robbat2 09/09/02 03:35:26

Modified: index.xml
Log:
Document releng usage of PGP keys.

Revision Changes Path
1.118 xml/htdocs/proj/en/releng/index.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/releng/index.xml?rev=1.118&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/releng/index.xml?rev=1.118&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/proj/en/releng/index.xml?r1=1.117&r2=1.118

Index: index.xml |
=================================================================== |
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/releng/index.xml,v |
retrieving revision 1.117 |
retrieving revision 1.118 |
diff -p -w -b -B -u -u -r1.117 -r1.118 |
--- index.xml 24 Sep 2008 17:47:21 -0000 1.117 |
+++ index.xml 2 Sep 2009 03:35:25 -0000 1.118 |
@@ -68,6 +68,83 @@ machines page</uri>. |
</extraproject> |
|
<extrachapter> |
+<title>Release security & signing</title> |
+<section> |
+<body> |
+<p> |
+All release media will have its DIGESTS file signed by one of the <c>Gentoo Linux |
+Release Engineering (releng@g.o)</c> PGP keys listed on this page. |
+The keys are available through the <c>subkeys.pgp.net</c> keyserver. They can |
+be used to verify that the media is, in fact, the media shipped by Release |
+Engineering and not from a potential attacker. You will find more detailed |
+verification instructions in the handbooks for each release. |
+</p> |
+ |
+<p> |
+New keys and changes to existing keys will be announced to the following |
+Gentoo mailing lists: gentoo-dev-announce, gentoo-announce, gentoo-core. |
+</p> |
+ |
+<note> |
+Releases up to and including 2007.0 had PGP signatures directly on top of the |
+files. This required large quantities of disk IO for generation on the servers, |
+and validation on the client side. As such, as of the 2008.0 release, the |
+DIGESTS file is now signed instead, making verification a two-step process, but |
+overall much quicker. |
+</note> |
+ |
+<pre caption="Obtaining the public key"> |
+$ <i>gpg --keyserver subkeys.pgp.net --recv-keys <key id></i> |
+</pre> |
+ |
+<pre caption="Verify the cryptographic signature"> |
+$ <i>gpg --verify <foo.DIGESTS.asc> <foo.DIGESTS></i> |
+</pre> |
+ |
+<pre caption="Verify the checksum"> |
+$ <i>sha1sum -c <foo.DIGESTS></i> |
+</pre> |
+ |
+<table> |
+<tr> |
+<th>Key ID</th> |
+<th>Key Type</th> |
+<th>Key Fingerprint</th> |
+<th>Key Description</th> |
+<th>Notes</th> |
+</tr> |
+ |
+<tr> |
+<ti>0x239C75C4</ti> |
+<ti>1024-bit DSA</ti> |
+<ti>AE54 54F9 67B5 6AB0 9AE1 6064 0838 C26E 239C 75C4</ti> |
+<ti>Gentoo Portage Snapshot Signing Key (Automated Signing Key)</ti> |
+<ti>Used for daily Portage snapshots.</ti> |
+</tr> |
+ |
+<tr> |
+<ti>0x17072058</ti> |
+<ti>1024-bit DSA</ti> |
+<ti>D99E AC73 79A8 50BC E47D A5F2 9E64 38C8 1707 2058</ti> |
+<ti>Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key)</ti> |
+<ti>Used for releases 2004.2-2008.0</ti> |
+</tr> |
+ |
+<tr> |
+<ti>0x2D182910</ti> |
+<ti>4096-bit RSA</ti> |
+<ti>13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910</ti> |
+<ti>Gentoo Linux Release Engineering (Automated Weekly Release Key)</ti> |
+<ti>Used for automated weekly releases.</ti> |
+</tr> |
+ |
+</table> |
+ |
+</body> |
+</section> |
+</extrachapter> |
+ |
+<extrachapter> |
<title>Latest release</title> |
|
<section> |
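
Review bot: The three <pre> steps never ask the reader to check the fetched key against the Key Fingerprint column: "Obtaining the public key" fetches by <key id> from a keyserver, and the table lists 32-bit IDs such as 0x239C75C4, which do not uniquely identify a key. Suggest adding a step between "Obtaining the public key" and "Verify the cryptographic signature" that runs gpg --fingerprint <key id> and tells the reader to compare the output with the table, so that a successful gpg --verify is tied to one of the listed keys rather than to whatever key the keyserver returned for that ID. It would also help to say that the sha1sum -c result only counts once the signature check on the DIGESTS file has passed, since the note calls verification a two-step process but the steps are not marked as dependent on each other.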