
List:       gentoo-dev
Subject:    Re: [gentoo-dev] RFC: Gentoo GPG key policies
From:       Alec Warner <antarus () gentoo ! org>
Date:       2013-02-27 20:27:57
Message-ID: CAAr7Pr9zR-ovQFk=a3pBF6HrWwzrbBP4zCmLXRZ_voafxbkFiA () mail ! gmail ! com

On Wed, Feb 27, 2013 at 11:04 AM, Robin H. Johnson <robbat2@gentoo.org> wrote:
> Thanks for the partial response Luis.
> 
> On Wed, Feb 27, 2013 at 04:12:14PM +0100, Luis Ressel wrote:
> > On Tue, 26 Feb 2013 17:10:56 +0700 (NOVT)
> > grozin@gentoo.org wrote:
> > 
> > > Hello *,
> > > I am stuck and have many questions.
> 
> New addition to the instructions:
> 0. Copy /usr/share/gnupg/gpg-conf.skel to ~/.gnupg/gpg.conf, append the
> block given in my email.
> TODO: The upstream skeleton config file has improved over the years,
> it would be useful for all users to get updates to it, but etc-update
> only works for /etc, since this is deployed per-user. Suggestions
> welcome on getting users to do this.
> 
> > > [In the process of becoming a dev, I've generated a gpg key, of course. It was
> > > on an old notebook. When I switched to a newer notebook, I forgot to copy it,
> > > because I don't use gpg regularly. No risk that it became known - the disk was
> > > re-partitioned and re-formatted. Probably, that key has expired anyway.]
> > > 1. So, I start gpg --gen-key
> > > It creates ~/.gnupg/ and some files in it. Should I press ctrl-C, then edit
> > > ~/.gnupg/gpg.conf, and then re-start gpg --gen-key? Or can editing gpg.conf
> > > be done later?
> > Editing the conf should be done first; some of the preferences (e.g.
> > personal-digest-preference and cert-digest-algo) affect the creation of
> > keys.
> See step 0 above, and do gen-key AFTER that.
> 
> > > 3. Now I do
> > > gpg --edit-key 0x<16_hex_digits_1>
> > > addkey
> > > Then I choose
> > > (4) RSA (sign only)
> > > right? Then I choose 4096, 1y, y, y, save. Now
> > > gpg --list-keys
> > > gives
> > > /home/<username>/.gnupg/pubring.gpg
> > > -------------------------------
> > > pub   4096R/0x<16_hex_digits_1> 2013-02-26 [expires: 2016-02-26]
> > > uid                 [ultimate] <my_name> <my_gentoo_email_address>
> > > sub   4096R/0x<16_hex_digits_2> 2013-02-26 [expires: 2016-02-26]
> > > sub   4096R/0x<16_hex_digits_3> 2013-02-26 [expires: 2014-02-26]
> > > 4. I do
> > > gpg --output revoke.asc --gen-revoke 0x<16_hex_digits_1>
> > > and choose 1.
> > That's all correct.
> Make sure to put that revoke.asc file in a secure place, and REMOVE the
> unprotected copy from your system. It has NO encryption on that file, by
> design.
> 
> > > > 6. Encrypted backup of your secret keys.
> > > I don't understand this.
> > 
> > It'd make sense to have a backup of your keys (~/.gnupg/secring.gpg)
> > stored in a safe place, just as with everything else... If you want,
> > you can protect it by another layer of encryption, but it's not that
> > important, because the keys are already protected by your passphrase.
> 
> Yes, your normal keys are protected by your passphrase.
> If you have additional SEPARATE keys that might not have passphrases (eg
> for automation purposes), having them encrypted on your backup media is
> a good idea.
> 
> If you don't have any other keys like that, I've attached a backup
> script for you to use (originally written because some versions ago
> there was a gnupg locking bug, and it would occasionally
> corrupt/overwrite my public keyring).
> 
> > > > 7. In your gpg.conf:
> > > > # include an unambiguous indicator of which key made a signature:
> > > > # (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
> > > > sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g
> > > I don't understand this.
> > Neither do I (I know what it does, but I don't see what it's good for) –
> > just leave it out, it's not necessary.
> Here's the origin of this:
> http://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html
> Basically, just like the rest of the expansion to use full length
> keyids to avoid collision attacks, this does the same for
> certifications.
> 
> > > 5. I do
> > > gpg --keyserver subkeys.pgp.net --send-key 0x<16_hex_digits_1>
> > > 6. On dev.gentoo.org, I am supposed to do
> > > perl_ldap -b user -M gpgkey <gpg-id> <user>
> > > perl_ldap -b user -M gpgfingerprint <gpg-fingerprint> <user>
> > > Is <gpg-id> 0x<16_hex_digits_1>? Or 0x<16_hex_digits_3>? What is
> > > <gpg-fingerprint> and how do I get it? Is <user> my username on dev.gentoo.org?
> > > What's even more important, perl_ldap asks for my ldap password. I suppose I
> > > haven't got one. My usual Gentoo password (used in bugzilla, forums) does not
> > > work. How do I get an ldap password?
> > I can't help you with that, as I don't have access to any gentoo
> > infrastructure. But IIRC, that's the password you once set on d.g.o
> > with passwd.
> Your recruiter should have pointed you to your LDAP password when you
> became a developer (for new developers). In the case of old developers, this
> wasn't reliably followed, and/or the password gets lost. Please contact infra or
> the devrel leads to get your LDAP password reset.
> 
> '<user>' is your Gentoo developer username. Be careful to NOT
> replace the '-b user' part, that selects 'user' mode for the tool.

FYI: I patched perl_ldap so this doesn't happen, as it was a very
common mistake.

-A

> 
> > > 7. If I'll ever complete all the above, I'll add sign to FEATURES in
> > > /etc/portage/make.conf, and PORTAGE_GPG_DIR="/home/<username>/.gnupg"
> > > and also
> > > PORTAGE_GPG_KEY="0x<16_hex_digits_3>!"
> > > Is this correct? Is it <16_hex_digits_3>, and not, say, <16_hex_digits_1>?
> > > Should I add ! at the end, as suggested by mgorny?
> > 16_hex_digits_3 (the one you added later via addkey) is the correct
> > one. And adding a ! is absolutely necessary.
> > -)
> 
> > > During the time I'm reading all these instructions, I could bump 10
> > > packages. Very complicated for a person who does not use gpg and
> > > knows next to nothing about it.
> > Security can be hard to grasp at times. Sadly...
> But THANK YOU for writing up your email, it's great to have somebody
> with no experience try the instructions, and help us figure out where
> they need to improve.
> 
> --
> Robin Hugh Johnson
> Gentoo Linux: Developer, Trustee & Infrastructure Lead
> E-Mail     : robbat2@gentoo.org
> GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85

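The thread's question of which key ID goes into PORTAGE_GPG_KEY (the sign-only subkey added via addkey, with a trailing "!") can be answered mechanically from GnuPG's machine-readable listing. The script below is an added example, not code from the thread or from Gentoo; it assumes the `gpg --with-colons --list-keys` record format (field 1 = record type, field 5 = long key ID, field 7 = expiry as epoch seconds or empty, field 12 = capability letters, where "s" means sign and "e" means encrypt). The listing embedded in it is constructed, and its key IDs are placeholders rather than real keys.

```python
"""Select the Portage signing subkey from `gpg --with-colons --list-keys` output.

Added example (not from the thread). The sample listing is constructed:
a primary key, one encryption subkey and one sign-only subkey, mirroring
the key layout discussed above. Key IDs are placeholders.
"""
from datetime import datetime, timezone

# Constructed sample of `gpg --with-colons --list-keys` output.
# Epoch values: 1361836800 = 2013-02-26, 1393372800 = 2014-02-26,
# 1456444800 = 2016-02-26 (all 00:00 UTC).
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1361836800:1456444800::u:::scESC:
uid:u::::1361836800::0000000000000000000000000000000000000000::Example Dev <dev@example.invalid>:
sub:u:4096:1:FEDCBA9876543210:1361836800:1456444800:::::e:
sub:u:4096:1:0011223344556677:1361836800:1393372800:::::s:
"""


def parse_keys(listing):
    """Return one dict per pub/sub record: type, long key ID, expiry, capabilities."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        # uid/fpr/other record types carry no key capabilities; skip them.
        if len(fields) < 12 or fields[0] not in ("pub", "sub"):
            continue
        expires = int(fields[6]) if fields[6] else None  # empty = never expires
        keys.append({
            "type": fields[0],
            "keyid": fields[4],
            "expires": expires,
            "caps": fields[11],
        })
    return keys


def signing_subkeys(keys, now=None):
    """Sign-only subkeys ("s" set, "e" not set) that have not expired at `now`."""
    if now is None:
        now = int(datetime.now(timezone.utc).timestamp())
    return [
        k for k in keys
        if k["type"] == "sub"
        and "s" in k["caps"] and "e" not in k["caps"]
        and (k["expires"] is None or k["expires"] > now)
    ]


def portage_gpg_key(listing, now=None):
    """Build the make.conf line for PORTAGE_GPG_KEY.

    The trailing "!" pins gpg to exactly this subkey instead of letting it
    choose a signing-capable key on its own, which is why the thread insists
    on it. Refuses to guess when no, or more than one, sign-only subkey is
    usable, so an expired subkey is caught before Portage starts signing.
    """
    candidates = signing_subkeys(parse_keys(listing), now)
    if not candidates:
        raise ValueError("no unexpired sign-only subkey found; add one with addkey")
    if len(candidates) > 1:
        raise ValueError("several sign-only subkeys found; pick one explicitly")
    return f'PORTAGE_GPG_KEY="0x{candidates[0]["keyid"]}!"'


if __name__ == "__main__":
    # Fixed "now" (2013-02-27) so the sample's one-year signing subkey is valid.
    print(portage_gpg_key(SAMPLE_LISTING, now=1362000000))
```

Run it against real output with `gpg --with-colons --list-keys | python3 script.py`-style piping after replacing SAMPLE_LISTING with `sys.stdin.read()`; the "expired" check is the part worth keeping, since the one-year subkey in the thread's example will silently stop working a year after it was created.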
