[gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Michael Weber]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02/12/2013 10:14 PM, William Hubbs wrote:
> as preparation for the up-coming cvs->git migration of the portage
> tree, the council is strongly suggesting that from this point
> forward all developers sign their manifests with their gpg key as
> described in the developer's manual [1].
++

We should all put these data into LDAP, too. on dev.gentoo.org ..

perl_ldap -b user -M gpgkey <gpg-id> <user>
perl_ldap -b user -M gpgfingerprint <gpg-fingerprint> <user>


At least have some lose binding between tree signing keys and dev
identities. Or put the whole public key into the ldap.

- -- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber <xmw@gentoo.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlEax6cACgkQknrdDGLu8JAHmgD/fMVoUUO5g7iYeFobMy6rWBW8
mVIAoCe2BWZ6XOfPEvEBAI1Ny0ruWaRjI+HEStU3omgNVPUddeLoKJMyK5r0pJiX
=37sv
-----END PGP SIGNATURE-----

[gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Michael Weber]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02/12/2013 10:14 PM, William Hubbs wrote:
> If you have any questions on this, please feel free to let us
> know.
What is the rotation strategy for (near) outdated keys?
Alter the key or create a new one? Sign the new with the old one?

IMHO the answer to these questions is not obvious nor given by (our)
docu [1].

Maybe, add "keep ldap id/fingerprint synchronized" there, too.


> [1]
> http://devmanual.gentoo.org/general-concepts/manifest/index.html

- -- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber <xmw@gentoo.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlEazGMACgkQknrdDGLu8JBXygD8CalxwI4y7kxbqYwyXcyohtbW
7xICGdFgIDA8jH7v4poA/RrtQTxwmmzE4g53Eyg8RBKxEIa0BmAZUaAMIyM9ntdq
=XOfU
-----END PGP SIGNATURE-----

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Robin H. Johnson]

On Wed, Feb 13, 2013 at 12:12:35AM +0100, Michael Weber wrote:
> On 02/12/2013 10:14 PM, William Hubbs wrote:
> > If you have any questions on this, please feel free to let us
> > know.
> What is the rotation strategy for (near) outdated keys?
> Alter the key or create a new one? Sign the new with the old one?
If your keysize is still good, you should ideally update the expiry on
the key and re-upload it to keyservers.

> IMHO the answer to these questions is not obvious nor given by (our)
> docu [1].
I'm pretty sure it was in the devrel developer handbook at one point,
along with instructions to create your key, but I can't find it now.

> Maybe, add "keep ldap id/fingerprint synchronized" there, too.
http://www.gentoo.org/proj/en/infrastructure/ldap.xml#doc_chap3

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85

[gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Jeroen Roovers]

On Tue, 12 Feb 2013 15:14:15 -0600
William Hubbs <williamh@gentoo.org> wrote:

> All,
> 
> as preparation for the up-coming cvs->git migration of the portage
> tree, the council is strongly suggesting that from this point forward
> all developers sign their manifests with their gpg key as described
> in the developer's manual [1].
> 
> If you have any questions on this, please feel free to let us know.
> 
> On behalf of the council,
> 
> William
> 
> [1] http://devmanual.gentoo.org/general-concepts/manifest/index.html

It would help if repoman noticed when you have FEATURES=-sign. :-\


     jer

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Jeroen Roovers]

On Wed, 13 Feb 2013 01:47:34 +0100
Jeroen Roovers <jer@gentoo.org> wrote:

> It would help if repoman noticed when you have FEATURES=-sign. :-\

https://bugs.gentoo.org/show_bug.cgi?id=457034


     jer

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Alec Warner]

On Tue, Feb 12, 2013 at 5:05 PM, Jeroen Roovers <jer@gentoo.org> wrote:
> On Wed, 13 Feb 2013 01:47:34 +0100
> Jeroen Roovers <jer@gentoo.org> wrote:
>
>> It would help if repoman noticed when you have FEATURES=-sign. :-\
>
> https://bugs.gentoo.org/show_bug.cgi?id=457034

We can do the opposite, and just complain if we see unsigned manifests fly by.

-A

>
>
>      jer
>

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Jeroen Roovers]

On Tue, 12 Feb 2013 17:07:33 -0800
Alec Warner <antarus@gentoo.org> wrote:

> On Tue, Feb 12, 2013 at 5:05 PM, Jeroen Roovers <jer@gentoo.org>
> wrote:
> > On Wed, 13 Feb 2013 01:47:34 +0100
> > Jeroen Roovers <jer@gentoo.org> wrote:
> >
> >> It would help if repoman noticed when you have FEATURES=-sign. :-\
> >
> > https://bugs.gentoo.org/show_bug.cgi?id=457034
> 
> We can do the opposite, and just complain if we see unsigned
> manifests fly by.

