List Archive: gentoo-commits
robbat2 09/09/02 03:35:26
Modified: index.xml
Log:
Document releng usage of PGP keys.
Revision Changes Path
1.118 xml/htdocs/proj/en/releng/index.xml
file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/releng/index.xml?rev=1.118&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/releng/index.xml?rev=1.118&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/releng/index.xml?r1=1.117&r2=1.118
Index: index.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/releng/index.xml,v
retrieving revision 1.117
retrieving revision 1.118
diff -p -w -b -B -u -u -r1.117 -r1.118
--- index.xml 24 Sep 2008 17:47:21 -0000 1.117
+++ index.xml 2 Sep 2009 03:35:25 -0000 1.118
@@ -68,6 +68,83 @@ machines page</uri>.
</extraproject>
<extrachapter>
+<title>Release security & signing</title>
+<section>
+<body>
+<p>
+All release media will have its DIGESTS file signed by one of the <c>Gentoo Linux
+Release Engineering (releng@g.o)</c> PGP keys listed on this page.
+The keys are available through the <c>subkeys.pgp.net</c> keyserver. They can
+be used to verify that the media is, in fact, the media shipped by Release
+Engineering and not from a potential attacker. You will find more detailed
+verification instructions in the handbooks for each release.
+</p>
+
+<p>
+New keys and changes to existing keys will be announced to the following
+Gentoo mailing lists: gentoo-dev-announce, gentoo-announce, gentoo-core.
+</p>
+
+<note>
+Releases up to and including 2007.0 had PGP signatures directly on top of the
+files. This required large quantities of disk IO for generation on the servers,
+and validation on the client side. As such, as of the 2008.0 release, the
+DIGESTS file is now signed instead, making verification a two-step process, but
+overall much quicker.
+</note>
+
+<pre caption="Obtaining the public key">
+$ <i>gpg --keyserver subkeys.pgp.net --recv-keys <key id></i>
+</pre>
+
+<pre caption="Verify the cryptographic signature">
+$ <i>gpg --verify <foo.DIGESTS.asc> <foo.DIGESTS></i>
+</pre>
+
+<pre caption="Verify the checksum">
+$ <i>sha1sum -c <foo.DIGESTS></i>
+</pre>
+
+<table>
+<tr>
+<th>Key ID</th>
+<th>Key Type</th>
+<th>Key Fingerprint</th>
+<th>Key Description</th>
+<th>Notes</th>
+</tr>
+
+<tr>
+<ti>0x239C75C4</ti>
+<ti>1024-bit DSA</ti>
+<ti>AE54 54F9 67B5 6AB0 9AE1 6064 0838 C26E 239C 75C4</ti>
+<ti>Gentoo Portage Snapshot Signing Key (Automated Signing Key)</ti>
+<ti>Used for daily Portage snapshots.</ti>
+</tr>
+
+<tr>
+<ti>0x17072058</ti>
+<ti>1024-bit DSA</ti>
+<ti>D99E AC73 79A8 50BC E47D A5F2 9E64 38C8 1707 2058</ti>
+<ti>Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key)</ti>
+<ti>Used for releases 2004.2-2008.0</ti>
+</tr>
+
+<tr>
+<ti>0x2D182910</ti>
+<ti>4096-bit RSA</ti>
+<ti>13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910</ti>
+<ti>Gentoo Linux Release Engineering (Automated Weekly Release Key)</ti>
+<ti>Used for automated weekly releases.</ti>
+</tr>
+
+</table>
+
+</body>
+</section>
+</extrachapter>
+
+<extrachapter>
<title>Latest release</title>
<section>
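Review bot: The three <pre> steps go from "gpg --keyserver subkeys.pgp.net --recv-keys <key id>" straight to "gpg --verify", with no step that compares the fetched key against the Key Fingerprint column of the table added further down. An 8-hex-digit key ID such as 0x239C75C4 does not uniquely identify a key on a public keyserver, so "gpg --verify" would report a good signature from whatever key was imported under that ID. Suggest adding a <pre caption="Check the key fingerprint"> block that runs "gpg --fingerprint <key id>" between the first two steps, plus a sentence telling the reader to match the output against the table before trusting the signature. Separately, if index.xml really contains the raw "&" in the <title> line and the raw "<key id>" / "<foo.DIGESTS.asc>" placeholders as displayed here, they need to be written as "&amp;" and "&lt;...&gt;" for the file to stay well-formed.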