On Wed, Feb 27, 2013 at 11:04 AM, Robin H. Johnson <robbat2@g.o> wrote:
> Thanks for the partial response Luis.
>
> On Wed, Feb 27, 2013 at 04:12:14PM +0100, Luis Ressel wrote:
>> On Tue, 26 Feb 2013 17:10:56 +0700 (NOVT)
>> grozin@g.o wrote:
>>
>> > Hello *,
>> > I am stuck and have many questions.
>
> New addition to the instructions:
> 0. Copy /usr/share/gnupg/gpg-conf.skel to ~/.gnupg/gpg.conf, append the
> block given in my email.
> TODO: The upstream skeleton config file has improved over the years,
> it would be useful for all users to get updates to it, but etc-update
> only works for /etc, since this is deployed per-user. Suggestions
> welcome on getting users to do this.
>
>> > [In the process of becoming a dev, I've generated a gpg key, of course. It was on an old notebook. When I switched to a newer notebook, I forgot to copy it, because I don't use gpg regularly. No risk that it became known - the disk was re-partitioned and re-formatted. Probably, that key has expired anyway.]
>> > 1. So, I start
>> > gpg --gen-key
>> > It creates ~/.gnupg/ and some files in it. Should I press ctrl-C, then edit ~/.gnupg/gpg.conf, and then re-start gpg --gen-key? Or can editing gpg.conf be done later?
>> Editing the conf should be done first, some of the preferences (e.g.
>> personal-digest-preferences and cert-digest-algo) affect the creation of
>> keys.
> See step 0 above, and do gen-key AFTER that.
>
>> > 3. Now I do
>> > gpg --edit-key 0x<16_hex_digits_1>
>> > addkey
>> > Then I choose
>> > (4) RSA (sign only)
>> > right? Then I choose 4096, 1y, y, y, save. Now
>> > gpg --list-keys
>> > gives
>> > /home/<username>/.gnupg/pubring.gpg
>> > -------------------------------
>> > pub 4096R/0x<16_hex_digits_1> 2013-02-26 [expires: 2016-02-26]
>> > uid [ultimate] <my_name> <my_gentoo_email_address>
>> > sub 4096R/0x<16_hex_digits_2> 2013-02-26 [expires: 2016-02-26]
>> > sub 4096R/0x<16_hex_digits_3> 2013-02-26 [expires: 2014-02-26]
>> > 4. I do
>> > gpg --output revoke.asc --gen-revoke 0x<16_hex_digits_1>
>> > and choose 1.
>> That's all correct.
> Make sure to put that revoke.asc file in a secure place, and REMOVE the
> unprotected copy from your system. It has NO encryption on that file, by
> design.
>
>> > > 6. Encrypted backup of your secret keys.
>> > I don't understand this.
>>
>> It'd make sense to have a backup of your keys (~/.gnupg/secring.gpg)
>> stored in a safe place, just as with everything else... If you want,
>> you can protect it by another layer of encryption, but it's not that
>> important, because the keys are already protected by your passphrase.
>
> Yes, your normal keys are protected by your passphrase.
> If you have additional SEPARATE keys that might not have passphrases (eg
> for automation purposes), having them encrypted on your backup media is
> a good idea.
>
> If you don't have any other keys like that, I've attached a backup
> script for you to use (originally written because some versions ago
> there was a gnupg locking bug, and it would occasionally
> corrupt/overwrite my public keyring).
>
>> > > 7. In your gpg.conf:
>> > > # include an unambiguous indicator of which key made a signature:
>> > > # (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
>> > > sig-notation issuer-fpr@×××××××××××××××××××××××××××××××.net=%g
>> > I don't understand this.
>> Neither do I (I know what it does, but I don't see what it's good for) –
>> just leave it out, it's not necessary.
> Here's the origin of this:
> http://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html
> Basically, just like the rest of the expansion to use full length
> keyids to avoid collision attacks, this does the same for
> certifications.
>
>> > 5. I do
>> > gpg --keyserver subkeys.pgp.net --send-key 0x<16_hex_digits_1>
>> > 6. On dev.gentoo.org, I am supposed to do
>> > perl_ldap -b user -M gpgkey <gpg-id> <user>
>> > perl_ldap -b user -M gpgfingerprint <gpg-fingerprint> <user>
>> > Is <gpg-id> 0x<16_hex_digits_1>? Or 0x<16_hex_digits_3>? What is <gpg-fingerprint> and how do I get it? Is <user> my username on dev.gentoo.org?
>> > What's even more important, perl_ldap asks for my ldap password. I suppose I haven't got one. My usual Gentoo password (used in bugzilla, forums) does not work. How do I get an ldap password?
>> I can't help you with that, as I don't have access to any gentoo
>> infrastructure. But IIRC, that's the password you once set on d.g.o
>> with passwd.
> Your recruiter should have pointed you to your LDAP password when you
> became a developer (for new developers). In the case of old developers, this
> wasn't reliably followed, and/or gets lost. Please contact infra or
> the devrel leads to get your LDAP password reset.
>
> '<user>' is your Gentoo developer username. Be careful to NOT
> replace the '-b user' part, that selects 'user' mode for the tool.

FYI: I patched perl_ldap so this doesn't happen, as it was a very
common mistake.

-A

>
>> > 7. If I ever complete all the above, I'll add sign to FEATURES in /etc/portage/make.conf, and
>> > PORTAGE_GPG_DIR="/home/<username>/.gnupg"
>> > and also
>> > PORTAGE_GPG_KEY="0x<16_hex_digits_3>!"
>> > Is this correct? Is it <16_hex_digits_3>, and not, say, <16_hex_digits_1>? Should I add ! at the end, as suggested by mgorny?
>> 16_hex_digits_3 (the one you added later via addkey) is the correct
>> one. And adding a ! is absolutely necessary.
> :-)
>
>> > During the time I'm reading all these instructions, I could bump 10
>> > packages. Very complicated for a person who does not use gpg and
>> > knows next to nothing about it.
>> Security can be hard to grasp at times. Sadly...
> But THANK YOU for writing up your email, it's great to have somebody
> with no experience try the instructions, and help us figure out where
> they need to improve.
>
> --
> Robin Hugh Johnson
> Gentoo Linux: Developer, Trustee & Infrastructure Lead
> E-Mail : robbat2@g.o
> GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
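As an added example (not from the thread and not a Gentoo tool), the following Python script reads the machine-readable `gpg --list-keys --with-colons --with-fingerprint` output for a key laid out like the one above and derives the PORTAGE_GPG_KEY value: it picks the sign-only subkey by its capability flags instead of by position and appends the `!` that Luis says is required, and it also exposes the primary key's 40-hex fingerprint (the value `gpg --fingerprint` prints). The key IDs and fingerprints in the embedded sample listing are constructed for this example.

```python
from typing import Dict, Optional

# Constructed sample of `gpg --list-keys --with-colons --with-fingerprint`
# for a primary key (certify+sign), an encryption subkey and a sign-only
# subkey added later via addkey. Key IDs and fingerprints are made up.
SAMPLE_LISTING = """\
pub:u:4096:1:AAAA000011112222:1361836800:1456531200::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567AAAA000011112222:
uid:u::::1361836800::DEADBEEF::Jane Developer <jane@gentoo.org>::::::::::0:
sub:u:4096:1:BBBB333344445555:1361836800:1456531200:::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA98BBBB333344445555:
sub:u:4096:1:CCCC666677778888:1361836800:1393372800:::::s::::::23:
fpr:::::::::1122334455667788990011AACCCC666677778888:
"""


def parse_listing(text: str) -> Dict:
    """Parse colon-format output into the primary key and its subkeys.
    Field 5 is the 16-hex key ID, field 12 the capability letters
    (s=sign, e=encrypt, c=certify, a=auth); an fpr record follows the key
    it belongs to and carries the 40-hex fingerprint in field 10."""
    key: Dict = {"primary": None, "subkeys": []}
    current: Optional[Dict] = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            current = {"keyid": f[4], "caps": f[11], "expires": f[6], "fpr": None}
            if f[0] == "pub":
                key["primary"] = current
            else:
                key["subkeys"].append(current)
        elif f[0] == "fpr" and current is not None:
            current["fpr"] = f[9]
    return key


def signing_subkey(key: Dict) -> Optional[Dict]:
    """Pick the sign-only subkey (the one created with 'RSA (sign only)')."""
    for sk in key["subkeys"]:
        if "s" in sk["caps"] and "e" not in sk["caps"]:
            return sk
    return None


def portage_gpg_key(key: Dict) -> str:
    """Build the PORTAGE_GPG_KEY value. The trailing '!' tells gpg to use
    exactly this subkey instead of choosing a signing key itself."""
    sk = signing_subkey(key)
    if sk is None:
        raise ValueError("no sign-only subkey found; run addkey first")
    return "0x" + sk["keyid"] + "!"
```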