1 |
Mark Knecht posted on Thu, 07 Aug 2014 11:16:23 -0700 as excerpted: |
2 |
|
3 |
> From the comment about the Release Engineering site, I think that's |
4 |
> here: |
5 |
> |
6 |
> https://www.gentoo.org/proj/en/releng/ |
7 |
> |
8 |
> And the keys match with is good. |
9 |
> |
10 |
> Anyway, running the first command is fine. The second command wants me |
11 |
> to make a choice. For now I chose to 'ultimately trust'. (Aren't I |
12 |
> gullible!?!) |
13 |
|
14 |
[...] |
15 |
|
16 |
> Please decide how far you trust this user to correctly verify other |
17 |
> users' keys (by looking at passports, checking fingerprints from |
18 |
> different sources, etc.) |
19 |
> |
20 |
> 1 = I don't know or won't say |
21 |
> 2 = I do NOT trust |
22 |
> 3 = I trust marginally |
23 |
> 4 = I trust fully |
24 |
> 5 = I trust ultimately |
25 |
> m = back to the main menu |
26 |
> |
27 |
> Your decision? 5 |
28 |
> Do you really want to set this key to ultimate trust? (y/N) y |
29 |
|
30 |
|
31 |
GPG is built on a "web of trust" idea. Basically, the idea is that if |
32 |
you know and trust someone (well, in this case their key), then they can |
33 |
vouch for someone else that you don't know. |
34 |
|
35 |
At various community conferences and the like, there's often a |
36 |
"key signing party". Attending devs and others active in the community |
37 |
check passports and etc, in theory validating the identity of the other |
38 |
person, then sign their key, saying they've checked and the person using |
39 |
this key is really who they say they are. |
40 |
|
41 |
What you're doing here is giving gpg some idea of how much trust you want |
42 |
to put in the key, not just to verify that whatever that person sends you |
43 |
did indeed get signed with their key, but more importantly, to what |
44 |
extent you trust that key to vouch for OTHER keys it has signed that you |
45 |
don't know about yet. |
46 |
|
47 |
If an otherwise unknown-trust key is signed by an ultimate-trust key, |
48 |
it'll automatically be considered valid, tho it won't itself be trusted |
49 |
to sign /other/ keys until you specifically assign a level of trust to |
50 |
it, too. |
51 |
|
52 |
OTOH, it'd probably take a fully-trusted key plus perhaps a marginally |
53 |
trusted key, to validate an otherwise unknown key signed by both but not |
54 |
signed by an ultimately-trusted key. |
55 |
|
56 |
And it'd take more (at least three, maybe five or something, I get the |
57 |
idea but have forgotten the specifics) marginal trust key signatures to |
58 |
verify an otherwise unknown key in the absence of a stronger-trust key |
59 |
signature of it as well. |
60 |
|
61 |
Don't know or won't say I think means it doesn't count either way, and do |
62 |
NOT trust probably counts as a negative vote, thus requiring more votes |
63 |
from at least marginal-trust signatures to validate than it would |
64 |
otherwise. I'm sure the details are in the gpg docs if you're interested |
65 |
in reading up... |
66 |
|
67 |
Meanwhile, the key in question here is the gentoo snapshot-validation |
68 |
key, which should only be used to sign the tree tarballs, not a personal |
69 |
key, and gentoo should use a different key to, for instance, sign |
70 |
personal gentoo dev keys, so you're not likely to see it used to sign |
71 |
other keys and the above web-of-trust stuff doesn't matter so much in |
72 |
this case. |
73 |
|
74 |
OTOH... (more below) |
75 |
|
76 |
> Please note that the shown key validity is not necessarily correct |
77 |
> unless you restart the program. |
78 |
|
79 |
> gpg> check uid Gentoo Portage Snapshot Signing Key |
80 |
> (Automated Signing Key) |
81 |
> sig!3 96D8BF6D 2011-11-25 [self-signature] |
82 |
> 6 signatures not checked due to missing keys |
83 |
|
84 |
> I'm not sure how to short of a reboot 'restart the program' |
85 |
|
86 |
That's simply saying that you're in gpg interactive mode, and any edits |
87 |
you make in that gpg session won't necessarily show up or become |
88 |
effective until you quit gpg and start a new session. |
89 |
|
90 |
For example, I believe if you change the level of trust of some key, then |
91 |
in the same gpg interactive session check the validity of another key |
92 |
that the first one signed, the edit to the trust level of the first key |
93 |
won't necessarily be reflected in the validity assigned to the second key |
94 |
signed by the first. If you quit gpg it'll write the change you made, |
95 |
and restarting gpg should then give you an accurate assessment of the |
96 |
second key, reflecting the now saved change you made to the trust level |
97 |
of the first key that signed the second. |
98 |
|
99 |
> nor what the line [means:] |
100 |
> |
101 |
> 6 signatures not checked due to missing keys |
102 |
|
103 |
That simply indicates that the gentoo key is signed by a bunch of (six) |
104 |
others, probably gentoo infra, perhaps the foundation, etc, that if you |
105 |
had a larger web of trust already built, would vouch for the validity of |
106 |
the portage snapshotting key. Since you don't have that web of trust |
107 |
built yet, you gotta do without, but you gotta start somewhere... |
108 |
|
109 |
... Which is the "more below" I referred to above. The snapshot- |
110 |
validation key shouldn't be used to sign other keys, because that's not |
111 |
its purpose. Restricting a key to a single purpose helps a bit to keep |
112 |
it from leaking, but more importantly, restricts the damage should it |
113 |
indeed leak. If the snapshotting key gets stolen, it means snapshots |
114 |
signed by it can be no longer trusted, but since it's not used to sign |
115 |
other keys, at least the thief can't use the stolen key to vouch for |
116 |
other keys, because the key isn't used for that. |
117 |
|
118 |
At least... he couldn't if you hadn't set the key to ultimate trust, that |
119 |
you indeed trust it to vouch for other keys, alone, without any other |
120 |
vouching for them as well. |
121 |
|
122 |
So I'd definitely recommend editing that key again, and reducing the |
123 |
trust level. I /think/ you can actually set it to do NOT trust for the |
124 |
purpose of signing other keys, since that is indeed the case, without |
125 |
affecting its usage for signing the portage tree snapshots. However, I'm |
126 |
not positive of that. I'd test that to be sure, and simply set it back |
127 |
to "don't want to say" or to "marginally", if that turns out to be |
128 |
required to validate the snapshot with it. (Tho I don't believe it |
129 |
should, because that would break the whole way the web of trust is |
130 |
supposed to work and the concept of using a key for only one thing, not |
131 |
letting you simply accept the signature for content signing, without also |
132 |
requiring you to accept it as trustworthy for signing other keys.) |
133 |
|
134 |
I believe I have a different aspect of your post to reply to as well, but |
135 |
that can be a different reply... |
136 |
|
137 |
-- |
138 |
Duncan - List replies preferred. No HTML msgs. |
139 |
"Every nonfree program has a lord, a master -- |
140 |
and if you use the program, he is your master." Richard Stallman |