On Thu, 25 Apr 2019 11:30:27 -0400
Alec Warner <antarus@g.o> wrote:

> > Seeing as separating the primary and the signing key has been part of
> > OpenPGP best practices for a long, long time, I have got highly mixed
> > feelings about this statement. On the one hand, it is not reasonable to
> > expect someone with no or minimal prior knowledge of OpenPGP to master
> > it overnight. On the other, we are not just some random people from Teh
> > Intarwebz and we *have* been using OpenPGP signatures on commits for
> > quite a while now.
> >
>
> This is untrue though; we *are* random people from teh interwebs.
>
> I store my primary key on my desktop.
> I don't have copies of my primary key.
> My primary key is protected by a passphrase.
> Most of the time it's cached in gpg-agent, so the passphrase is easily
> stealable by local attackers.
> I've been a dev for like > 10 years.
>
> I assume that every other dev does the same. Obviously some do not (and
> I've spoken to many who have better practices) but I assume
> people do the lazy / easy thing and I highly recommend this assumption. If
> you assume that people have your security practices, you should prepare to
> be disappointed.
>
> Many devs have *no idea* how GPG works.
> GPG is quite possibly the worst program I've ever been forced to use in
> terms of doing any operation, particularly around setup (hmm maybe Imation
> Ironkeys were worse?)
> Many devs are just following the wiki instructions and get what they get.

I can sort of echo this. I believe I'm close to the recommendations now
but it took me several evenings to actually wrap my head around all
this and even then, I still felt very nervous setting it up and I had
to rehearse it beforehand. As a professional software engineer for many
years, it really shouldn't be this hard. People talk about GPG best
practices but it was really difficult to find a reliable up-to-date
guide and it certainly doesn't feel like best practice when you have to
manually delete ~/.gnupg/private-keys-v1.d/KEYGRIP.key, where KEYGRIP
is returned by the obscure --with-keygrip option.

--
James Le Cuirot (chewi)
Gentoo Linux Developer
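The step James describes at the end, taking the primary secret key offline by removing its keygrip file while the signing subkey stays in the keyring, as an added shell example that is not part of the thread. It parses the machine-readable `--with-colons --with-keygrip` listing rather than the human-readable one; the sample listing, fingerprints, keygrips, paths and the `demote_primary`/`primary_keygrip` function names are constructed for this example, and the key file is moved aside rather than deleted so it can be compared with the offline backup first.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): find the keygrip of the
# primary secret key in `gpg --with-colons --with-keygrip --list-secret-keys`
# output and move its file out of ~/.gnupg/private-keys-v1.d/, leaving only
# the subkeys online. Sample listing, keygrips and paths are constructed.

# Print the keygrip of the primary key: the first "grp" record that follows a
# "sec" record. Field 10 of a grp record carries the keygrip.
primary_keygrip() {
    awk -F: '
        $1 == "sec" { in_primary = 1; next }
        $1 == "ssb" { in_primary = 0 }
        in_primary && $1 == "grp" { print $10; exit }
    '
}

# Move the primary key file aside instead of deleting it outright, so it can
# be checked against the offline backup before it is removed for good.
# $1 = keygrip, $2 = GnuPG home (defaults to ~/.gnupg), $3 = backup directory
demote_primary() {
    keygrip=$1
    gnupghome=${2:-"$HOME/.gnupg"}
    backup=$3
    keyfile="$gnupghome/private-keys-v1.d/$keygrip.key"
    [ -f "$keyfile" ] || { echo "no key file for keygrip $keygrip" >&2; return 1; }
    mkdir -p "$backup" && chmod 700 "$backup"
    mv "$keyfile" "$backup/$keygrip.key"
}

# Constructed sample of --with-colons output (fingerprints and keygrips are
# placeholders, not real keys), trimmed to the records that matter here.
SAMPLE_LISTING='sec:u:4096:1:AAAAAAAAAAAAAAAA:1556000000:::u:::scESC:::+:::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1556000000::XXXX::Example Dev <dev@example.invalid>::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1556000000::::::s:::+:::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
grp:::::::::2222222222222222222222222222222222222222:'

# Exercise the parser and the demotion step against a throwaway home dir.
demo() {
    grip=$(printf '%s\n' "$SAMPLE_LISTING" | primary_keygrip)
    tmp=$(mktemp -d)
    mkdir -p "$tmp/private-keys-v1.d"
    : > "$tmp/private-keys-v1.d/$grip.key"
    : > "$tmp/private-keys-v1.d/2222222222222222222222222222222222222222.key"
    demote_primary "$grip" "$tmp" "$tmp/offline" || return 1
    # After demotion only the subkey file remains online
    [ ! -e "$tmp/private-keys-v1.d/$grip.key" ] && [ -e "$tmp/offline/$grip.key" ]
}
```

On a real keyring the parser is fed by `gpg --with-colons --with-keygrip --list-secret-keys`; afterwards `gpg --list-secret-keys` shows the primary as `sec#`, the marker GnuPG uses for a secret key that is not present.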