1 |
Thanks for the partial response Luis. |
2 |
|
3 |
On Wed, Feb 27, 2013 at 04:12:14PM +0100, Luis Ressel wrote: |
4 |
> On Tue, 26 Feb 2013 17:10:56 +0700 (NOVT) |
5 |
> grozin@g.o wrote: |
6 |
> |
7 |
> > Hello *, |
8 |
> > I am stuck and have many questions. |
9 |
|
10 |
New addition to the instructions: |
11 |
0. Copy /usr/share/gnupg/gpg-conf.skel to ~/.gnupg/gpg.conf, append the |
12 |
block given in my email. |
13 |
TODO: The upstream skeleton config file has improved over the years, |
14 |
it would be useful for all users to get updates to it, but etc-update |
15 |
only works for /etc, since this is deployed per-user. Suggestions |
16 |
welcome on getting users to do this. |
17 |
|
18 |
> > [In the process of becoming a dev, I've generated a gpg key, of course. It vwas on an old notebook. When I switched to a newer notebook, I forgot to copy it, because I don't use gpg regularly. No risk that it became known - the disk was re-partitioned and re-formatted. Probably, that key has expired anyway.] |
19 |
> > 1. So, I start |
20 |
> > gpg --gen-key |
21 |
> > It creates ~/.gnupg/ and some files in it. Should I press ctrl-C, then edit ~/.gnupg/gpg.conf, and then re-start gpg --gen-key? Or editing gpg.conf can be done later? |
22 |
> Editing the conf should be done first, some of the preferences (e.g. |
23 |
> personal-digest-preference and cert-digest-algo) affect the creation of |
24 |
> keys. |
25 |
See step 0 above, and do gen-key AFTER that. |
26 |
|
27 |
> > 3. Now I do |
28 |
> > gpg --edit-key 0x<16_hex_digits_1> |
29 |
> > addkey |
30 |
> > Then I choose |
31 |
> > (4) RSA (sign only) |
32 |
> > right? Then I choose 4096, 1y, y, y, save. Now |
33 |
> > gpg --list-keys |
34 |
> > gives |
35 |
> > /home/<username>/.gnupg/pubring.gpg |
36 |
> > ------------------------------- |
37 |
> > pub 4096R/0x<16_hex_digits_1> 2013-02-26 [expires: 2016-02-26] |
38 |
> > uid [ultimate] <my_name> <my_gentoo_email_address> |
39 |
> > sub 4096R/0x<16_hex_digits_2> 2013-02-26 [expires: 2016-02-26] |
40 |
> > sub 4096R/0x<16_hex_digits_3> 2013-02-26 [expires: 2014-02-26] |
41 |
> > 4. I do |
42 |
> > gpg --output revoke.asc --gen-revoke 0x<16_hex_digits_1> |
43 |
> > and choose 1. |
44 |
> That's all correct. |
45 |
Make sure to put that revoke.asc file in a secure place, and REMOVE the |
46 |
unprotected copy from your system. It has NO encryption on that file, by |
47 |
design. |
48 |
|
49 |
> > > 6. Encrypted backup of your secret keys. |
50 |
> > I don't understand this. |
51 |
> |
52 |
> It'd make sense to have an backup of your keys (~/.gnupg/secring.gpg) |
53 |
> stored in a safe place, just as with everything else... If you want, |
54 |
> you can protect it by another layer of encryption, but it's not that |
55 |
> important, because the keys are already protected by your passphrase. |
56 |
|
57 |
Yes, your normal keys are protected by your passphrase. |
58 |
If you have additional SEPARATE keys that might not have passphrases (eg |
59 |
for automation purposes), having them encrypted on your backup media is |
60 |
a good idea. |
61 |
|
62 |
If you don't have any other keys like that, I've attached a backup |
63 |
script for you to use (originally written because some versions ago |
64 |
there was a gnupg locking bug, and it would occasionally |
65 |
corrupt/overwrite my public keyring). |
66 |
|
67 |
> > > 7. In your gpg.conf: |
68 |
> > > # include an unambiguous indicator of which key made a signature: |
69 |
> > > # (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234) |
70 |
> > > sig-notation issuer-fpr@×××××××××××××××××××××××××××××××.net=%g |
71 |
> > I don't understand this. |
72 |
> Neither do I (I know what it does, but I don't see what it's good for) – |
73 |
> just leave it out, it's not necessary. |
74 |
Here's the origin of this: |
75 |
http://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html |
76 |
Basically, just like the rest of the expansion to use full length |
77 |
keyids to avoid collision attacks, this does the same for |
78 |
certifications. |
79 |
|
80 |
> > 5. I do |
81 |
> > gpg --keyserver subkeys.pgp.net --send-key 0x<16_hex_digits_1> |
82 |
> > 6. On dev.gentoo.org, I am supposed to do |
83 |
> > perl_ldap -b user -M gpgkey <gpg-id> <user> |
84 |
> > perl_ldap -b user -M gpgfingerprint <gpg-fingerprint> <user> |
85 |
> > Is <gpg-id> 0x<16_hex_digits_1>? Or 0x<16_hex_digits_3>? What is <gpg-fingerprint> and how do I get it? Is <user> my username on dev.gentoo.org? |
86 |
> > What's even more important, perl_ldap asks my ldap password. I suppose I haven't got one. My usual Gentoo password (used in bugzilla, forums) does not work. How do I get an ldap password? |
87 |
> I can't help you with that, as I don't have access to any gentoo |
88 |
> infrastructure. But IIRC, that's the password you once set on d.g.o |
89 |
> with passwd. |
90 |
Your recruiter should have pointed you to your LDAP password when you |
91 |
become a developer for new developers. In case of old developers, this |
92 |
wasn't reliable followed, and/or gets lost. Please contact infra or |
93 |
the devrel leads to get your LDAP password reset. |
94 |
|
95 |
'<user>' is your Gentoo developer username. Be careful to NOT |
96 |
replace the '-b user' part, that selects 'user' mode for the tool. |
97 |
|
98 |
> > 7. If I'll ever complete all the above, I'll add sign to FEATURES in /etc/portage/make.conf, and |
99 |
> > PORTAGE_GPG_DIR="/home/<username>/.gnupg" |
100 |
> > and also |
101 |
> > PORTAGE_GPG_KEY="0x<16_hex_digits_3>!" |
102 |
> > Is this correct? Is it <16_hex_digits_3>, and not, say, <16_hex_digits_1>? Should I add ! at the end, as suggested by mgorny? |
103 |
> 16_hex_digits_3 (the one you added later via addkey) is the correct |
104 |
> one. And adding a ! is absolutely necessary. |
105 |
:-) |
106 |
|
107 |
> > During the time I'm reading all these instructions, I could bump 10 |
108 |
> > packages. Very complicated for a person who does not use gpg and |
109 |
> > knows next to nothing about it. |
110 |
> Security can be hard to grasp at times. Sadly... |
111 |
But THANK YOU for writing up your email, it's great to have somebody |
112 |
with no experience try the instructions, and help us figure out where |
113 |
they need to improve. |
114 |
|
115 |
-- |
116 |
Robin Hugh Johnson |
117 |
Gentoo Linux: Developer, Trustee & Infrastructure Lead |
118 |
E-Mail : robbat2@g.o |
119 |
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 |