From: Brian Dolbec
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Git, GPG Signing, and Manifests
Date: Fri, 17 Jul 2015 08:25:06 -0700

On Fri, 17 Jul 2015 08:50:43 -0400
Rich Freeman wrote:

> On Fri, Jul 17, 2015 at 8:36 AM, Rich Freeman
> wrote:
> > On Fri, Jul 17, 2015 at 12:42 AM, Brian Dolbec
> > wrote:
> >>
> >> I don't know tbh, most are already signed, with the git migration,
> >> the strongly recommended commit signing will become MANDATORY.
> >>
> >> So, we are at 50 devs with valid gpg keys now, with 200 more gpg
> >> keys listed in LDAP that fail to meet the new spec. PLEASE fix
> >> them or create new keys...
> >
> > How does somebody know whether their key meets the spec or not? I
> > looked at the gentoo-keys website and didn't see any simple way to
> > check.
> >
> > There was documentation on the gkeys utility for checking keys, but
> > I ran into a few issues with this.
> >
>
> After waking up a bit more I configured a utf8 locale in my "clean
> stage3" and the errors went away, and I was able to verify that my key
> passed, with no encryption subkey (I don't intend to use this key for
> anything but gentoo main repository signing).
>
> Even so, it might not hurt to have a one-line way to check an
> arbitrary gpg key for conformity by ID. Otherwise we invite trial and
> error with devs uploading what they hope are compliant keys, fixing
> LDAP, waiting for seeds to be repopulated, then checking them.
>

One of the things I really wanted to get into gkeys is a way to add a
user's ~/.gnupg dir imported into the gkeys system, that will help in
that regard and make it more of a one stop shop for common gpg tasks.
Also, I will try to get at least the gkeys-gen target keydir added to
gkeys visibility in the next release.

Oh, forgot to mention. I will send the gkeys spec-check report to the
gentoo-core list for a start. Perhaps some of the devs can help us get
the wiki help pages completed when they fix their keys and know the
steps. I'm sure both Kristian and myself would appreciate a little help
with that while we are explaining how to fix the failures. One of the
slowdowns in completing those pages is creating anonymous gpg keys
output for the wiki examples. I do not want to use devs real keys as
examples (which of course would be easiest).

-- 
Brian Dolbec