On Tue, 26 Feb 2013 17:10:56 +0700 (NOVT)
grozin@g.o wrote:

> Hello *,
> I am stuck and have many questions.
> [In the process of becoming a dev, I've generated a gpg key, of course. It was on an old notebook. When I switched to a newer notebook, I forgot to copy it, because I don't use gpg regularly. No risk that it became known - the disk was re-partitioned and re-formatted. Probably, that key has expired anyway.]
> 1. So, I start
> gpg --gen-key
> It creates ~/.gnupg/ and some files in it. Should I press ctrl-C, then edit ~/.gnupg/gpg.conf, and then re-start gpg --gen-key? Or can editing gpg.conf be done later?

Editing the conf should be done first; some of the preferences (e.g.
personal-digest-preference and cert-digest-algo) affect the creation of
keys.

> 2. Then I choose 1, 3y, y, then my name and the @gentoo.org email address. After that,
> gpg --list-keys
> says
> /home/<username>/.gnupg/pubring.gpg
> -------------------------------
> pub 4096R/0x<16_hex_digits_1> 2013-02-26 [expires: 2016-02-26]
> uid [ultimate] <my_name> <my_gentoo_email_address>
> sub 4096R/0x<16_hex_digits_2> 2013-02-26 [expires: 2016-02-26]
> So, my key id is 0x<16_hex_digits_1>, right?

Yep, but why did you bother to replace the information?

> 3. Now I do
> gpg --edit-key 0x<16_hex_digits_1>
> addkey
> Then I choose
> (4) RSA (sign only)
> right? Then I choose 4096, 1y, y, y, save. Now
> gpg --list-keys
> gives
> /home/<username>/.gnupg/pubring.gpg
> -------------------------------
> pub 4096R/0x<16_hex_digits_1> 2013-02-26 [expires: 2016-02-26]
> uid [ultimate] <my_name> <my_gentoo_email_address>
> sub 4096R/0x<16_hex_digits_2> 2013-02-26 [expires: 2016-02-26]
> sub 4096R/0x<16_hex_digits_3> 2013-02-26 [expires: 2014-02-26]
> 4. I do
> gpg --output revoke.asc --gen-revoke 0x<16_hex_digits_1>
> and choose 1.

That's all correct.

> > 6. Encrypted backup of your secret keys.
> I don't understand this.

It'd make sense to have a backup of your keys (~/.gnupg/secring.gpg)
stored in a safe place, just as with everything else... If you want,
you can protect it with another layer of encryption, but it's not that
important, because the keys are already protected by your passphrase.

> > 7. In your gpg.conf:
> > # include an unambiguous indicator of which key made a signature:
> > # (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
> > sig-notation issuer-fpr@×××××××××××××××××××××××××××××××.net=%g
> I don't understand this.

Neither do I (I know what it does, but I don't see what it's good for) –
just leave it out, it's not necessary.

> 5. I do
> gpg --keyserver subkeys.pgp.net --send-key 0x<16_hex_digits_1>
> 6. On dev.gentoo.org, I am supposed to do
> perl_ldap -b user -M gpgkey <gpg-id> <user>
> perl_ldap -b user -M gpgfingerprint <gpg-fingerprint> <user>
> Is <gpg-id> 0x<16_hex_digits_1>? Or 0x<16_hex_digits_3>? What is <gpg-fingerprint> and how do I get it? Is <user> my username on dev.gentoo.org?
> What's even more important, perl_ldap asks for my ldap password. I suppose I haven't got one. My usual Gentoo password (used in bugzilla, forums) does not work. How do I get an ldap password?

I can't help you with that, as I don't have access to any gentoo
infrastructure. But IIRC, that's the password you once set on d.g.o
with passwd.

> 7. If I ever complete all the above, I'll add sign to FEATURES in /etc/portage/make.conf, and
> PORTAGE_GPG_DIR="/home/<username>/.gnupg"
> and also
> PORTAGE_GPG_KEY="0x<16_hex_digits_3>!"
> Is this correct? Is it <16_hex_digits_3>, and not, say, <16_hex_digits_1>? Should I add ! at the end, as suggested by mgorny?

16_hex_digits_3 (the one you added later via addkey) is the correct
one. And adding a ! is absolutely necessary.

> During the time I'm reading all these instructions, I could bump 10 packages. Very complicated for a person who does not use gpg and knows next to nothing about it.

Security can be hard to grasp at times. Sadly...


HTH,
Luis
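The three identifiers the thread juggles (the primary key ID for `perl_ldap ... gpgkey`, the 40-hex-digit fingerprint for `perl_ldap ... gpgfingerprint`, and the sign-only subkey, pinned with `!`, for `PORTAGE_GPG_KEY`) can all be read off gpg's machine-readable listing instead of the human-readable one quoted above. The following is an added example, not code from the thread or from Gentoo's tooling: it parses the output of `gpg --with-colons --with-fingerprint --list-keys 0x<primary_keyid>` (the record layout is gpg's documented colon format from doc/DETAILS; gpg 1.4 only prints the `fpr` records when `--with-fingerprint` is given, and gpg2 prints dates as epoch seconds rather than ISO dates, which the parser just carries through as strings). The sample listing, its key IDs and its fingerprints are constructed to mirror the quoted listing (3-year primary key, 3-year encryption subkey, 1-year sign-only subkey) and are not real keys; the consistency check that a v4 long key ID is the last 16 hex digits of its fingerprint is a real property of OpenPGP v4 keys.

```python
"""Pick the right identifiers out of a `gpg --with-colons` key listing.

Field layout (0-based, from gpg's doc/DETAILS):
  0 record type  1 validity  2 key length  3 algorithm  4 long key ID (16 hex)
  5 creation     6 expiry    9 user-id, or the fingerprint on 'fpr' records
  11 capabilities: e=encrypt s=sign c=certify a=auth (upper case on 'pub'
     means "the whole key can do this via some subkey")
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample (made-up key IDs/fingerprints), modelled on the listing
# in the thread: RSA-4096 primary (3y), encryption subkey (3y), and a
# sign-only subkey (1y) added afterwards with `gpg --edit-key ... addkey`.
SAMPLE_LISTING = """\
tru::1:1361880000:0:3:1:5
pub:u:4096:1:1111111111111111:2013-02-26:2016-02-26::u:::scESC:
fpr:::::::::AAAA1111AAAA1111AAAA11111111111111111111:
uid:u::::2013-02-26::0A1B2C::Grozin Example <example@gentoo.org>:
sub:u:4096:1:2222222222222222:2013-02-26:2016-02-26:::::e:
fpr:::::::::BBBB2222BBBB2222BBBB22222222222222222222:
sub:u:4096:1:3333333333333333:2013-02-26:2014-02-26:::::s:
fpr:::::::::CCCC3333CCCC3333CCCC33333333333333333333:
"""


@dataclass
class Key:
    keyid: str             # long key ID, 16 hex digits
    created: str
    expires: str
    caps: str              # capability letters from field 11
    is_primary: bool
    fingerprint: str = ""  # filled in from the following 'fpr' record


@dataclass
class Keyring:
    primary: Key
    subkeys: List[Key] = field(default_factory=list)
    uids: List[str] = field(default_factory=list)


def parse_colons(text: str) -> Keyring:
    """Parse one key's `--with-colons --with-fingerprint` listing."""
    primary: Optional[Key] = None
    subkeys: List[Key] = []
    uids: List[str] = []
    pending: Optional[Key] = None  # key whose 'fpr' record comes next
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            k = Key(keyid=f[4], created=f[5], expires=f[6], caps=f[11],
                    is_primary=(f[0] == "pub"))
            if k.is_primary:
                if primary is not None:
                    raise ValueError("example handles a single-key listing only")
                primary = k
            else:
                subkeys.append(k)
            pending = k
        elif f[0] == "fpr" and pending is not None:
            fp = f[9]
            # Sanity check: for v4 keys the long key ID is the low 64 bits
            # (last 16 hex digits) of the fingerprint.
            if len(fp) != 40 or not fp.endswith(pending.keyid):
                raise ValueError(f"fingerprint {fp} does not match key {pending.keyid}")
            pending.fingerprint = fp
            pending = None
        elif f[0] == "uid":
            uids.append(f[9])
    if primary is None or not primary.fingerprint:
        raise ValueError("no primary key with fingerprint found (use --with-fingerprint)")
    return Keyring(primary=primary, subkeys=subkeys, uids=uids)


def ldap_gpgkey(kr: Keyring) -> str:
    """Value for `perl_ldap -b user -M gpgkey`: the primary key's long ID."""
    return "0x" + kr.primary.keyid


def ldap_fingerprint(kr: Keyring) -> str:
    """Value for `perl_ldap -b user -M gpgfingerprint`: the primary fingerprint."""
    return kr.primary.fingerprint


def portage_gpg_key(kr: Keyring) -> str:
    """Value for PORTAGE_GPG_KEY: the sign-only subkey, pinned with '!'.

    Without the '!', gpg treats the ID as naming the whole key and picks a
    signing-capable key itself; the '!' forces exactly this subkey.
    """
    candidates = [k for k in kr.subkeys if k.caps == "s"]
    if not candidates:
        raise LookupError("no sign-only subkey: run `gpg --edit-key <id>`, "
                          "`addkey`, choose RSA (sign only)")
    # gpg lists subkeys in creation order, so the last one is the newest.
    return "0x" + candidates[-1].keyid + "!"


def make_conf_lines(kr: Keyring, gnupg_dir: str) -> List[str]:
    """The /etc/portage/make.conf lines from the thread, filled in."""
    return ['FEATURES="${FEATURES} sign"',
            f'PORTAGE_GPG_DIR="{gnupg_dir}"',
            f'PORTAGE_GPG_KEY="{portage_gpg_key(kr)}"']


if __name__ == "__main__":
    kr = parse_colons(SAMPLE_LISTING)
    print("gpgkey:        ", ldap_gpgkey(kr))
    print("gpgfingerprint:", ldap_fingerprint(kr))
    print("\n".join(make_conf_lines(kr, "/home/<username>/.gnupg")))
```

Run against a real keyring with `gpg --with-colons --with-fingerprint --list-keys 0x<primary_keyid> | python3 thisfile.py` after swapping `SAMPLE_LISTING` for `sys.stdin.read()`; the sign-only subkey's short expiry (one year in the thread) shows up in `kr.subkeys[-1].expires`, which is the date to put in your calendar for renewing it.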