Gecko [ fernandoquevedodop.com ]

Name	Size	Permission
pubring.gpg	7.01 KB	-rw-r--r--
random_seed	600 B	-rw-r--r--
secring.gpg	0 B	-rw-r--r--
tl-key-extension.txt	1.62 KB	-rw-r--r--
trustdb.gpg	1.25 KB	-rw-r--r--

Code Editor : tl-key-extension.txt

$Id: tl-key-extension.txt 55147 2020-05-15 14:58:16Z karl $
(Public domain.)

How to update TeX Live distribution signing key
===============================================

This must be done every year! It's not optional.

shut down networking service

cp gpg directory from USB stick to computer

export GNUPGHOME=...<COPY OF USBSTICK gpg directory>
export KEYID=0xC78B82D8C79512F79CC0D7C80D5E5D9106BAB6BC
gpg --edit-key $KEYID
> key 2
	# selects the expiring key, check!
> expire
> 16m
	# choose something after the release of the next TL
> save

# export public key for import into svn and TUG account
gpg -a --export $KEYID > texlive.asc

# update USB drive with new stuff, remove from home,

rm -rf $GNUPGHOME
unset GNUPGHOME

gpg --send-keys $KEYID

# update TeX Live repository
export GNUPGHOME=/path/to/texlive-svn/Master/tlpkg/gpg
# use gpg version 1 here!!!
gpg1 --import texlive.asc

svn/git commit

# on the TUG server (needs the exported public key in
# texlive.asc, see above how to export it)
gpg --homedir ~texlive/.gnupg --import texlive.asc

# can view that .asc with:
gpg --show-keyring texlive.asc

# update web-accessible public key, keeping old files but updating symlink:
cp texlive.asc ~www/texlive/files/texlive`date +%Y`.asc
ln -s texlive`date +%Y`.asc ~www/texlive/files/texlive.asc

More info: 
. we use tlpkg/bin/tl-sign-file to sign texlive.tlpdb.sha512.
. gpg --verify --verbose foo.asc for info on signature file.
. but exit status is zero even with expired keys; to check,
  use --status-file and inspect:
gpg --verify --verbose --status-file=/tmp/st foo.asc
. see tl-sign-file or TLCrypto.pm for full implementation.

${this.title}

Code Editor : tl-key-extension.txt