List:       gentoo-dev
Subject:    Re: [gentoo-dev] Git, GPG Signing, and Manifests
From:       Brian Dolbec <dolsen () gentoo ! org>
Date:       2015-07-17 15:25:06
Message-ID: 20150717082506.2368b3e3.dolsen () gentoo ! org

On Fri, 17 Jul 2015 08:50:43 -0400
Rich Freeman <rich0@gentoo.org> wrote:

> On Fri, Jul 17, 2015 at 8:36 AM, Rich Freeman <rich0@gentoo.org>
> wrote:
> > On Fri, Jul 17, 2015 at 12:42 AM, Brian Dolbec <dolsen@gentoo.org>
> > wrote:
> >>
> >> I don't know tbh, most are already signed, with the git migration,
> >> the strongly recommended commit signing will become MANDATORY.
> >>
> >> So, we are at 50 devs with valid gpg keys now, with 200 more gpg
> >> keys listed in LDAP that fail to meet the new spec.  PLEASE fix
> >> them or create new keys...
> >
> > How does somebody know whether their key meets the spec or not?  I
> > looked at the gentoo-keys website and didn't see any simple way to
> > check.
> >
> > There was documentation on the gkeys utility for checking keys, but
> > I ran into a few issues with this.
> >
> 
> After waking up a bit more I configured a utf8 locale in my "clean
> stage3" and the errors went away, and I was able to verify that my key
> passed, with no encryption subkey (I don't intend to use this key for
> anything but gentoo main repository signing).
> 
> Even so, it might not hurt to have a one-line way to check an
> arbitrary gpg key for conformity by ID.  Otherwise we invite trial and
> error with devs uploading what they hope are compliant keys, fixing
> LDAP, waiting for seeds to be repopulated, then checking them.
> 

One of the things I really wanted to get into gkeys is a way to add a
user's ~/.gnupg dir imported into the gkeys system, that will help in
that regard and make it more of a one-stop shop for common gpg tasks.

Also, I will try to get at least the gkeys-gen target keydir added to
gkeys visibility in the next release.

Oh, forgot to mention.  I will send the gkeys spec-check report
to the gentoo-core list for a start.  Perhaps some of the devs can help
us get the wiki help pages completed when they fix their keys and know
the steps.  I'm sure both Kristian and myself would appreciate a little
help with that while we are explaining how to fix the failures.

One of the slowdowns in completing those pages is creating anonymous
gpg keys output for the wiki examples.  I do not want to use devs' real
keys as examples (which of course would be easiest).

-- 
Brian Dolbec <dolsen>

