From 497d2af76200d40fdb964091c73b9ff9fd7b631e Mon Sep 17 00:00:00 2001
From: Silvio Rhatto <rhatto@riseup.net>
Date: Fri, 15 Jun 2018 20:53:24 -0300
Subject: Updates source checking instructions

---
 .devscripts |  1 +
 .gitignore  |  2 +-
 Makefile    | 14 ++++++++++----
 checking.md | 50 +++++++++++++++++++++++++++-----------------------
 4 files changed, 39 insertions(+), 28 deletions(-)
 create mode 100644 .devscripts

diff --git a/.devscripts b/.devscripts
new file mode 100644
index 0000000..d095dac
--- /dev/null
+++ b/.devscripts
@@ -0,0 +1 @@
+DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg:~/keyrings/debian-keyring.gpg:~/keyrings/debian-maintainers.gpg"
diff --git a/.gitignore b/.gitignore
index 3c24c59..929d984 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,4 +7,4 @@ tmp
 /www
 build-area
 puppet/modules
-keyrings
+keyring
diff --git a/Makefile b/Makefile
index 8da8402..458ab42 100644
--- a/Makefile
+++ b/Makefile
@@ -22,8 +22,14 @@ web:
 web_deploy:
 	@rsync -avz --delete --exclude=keyring www/ debian:/var/sites/debian/www/
 
-keyring:
-	@rsync -az --progress keyring.debian.org::keyrings/ keyrings/
-	@gpg --verify keyrings/sha512sums.txt
-
 publish: web web_deploy
+
+keyring:
+	@rsync -az --progress keyring.debian.org::keyrings/ keyring/
+	@gpg --verify keyring/sha512sums.txt
+	@cd keyring > /dev/null && sha512sum -c sha512sums.txt
+	@cd keyring > /dev/null && chmod 700 keyrings && ln -sf keyrings .gnupg #&& cd .gnupg && ln -sf debian-keyring.gpg trustedkeys.gpg
+	@cp .devscripts keyring/
+	@gpg --no-default-keyring --keyring keyring/keyrings/debian-keyring.gpg     --export | HOME=keyring/ gpg --import
+	@gpg --no-default-keyring --keyring keyring/keyrings/debian-maintainers.gpg --export | HOME=keyring/ gpg --import
+	@cd keyring/.gnupg && ln -sf pubring.kbx trustedkeys.kbx
diff --git a/checking.md b/checking.md
index f99fa1d..c30a27d 100644
--- a/checking.md
+++ b/checking.md
@@ -28,24 +28,24 @@ yet but can reduce a lot of complexity that follows.
 ### Install manually debian-keyring somewhere
 
 If not, you might try to have a newer copy of the `debian-keyring` somewhere. We already provide one in the
-form of git://anonscm.debian.org/keyring/keyring.git available as a git submodule in the `keyring` folder:
+a way for you to get the keyring directly from https://keyring.debian.org:
 
-    gpg --no-default-keyring --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg --verify *.dsc
+    make keyring
+
+We use `--no-default-keyring` to make sure `gpg` just looks for the key in the `debian-maintainers` keyring:
+
+    gpg --no-default-keyring --keyring /path/to/debian/keyring/keyrings/debian-keyring.gpg --verify *.dsc
 
 You might also want to have the following on your `~/.devscripts` (line break just to keep formatting here):
 
     DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg:
-                        /path/to/debian/keyring/output/keyrings/debian-keyring.gpg"
+                        /path/to/debian/keyring/keyrings/debian-keyring.gpg:/path/to/debian/keyring/keyrings/debian-maintainers.gpg"
 
 Or you can use the following alias:
 
-    alias dscverify='dscverify --keyring /path/to/debian/keyring/output/keyrings/debian-keyring.gpg'
-
-This assumes that you initialized the `keyring` submodule and compiled the keyrings:
+    alias dscverify='dscverify --keyring /path/to/debian/keyring/keyrings/debian-keyring.gpg --keyring /path/to/debian/keyring/keyrings/debian-maintainers.gpg'
 
-    ( cd keyring && make )
-
-We use `--no-default-keyring` to make sure `gpg` just looks for the key in the `debian-maintainers` keyring.
+### Manually getting the key
 
 Another option is to get the specific key:
 
@@ -55,9 +55,13 @@ Either way, you have to have a criteria about how much trust you should give to
 you just downloaded. The same goes for software you're porting to Debian and that you can't actually check
 it's signature against `debian-keyring`.
 
