| 1 |
On Thu, 25 Apr 2019 11:30:27 -0400 |
| 2 |
Alec Warner <antarus@g.o> wrote: |
| 3 |
|
| 4 |
> > Seeing as separating the primary and the signing key has been part of |
| 5 |
> > OpenPGP best practices for a long, long time, I have got highly mixed |
| 6 |
> > feelings about this statement. On the one hand, it is not reasonable to |
| 7 |
> > expect someone with no or minimal prior knowledge of OpenPGP to master |
| 8 |
> > it overnight. On the other, we are not just some random people from Teh |
| 9 |
> > Intarwebz and we *have* been using OpenPGP signatures on commits for |
| 10 |
> > quite a while now. |
| 11 |
> > |
| 12 |
> |
| 13 |
> This is untrue though; we *are* random people from teh interwebs. |
| 14 |
> |
| 15 |
> I store my primary key on my desktop. |
| 16 |
> I don't have copies of my primary key. |
| 17 |
> My primary key is protected by a passphrase. |
| 18 |
> Most of the time its cached in gpg-agent, so the passphrase is easily |
| 19 |
> stealable by local attackers. |
| 20 |
> I've been a dev for like > 10 years. |
| 21 |
> |
| 22 |
> I assume that every other dev does the same. Obviously some do not (and |
| 23 |
> I've spoken to many who have better practices) but I assume |
| 24 |
> people do the lazy / easy thing and I highly recommend this assumption. If |
| 25 |
> you assume that people have your security practices, you should prepare to |
| 26 |
> be disappointed. |
| 27 |
> |
| 28 |
> Many devs have *no idea* how GPG works. |
| 29 |
> GPG is quite possibly the worst program I've even been forced to use in |
| 30 |
> terms of doing any operation, particularly around setup (hmm maybe Imation |
| 31 |
> Ironkeys were worse?) |
| 32 |
> Many devs are just following the wiki instructions and get what they get. |
| 33 |
|
| 34 |
I can sort of echo this. I believe I'm close to the recommendations now |
| 35 |
but it took me several evenings to actually wrap my head around all |
| 36 |
this and even then, I still felt very nervous setting it up and I had |
| 37 |
to rehearse it beforehand. As a professional software engineer for many |
| 38 |
years, it really shouldn't be this hard. People talk about GPG best |
| 39 |
practices but it was really difficult to find a reliable update-to-date |
| 40 |
guide and it certainly doesn't feel like best practise when you have to |
| 41 |
manually delete ~/.gnupg/private-keys-v1.d/KEYGRIP.key, where KEYGRIP |
| 42 |
is returned by the obscure --with-keygrip option. |
| 43 |
|
| 44 |
-- |
| 45 |
James Le Cuirot (chewi) |
| 46 |
Gentoo Linux Developer |
Archives