keys/employees-keys/README.md: major redesign of the procedure

.codespellrc

@@ -0,0 +1,3 @@
+[codespell]
+exclude-file = .codespellx
+ignore-words-list = "fpr"

.codespellx

@@ -0,0 +1,2 @@
+for i in $(gpg --list-keys --with-colons | awk -F: '/^fpr/ {print $10}'|xargs);do
+new_kid=$(gpg --with-colons --list-key "${real_name}"|awk -F: '$1 == "fpr" {print $10;}'|head -1)

.conform.yaml

@@ -0,0 +1,16 @@
+---
+policies:
+  - type: commit
+    spec:
+      header:
+        length: 80
+        imperative: false
+        invalidLastCharacters: .
+      body:
+        required: false
+      dco: true
+      gpg:
+        required: true
+      spellcheck:
+        locale: US
+      maximumOfOneCommit: false

.markdownlint.yaml

@@ -0,0 +1,196 @@
+---
+# Documentation:
+# https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md
+
+# Default state for all rules
+default: false
+
+# MD001/heading-increment/header-increment - Heading levels should only increment by one level at a time
+MD001: true
+
+# MD002/first-heading-h1/first-header-h1 - First heading should be a top-level heading
+MD002:
+  # Heading level
+  level: 1
+
+# MD003/heading-style/header-style - Heading style
+
+MD003:
+  # Heading style
+  # # ATX style H1
+  style: "atx"
+
+# MD004/ul-style - Unordered list style
+MD004:
+  # List style
+  style: "sublist"
+
+# MD005/list-indent - Inconsistent indentation for list items at the same level
+MD005: true
+
+# MD006/ul-start-left - Consider starting bulleted lists at the beginning of the line
+MD006: true
+
+# MD007/ul-indent - Unordered list indentation
+MD007:
+  # Spaces for indent
+  indent: 4
+  # Whether to indent the first level of the list
+  start_indented: false
+
+# MD009/no-trailing-spaces - Trailing spaces
+MD009:
+  # Spaces for line break
+  br_spaces: 2
+  # Allow spaces for empty lines in list items
+  list_item_empty_lines: false
+  # Include unnecessary breaks
+  strict: false
+
+# MD010/no-hard-tabs - Hard tabs
+MD010:
+  # Include code blocks
+  code_blocks: false
+  # Number of spaces for each hard tab
+  spaces_per_tab: 1
+
+# MD011/no-reversed-links - Reversed link syntax
+MD011: true
+
+# MD012/no-multiple-blanks - Multiple consecutive blank lines
+MD012:
+  # Consecutive blank lines
+  maximum: 1
+# MD013/line-length - Line length
+#
+MD013:
+  # Number of characters
+  line_length: 80
+  # Number of characters for headings
+  heading_line_length: 80
+  # Number of characters for code blocks
+  code_block_line_length: 160
+  # Include code blocks
+  code_blocks: false
+  # Include tables
+  tables: false
+  # Include headings
+  headings: true
+  # Strict length checking (e.g. allow for longer URLs)
+  strict: false
+  # Stern length checking
+  stern: false
+
+# MD014/commands-show-output - Dollar signs used before commands without showing output
+# TODO: set false for now but we should consider enabling it
+# https://cirosantilli.com/markdown-style-guide#dollar-signs-in-shell-code
+MD014: true
+
+# MD018/no-missing-space-atx - No space after hash on atx style heading
+MD018: true
+
+# MD019/no-multiple-space-atx - Multiple spaces after hash on atx style heading
+MD019: true
+
+# MD022/blanks-around-headings/blanks-around-headers - Headings should be surrounded by blank lines
+MD022:
+  # Blank lines above heading
+  lines_above: 1
+  # Blank lines below heading
+  lines_below: 1
+
+# MD023/heading-start-left/header-start-left - Headings must start at the beginning of the line
+MD023: true
+
+# MD025/single-title/single-h1 - Multiple top-level headings in the same document
+# TODO: consider enabling it
+
+# MD026/no-trailing-punctuation - Trailing punctuation in heading
+MD026:
+  # Punctuation characters
+  punctuation: ".,;:!。，；：！"
+
+# MD027/no-multiple-space-blockquote - Multiple spaces after blockquote symbol
+MD027: true
+
+# MD028/no-blanks-blockquote - Blank line inside blockquote
+MD028: true
+
+# MD029/ol-prefix - Ordered list item prefix
+MD029:
+  # List style
+  style: "one_or_ordered"
+
+# MD030/list-marker-space - Spaces after list markers
+MD030:
+  # Spaces for single-line unordered list items
+  ul_single: 1
+  # Spaces for single-line ordered list items
+  ol_single: 1
+  # Spaces for multi-line unordered list items
+  ul_multi: 1
+  # Spaces for multi-line ordered list items
+  ol_multi: 1
+
+# MD031/blanks-around-fences - Fenced code blocks should be surrounded by blank lines
+MD031:
+  # Include list items
+  list_items: true
+
+# MD033/no-inline-html - Inline HTML
+MD033:
+  # Allowed elements
+  allowed_elements: ["br", "center", "img", "script", "form", "input"]
+
+# MD034/no-bare-urls - Bare URL used
+MD034: true
+
+# MD035/hr-style - Horizontal rule style
+MD035:
+  # Horizontal rule style
+  style: "---"
+
+# MD037/no-space-in-emphasis - Spaces inside emphasis markers
+MD037: true
+
+# MD038/no-space-in-code - Spaces inside code span elements
+MD038: true
+
+# MD039/no-space-in-links - Spaces inside link text
+MD039: true
+
+# MD040/fenced-code-language - Fenced code blocks should have a language specified
+MD040: true
+
+# MD041/first-line-heading/first-line-h1 - First line in a file should be a top-level heading
+MD041:
+  # Heading level
+  level: 1
+  # RegExp for matching title in front matter
+  front_matter_title: "^\\s*title\\s*[:=]"
+
+# MD042/no-empty-links - No empty links
+MD042: true
+
+# MD046/code-block-style - Code block style
+MD046:
+  # Block style
+  style: "fenced"
+
+# MD047/single-trailing-newline - Files should end with a single newline character
+MD047: true
+
+# MD048/code-fence-style - Code fence style
+MD048:
+  # Code fence style
+  style: "backtick"
+
+# MD049/emphasis-style - Emphasis style should be consistent
+MD049:
+  # Emphasis style should be consistent
+  style: "underscore"
+
+# MD050/strong-style - Strong style should be consistent
+MD050:
+  # Strong style should be consistent
+  style: "asterisk"

