author: Joey Hess <joeyh@joeyh.name> 2017-05-20 17:09:28 -0400
committer: Joey Hess <joeyh@joeyh.name> 2017-05-20 17:21:08 -0400
commit: 73a310ce49c91f0884d05a8d2cd8c96c3c5447d3 (patch)
tree: 1d7489b13e5ae950a849508857111966e538625e /doc
parent: 34b0151e125a6698f57ea476ccfa922c6275edf1 (diff)
download: debug-me-73a310ce49c91f0884d05a8d2cd8c96c3c5447d3.tar.gz
developer keyring verification
* gpg keyrings in /usr/share/debug-me/ will be checked to see if a connecting person is a known developer of software installed on the system, and so implicitly trusted already. Software packages/projects can install keyrings to that location. (Thanks to Sean Whitton for the idea.)
* make install will install /usr/share/debug-me/debug-me_developer.gpg, which contains the key of Joey Hess. (stack and cabal installs don't include this file because they typically don't install system-wide)
* debug-me.cabal: Added dependency on time.

This commit was sponsored by Francois Marier on Patreon.
Diffstat (limited to 'doc')
-rw-r--r-- doc/faq.mdwn 40
-rw-r--r-- doc/index.mdwn 10
-rw-r--r-- doc/todo/use_distribution_keyrings.mdwn 3
-rw-r--r-- doc/todo/use_distribution_keyrings/comment_2_43e012511d2fc39d78789541482928b7._comment 9
4 files changed, 48 insertions, 14 deletions
diff --git a/doc/faq.mdwn b/doc/faq.mdwn
index c9b46ea..6884ec0 100644
--- a/doc/faq.mdwn
+++ b/doc/faq.mdwn
@@ -6,20 +6,28 @@
#### Should I let John Doe connect to my debug-me session? I don't know that guy.
-When a developer connects to your debug-me session, it will display
-their GnuPG key, and the number of people who have signed it. It will
-also list the names of some of those people (the best connected ones).
-
-If the developer of software you use is connecting to debug-me,
-their software documentation might say what their GnuPG key is. Then you
-can simply check that the GnuPG key ids match.
+When a developer connects to your debug-me session, debug-me will display
+their GnuPG key, and information about it, including
+the number of people who have signed it. It will also list the names
+of some of those people (the best connected ones).
+
+Suppose you're using Debian, and debug-me says "John Doe is a Debian
+developer". Then it's probably safe to let this person connect,
+because you already trust this guy implicitly, since you're using software
+he develops.
+
+How does debug-me know that John Doe is a Debian developer? It's checked
+that his gpg key is in the keyring at
+`/usr/share/debug-me/keyring/a_Debian_developer.gpg`, which is provided by
+Debian. Other software projects that are installed on your computer can
+also put keyrings in that directory, and then debug-me will be able to
+tell then a developer of a project is connecting.
If debug-me says that "John Doe is probably a real person", it means
that he's connected to the strong set of the GnuPG web of trust.
Other people, who certianly are real, have verified his identity.
-So even if you don't know his name, it can be safe to let him connect.
-
-But it's a gut call. If in doubt, don't let the developer connect.
+So even if you don't know his name, it can be safe to let him connect,
+but if in doubt, don't let him.
If debug-me says "identity cannot be verified!", it means that the GnuPG
key couldn't be downloaded at all, or the developer is not connected to the
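Review bot: The keyring location in the added "How does debug-me know" paragraph, `/usr/share/debug-me/keyring/a_Debian_developer.gpg`, does not match the commit message, which says keyrings in /usr/share/debug-me/ are checked and that make install places debug-me_developer.gpg directly there. One of the two should be corrected so packagers and users know which directory is actually read. In the same paragraph, "tell then a developer of a project is connecting" should read "tell when". Because the paragraph invites any installed project to add keyrings to that directory, it would also be worth one sentence saying that the "is a Debian developer" label is only as trustworthy as whatever installed the keyring file, so users know what the claim rests on.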
@@ -67,6 +75,18 @@ Here's a quick checklist:
* Include your GnuPG key id in your project's documentation, so users
will know which key is yours. It also helps to sign git tags,
tarballs, git commits, etc with your key.
+* Make your software package install a gpg keyring of its developers to
+ /usr/share/debug-me/keyring/.
+
+ A file there named "a_Foo_developer.gpg"
+ will make debug-me tell the user that "Your Name is a Foo developer."
+ when you connect to their debug-me session, and so the user will be more
+ likely to trust you and let you connect.
+
+ For example:
+
+ gpg --export-options export-minimal --export C910D9222512E3C7 > a_Foo_developer.gpg
+
* When a user has a bug that you need more information to reproduce and
understand, ask if they'll use debug-me.
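Review bot: The example command in the new checklist item selects the key by the 64-bit key id C910D9222512E3C7; for a file that will make debug-me vouch for a developer, the documentation should show the full fingerprint instead and tell packagers to list the exported keyring and compare fingerprints before shipping it. The item also leaves the naming rule implicit: it would help to state that the filename, with underscores read as spaces and ".gpg" dropped, becomes the text shown after "Your Name is", as the "a_Foo_developer.gpg" example suggests.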
diff --git a/doc/index.mdwn b/doc/index.mdwn
index 84bc344..14fec93 100644
--- a/doc/index.mdwn
+++ b/doc/index.mdwn
@@ -20,19 +20,21 @@ problem. Making your problem their problem gets it fixed fast.
A debug-me session is logged and signed with the developer's GnuPG key,
producing a [[chain of evidence|evidence]] of what they saw and what they
did. So the developer's good reputation is leveraged to make debug-me
-secure.
+secure. If you trust a developer to ship software to your computer,
+you can trust them to debug-me.
When you start debug-me without any options, it will connect to a debug-me
[[server|servers]], and print out an url that you can give to the developer
-to get them connected to you. Then debug-me will show you their GnuPG key
-and who has signed it. If the developer has a good reputation, you can
+to get them connected to you. Then debug-me will show you their GnuPG key,
+who has signed it, and will let you know if they are a known developer
+of software on your computer. If the developer has a good reputation, you can
proceed to let them type into your console in a debug-me session. Once the
session is done, the debug-me server will email you the signed evidence of
what the developer did in the session.
If the developer did do something bad, you'd have proof that they cannot
be trusted, which you can share with the world. Knowing that is the case
-will keep most developers honest.
+will keep developers honest.
<video controls width=400 title="debug-me demo" src="https://downloads.kitenet.net/videos/debug-me/debug-me-demo.webm"></video>
<video controls width=400 title="debug-me logs" src="https://downloads.kitenet.net/videos/debug-me/debug-me-logs.webm"></video>
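Review bot: Dropping "most" in the last changed line, so that it reads "will keep developers honest", turns a deterrent into a guarantee. The signed log gives proof after the fact, as the preceding sentence says, but it does not prevent a bad action, so the original "most developers" was the more accurate wording. The added sentence "you can trust them to debug-me" also reads oddly; something like "you can trust them in a debug-me session" would be clearer. The new text about being told "if they are a known developer of software on your computer" could link to the FAQ entry that explains where that information comes from.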
diff --git a/doc/todo/use_distribution_keyrings.mdwn b/doc/todo/use_distribution_keyrings.mdwn
index df21588..be4492e 100644
--- a/doc/todo/use_distribution_keyrings.mdwn
+++ b/doc/todo/use_distribution_keyrings.mdwn
@@ -5,3 +5,6 @@ Example output: `Sean Whitton is an official Debian Developer (information accur
Distribution packagers of debug-me could add the keyrings to be checked in this way to a configuration file, or possibly just hardcode them somewhere in debug-me's source.
--spwhitton
+
+> [[done]]; you'll need to include the symlinks to the debian keyring
+> in the keysafe.deb. --[[Joey]]
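Review bot: The added reply refers to "the keysafe.deb", but this repository and the todo item are about debug-me; if the symlinks to the Debian keyring belong in the debug-me package, the package name should be corrected. It would also help to say where the symlinks should point from, given that the FAQ change in this commit names `/usr/share/debug-me/keyring/` as the directory that is checked.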
diff --git a/doc/todo/use_distribution_keyrings/comment_2_43e012511d2fc39d78789541482928b7._comment b/doc/todo/use_distribution_keyrings/comment_2_43e012511d2fc39d78789541482928b7._comment
new file mode 100644
index 0000000..8145e47
--- /dev/null
+++ b/doc/todo/use_distribution_keyrings/comment_2_43e012511d2fc39d78789541482928b7._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2017-05-20T21:10:36Z"
+ content="""
+Simplified that sligtly. The keyring filename can describe the
+relationship, eg "a_Debian_developer.gpg". The mtime of the keyring will be
+displayed so the user knows how up-to-date it is.
+"""]]
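Review bot: "sligtly" in the first content line should be "slightly". On the mtime that the comment says will be displayed: a file's mtime is whatever the installer or package set it to, so it may show when the keyring was installed on this machine rather than when its contents were last updated. The comment or the FAQ should say which of the two the user is being shown, since the user is asked to judge how up to date the keyring is from it.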