| 1 |
Mark Knecht posted on Thu, 07 Aug 2014 11:16:23 -0700 as excerpted: |
| 2 |
|
| 3 |
> From the comment about the Release Engineering site, I think that's |
| 4 |
> here: |
| 5 |
> |
| 6 |
> https://www.gentoo.org/proj/en/releng/ |
| 7 |
> |
| 8 |
> And the keys match with is good. |
| 9 |
> |
| 10 |
> Anyway, running the first command is fine. The second command wants me |
| 11 |
> to make a choice. For now I chose to 'ultimately trust'. (Aren't I |
| 12 |
> gullible!?!) |
| 13 |
|
| 14 |
[...] |
| 15 |
|
| 16 |
> Please decide how far you trust this user to correctly verify other |
| 17 |
> users' keys (by looking at passports, checking fingerprints from |
| 18 |
> different sources, etc.) |
| 19 |
> |
| 20 |
> 1 = I don't know or won't say |
| 21 |
> 2 = I do NOT trust |
| 22 |
> 3 = I trust marginally |
| 23 |
> 4 = I trust fully |
| 24 |
> 5 = I trust ultimately |
| 25 |
> m = back to the main menu |
| 26 |
> |
| 27 |
> Your decision? 5 |
| 28 |
> Do you really want to set this key to ultimate trust? (y/N) y |
| 29 |
|
| 30 |
|
| 31 |
GPG is built on a "web of trust" idea. Basically, the idea is that if |
| 32 |
you know and trust someone (well, in this case their key), then they can |
| 33 |
vouch for someone else that you don't know. |
| 34 |
|
| 35 |
At various community conferences and the like, there's often a |
| 36 |
"key signing party". Attending devs and others active in the community |
| 37 |
check passports and etc, in theory validating the identity of the other |
| 38 |
person, then sign their key, saying they've checked and the person using |
| 39 |
this key is really who they say they are. |
| 40 |
|
| 41 |
What you're doing here is giving gpg some idea of how much trust you want |
| 42 |
to put in the key, not just to verify that whatever that person sends you |
| 43 |
did indeed get signed with their key, but more importantly, to what |
| 44 |
extent you trust that key to vouch for OTHER keys it has signed that you |
| 45 |
don't know about yet. |
| 46 |
|
| 47 |
If an otherwise unknown-trust key is signed by an ultimate-trust key, |
| 48 |
it'll automatically be considered valid, tho it won't itself be trusted |
| 49 |
to sign /other/ keys until you specifically assign a level of trust to |
| 50 |
it, too. |
| 51 |
|
| 52 |
OTOH, it'd probably take a fully-trusted key plus perhaps a marginally |
| 53 |
trusted key, to validate an otherwise unknown key signed by both but not |
| 54 |
signed by an ultimately-trusted key. |
| 55 |
|
| 56 |
And it'd take more (at least three, maybe five or something, I get the |
| 57 |
idea but have forgotten the specifics) marginal trust key signatures to |
| 58 |
verify an otherwise unknown key in the absence of a stronger-trust key |
| 59 |
signature of it as well. |
| 60 |
|
| 61 |
Don't know or won't say I think means it doesn't count either way, and do |
| 62 |
NOT trust probably counts as a negative vote, thus requiring more votes |
| 63 |
from at least marginal-trust signatures to validate than it would |
| 64 |
otherwise. I'm sure the details are in the gpg docs if you're interested |
| 65 |
in reading up... |
| 66 |
|
| 67 |
Meanwhile, the key in question here is the gentoo snapshot-validation |
| 68 |
key, which should only be used to sign the tree tarballs, not a personal |
| 69 |
key, and gentoo should use a different key to, for instance, sign |
| 70 |
personal gentoo dev keys, so you're not likely to see it used to sign |
| 71 |
other keys and the above web-of-trust stuff doesn't matter so much in |
| 72 |
this case. |
| 73 |
|
| 74 |
OTOH... (more below) |
| 75 |
|
| 76 |
> Please note that the shown key validity is not necessarily correct |
| 77 |
> unless you restart the program. |
| 78 |
|
| 79 |
