| 1 |
On Mon, 2013-11-11 at 00:01 +0000, Robin H. Johnson wrote: |
| 2 |
> Gentoo LDAP: |
| 3 |
> ============ |
| 4 |
> All developers must list the complete GPG fingerprint for their root |
| 5 |
> keys in the "gpgfingerprint" LDAP field. |
| 6 |
> |
| 7 |
> It should be exactly 40 hex digits, uppercase, with optional spaces |
| 8 |
> every 8 hex digits. Regular expression for validation: ^[[:xdigit]]{8}( |
| 9 |
> ?[[:xdigit]]{8}){4}$ |
| 10 |
> |
| 11 |
|
| 12 |
The problem I can see happening allowing the optional spaces is that |
| 13 |
currently the fingerpint field is a space separated list of |
| 14 |
fingerprints. In the ldap-seeds code used to generate the |
| 15 |
developer.seeds file. I am splitting that field data on the spaces to |
| 16 |
get a python list of individual fingerprints. There are developers that |
| 17 |
have 2 fingerprints listed. If spaces are to be allowed in the |
| 18 |
fingerprint then we will need to use and enforce a different separator |
| 19 |
to divide the fingerprints. Currently in gentoo-keys I use the ":" as a |
| 20 |
separator in the gpgkey and fingerprint fields of the seed file. A "|" |
| 21 |
is used to separate the fields of the seed info. |
| 22 |
|
| 23 |
|
| 24 |
> The prior "gpgkey" field will be removed, as it is a subset of the |
| 25 |
> fingerprint field. In any place that presently displays the gpgkey |
| 26 |
> field, the last 16 hex digits of the fingerprint should be displayed |
| 27 |
> instead. |
| 28 |
> |
| 29 |
|
| 30 |
++ |
| 31 |
|
| 32 |
Currently running some checks on the gpgkey and fingerprint fields, |
| 33 |
there are many developers with errors. Some have 2 gpgkeys listed, but |
| 34 |
only 1 fingerprint, some the gpgkey does not match the fingerprint. One |
| 35 |
dev's fingerprint is only 39 chars in length. Please check if yours has |
| 36 |
errors and correct them please. See below for the links. |
| 37 |
|
| 38 |
By eliminating the gpgkey field in ldap it will reduce the chance for |
| 39 |
errors and is redundant data anyway. I will later establish a policy & |
| 40 |
code to test the developer.seeds file to look for errors in installing |
| 41 |
the keys before it is pushed to the server for public download. I |
| 42 |
already have code to install the complete set of developer seeds, but |
| 43 |
need to add/tweak the code to log the errors correctly. |
| 44 |
|
| 45 |
For the current file of the valid developer seeds: |
| 46 |
|
| 47 |
http://dev.gentoo.org/~dolsen/developer.seeds |
| 48 |
|
| 49 |
record entries are 1 dev per line. |
| 50 |
fields are ['nick', 'name', 'keyid', 'longkeyid','keydir', 'fingerprint'] |
| 51 |
|
| 52 |
For the latest log of the seed file generation run which lists the |
| 53 |
errors found: |
| 54 |
|
| 55 |
http://dev.gentoo.org/~dolsen/gkeyldap-latest.log |
| 56 |
|
| 57 |
|
| 58 |
P.S. If any python coders are interested in helping, please contact |
| 59 |
me :) |
| 60 |
|
| 61 |
> Tools: |
| 62 |
> ====== |
| 63 |
> We have most of the key-tracking in progress in the gentoo-keys project |
| 64 |
> [#GENTOOKEYS]_. |
| 65 |
> |
| 66 |
> This toolset should also include easy-to-use tools for developers to generate |
| 67 |
> new keys [#TOOLSET]_ (using the recommendations) and update expiry dates. |
| 68 |
> |
| 69 |
> This tool should generate a final user-formatted keyring, to be hosted on the |
| 70 |
> Gentoo API site. |
| 71 |
> |
| 72 |
> Backwards Compatibility: |
| 73 |
> ======================== |
| 74 |
> There is no consistent standard for GPG usage in Gentoo to date. |
| 75 |
> There is conflicting information in the Devmanual [#DEVMANUAL-MANIFEST]_ |
| 76 |
> and the GnuPG Gentoo user guide [#GNUPG-USER]_. As there is little |
| 77 |
> enforcement of Manifest signing and very little commit signing to date, |
| 78 |
> there are no backwards compatibility concerns. |
| 79 |
> |
| 80 |
> External documentation: |
| 81 |
> ======================= |
| 82 |
> Much of the above was driven by the following: |
| 83 |
> - NIST SP 800-57 recommendations [#NIST-SP800-57-1]_, |
| 84 |
> [##NIST-SP800-57-2]_ |
| 85 |
> - Debian GPG documentation [#DEBIANGPG]_ |
| 86 |
> - RiseUp.net OpenPGP best practices [#RISEUP]_ |
| 87 |
> |
| 88 |
> References: |
| 89 |
> =========== |
| 90 |
> .. [#GENTOOKEYS] Gentoo Keys project |
| 91 |
> (http://git.overlays.gentoo.org/gitweb/?p=proj/gentoo-keys.git) |
| 92 |
> .. [#TOOLSET] http://thread.gmane.org/gmane.linux.gentoo.devel/83996/focus=84220 |
| 93 |
> .. [#NIST-SP800-57-1] NIST SP 800-57: Recommendation for Key Management: Part 1: General (Revision 3) |
| 94 |
> (http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf) |
| 95 |
> .. [#NIST-SP800-57-2] NIST SP 800-57: Recommendation for Key Management: Part 2: Best Practices for Key Management Organization |
| 96 |
> (http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part2.pdf) |
| 97 |
> .. [#EKAIA] Ana's blog: Creating a new GPG key |
| 98 |
> (http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/) |
| 99 |
> .. [#DEBIANGPG] Debian GPG documentation |
| 100 |
> (https://wiki.debian.org/Keysigning) |
| 101 |
> .. [#RISEUP] RiseUp.net OpenPGP best practices |
| 102 |
> (https://we.riseup.net/riseuplabs+paow/openpgp-best-practices) |
| 103 |
> .. [#DEVMANUAL-MANIFEST] Gentoo Development Guide: Manifest |
| 104 |
> (http://devmanual.gentoo.org/general-concepts/manifest/index.html) |
| 105 |
> .. [#GNUPG-USER] GnuPG Gentoo User Guide |
| 106 |
> (http://www.gentoo.org/doc/en/gnupg-user.xml) |
| 107 |
> |
| 108 |
|
| 109 |
-- |
| 110 |
Brian Dolbec <dolsen@g.o> |
Archives