From: Luis Ressel
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] RFC: Gentoo GPG key policies
Date: Wed, 27 Feb 2013 16:12:14 +0100
Message-ID: <20130227161214.4bfde7e9@mygoo.lnet>

On Tue, 26 Feb 2013 17:10:56 +0700 (NOVT) grozin@gentoo.org wrote:
> Hello *,
> I am stuck and have many questions.
> [In the process of becoming a dev, I've generated a gpg key, of course. It was on an old notebook.
> When I switched to a newer notebook, I forgot to copy it, because I don't use gpg regularly. No risk that it became known - the disk was re-partitioned and re-formatted. Probably, that key has expired anyway.]
> 1. So, I start
> gpg --gen-key
> It creates ~/.gnupg/ and some files in it. Should I press ctrl-C, then edit ~/.gnupg/gpg.conf, and then re-start gpg --gen-key? Or editing gpg.conf can be done later?

Editing the conf should be done first, some of the preferences (e.g. personal-digest-preference and cert-digest-algo) affect the creation of keys.

> 2. Then I choose 1, 3y, y, then my name and the @gentoo.org email address. After that,
> gpg --list-keys
> says
> /home//.gnupg/pubring.gpg
> -------------------------------
> pub 4096R/0x<16_hex_digits_1> 2013-02-26 [expires: 2016-02-26]
> uid [ultimate]
> sub 4096R/0x<16_hex_digits_2> 2013-02-26 [expires: 2016-02-26]
> So, my key id is 0x<16_hex_digits_1>, right?

Yep, but why did you bother to replace the information?

> 3. Now I do
> gpg --edit-key 0x<16_hex_digits_1>
> addkey
> Then I choose
> (4) RSA (sign only)
> right? Then I choose 4096, 1y, y, y, save. Now
> gpg --list-keys
> gives
> /home//.gnupg/pubring.gpg
> -------------------------------
> pub 4096R/0x<16_hex_digits_1> 2013-02-26 [expires: 2016-02-26]
> uid [ultimate]
> sub 4096R/0x<16_hex_digits_2> 2013-02-26 [expires: 2016-02-26]
> sub 4096R/0x<16_hex_digits_3> 2013-02-26 [expires: 2014-02-26]
> 4. I do
> gpg --output revoke.asc --gen-revoke 0x<16_hex_digits_1>
> and choose 1.

That's all correct.

> > 6. Encrypted backup of your secret keys.
> I don't understand this.

It'd make sense to have a backup of your keys (~/.gnupg/secring.gpg) stored in a safe place, just as with everything else... If you want, you can protect it by another layer of encryption, but it's not that important, because the keys are already protected by your passphrase.

> > 7. In your gpg.conf:
> > # include an unambiguous indicator of which key made a signature:
> > # (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
> > sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g
> I don't understand this.

Neither do I (I know what it does, but I don't see what it's good for) – just leave it out, it's not necessary.

> 5. I do
> gpg --keyserver subkeys.pgp.net --send-key 0x<16_hex_digits_1>
> 6. On dev.gentoo.org, I am supposed to do
> perl_ldap -b user -M gpgkey
> perl_ldap -b user -M gpgfingerprint
> Is 0x<16_hex_digits_1>? Or 0x<16_hex_digits_3>? What is and how do I get it? Is my username on dev.gentoo.org?
> What's even more important, perl_ldap asks my ldap password. I suppose I haven't got one. My usual Gentoo password (used in bugzilla, forums) does not work. How do I get an ldap password?

I can't help you with that, as I don't have access to any gentoo infrastructure. But IIRC, that's the password you once set on d.g.o with passwd.

> 7. If I'll ever complete all the above, I'll add sign to FEATURES in /etc/portage/make.conf, and
> PORTAGE_GPG_DIR="/home//.gnupg"
> and also
> PORTAGE_GPG_KEY="0x<16_hex_digits_3>!"
> Is this correct? Is it <16_hex_digits_3>, and not, say, <16_hex_digits_1>? Should I add ! at the end, as suggested by mgorny?

16_hex_digits_3 (the one you added later via addkey) is the correct one. And adding a ! is absolutely necessary.

> During the time I'm reading all these instructions, I could bump 10 packages. Very complicated for a person who does not use gpg and knows next to nothing about it.

Security can be hard to grasp at times. Sadly...
HTH,
Luis
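As an added example (not part of this thread), a small Python helper that does mechanically what the "16_hex_digits_3" answer above does by hand: it picks the sign-only subkey out of `gpg --list-keys --with-colons` output and checks that a make.conf PORTAGE_GPG_KEY value names that subkey with the trailing "!". The listing and key ids below are constructed placeholders, and the date fields are assumed to be epoch seconds (gpg --fixed-list-mode).

```python
import re

# Constructed sample of `gpg --list-keys --with-colons --fixed-list-mode`:
# primary key, encryption subkey, later sign-only subkey. Key ids are placeholders.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1361836800:1456444800::u:::scESC:
uid:u::::1361836800::0000000000000000000000000000000000000000::Example Dev <example@gentoo.org>:
sub:u:4096:1:FEDCBA9876543210:1361836800:1456444800:::::e:
sub:u:4096:1:1122334455667788:1361836800:1393286400:::::s:
"""

def signing_subkeys(listing, now):
    """Key ids of sign-only subkeys ('s' capability, no 'e') that are neither
    flagged revoked/expired nor past their expiry timestamp at time `now`."""
    found = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] != "sub" or len(f) < 12:
            continue
        validity, keyid, created, expires, caps = f[1], f[4], f[5], f[6], f[11]
        if validity in ("r", "e"):            # revoked or expired
            continue
        if expires and int(expires) <= now:   # expiry already reached
            continue
        if "s" in caps and "e" not in caps:
            found.append((int(created), keyid))
    # newest first: the subkey added most recently via addkey wins
    return [k for _, k in sorted(found, reverse=True)]

def portage_gpg_key(listing, now):
    """Value for PORTAGE_GPG_KEY: the signing subkey id plus the '!' that
    forces gpg to use exactly this subkey instead of choosing one itself."""
    keys = signing_subkeys(listing, now)
    if not keys:
        raise ValueError("no usable sign-only subkey; add one with addkey")
    return "0x" + keys[0] + "!"

def make_conf_key(make_conf):
    """Extract PORTAGE_GPG_KEY from a make.conf fragment (None if absent)."""
    m = re.search(r'^PORTAGE_GPG_KEY="([^"]*)"', make_conf, re.M)
    return m.group(1) if m else None

def check_make_conf(make_conf, listing, now):
    """True only if make.conf names the current signing subkey with a '!'."""
    return make_conf_key(make_conf) == portage_gpg_key(listing, now)

if __name__ == "__main__":
    now = 1370000000   # mid-2013, while the 1y subkey is still valid
    print(portage_gpg_key(SAMPLE_LISTING, now))
```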