The background here is that I set up a new system and "forgot" to set
FEATURES=sign before I went on to do commits from that system. It's not
like I set FEATURES=-sign on purpose. :)


      jer

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Michael Weber]

On 02/13/2013 12:28 AM, Robin H. Johnson wrote:
> On Wed, Feb 13, 2013 at 12:12:35AM +0100, Michael Weber wrote:
>> On 02/12/2013 10:14 PM, William Hubbs wrote:
>>> If you have any questions on this, please feel free to let us
>>> know.
>> What is the rotation strategy for (near) outdated keys?
>> Alter the key or create a new one? Sign the new with the old one?
> If your keysize is still good, you should ideally update the expiry on
> the key and re-upload it to keyservers.
Can you commit this to the document, please?

>> IMHO the answer to these questions is not obvious nor given by (our)
>> docu [1].
> I'm pretty sure it was in the devrel developer handbook at one point,
> along with instructions to create your key, but I can't find it now.
>
>> Maybe, add "keep ldap id/fingerprint synchronized" there, too.
> http://www.gentoo.org/proj/en/infrastructure/ldap.xml#doc_chap3
That does tell how to update the data, but does not suggest to do so.

My main concern is the cross-referencing of our documentation.
I'm aware that there is a ton of documentation splattered all over the
place
and outside our infra.
But besides the "non-trivial" step to become a dev (as mentioned last week)
there is a certain non-trivial step to keep one, esp. by gathering the
non-routine informations and fast-forward developments.

-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber <xmw@gentoo.org>

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Fabian Groffen]

[-- Attachment #1: Type: text/plain, Size: 928 bytes --]

On 13-02-2013 02:15:48 +0100, Jeroen Roovers wrote:
> On Tue, 12 Feb 2013 17:07:33 -0800
> Alec Warner <antarus@gentoo.org> wrote:
> 
> > On Tue, Feb 12, 2013 at 5:05 PM, Jeroen Roovers <jer@gentoo.org>
> > wrote:
> > > On Wed, 13 Feb 2013 01:47:34 +0100
> > > Jeroen Roovers <jer@gentoo.org> wrote:
> > >
> > >> It would help if repoman noticed when you have FEATURES=-sign. :-\
> > >
> > > https://bugs.gentoo.org/show_bug.cgi?id=457034
> > 
> > We can do the opposite, and just complain if we see unsigned
> > manifests fly by.
> 
> The background here is that I set up a new system and "forgot" to set
> FEATURES=sign before I went on to do commits from that system. It's not
> like I set FEATURES=-sign on purpose. :)

I wouldn't mind a mild warning from repoman if you're on the gentoo-x86
tree and try to commit without FEATURES=sign.

So, +1


-- 
Fabian Groffen
Gentoo on a different level

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 194 bytes --]

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Ben de Groot]

On 13 February 2013 15:07, Michael Weber <xmw@gentoo.org> wrote:
> On 02/13/2013 12:28 AM, Robin H. Johnson wrote:
>> On Wed, Feb 13, 2013 at 12:12:35AM +0100, Michael Weber wrote:
>>> On 02/12/2013 10:14 PM, William Hubbs wrote:
>>>> If you have any questions on this, please feel free to let us
>>>> know.
>>> What is the rotation strategy for (near) outdated keys?
>>> Alter the key or create a new one? Sign the new with the old one?
>> If your keysize is still good, you should ideally update the expiry on
>> the key and re-upload it to keyservers.
> Can you commit this to the document, please?
>
>>> IMHO the answer to these questions is not obvious nor given by (our)
>>> docu [1].
>> I'm pretty sure it was in the devrel developer handbook at one point,
>> along with instructions to create your key, but I can't find it now.
>>
>>> Maybe, add "keep ldap id/fingerprint synchronized" there, too.
>> http://www.gentoo.org/proj/en/infrastructure/ldap.xml#doc_chap3
> That does tell how to update the data, but does not suggest to do so.
>
> My main concern is the cross-referencing of our documentation.
> I'm aware that there is a ton of documentation splattered all over the
> place
> and outside our infra.
> But besides the "non-trivial" step to become a dev (as mentioned last week)
> there is a certain non-trivial step to keep one, esp. by gathering the
> non-routine informations and fast-forward developments.

All pertinent information should be in the devmanual. If it's not,
then this omission should be fixed as soon as possible. There is no
reason to keep this scattered over multiple locations.

-- 
Cheers,

Ben | yngwin
Gentoo developer
Gentoo Qt project lead, Gentoo Wiki admin

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Markos Chandras]

On 12 February 2013 23:28, Robin H. Johnson <robbat2@gentoo.org> wrote:
>
>> IMHO the answer to these questions is not obvious nor given by (our)
>> docu [1].
> I'm pretty sure it was in the devrel developer handbook at one point,
> along with instructions to create your key, but I can't find it now.