-Things get even trickier when you try to use `dpkg-source`.
+### Issues with dpkg-source
+
+Things get even trickier when you try to use `dpkg-source`. See [Debian Bug report logs - #852019 gpgv: unknown
+type of key resource 'trustedkeys.kbx'](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852019)
+for details.
 
-Even if you symlink `keyring/output/keyrings/debian-keyring.gpg` as `keyring/output/keyrings/debian-keyring.gpg/trustedkeys.gpg`
+Even if you symlink `keyring/keyrings/debian-keyring.gpg` as `keyring/keyrings/trustedkeys.gpg`
 and point `GNUPGHOME` to this folder you'll still get a weird behavior:
 
     0 $ dget http://ftp.de.debian.org/debian/pool/main/r/ruby-childprocess/ruby-childprocess_0.5.2-1.dsc
@@ -95,33 +99,33 @@ you don't really want to fill with keys you actually haven't stablished a proper
 As currently `dpkg-source` doesn't honour `GNUPGHOME` (see TODO for bugreport), all we can do currently is call `dget`
 and `dpkg-source` with
 
-    HOME=/path/to/debian/keyring/output/ dpkg-source -x $package*dsc
-    HOME=/path/to/debian/keyring/output/ dget <remote-dsc>
+    HOME=/path/to/debian/keyring/ dpkg-source -x $package*dsc
+    HOME=/path/to/debian/keyring/ dget <remote-dsc>
 
-For this trick to work, you'll need to
+For this trick to work, you'll need to run `make keyring` or manually run this:
 
-    ( cd /path/to/debian/keyring/output/ && ln -s keyrings .gnupg && cd .gnupg && ln -s debian-keyring.gpg trustedkeys.gpg )
+    ( cd /path/to/debian/keyring/ && chmod 700 keyrings && ln -sf keyrings .gnupg && cd .gnupg && ln -sf debian-keyring.gpg trustedkeys.gpg )
 
-And also set the `/path/to/debian/keyring/output/.devscripts` to the following content:
+If you're doing manually, make sure to add into `/path/to/debian/keyring/.devscripts` the following content:
 
     DSCVERIFY_KEYRINGS="/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-maintainers.gpg:
-                        ~/keyrings/debian-keyring.gpg"
+                        ~/keyrings/debian-keyring.gpg:~/keyrings/debian-maintainers.gpg"
 
-Again, you might set two handy aliases:
+Again, you might set two handy aliases for your shell:
 
-    alias dpkg-source='HOME=/path/to/debian/keyring/output/ dpkg-source'
-    alias dget='HOME=/path/to/debian/keyring/output/ dget'
+    alias dpkg-source='HOME=/path/to/debian/keyring/keyrings/ dpkg-source'
+    alias dget='HOME=/path/to/debian/keyring/keyrings/ dget'
 
-As a last touch, import your own key into this keyring:
+Optionally, as a last touch, import your own key into this keyring:
 
     gpg --armor --export $KEYID | \
-    gpg --no-default-keyring --keyring /path/to/debian/keyring/output/.gnupg/trustedkeys.gpg --import
+    gpg --no-default-keyring --keyring /path/to/debian/keyring/keyrings/.gnupg/trustedkeys.gpg --import
 
 Then you might be happy... for a while :P
 
 See also:
 
 * `dscverify(1)` manpage.
-* [Debian Public Key Server](http://keyring.debian.org/).
+* [Debian Public Key Server](http://keyring.debian.org/) and it's [workflow](https://keyring.debian.org/keyring-workflow.html).
 * [apt get - How to get apt-get source verification working? - Super User](https://superuser.com/questions/626810/how-to-get-apt-get-source-verification-working).
 * [Debian. How can I securely get debian-archive-keyring, so that I can do an apt-get update? NO_PUBKEY - Server Fault](http://serverfault.com/questions/337278/debian-how-can-i-securely-get-debian-archive-keyring-so-that-i-can-do-an-apt-g/337283#337283).
-- 
cgit v1.2.3