.pre-commit-config.yaml

@@ -0,0 +1,50 @@
+---
+default_stages: [pre-commit]
+
+default_install_hook_types: [pre-commit, commit-msg]
+
+ci:
+  autoupdate_commit_msg: 'pre-commit: autoupdate hooks'
+  autofix_prs: false
+  # docker is not supported on pre-commit.ci
+  skip: [shellcheck]
+
+exclude: ^canaries/.*$
+
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: check-symlinks
+      - id: detect-private-key
+        exclude: ^README.md$
+      - id: end-of-file-fixer
+      - id: trailing-whitespace
+      - id: mixed-line-ending
+
+  - repo: https://github.com/talos-systems/conform
+    rev: v0.1.0-alpha.27
+    hooks:
+      - id: conform
+        stages:
+          - commit-msg
+
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.2.6
+    hooks:
+      - id: codespell
+        exclude: ^.*\.(asc|sig).*$
+
+  - repo: https://github.com/igorshubovych/markdownlint-cli
+    rev: v0.37.0
+    hooks:
+      - id: markdownlint
+      - id: markdownlint-fix
+
+  - repo: https://github.com/koalaman/shellcheck-precommit
+    rev: v0.9.0
+    hooks:
+    -   id: shellcheck
+        args: ["--severity=warning"]

README.md

@@ -1,33 +1,34 @@
-3mdeb Security Pack
-===================
+# 3mdeb Security Pack
 
-This git repository was inspired  by [Qubes Security Pack](https://github.com/QubesOS/qubes-secpack) and is a central place for all security-related information
-about the 3mdeb projects. It includes the following:
+This git repository was inspired  by the
+[Qubes Security Pack](https://github.com/QubesOS/qubes-secpack) and is a central
+place for all security-related information about the 3mdeb projects. It includes
+the following:
 
