$Id: tl-key-extension.txt 64337 2022-09-11 00:37:43Z preining $
(Public domain.)

How to update TeX Live distribution signing key
===============================================

This must be done every year! It's not optional.

shut down networking service

cp gpg directory from USB stick to computer

export GNUPGHOME=...<COPY OF USBSTICK gpg directory>
export KEYID=0xC78B82D8C79512F79CC0D7C80D5E5D9106BAB6BC
gpg --edit-key $KEYID
> key 2
	# selects the expiring key, check!
> expire
> 16m
	# choose something after the release of the next TL
> save

# export public key for import into svn and TUG account
gpg -a --export $KEYID > texlive.asc

# update USB drive with new stuff, remove from home,

rm -rf $GNUPGHOME
unset GNUPGHOME

# send keys
# make sure that .gnupg/dirmngr.conf does NOT contain hkp-cacert lines!!!

# keys.openpgp.org
gpg --export $KEYID |  curl -T - https://keys.openpgp.org
# this will give an URL to associate key with email, visit it!

# ubuntu key server
gpg --send-key --keyserver hkp://keyserver.ubuntu.com:80 $KEYID



# update TeX Live repository
export GNUPGHOME=/home/texlive/Master/tlpkg/gpg # wherever svn checkout
# use gpg version 1 here!!!
gpg1 --import texlive.asc

svn commit


# on the TUG server (needs the exported public key in
# texlive.asc, see above how to export it)
gpg --homedir /home/texlive/.gnupg --import texlive.asc

# can view that .asc with:
gpg --homedir /home/texlive/.gnupg texlive.asc

# update web-accessible public key, keeping old files but updating symlink:
cp texlive.asc ~www/texlive/files/texlive`date +%Y`.asc
ln -s texlive`date +%Y`.asc ~www/texlive/files/texlive.asc

More info: 
. tlgpg runs a gpg command with the above TL .gnupg directory, etc.

. tl-sign-file (uses tlgpg) is used to sign texlive.tlpdb.sha512.

. tlgpg-verify foo[.asc] will check for expired key, per below.
  tl-sign-file uses this to make sure it is not signing with an expired key.

. (tl)gpg foo.asc will sometimes report expiration info.

. given files updated in Master/tlpkg/gpg, can export into asc:
gpg --homedir ..../Master/tlpkg/gpg --export -a 0x0D5E5D9106BAB6BC >tl.asc

. gpg --verify --verbose foo.asc reports some info.

. but exit status is zero even with expired keys; to check,
  use --status-file and inspect:
gpg --verify --verbose --status-file=/tmp/st foo.asc

. see tlgpg, tl-sign-file, TLCrypto.pm for full implementation.