On Mon, 2013-11-11 at 00:01 +0000, Robin H. Johnson wrote:
> Gentoo LDAP:
> ============
> All developers must list the complete GPG fingerprint for their root
> keys in the "gpgfingerprint" LDAP field.
>
> It should be exactly 40 hex digits, uppercase, with optional spaces
> every 8 hex digits. Regular expression for validation: ^[[:xdigit:]]{8}(
> ?[[:xdigit:]]{8}){4}$
>

The problem I can see happening allowing the optional spaces is that
currently the fingerprint field is a space separated list of
fingerprints. In the ldap-seeds code used to generate the
developer.seeds file, I am splitting that field data on the spaces to
get a python list of individual fingerprints. There are developers that
have 2 fingerprints listed. If spaces are to be allowed in the
fingerprint then we will need to use and enforce a different separator
to divide the fingerprints. Currently in gentoo-keys I use the ":" as a
separator in the gpgkey and fingerprint fields of the seed file. A "|"
is used to separate the fields of the seed info.


> The prior "gpgkey" field will be removed, as it is a subset of the
> fingerprint field. In any place that presently displays the gpgkey
> field, the last 16 hex digits of the fingerprint should be displayed
> instead.
>

++

Currently running some checks on the gpgkey and fingerprint fields,
there are many developers with errors. Some have 2 gpgkeys listed, but
only 1 fingerprint; for some the gpgkey does not match the fingerprint. One
dev's fingerprint is only 39 chars in length. Please check if yours has
errors and correct them. See below for the links.

Eliminating the gpgkey field in ldap will reduce the chance for
errors, and it is redundant data anyway. I will later establish a policy &
code to test the developer.seeds file to look for errors in installing
the keys before it is pushed to the server for public download. I
already have code to install the complete set of developer seeds, but
need to add/tweak the code to log the errors correctly.

For the current file of the valid developer seeds:

http://dev.gentoo.org/~dolsen/developer.seeds

Record entries are 1 dev per line.
Fields are ['nick', 'name', 'keyid', 'longkeyid', 'keydir', 'fingerprint']

For the latest log of the seed file generation run which lists the
errors found:

http://dev.gentoo.org/~dolsen/gkeyldap-latest.log


P.S. If any python coders are interested in helping, please contact
me :)

> Tools:
> ======
> We have most of the key-tracking in progress in the gentoo-keys project
> [#GENTOOKEYS]_.
>
> This toolset should also include easy-to-use tools for developers to generate
> new keys [#TOOLSET]_ (using the recommendations) and update expiry dates.
>
> This tool should generate a final user-formatted keyring, to be hosted on the
> Gentoo API site.
>
> Backwards Compatibility:
> ========================
> There is no consistent standard for GPG usage in Gentoo to date.
> There is conflicting information in the Devmanual [#DEVMANUAL-MANIFEST]_
> and the GnuPG Gentoo user guide [#GNUPG-USER]_. As there is little
> enforcement of Manifest signing and very little commit signing to date,
> there are no backwards compatibility concerns.
>
> External documentation:
> =======================
> Much of the above was driven by the following:
> - NIST SP 800-57 recommendations [#NIST-SP800-57-1]_,
> [#NIST-SP800-57-2]_
> - Debian GPG documentation [#DEBIANGPG]_
> - RiseUp.net OpenPGP best practices [#RISEUP]_
>
> References:
> ===========
> .. [#GENTOOKEYS] Gentoo Keys project
> (http://git.overlays.gentoo.org/gitweb/?p=proj/gentoo-keys.git)
> .. [#TOOLSET] http://thread.gmane.org/gmane.linux.gentoo.devel/83996/focus=84220
> .. [#NIST-SP800-57-1] NIST SP 800-57: Recommendation for Key Management: Part 1: General (Revision 3)
> (http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf)
> .. [#NIST-SP800-57-2] NIST SP 800-57: Recommendation for Key Management: Part 2: Best Practices for Key Management Organization
> (http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part2.pdf)
> .. [#EKAIA] Ana's blog: Creating a new GPG key
> (http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/)
> .. [#DEBIANGPG] Debian GPG documentation
> (https://wiki.debian.org/Keysigning)
> .. [#RISEUP] RiseUp.net OpenPGP best practices
> (https://we.riseup.net/riseuplabs+paow/openpgp-best-practices)
> .. [#DEVMANUAL-MANIFEST] Gentoo Development Guide: Manifest
> (http://devmanual.gentoo.org/general-concepts/manifest/index.html)
> .. [#GNUPG-USER] GnuPG Gentoo User Guide
> (http://www.gentoo.org/doc/en/gnupg-user.xml)
>

--
Brian Dolbec <dolsen@g.o>
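As an added example, not code from either message nor from the gentoo-keys project, the Python below validates the fingerprint format proposed in the quoted GLEP text (40 uppercase hex digits, optional space every 8), derives the long key ID as the last 16 digits, and runs the consistency checks the reply describes (key-ID count versus fingerprint count, key ID not matching any fingerprint, a 39-digit fingerprint) over constructed developer.seeds lines in the field order the mail gives, with "|" between fields and ":" between multiple values. The record names, key material and the use of ":" inside the keyid and longkeyid fields (the mail only names the gpgkey and fingerprint fields) are assumptions of this example.

```python
import re

# Format from the quoted GLEP text: 40 hex digits, uppercase, with an
# optional single space after every 8 digits. Python's re has no POSIX
# [[:xdigit:]] class, and the text requires uppercase, so [0-9A-F] is used.
FINGERPRINT_RE = re.compile(r'^[0-9A-F]{8}( ?[0-9A-F]{8}){4}$')

# Field order of developer.seeds as given in the mail; "|" separates fields.
SEED_FIELDS = ['nick', 'name', 'keyid', 'longkeyid', 'keydir', 'fingerprint']
# Fields that may hold several values joined with ":". The mail names this
# separator for the gpgkey and fingerprint fields; applying it to keyid and
# longkeyid as well is an assumption of this example.
MULTI_VALUE_FIELDS = ('keyid', 'longkeyid', 'fingerprint')


def validate_fingerprint(fpr):
    """True if fpr is in the proposed LDAP format (spaces optional)."""
    return FINGERPRINT_RE.match(fpr) is not None


def normalize_fingerprint(fpr):
    """Return the 40 contiguous hex digits; ValueError if the format is wrong."""
    if not validate_fingerprint(fpr):
        raise ValueError('bad fingerprint: %r' % fpr)
    return fpr.replace(' ', '')


def longkeyid_from_fingerprint(fpr):
    """The long key ID is the last 16 hex digits of the fingerprint."""
    return normalize_fingerprint(fpr)[-16:]


def split_multi(field):
    """Split a ':'-separated field. Splitting on whitespace instead would
    break fingerprints that carry the optional spaces."""
    return [v.strip() for v in field.split(':') if v.strip()]


def parse_seed_line(line):
    """Turn one seed-file line into a dict keyed by SEED_FIELDS."""
    parts = line.rstrip('\n').split('|')
    if len(parts) != len(SEED_FIELDS):
        raise ValueError('expected %d fields, got %d: %r'
                         % (len(SEED_FIELDS), len(parts), line))
    record = dict(zip(SEED_FIELDS, parts))
    for name in MULTI_VALUE_FIELDS:
        record[name] = split_multi(record[name])
    return record


def check_record(record):
    """Return a list of error strings for one developer record, covering the
    error classes named in the mail: a fingerprint of the wrong length or
    format, a key-ID count that differs from the fingerprint count, and key
    IDs that are not a suffix of any listed fingerprint."""
    errors = []
    valid = []
    for fpr in record['fingerprint']:
        if validate_fingerprint(fpr):
            valid.append(normalize_fingerprint(fpr))
        else:
            errors.append('fingerprint %r is not 40 uppercase hex digits (has %d)'
                          % (fpr, len(fpr.replace(' ', ''))))
    if len(record['keyid']) != len(record['fingerprint']):
        errors.append('%d keyid(s) listed but %d fingerprint(s)'
                      % (len(record['keyid']), len(record['fingerprint'])))
    for kid in record['keyid'] + record['longkeyid']:
        k = kid.upper()
        if k.startswith('0X'):
            k = k[2:]
        # A short (8) or long (16) key ID must end some valid fingerprint.
        if not any(f.endswith(k) for f in valid):
            errors.append('key id %s does not match any listed fingerprint' % kid)
    return errors


def check_seed_text(text):
    """Check every non-blank, non-comment line; returns {nick: [errors]}."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        record = parse_seed_line(line)
        report[record['nick']] = check_record(record)
    return report


# Constructed sample records (not real developers or keys): alice is clean,
# bob lists two key IDs for one fingerprint (one of them matches nothing),
# carol's fingerprint is only 39 hex digits long.
SAMPLE_SEEDS = """\
alice|Alice Example|01234567|89ABCDEF01234567|alice|01234567 89ABCDEF 01234567 89ABCDEF 01234567
bob|Bob Example|FEDCBA98:01234567|89ABCDEF01234567|bob|0123456789ABCDEF0123456789ABCDEF01234567
carol|Carol Example|3456789A|23456789ABCDEF01|carol|ABCDEF0123456789ABCDEF0123456789ABCDEF0
"""

if __name__ == '__main__':
    for nick, errors in sorted(check_seed_text(SAMPLE_SEEDS).items()):
        print('%s: %s' % (nick, 'OK' if not errors else '; '.join(errors)))
```

Running the block prints one line per record; feeding it a real developer.seeds file is a matter of passing the file contents to check_seed_text, and a non-empty error list for any nick is the condition under which a generation run should refuse to publish the file.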