- * 3mdeb customers PGP keys (`customer-keys/`) - keys managed by 3mdeb on
+* 3mdeb customers PGP keys (`customer-keys/`) - keys managed by 3mdeb on
    behalf of our customers, typically we use those keys for binaries signing
- * Dasharo keys (`dasharo/`) - Dasharo Master Key used to sign Dasharo keys
+* Dasharo keys (`dasharo/`) - Dasharo Master Key used to sign Dasharo keys
    related to market segments (Secure Firewall, Workstation), as well as
    Dasharo market segment firmware release signing keys, to read more about
    Dasharo visit [website](https://dasharo.com/) and
    [documentation](https://docs.dasharo.com/)
- * 3mdeb PGP keys (`keys/`)
-   - `employees-keys` -  3mdeb employees keys signed according to org chart,
+* 3mdeb PGP keys (`keys/`)
+    - `employees-keys` -  3mdeb employees keys signed according to org chart,
      chain of signatures end with `owner-key` signature
-   - `master-key` - 3mdeb Master Key signs all keys dedicated to given purpose
+    - `master-key` - 3mdeb Master Key signs all keys dedicated to given purpose
      e.g. Open Source Software Release Signing Key, Open Source Firmware
      Release Signing Key and others
-   - `owner-key` - 3mdeb Owner Key
- * 3mdeb Open Source Firmware Master Key (`open-source-firmware/`) - key used
+    - `owner-key` - 3mdeb Owner Key
+* 3mdeb Open Source Firmware Master Key (`open-source-firmware/`) - key used
    to sign firmware releases produced by 3mdeb
- * 3mdeb Open Source Software Master Key (`open-source-software/`) - key used
+* 3mdeb Open Source Software Master Key (`open-source-software/`) - key used
    to sign software releases produced by 3mdeb
- * Supporting scripts (`scripts/`)
+* Supporting scripts (`scripts/`)
 
 The files contained in this repository can be verified in two ways:
 
- * By verifying the git commit tags (`git tag -v`)
- * By verifying the detached PGP signatures, which are provided for the majority
+* By verifying the git commit tags (`git tag -v`)
+* By verifying the detached PGP signatures, which are provided for the majority
    of files included here
 
 All the keys used by the 3mdeb projects, including the keys used to sign files
@@ -39,41 +40,9 @@ obtain the key fingerprint via some other channel, as you can be sure
 that if you were getting a falsified 3mdeb Security Pack it would contain a
 falsified owner key as well.
 
-# git-secrets setup
-
-Below configuration would prevent you from accidentaly commiting private keys
-into the repository.
-
-* Install [git-secrets](https://github.com/awslabs/git-secrets) via one of the
-  supported installation options
-
-* Add pre-commit hooks to this repo:
-
-```
-$ git secrets --install
-$ git secrets --add 'PRIVATE[[:space:]]KEY'
-```
-
-* Trying to commit private key would result in following message:
-
-```
-FILE_NAME:1:-----BEGIN PGP PRIVATE KEY BLOCK-----
-FILE_NAME:118:-----END PGP PRIVATE KEY BLOCK-----
-
-[ERROR] Matched one or more prohibited patterns
-
-Possible mitigations:
-- Mark false positives as allowed using: git config --add secrets.allowed ...
-- Mark false positives as allowed by adding regular expressions to .gitallowed at repository's root directory
-- List your configured patterns: git config --get-all secrets.patterns
-- List your configured allowed patterns: git config --get-all secrets.allowed
-- List your configured allowed patterns in .gitallowed at repository's root directory
-- Use --no-verify if this is a one-time false positive
-```
-
 # Adding new Master Key
 
-```
+```shell
 user@vault ~ % gpg --expert --full-gen-key --allow-freeform-uid
 gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
 This is free software: you are free to change and redistribute it.
@@ -109,8 +78,8 @@ Is this correct? (y/N) y
 GnuPG needs to construct a user ID to identify your key.
 
 Real name: 3mdeb Dasharo Master Key
-Email address: 
-Comment: 
+Email address:
+Comment:
 You selected this USER-ID:
     "3mdeb Dasharo Master Key"