Gentoo Archives: gentoo-commits

From: "Robin H. Johnson (robbat2)" <robbat2@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/releng: index.xml
Date: Tue, 01 Sep 2009 22:26:43
Message-Id: E1Migd4-0004tI-5M@stork.gentoo.org
robbat2     09/09/02 03:35:26

  Modified:             index.xml
  Log:
  Document releng usage of PGP keys.

Revision  Changes    Path
1.118                xml/htdocs/proj/en/releng/index.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/releng/index.xml?rev=1.118&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/releng/index.xml?rev=1.118&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/releng/index.xml?r1=1.117&r2=1.118

Index: index.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/releng/index.xml,v
retrieving revision 1.117
retrieving revision 1.118
diff -p -w -b -B -u -u -r1.117 -r1.118
--- index.xml	24 Sep 2008 17:47:21 -0000	1.117
+++ index.xml	2 Sep 2009 03:35:25 -0000	1.118
@@ -68,6 +68,83 @@ machines page</uri>.
 </extraproject>
 
 <extrachapter>
+<title>Release security &amp; signing</title>
+<section>
+<body>
+<p>
+All release media will have its DIGESTS file signed by one of the <c>Gentoo Linux
+Release	Engineering (releng@g.o)</c> PGP keys listed on this page.
+The keys are available through the <c>subkeys.pgp.net</c> keyserver. They can
+be used to verify that the media is, in fact, the media shipped by Release
+Engineering and not from a potential attacker. You will find more detailed
+verification instructions in the handbooks for each release.
+</p>
+
+<p>
+New keys and changes to existing keys will be announced to the following
+Gentoo mailing lists: gentoo-dev-announce, gentoo-announce, gentoo-core.
+</p>
+
+<note>
+Releases up to and including 2007.0 had PGP signatures directly on top of the
+files. This required large quantities of disk IO for generation on the servers,
+and validation on the client side. As such, as of the 2008.0 release, the
+DIGESTS file is now signed instead, making verification a two-step process, but
+overall much quicker.
+</note>
+
+<pre caption="Obtaining the public key">
+$ <i>gpg --keyserver subkeys.pgp.net --recv-keys &lt;key id&gt;</i>
+</pre>
+
+<pre caption="Verify the cryptographic signature">
+$ <i>gpg --verify &lt;foo.DIGESTS.asc&gt; &lt;foo.DIGESTS&gt;</i>
+</pre>
+
+<pre caption="Verify the checksum">
+$ <i>sha1sum -c &lt;foo.DIGESTS&gt;</i>
+</pre>
+
+<table>
+<tr>
+<th>Key ID</th>
+<th>Key Type</th>
+<th>Key Fingerprint</th>
+<th>Key Description</th>
+<th>Notes</th>
+</tr>
+
+<tr>
+<ti>0x239C75C4</ti>
+<ti>1024-bit DSA</ti>
+<ti>AE54 54F9 67B5 6AB0 9AE1  6064 0838 C26E 239C 75C4</ti>
+<ti>Gentoo Portage Snapshot Signing Key (Automated Signing Key)</ti>
+<ti>Used for daily Portage snapshots.</ti>
+</tr>
+
+<tr>
+<ti>0x17072058</ti>
+<ti>1024-bit DSA</ti>
+<ti>D99E AC73 79A8 50BC E47D A5F2 9E64 38C8 1707 2058</ti>
+<ti>Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key)</ti>
+<ti>Used for releases 2004.2-2008.0</ti>
+</tr>
+
+<tr>
+<ti>0x2D182910</ti>
+<ti>4096-bit RSA</ti>
+<ti>13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910</ti>
+<ti>Gentoo Linux Release Engineering (Automated Weekly Release Key)</ti>
+<ti>Used for automated weekly releases.</ti>
+</tr>
+
+</table>
+
+</body>
+</section>
+</extrachapter>
+
+<extrachapter>
 <title>Latest release</title>
 
 <section>