> gpg> check uid Gentoo Portage Snapshot Signing Key |
| 80 |
> (Automated Signing Key) |
| 81 |
> sig!3 96D8BF6D 2011-11-25 [self-signature] |
| 82 |
> 6 signatures not checked due to missing keys |
| 83 |
|
| 84 |
> I'm not sure how to short of a reboot 'restart the program' |
| 85 |
|
| 86 |
That's simply saying that you're in gpg interactive mode, and any edits |
| 87 |
you make in that gpg session won't necessarily show up or become |
| 88 |
effective until you quit gpg and start a new session. |
| 89 |
|
| 90 |
For example, I believe if you change the level of trust of some key, then |
| 91 |
in the same gpg interactive session check the validity of another key |
| 92 |
that the first one signed, the edit to the trust level of the first key |
| 93 |
won't necessarily be reflected in the validity assigned to the second key |
| 94 |
signed by the first. If you quit gpg it'll write the change you made, |
| 95 |
and restarting gpg should then give you an accurate assessment of the |
| 96 |
second key, reflecting the now saved change you made to the trust level |
| 97 |
of the first key that signed the second. |
| 98 |
|
| 99 |
> nor what the line [means:] |
| 100 |
> |
| 101 |
> 6 signatures not checked due to missing keys |
| 102 |
|
| 103 |
That simply indicates that the gentoo key is signed by a bunch of (six) |
| 104 |
others, probably gentoo infra, perhaps the foundation, etc, that if you |
| 105 |
had a larger web of trust already built, would vouch for the validity of |
| 106 |
the portage snapshotting key. Since you don't have that web of trust |
| 107 |
built yet, you gotta do without, but you gotta start somewhere... |
| 108 |
|
| 109 |
... Which is the "more below" I referred to above. The snapshot- |
| 110 |
validation key shouldn't be used to sign other keys, because that's not |
| 111 |
its purpose. Restricting a key to a single purpose helps a bit to keep |
| 112 |
it from leaking, but more importantly, restricts the damage should it |
| 113 |
indeed leak. If the snapshotting key gets stolen, it means snapshots |
| 114 |
signed by it can be no longer trusted, but since it's not used to sign |
| 115 |
other keys, at least the thief can't use the stolen key to vouch for |
| 116 |
other keys, because the key isn't used for that. |
| 117 |
|
| 118 |
At least... he couldn't if you hadn't set the key to ultimate trust, that |
| 119 |
you indeed trust it to vouch for other keys, alone, without any other |
| 120 |
vouching for them as well. |
| 121 |
|
| 122 |
So I'd definitely recommend editing that key again, and reducing the |
| 123 |
trust level. I /think/ you can actually set it to do NOT trust for the |
| 124 |
purpose of signing other keys, since that is indeed the case, without |
| 125 |
affecting its usage for signing the portage tree snapshots. However, I'm |
| 126 |
not positive of that. I'd test that to be sure, and simply set it back |
| 127 |
to "don't want to say" or to "marginally", if that turns out to be |
| 128 |
required to validate the snapshot with it. (Tho I don't believe it |
| 129 |
should, because that would break the whole way the web of trust is |
| 130 |
supposed to work and the concept of using a key for only one thing, not |
| 131 |
letting you simply accept the signature for content signing, without also |
| 132 |
requiring you to accept it as trustworthy for signing other keys.) |
| 133 |
|
| 134 |
I believe I have a different aspect of your post to reply to as well, but |
| 135 |
that can be a different reply... |
| 136 |
|
| 137 |
-- |
| 138 |
Duncan - List replies preferred. No HTML msgs. |
| 139 |
"Every nonfree program has a lord, a master -- |
| 140 |
and if you use the program, he is your master." Richard Stallman |
Archives