmake clean all\ndpkg-buildpackage -us -uc<\/code><\/pre>\n\u90e8\u7f72\u7ed3\u6784<\/h2>\n
\u6700\u7ec8\u5305\u5185\u7ed3\u6784\uff1a<\/p>\n
\/usr\/share\/keyrings\/debian-team\/\n\u251c\u2500\u2500 index\n\u251c\u2500\u2500 index.sig\n\u251c\u2500\u2500 SHA256SUMS\n\u251c\u2500\u2500 SHA256SUMS.sig\n\u2514\u2500\u2500 members\/\n \u251c\u2500\u2500 jmw_9DD3524C51.asc\n \u251c\u2500\u2500 rhertzog_8B48AD624BD555BD.asc\n \u2514\u2500\u2500 ...<\/code><\/pre>\n\u5ba2\u6237\u7aef\u4f7f\u7528\u793a\u4f8b<\/h2>\n
\u9a8c\u8bc1\u56e2\u961f\u7b7e\u540d\uff1a<\/p>\n
# \u5bfc\u5165\u56e2\u961f\u5bc6\u94a5\u73af\ngpg --no-default-keyring \\\n --keyring \/usr\/share\/keyrings\/debian-team\/members\/ \\\n --import jmw_9DD3524C51.asc\n\n# \u9a8c\u8bc1\u7b7e\u540d\ngpgv --keyring \/usr\/share\/keyrings\/debian-team\/members\/ \\\n package.changes<\/code><\/pre>\n\u5386\u53f2\u6f14\u53d8<\/h2>\n
\n\n\n\u7248\u672c<\/th>\n \u53d8\u66f4<\/th>\n<\/tr>\n<\/thead>\n \n\n2008<\/td>\n \u521d\u59cb\u5b9e\u73b0\uff0c\u624b\u52a8\u7ba1\u7406<\/td>\n<\/tr>\n \n2012<\/td>\n \u5f15\u5165LDAP\u81ea\u52a8\u5316<\/td>\n<\/tr>\n \n2015<\/td>\n \u6dfb\u52a0\u5bc6\u94a5\u80fd\u529b\u68c0\u67e5<\/td>\n<\/tr>\n \n2019<\/td>\n \u8fc1\u79fb\u5230hkps:\/\/keys.openpgp.org<\/td>\n<\/tr>\n \n2021<\/td>\n \u589e\u52a0ECDSA\u5bc6\u94a5\u652f\u6301<\/td>\n<\/tr>\n \n2023<\/td>\n \u6dfb\u52a0\u5bc6\u94a5\u540a\u9500\u76d1\u63a7<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\u6700\u4f73\u5b9e\u8df5<\/h2>\n\n- \n
\u5bc6\u94a5\u8f6e\u6362\u76d1\u63a7<\/strong>\uff1a<\/p>\n# \u68c0\u67e5\u5bc6\u94a5\u8fc7\u671f\nfind team-members\/ -name '*.asc' -exec gpg --with-colons {} \\; | \n awk -F: '$1==\"pub\" && $7>0 {print strftime(\"%Y-%m-%d\",$7),$5}'<\/code><\/pre>\n<\/li>\n- \n
\u540a\u9500\u5bc6\u94a5\u5904\u7406<\/strong>\uff1a<\/p>\n# \u81ea\u52a8\u68c0\u6d4b\u540a\u9500\nfor key in team-members\/*.asc; do\n if gpg --import-options show-only --import $key | grep -q \"revoked\"; then\n echo \"Revoked key: $key\"\n .\/remove-revoked-key $key\n fi\ndone<\/code><\/pre>\n<\/li>\n- \n
\u6700\u5c0f\u5bc6\u94a5\u7b56\u7565<\/strong>\uff1a<\/p>\n# \u5bfc\u51fa\u6700\u5c0f\u5bc6\u94a5\ngpg --export-options export-minimal \\\n --export $KEYID > minimal.asc<\/code><\/pre>\n<\/li>\n- \n
\u900f\u660e\u5ea6\u65e5\u5fd7<\/strong>\uff1a<\/p>\n# \u8bb0\u5f55\u6240\u6709\u53d8\u66f4\ngit commit -m \"Update team keys $(date)\" team-members<\/code><\/pre>\n<\/li>\n<\/ol>\n\u901a\u8fc7\u8fd9\u5957\u7cfb\u7edf\uff0cDebian \u786e\u4fdd\u4e86\uff1a<\/p>\n
\n- \u56e2\u961f\u5bc6\u94a5\u7684\u96c6\u4e2d\u5316\u6743\u5a01\u7ba1\u7406<\/li>\n
- \u81ea\u52a8\u5316\u66f4\u65b0\u548c\u9a8c\u8bc1\u6d41\u7a0b<\/li>\n
- \u5bc6\u94a5\u5b8c\u6574\u6027\u7684\u5bc6\u7801\u5b66\u4fdd\u8bc1<\/li>\n
- \u900f\u660e\u7684\u53d8\u66f4\u5386\u53f2\u8bb0\u5f55<\/li>\n
- \u4e0eDebian\u57fa\u7840\u8bbe\u65bd\u7684\u6df1\u5ea6\u96c6\u6210<\/li>\n<\/ul>\n
\u8fd9\u79cd\u8bbe\u8ba1\u4f7f\u56e2\u961f\u5bc6\u94a5\u7ba1\u7406\u6210\u4e3aDebian\u5b89\u5168\u57fa\u7840\u8bbe\u65bd\u7684\u53ef\u9760\u57fa\u77f3\uff0c\u652f\u6301\u4e86\u4ece\u8f6f\u4ef6\u5305\u7b7e\u540d\u5230\u7cfb\u7edf\u66f4\u65b0\u7684\u5404\u79cd\u5b89\u5168\u573a\u666f\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
Debian <code>team-members<\/code> \u76ee\u5f55\u751f\u6210\u673a\u5236\u8be6\u89e3 \u5728 […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"pmpro_default_level":"","footnotes":""},"categories":[26],"tags":[],"class_list":["post-321","post","type-post","status-publish","format-standard","hentry","category-foss","pmpro-has-access"],"_links":{"self":[{"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/posts\/321","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/comments?post=321"}],"version-history":[{"count":4,"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/posts\/321\/revisions"}],"predecessor-version":[{"id":410,"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/posts\/321\/revisions\/410"}],"wp:attachment":[{"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/media?parent=321"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/categories?post=321"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/tags?post=321"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}