igtf/trustanchors-pki

Interoperable Global Trust Federation - PKIX distribution source (IGTF Trust Anchors)

This is the source (unfiltered) of the EUGridPMA build of the trust anchor distribution (in its PKIX rendering) for the Interoperable Global Trust Federation IGTF.

** WARNING ** This distribution source itself MUST NOT (really, RFC2119 "MUST NOT"!) be used as a trust anchor set, since the build process takes into account the accredited status (in each trust anchor meta-data file), the structure of the IGTF, as well as the current validity of the root and intermediate certificates, the CRL status, and the accreditation/peer review status.
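To make the warning concrete, here is an added example (not the project's own build code) of the kind of filtering a build step performs on each trust anchor before it may enter a release: the entry is kept only if its metadata file marks it as accredited and the certificate file's SHA-1 fingerprint matches the one recorded in the metadata. The "key = value" metadata layout, the key names (alias, status, sha1fp.0) and the sample data are assumptions constructed for this example; the validity and CRL checks mentioned above are not shown.

```python
"""Trust-anchor selection check: accredited status plus fingerprint match.
Added example with an assumed metadata format; not the project's build tool."""
import base64
import hashlib
import re

def parse_info(text):
    """Parse 'key = value' lines of a per-CA metadata (.info) file (assumed layout)."""
    meta = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        meta[key.strip()] = value.strip()
    return meta

def pem_sha1_fingerprint(pem):
    """SHA-1 over the DER bytes of the first PEM block, rendered as AA:BB:...:ZZ."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode("".join(m.group(1).split()))
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def select_trust_anchor(meta, pem):
    """Return (accepted, reason); anything not accredited or not matching is rejected."""
    status = meta.get("status", "")
    if not status.startswith("accredited:"):
        return False, "status is '%s', not accredited" % (status or "missing")
    expected = meta.get("sha1fp.0")
    if not expected:
        return False, "metadata lacks sha1fp.0"
    actual = pem_sha1_fingerprint(pem)
    if actual != expected.upper():
        return False, "fingerprint mismatch: metadata %s, file %s" % (expected, actual)
    return True, "%s accepted (%s)" % (meta.get("alias", "?"), status)

# Constructed sample data: the "DER" is just the bytes b"abc", not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_INFO = """# constructed metadata, not from the distribution
alias = Example-CA
status = accredited:classic
sha1fp.0 = A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D
"""

if __name__ == "__main__":
    print(select_trust_anchor(parse_info(SAMPLE_INFO), SAMPLE_PEM))
```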

The approved source of IGTF PKIX trust anchors is at:

as well as at several distribution sites of our major relying parties. Releases are usually done on the last Monday of the month, but only when the trust anchor distribution has materially been updated.

Official distributions are signed

All official IGTF releases are signed with the EUGridPMA GPG signing key. There are two current GPG keys:

Current production releases are (still) signed with Key #3, a 1024-bit DSA key. In future releases we will move to a new RSA-2048 GPG package signing key. The new public key file, GPG-KEY-EUGridPMA-RPM-4, is distributed with all current official releases. You can retrieve the new public key file from https://dl.igtf.net/distribution/GPG-KEY-EUGridPMA-RPM-4

Use in coordinated-deployment infrastructures

If you are part of a coordinated-deployment infrastructure (e.g. a national or regional e-Infrastructure, EGI, OSG, PRACE-RI, NAREGI or others) you may want to await their announcement before installing the release. They could include localised adaptations. For reference we include the links below:

Not all IGTF releases are necessarily accompanied by infrastructure-specific releases. If changes in the IGTF distribution do not materially impact the distribution of the relying party, no associated release may be done, nor is there a reason to update such a distribution.

Supplementary download locations

The download repository is also mirrored by the EUGridPMA at https://dist.eugridpma.info/distribution/igtf/ and the trust anchors are also available from the Debian distribution system for its supported versions, e.g. https://packages.debian.org/stable/igtf-policy-classic. The Debian native version supports debconf selection, which the IGTF-distributed versions do not offer by default.

Building the distribution

  1. Checkout or clone this repository
  2. Install the dependencies. The build tools expect an RPM-based platform (and mimic Debian packaging by calling the underlying tools explicitly). You will need at least perl, perl-DateTime, openssl, ar, tar, gpg, rpmbuild, rpm-sign, and createrepo_c. On EL9-like systems: run /usr/bin/crb enable, then dnf install epel-release gnupg2 perl git createrepo_c rpm-build rpm-sign pinentry pinentry-tty, and if needed set export GPG_TTY=$(tty) for the build user.
  3. When building for legacy systems on an EL9+-like system, use an appropriate crypto-policy file (/etc/crypto-policies/policies/GPGCOMPAT.pol).
  4. When desired, create or select your own PGP key, say with key id 12345678
  5. Check whether the buildtools/VERSION file has your desired content
  6. Build the distribution!
cd buildtools/
./cabuild4.pl --version=AUTO -s -f -o ~/1.123-GPSK12345678 --mkdeb -K 12345678
rsync -e ssh -av --delete ~/1.123-GPSK* [email protected]:/var/www/html/myown-distribution/releases/

License

CC BY-SA 4.0

This work is licensed under a Creative Commons Attribution 4.0 International License.