Please reassign PGP key 193589F7 from ~maxb to ~maxb-autobuild

Asked by Max Bowsher

Please reassign PGP key 193589F7 <http://keyserver.ubuntu.com:11371/pks/lookup?search=0x8D419BAB5B21282D1986F2EF99489DBA193589F7&op=index> from launchpad user ~maxb to launchpad user ~maxb-autobuild.

Motivation/rationale for this is that this key is one that is kept without a passphrase (on a private box, obviously) in order to perform nightly build uploads to PPAs. I created the separate key deliberately to partition this use from my main PGP key - but at the time, I failed to recognize that I should also partition my Launchpad identity.

I have now created the new ~maxb-autobuild user in order to do this, but as LP provides no option to *delete* the second key from my primary account, only to deactivate it, I infer that I then would not be able to re-add it to the second account.

I recognize that I could deactivate the key and create a new one, but I would prefer to avoid the cruft of an unused key on the PGP keyserver network.

Thanks!

This was initially discussed on #launchpad - http://irclogs.ubuntu.com/2009/06/01/%23launchpad.txt beginning at 19:20

Question information

Language: English
Status: Solved
For: Launchpad itself
Assignee: [LEGACY] Canonical WebOps
Solved by: Julian Edwards
Whiteboard: sinzui included the SQL to do this operation. I do not think we have ever done this before.

Max Bowsher (maxb) said :
#1

In case it is required for authenticating the request, here is a comment from me logged in as the second user, confirming the above.

Max Bowsher (maxb) said :
#2

Commenting again to get the question back out of "Needs Info" state after commenting on it from the secondary account.

Brad Crittenden (bac) said :
#3

Deactivating a key in LP merely removes its association to your account. It is not removed from the keyservers nor is it revoked.

You can deactivate from one account and then reassign it to the other.

Brad Crittenden (bac) said :
#4

Hi Max,

Please disregard my previous answer as it is flawed. When you deactivate the key in LP it remains in the DB but is marked as deactivated yet is still associated with the original account. Therefore you would be prevented from claiming it from the second account.

I'm pretty sure you will need to revoke that key and create a new one. I'm assigning this question to cprov though, to get his opinion.

Max Bowsher (maxb) said :
#5

Thanks, though note that cprov has already discussed this with me on IRC and directed me to file a question. Here is an edited transcript of the conversation.

[19:20] <maxb> Is it possible to completely delete a PGP key from one LP account so that I can re-import it into another?
[19:21] <cprov> maxb: not sure I follow.
[19:22] <maxb> cprov: I want to delete the passphraseless key that I use for letting cron upload nightly builds to PPAs from my main account and add it to a restricted LP account
[19:22] <maxb> I realize I could just deactivate it and create a third key
[19:23] <cprov> maxb: oh, I see what you mean now. Yes, deactivating the old-key and creating a new one seems sane.
[19:23] <cprov> maxb: we don't reassign gpg keys in LP
[19:23] <maxb> But I want to avoid cruft in the keyservers :-P
[19:24] <cprov> maxb: got me!
[19:24] <cprov> maxb: do you think it would be legitimate to reassign them ?
[19:24] <maxb> Well, only in the case of one person owning two LP accounts
[19:25] <cprov> maxb: what about the email addresses involved ?
[19:25] <maxb> I own both of the email addresses, and have already moved one of those to the other account
[19:27] <cprov> maxb: could this problem be solved by merging the existing account ?
[19:28] <maxb> cprov: No - the whole idea is that I'm trying to split off permissions to upload to a specific team's PPAs from the rest of my LP account
[19:28] <cprov> maxb: uhm, interesting.
[19:29] <maxb> Surely it's not *that* interesting? There must be other people doing automated nightly builds in PPAs?
[19:30] <cprov> maxb: yes, mozilla, bzr ...
[19:30] <maxb> So, I correctly realized that it would be stupid to give a cron script access to my main GPG key, and created another one
[19:31] <maxb> Problem is I failed to realize that I should not be giving the cron script access to my entire LP identity (in an ideal world)
[19:31] <maxb> And that latter one is the issue I'm trying to correct
[19:32] <cprov> maxb: right, now you want to transfer one of *your* keys to this new robot account.
[19:32] <maxb> Yes
[19:33] <cprov> something like a "split-account" procedure
[19:33] <maxb> Well, perhaps. The only thing that needs splitting is the GPG key
[19:34] <maxb> Does LP have any other account attributes that the user can't outright delete?
[19:34] <cprov> maxb: okay, I'm under the impression it would be okay to reassign a gpg-key on these terms. Can you please file a question on launchpad ?
[19:35] <maxb> sure, on /launchpad or on /soyuz?
[19:35] <cprov> maxb: keys and emails are not deleted, they remain 'deactivated'
[19:35] <cprov> maxb: it sounds like a general launchpad question
[19:36] <maxb> I was able to delete the email from ~maxb and then sign up for a new account using that email
[19:36] <cprov> although, the motivation is clearly soyuz upload ACLs.
[19:37] <cprov> maxb: oops, I guess my assumption is wrong, then.
[19:37] <cprov> maxb: OTOH, this is good, if you can delete an email address and re-create it, you surely should be able to do the same with gpg keys.
[19:39] <cprov> maxb: let's talk to the registry gurus, they will provide a solution :)
[19:45] <maxb> ok, question filed, I'll see what response I get on it
[19:45] <maxb> thanks
[19:52] <cprov> maxb: thank you.

Curtis Hovey (sinzui) said :
#6

Only an admin has god-like access to launchpad.

DELETE
FROM GpgKey
WHERE keyid = '193589F7'

Max Bowsher (maxb) said :
#7

OK, do I need to do anything to attract a LOSA's attention, or just wait?

Steve McInerney (spm) said :
#8

Max, sorry bout that, the question needs to be left in an Open State. Any "answered" state will typically have us consider the question .. well... answered. :-/

In any event, attempting to delete the key is failing with a foreign key violation. So will need to get more detailed instructions on this.

Cheers!
- Steve

Steve McInerney (spm) said :
#9

still open

Max Bowsher (maxb) said :
#10

I don't necessarily need the key deleted outright. I'm happy for it simply to be relinked from one user to the other - which might be less likely to run into foreign key violations?

Stuart Bishop (stub) said :
#11

There are a heap of PackageUpload and SourcepackageRelease records tied to this GPG key. I could just change the GPGKey owner, but I don't know what the fallout would be.

Soyuz team will be the people who can answer if changing the owner is safe to do, or will make the package archives explode.

Max Bowsher (maxb) said :
#12

OK... I changed the project to Soyuz. Soyuz team, what do you say?

Julian Edwards (julian-edwards) said :
#13

As far as Soyuz goes, it would just effectively re-assign the person who made the uploads. If that's desirable then I don't see any problem with re-assigning the gpg key. We should probably try this in staging first though, to see if anything blows up!

Max Bowsher (maxb) said :
#14

*bump out of 'Needs Info' status*

OK, what happens next? :-)

Julian Edwards (julian-edwards) said :
#15

LOSAs, please run this SQL:

update gpgkey set owner=person.id from person where fingerprint = '8D419BAB5B21282D1986F2EF99489DBA193589F7' and person.name='maxb-autobuild';

I've tested this on dogfood and it looks OK.
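
The failed DELETE reported in comment #8 and the owner reassignment from comment #15, reproduced as an added example (not part of the original thread, and not Launchpad's code) against a constructed, simplified SQLite schema. The `signing_key` column, the row ids and the `reassign` helper are assumptions, and the UPDATE uses a subquery instead of PostgreSQL's `UPDATE ... FROM`.

```python
import sqlite3

FPR = "8D419BAB5B21282D1986F2EF99489DBA193589F7"  # fingerprint quoted in the thread

def build_db():
    # Constructed schema: table and column names from the thread where given;
    # packageupload.signing_key and all row ids are hypothetical.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript("""
        CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
        CREATE TABLE gpgkey (id INTEGER PRIMARY KEY, keyid TEXT,
            fingerprint TEXT UNIQUE, owner INTEGER REFERENCES person(id));
        CREATE TABLE packageupload (id INTEGER PRIMARY KEY,
            signing_key INTEGER REFERENCES gpgkey(id));
        INSERT INTO person VALUES (1, 'maxb'), (2, 'maxb-autobuild');
        INSERT INTO gpgkey VALUES (10, '193589F7', '%s', 1);
        INSERT INTO packageupload VALUES (100, 10), (101, 10);
    """ % FPR)
    return db

def try_delete(db):
    """The DELETE from comment #6: rejected while uploads still reference the key."""
    try:
        db.execute("DELETE FROM gpgkey WHERE keyid = '193589F7'")
        return "deleted"
    except sqlite3.IntegrityError:
        return "foreign key violation"

def reassign(db, fingerprint, new_owner):
    """Change the owner in one transaction; roll back unless exactly one row moved."""
    db.execute("BEGIN")
    cur = db.execute(
        "UPDATE gpgkey SET owner = (SELECT id FROM person WHERE name = ?) "
        "WHERE fingerprint = ? AND EXISTS (SELECT 1 FROM person WHERE name = ?)",
        (new_owner, fingerprint, new_owner))
    if cur.rowcount != 1:  # unknown user or unknown key: change nothing
        db.execute("ROLLBACK")
        return False
    db.execute("COMMIT")
    return True

def owner_and_uploads(db, fingerprint):
    """Return (owner name, number of upload records still linked to the key)."""
    return db.execute(
        "SELECT p.name, COUNT(u.id) FROM gpgkey k JOIN person p ON p.id = k.owner "
        "LEFT JOIN packageupload u ON u.signing_key = k.id "
        "WHERE k.fingerprint = ? GROUP BY p.name", (fingerprint,)).fetchone()
```

Calling `owner_and_uploads` before and after `reassign` shows the upload records staying attached to the key while only the owning account changes.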

Max Bowsher (maxb) said :
#16

*bump out of 'Needs Info' status*

Herb McNew (herb) said :
#17

Julian,

This has been done.

Best Julian Edwards (julian-edwards) said :
#18

Max, let me know if it worked ok.

Max Bowsher (maxb) said :
#19

Thanks Julian Edwards, that solved my question.

Max Bowsher (maxb) said :
#20

Thanks to everyone involved, everything looks good, including uploading new builds.