Gentoo Archives: gentoo-dev

From: Alec Warner <antarus@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] RFC: Gentoo GPG key policies
Date: Wed, 27 Feb 2013 20:28:06
Message-Id: CAAr7Pr9zR-ovQFk=a3pBF6HrWwzrbBP4zCmLXRZ_voafxbkFiA@mail.gmail.com
In Reply to: Re: [gentoo-dev] RFC: Gentoo GPG key policies by "Robin H. Johnson"
On Wed, Feb 27, 2013 at 11:04 AM, Robin H. Johnson <robbat2@g.o> wrote:
> Thanks for the partial response Luis.
>
> On Wed, Feb 27, 2013 at 04:12:14PM +0100, Luis Ressel wrote:
>> On Tue, 26 Feb 2013 17:10:56 +0700 (NOVT)
>> grozin@g.o wrote:
>>
>> > Hello *,
>> > I am stuck and have many questions.
>
> New addition to the instructions:
> 0. Copy /usr/share/gnupg/gpg-conf.skel to ~/.gnupg/gpg.conf, append the
> block given in my email.
> TODO: The upstream skeleton config file has improved over the years,
> it would be useful for all users to get updates to it, but etc-update
> only works for /etc, since this is deployed per-user. Suggestions
> welcome on getting users to do this.
>
>> > [In the process of becoming a dev, I've generated a gpg key, of course. It was on an old notebook. When I switched to a newer notebook, I forgot to copy it, because I don't use gpg regularly. No risk that it became known - the disk was re-partitioned and re-formatted. Probably, that key has expired anyway.]
>> > 1. So, I start
>> > gpg --gen-key
>> > It creates ~/.gnupg/ and some files in it. Should I press ctrl-C, then edit ~/.gnupg/gpg.conf, and then re-start gpg --gen-key? Or can editing gpg.conf be done later?
>> Editing the conf should be done first, some of the preferences (e.g.
>> personal-digest-preference and cert-digest-algo) affect the creation of
>> keys.
> See step 0 above, and do gen-key AFTER that.
>
>> > 3. Now I do
>> > gpg --edit-key 0x<16_hex_digits_1>
>> > addkey
>> > Then I choose
>> > (4) RSA (sign only)
>> > right? Then I choose 4096, 1y, y, y, save. Now
>> > gpg --list-keys
>> > gives
>> > /home/<username>/.gnupg/pubring.gpg
>> > -------------------------------
>> > pub 4096R/0x<16_hex_digits_1> 2013-02-26 [expires: 2016-02-26]
>> > uid [ultimate] <my_name> <my_gentoo_email_address>
>> > sub 4096R/0x<16_hex_digits_2> 2013-02-26 [expires: 2016-02-26]
>> > sub 4096R/0x<16_hex_digits_3> 2013-02-26 [expires: 2014-02-26]
>> > 4. I do
>> > gpg --output revoke.asc --gen-revoke 0x<16_hex_digits_1>
>> > and choose 1.
>> That's all correct.
> Make sure to put that revoke.asc file in a secure place, and REMOVE the
> unprotected copy from your system. It has NO encryption on that file, by
> design.
>
>> > > 6. Encrypted backup of your secret keys.
>> > I don't understand this.
>>
>> It'd make sense to have a backup of your keys (~/.gnupg/secring.gpg)
>> stored in a safe place, just as with everything else... If you want,
>> you can protect it by another layer of encryption, but it's not that
>> important, because the keys are already protected by your passphrase.
>
> Yes, your normal keys are protected by your passphrase.
> If you have additional SEPARATE keys that might not have passphrases (eg
> for automation purposes), having them encrypted on your backup media is
> a good idea.
>
> If you don't have any other keys like that, I've attached a backup
> script for you to use (originally written because some versions ago
> there was a gnupg locking bug, and it would occasionally
> corrupt/overwrite my public keyring).
>
>> > > 7. In your gpg.conf:
>> > > # include an unambiguous indicator of which key made a signature:
>> > > # (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
>> > > sig-notation issuer-fpr@×××××××××××××××××××××××××××××××.net=%g
>> > I don't understand this.
>> Neither do I (I know what it does, but I don't see what it's good for) –
>> just leave it out, it's not necessary.
> Here's the origin of this:
> http://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html
> Basically, just like the rest of the expansion to use full length
> keyids to avoid collision attacks, this does the same for
> certifications.
>
>> > 5. I do
>> > gpg --keyserver subkeys.pgp.net --send-key 0x<16_hex_digits_1>
>> > 6. On dev.gentoo.org, I am supposed to do
>> > perl_ldap -b user -M gpgkey <gpg-id> <user>
>> > perl_ldap -b user -M gpgfingerprint <gpg-fingerprint> <user>
>> > Is <gpg-id> 0x<16_hex_digits_1>? Or 0x<16_hex_digits_3>? What is <gpg-fingerprint> and how do I get it? Is <user> my username on dev.gentoo.org?
>> > What's even more important, perl_ldap asks for my ldap password. I suppose I haven't got one. My usual Gentoo password (used in bugzilla, forums) does not work. How do I get an ldap password?
>> I can't help you with that, as I don't have access to any gentoo
>> infrastructure. But IIRC, that's the password you once set on d.g.o
>> with passwd.
> Your recruiter should have pointed you to your LDAP password when you
> became a developer (for new developers). In the case of old developers, this
> wasn't reliably followed, and/or gets lost. Please contact infra or
> the devrel leads to get your LDAP password reset.
>
> '<user>' is your Gentoo developer username. Be careful to NOT
> replace the '-b user' part, that selects 'user' mode for the tool.

FYI: I patched perl_ldap so this doesn't happen, as it was a very
common mistake.

-A

>
>> > 7. If I ever complete all the above, I'll add sign to FEATURES in /etc/portage/make.conf, and
>> > PORTAGE_GPG_DIR="/home/<username>/.gnupg"
>> > and also
>> > PORTAGE_GPG_KEY="0x<16_hex_digits_3>!"
>> > Is this correct? Is it <16_hex_digits_3>, and not, say, <16_hex_digits_1>? Should I add ! at the end, as suggested by mgorny?
>> 16_hex_digits_3 (the one you added later via addkey) is the correct
>> one. And adding a ! is absolutely necessary.
> :-)
>
>> > During the time I'm reading all these instructions, I could bump 10
>> > packages. Very complicated for a person who does not use gpg and
>> > knows next to nothing about it.
>> Security can be hard to grasp at times. Sadly...
> But THANK YOU for writing up your email, it's great to have somebody
> with no experience try the instructions, and help us figure out where
> they need to improve.
>
> --
> Robin Hugh Johnson
> Gentoo Linux: Developer, Trustee & Infrastructure Lead
> E-Mail : robbat2@g.o
> GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
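As an added example (not part of this thread or of any Gentoo tooling), the following Python script checks a PORTAGE_GPG_KEY value against the layout of `gpg --list-keys` output quoted above: the key ID must be the full 16-digit form, carry the trailing `!` so gpg does not pick a subkey itself, name a subkey rather than the primary key, and not be expired. The sample listing, key IDs and function names are constructed placeholders.

```python
import re
from datetime import date

# Constructed sample of `gpg --list-keys` output, mirroring the layout quoted
# in the thread. The key IDs are placeholders, not real keys.
SAMPLE_LISTING = """\
/home/alice/.gnupg/pubring.gpg
-------------------------------
pub   4096R/0x0123456789ABCDEF 2013-02-26 [expires: 2016-02-26]
uid                  [ultimate] Alice Example <alice@example.org>
sub   4096R/0xFEDCBA9876543210 2013-02-26 [expires: 2016-02-26]
sub   4096R/0x1122334455667788 2013-02-26 [expires: 2014-02-26]
"""

# Matches the pub/sub lines; the usage flags (sign-only vs. encrypt) are not
# shown in this listing format, so only kind and expiry are recovered.
KEY_LINE = re.compile(
    r"^(?P<kind>pub|sub)\s+\d+[A-Za-z]/0x(?P<keyid>[0-9A-Fa-f]+)\s+\d{4}-\d{2}-\d{2}"
    r"(?:\s+\[expires:\s+(?P<exp>\d{4}-\d{2}-\d{2})\])?"
)


def parse_listing(text):
    """Return {KEYID: (kind, expiry date or None)} for every pub/sub line."""
    keys = {}
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            exp = m.group("exp")
            keys[m.group("keyid").upper()] = (
                m.group("kind"), date.fromisoformat(exp) if exp else None)
    return keys


def check_portage_gpg_key(setting, listing, today):
    """Validate a PORTAGE_GPG_KEY value; an empty list means no problems found."""
    problems = []
    m = re.fullmatch(r"0x([0-9A-Fa-f]+)(!?)", setting)
    if not m:
        return ["value must look like 0x<hex>! (got %r)" % setting]
    keyid, bang = m.group(1).upper(), m.group(2)
    if len(keyid) != 16:
        problems.append("use the full 16-digit key ID, not the short %d-digit form" % len(keyid))
    if not bang:
        problems.append("missing trailing '!': gpg would pick a subkey itself")
    entry = listing.get(keyid)
    if entry is None:
        problems.append("key 0x%s is not in the keyring listing" % keyid)
        return problems
    kind, exp = entry
    if kind != "sub":
        problems.append("0x%s is the primary key; point at the signing subkey instead" % keyid)
    if exp is not None and exp < today:
        problems.append("subkey expired on %s" % exp.isoformat())
    return problems
```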