Gentoo Archives: gentoo-dev

From: "Michał Górny" <mgorny@g.o>
To: gentoo-dev@l.g.o
Cc: robbat2@g.o, "Michał Górny" <mgorny@g.o>
Subject: [gentoo-dev] [PATCH v5 14/16] glep-0063: Remove gpg.conf bits
Date: Sun, 08 Jul 2018 18:45:00
Message-Id: 20180708183902.30367-15-mgorny@gentoo.org
In Reply to: [gentoo-dev] [PATCH v5 00/16] GLEP 63, once again by "Michał Górny"
1 Remove the gpg.conf bits from recommended and minimal specification.
2 Apparently they are seriously obsolete and worse than the modern
3 defaults. While at it, editorial corrections to 'SHA2' bit.
4
5 Requested-by: Richard Yao <ryao@g.o>
6 ---
7 glep-0063.rst | 60 ++++++++-------------------------------------------
8 1 file changed, 9 insertions(+), 51 deletions(-)
9
10 diff --git a/glep-0063.rst b/glep-0063.rst
11 index 37b1f4d..84d87d2 100644
12 --- a/glep-0063.rst
13 +++ b/glep-0063.rst
14 @@ -42,6 +42,9 @@ v2
15 The ``gpgfingerprint`` LDAP field has been altered to remove optional
16 whitespace.
17
18 + The ``gpg.conf`` contents have been removed as they were seriously
19 + outdated and decreased security over the modern defaults.
20 +
21 v1.1
22 The recommended RSA key size has been changed from 4096 bits
23 to 2048 bits to match the GnuPG recommendations [#GNUPG-FAQ-11-4]_.
24 @@ -73,10 +76,8 @@ This section specifies obligatory requirements for all OpenPGP keys used
25 to commit to Gentoo. Keys that do not conform to those requirements can
26 not be used to commit.
27
28 -1. SHA2-series output digest (SHA1 digests internally permitted),
29 - 256bit or more::
30 -
31 - personal-digest-preferences SHA256
32 +1. SHA-2 series output digest (SHA-1 digests internally permitted),
33 + at least 256-bit.
34
35 2. Signing subkey that is different from the primary key, and does not
36 have any other capabilities enabled
37 @@ -102,58 +103,15 @@ The developers should follow those practices unless there is a strong
38 technical reason not to (e.g. hardware limitations, necessity of replacing
39 their primary key).
40
41 -1. Copy ``/usr/share/gnupg/gpg-conf.skel`` to ``~/.gnupg/gpg.conf``, append
42 - the following block::
43 -
44 - keyserver pool.sks-keyservers.net
45 -
46 - emit-version
47 -
48 - default-recipient-self
49 -
50 - # -- All of the below portion from the RiseUp.net OpenPGP best practices, and
51 - # -- many of them are also in the Debian GPG documentation.
52 -
53 - # when outputting certificates, view user IDs distinctly from keys:
54 - fixed-list-mode
55 -
56 - # long keyids are more collision-resistant than short keyids (it's trivial to make a key
57 - # with any desired short keyid)
58 - # NOTE: this breaks kmail gnupg support!
59 - keyid-format 0xlong
60 -
61 - # when multiple digests are supported by all recipients, choose the strongest one:
62 - personal-digest-preferences SHA512 SHA384 SHA256 SHA224
63 -
64 - # preferences chosen for new keys should prioritize stronger algorithms:
65 - default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
66 -
67 - # If you use a graphical environment (and even if you don't) you should be using an agent:
68 - # (similar arguments as https://www.debian-administration.org/users/dkg/weblog/64)
69 - use-agent
70 -
71 - # You should always know at a glance which User IDs gpg thinks are legitimately bound to
72 - # the keys in your keyring:
73 - verify-options show-uid-validity
74 - list-options show-uid-validity
75 -
76 - # include an unambiguous indicator of which key made a signature:
77 - # (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
78 - # (and http://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html)
79 - sig-notation issuer-fpr@×××××××××××××××××××××××××××××××.net=%g
80 -
81 - # when making an OpenPGP certification, use a stronger digest than the default SHA1:
82 - cert-digest-algo SHA256
83 -
84 -2. Primary key and the signing subkey are both of type RSA, 2048 bits
85 +1. Primary key and the signing subkey are both of type RSA, 2048 bits
86 (OpenPGP v4 key format or later)
87
88 -3. Key expiration renewed annually to a fixed day of the year
89 +2. Key expiration renewed annually to a fixed day of the year
90
91 -4. Create a revocation certificate & store it hardcopy offsite securely
92 +3. Create a revocation certificate & store it hardcopy offsite securely
93 (it's about ~300 bytes).
94
95 -5. Encrypted backup of your secret keys.
96 +4. Encrypted backup of your secret keys.
97
98 Gentoo LDAP
99 ===========
100 --
101 2.18.0