Gentoo Archives: gentoo-dev

From: James Le Cuirot <chewi@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Best way to create a GLEP 63 compliant GPG key on Nitrocard?
Date: Thu, 25 Apr 2019 20:34:34
In Reply to: Re: [gentoo-dev] Best way to create a GLEP 63 compliant GPG key on Nitrocard? by Alec Warner
1 On Thu, 25 Apr 2019 11:30:27 -0400
2 Alec Warner <antarus@g.o> wrote:
4 > > Seeing as separating the primary and the signing key has been part of
5 > > OpenPGP best practices for a long, long time, I have got highly mixed
6 > > feelings about this statement. On the one hand, it is not reasonable to
7 > > expect someone with no or minimal prior knowledge of OpenPGP to master
8 > > it overnight. On the other, we are not just some random people from Teh
9 > > Intarwebz and we *have* been using OpenPGP signatures on commits for
10 > > quite a while now.
11 > >
12 >
13 > This is untrue though; we *are* random people from teh interwebs.
14 >
15 > I store my primary key on my desktop.
16 > I don't have copies of my primary key.
17 > My primary key is protected by a passphrase.
18 > Most of the time its cached in gpg-agent, so the passphrase is easily
19 > stealable by local attackers.
20 > I've been a dev for like > 10 years.
21 >
22 > I assume that every other dev does the same. Obviously some do not (and
23 > I've spoken to many who have better practices) but I assume
24 > people do the lazy / easy thing and I highly recommend this assumption. If
25 > you assume that people have your security practices, you should prepare to
26 > be disappointed.
27 >
28 > Many devs have *no idea* how GPG works.
29 > GPG is quite possibly the worst program I've even been forced to use in
30 > terms of doing any operation, particularly around setup (hmm maybe Imation
31 > Ironkeys were worse?)
32 > Many devs are just following the wiki instructions and get what they get.
34 I can sort of echo this. I believe I'm close to the recommendations now
35 but it took me several evenings to actually wrap my head around all
36 this and even then, I still felt very nervous setting it up and I had
37 to rehearse it beforehand. As a professional software engineer for many
38 years, it really shouldn't be this hard. People talk about GPG best
39 practices but it was really difficult to find a reliable update-to-date
40 guide and it certainly doesn't feel like best practise when you have to
41 manually delete ~/.gnupg/private-keys-v1.d/KEYGRIP.key, where KEYGRIP
42 is returned by the obscure --with-keygrip option.
44 --
45 James Le Cuirot (chewi)
46 Gentoo Linux Developer