JETRING(7)                     jetring commands                     JETRING(7)

NAME

       jetring - maintenance of gpg keyrings using changesets

OVERVIEW

       jetring is a collection of tools that allow for gpg keyrings to be
       maintained using changesets. It was developed with the Debian keyring
       in mind, and aims to solve the problem that a gpg keyring is a binary
       blob that's hard for multiple people to collaboratively edit.

       With jetring, changesets can be submitted, reviewed to see exactly what
       they will do, applied, and used to build a keyring. The origin of every
       change made to the keyring is available for auditing, and gpg
       signatures can be used to further secure things.

OPERATION

       A jetring directory is used as the "source" that a keyring is built
       from. To convert an existing gpg keyring to such a directory, use the
       jetring-explode(1) command.

       Each change to the gpg keyring is stored in a separate changeset file
       in the directory. Changesets can reflect any set of changes to the
       keyring. Changesets can also include arbitrary metadata. The
       jetring-gen(1) command can be used to compare two keyrings and generate
       a changeset from one to the other.

       Changesets are never removed or modified, only new ones added, using
       the jetring-accept(1) command.

       There's an ordering of the changesets. This ordering is stored in an
       index file. The index file is only appended to, to add new changesets.

       Changesets can be fully examined to see what change they make before
       applying them. The jetring-review(1) and jetring-diff(1) commands can
       be used for such review.

       To create a new keyring, or incrementally update an existing keyring,
       changesets are applied in order using the jetring-build(1) command.

GPG SIGNATURES

       The index file can optionally be gpg signed (the signature will be
       stored in index.gpg); if JETRING_SIGN is set to point to a gpg keyring,
       then jetring commands that operate on the jetring directory will always
       check that the index file is signed with one of the keys from that
       keyring. Commands that modify the index file will update its signature.

CHANGESET FORMAT

       A changeset file consists of one or more stanzas, separated by blank
       lines. The stanzas are in RFC-822-like format. Each stanza must have
       an action field, which specifies which action to take on the keyring,
       and a data field, typically a multi-line field, which contains the data
       to feed to the action. Supported actions are:

       import The data field should be an ascii-armored gpg key block, which
              is fed into gpg --import.

       edit-key keyid
              gpg --edit-key is run on the specified key id. The data field is
              a script; each line in it is passed in to gpg, the same as if
              gpg were being driven interactively. This can be used to make
              arbitrary changes to the key.

       delete-key keyid
              The given key is deleted. The data is fed into gpg --delete-key,
              and should be "y", since gpg expects that confirmation when
              deleting a key.

       Other fields can be added as desired to hold metadata about the change.
       Typical additional fields include date, changed-by, and comment.

       Changesets can optionally have attached signatures, although such
       data is not automatically validated and is mostly useful to record who
       submitted or signed off on a given changeset.
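
       The changeset format described above, as an added example in Python
       (not code from jetring itself): it parses the stanzas, rejects any
       stanza lacking an action or data field or naming an unsupported
       action, and summarises the actions for review. The continuation-line
       and separator rules, case-insensitive field names and the sample
       changeset are assumptions; the page only calls the format RFC-822-like.

```python
# Added example, not part of jetring. Assumptions: continuation lines start with a
# space or tab, stanzas end at an empty line, field names are case-insensitive.
SUPPORTED = {"import": 0, "edit-key": 1, "delete-key": 1}  # action -> argument count

SAMPLE = """\
Comment: constructed sample, not a real changeset
Action: import
Data:
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  (constructed placeholder, no key material)
  -----END PGP PUBLIC KEY BLOCK-----

Action: delete-key 0x0123456789ABCDEF
Data: y
"""

def parse_changeset(text):
    """Split a changeset into stanzas: dicts of lower-cased field -> value."""
    stanzas, fields, name = [], {}, None
    for n, line in enumerate(text.splitlines() + [""], 1):
        if line == "":                        # empty line closes the stanza
            if fields:
                stanzas.append(fields)
            fields, name = {}, None
        elif line[0] in " \t":                # continuation of the previous field
            if name is None:
                raise ValueError(f"line {n}: continuation without a field")
            fields[name] = (fields[name] + "\n" + line.strip()).lstrip("\n")
        else:
            name, sep, value = line.partition(":")
            name = name.strip().lower()
            if not sep or name in fields:
                raise ValueError(f"line {n}: malformed or duplicate field")
            fields[name] = value.strip()
    return stanzas

def review(text):
    """Return (action, keyid or None, data line count) per stanza, or raise."""
    summary = []
    for i, st in enumerate(parse_changeset(text), 1):
        if "action" not in st or "data" not in st:
            raise ValueError(f"stanza {i}: action and data fields are required")
        action, *args = st["action"].split() or [""]
        if SUPPORTED.get(action) != len(args):
            raise ValueError(f"stanza {i}: unsupported action {st['action']!r}")
        summary.append((action, args[0] if args else None, len(st["data"].splitlines())))
    if not summary:
        raise ValueError("changeset has no stanzas")
    return summary
```

       Calling review(SAMPLE) returns one tuple per stanza, so an edit-key
       or delete-key stanza stands out before the changeset is accepted.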

AUTHOR

       Joey Hess, <joey@kitenet.net>.