This one?

http://www.gentoo.org/doc/en/gnupg-user.xml

-- 
Regards,
Markos Chandras - Gentoo Linux Developer
http://dev.gentoo.org/~hwoarang

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Michael Weber]

On 02/13/2013 11:55 AM, Markos Chandras wrote:
> http://www.gentoo.org/doc/en/gnupg-user.xml
> 
still no hint what to do on expiration (as every single other "gpg howto").

-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber <xmw@gentoo.org>

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Aaron W. Swenson]

[-- Attachment #1: Type: text/plain, Size: 979 bytes --]

On Wed, Feb 13, 2013 at 01:20:39PM +0100, Michael Weber wrote:
> On 02/13/2013 11:55 AM, Markos Chandras wrote:
> > http://www.gentoo.org/doc/en/gnupg-user.xml
> > 
> still no hint what to do on expiration (as every single other "gpg howto").
> 

It depends. What do you want to do when it expires?

If you don't believe that the key has been compromised -- nobody is
going around using your key falsely -- then you should just "renew"
your key, i.e change the expiry date.

Some that are a bit more paranoid will generate a new key, sign it
with the about-to-expire key  -- not the already expired key because
they would never allow that to happen -- revoke the about-to-expire
key, then sync with the key server(s).

This information, by the way, has been blogged about thousands of
times.

-- 
Mr. Aaron W. Swenson
Gentoo Linux Developer
Email : titanofold@gentoo.org
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
GnuPG ID : D1BBFDA0

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 230 bytes --]

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Markos Chandras]

On 13 February 2013 15:31, Aaron W. Swenson <titanofold@gentoo.org> wrote:
> On Wed, Feb 13, 2013 at 01:20:39PM +0100, Michael Weber wrote:
>> On 02/13/2013 11:55 AM, Markos Chandras wrote:
>> > http://www.gentoo.org/doc/en/gnupg-user.xml
>> >
>> still no hint what to do on expiration (as every single other "gpg howto").
>>
>
> It depends. What do you want to do when it expires?
>
> If you don't believe that the key has been compromised -- nobody is
> going around using your key falsely -- then you should just "renew"
> your key, i.e change the expiry date.
>
> Some that are a bit more paranoid will generate a new key, sign it
> with the about-to-expire key  -- not the already expired key because
> they would never allow that to happen -- revoke the about-to-expire
> key, then sync with the key server(s).
>
> This information, by the way, has been blogged about thousands of
> times.
>
> --
> Mr. Aaron W. Swenson
> Gentoo Linux Developer
> Email : titanofold@gentoo.org
> GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
> GnuPG ID : D1BBFDA0

Correct. I don't think we need a "Gentoo-specific" document for that.

-- 
Regards,
Markos Chandras - Gentoo Linux Developer
http://dev.gentoo.org/~hwoarang

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Thomas Sachau]

[-- Attachment #1: Type: text/plain, Size: 765 bytes --]

Michael Weber schrieb:
> On 02/12/2013 10:14 PM, William Hubbs wrote:
>> as preparation for the up-coming cvs->git migration of the portage
>> tree, the council is strongly suggesting that from this point
>> forward all developers sign their manifests with their gpg key as
>> described in the developer's manual [1].
> ++
> 
> We should all put these data into LDAP, too. on dev.gentoo.org ..
> 
> perl_ldap -b user -M gpgkey <gpg-id> <user>
> perl_ldap -b user -M gpgfingerprint <gpg-fingerprint> <user>

I suggest, you check your ldap details, since those details are already
added for every new dev by his recruiter, so you only have to update
those entries yourself, when your key changes. ;-)

-- 

Thomas Sachau
Gentoo Linux Developer


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 379 bytes --]

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Denis Dupeyron]

On Wed, Feb 13, 2013 at 8:31 AM, Aaron W. Swenson <titanofold@gentoo.org> wrote:
> This information, by the way, has been blogged about thousands of
> times.

There is a reason people write documentation. Contrary to blog posts,
documentation is thought out, reviewed, maintained and corrected when
necessary. Blogs are written out of our collective ass in order to
generate page hits or satisfy our ego, and forgotten right away. Ain't
this handy.

If you want people to handle security properly you have to tell them
how to. In details. If not everybody will figure it out in his or her
own way, all of them wrong. Get off your high horse and write
documentation if you know how things work. That's more productive than
this blabbering.

Denis.

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Eray Aslan]

On Wed, Feb 13, 2013 at 09:35:56AM -0700, Denis Dupeyron wrote:
> If you want people to handle security properly you have to tell them
> how to. In details. If not everybody will figure it out in his or her
> own way, all of them wrong. Get off your high horse and write
> documentation if you know how things work.

Amen.  I know it's not sexy but please document / help with
documentation if you can.

-- 
Eray Aslan <eras@gentoo.org>

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Aaron W. Swenson]

[-- Attachment #1: Type: text/plain, Size: 1045 bytes --]

On Wed, Feb 13, 2013 at 09:35:56AM -0700, Denis Dupeyron wrote:
> On Wed, Feb 13, 2013 at 8:31 AM, Aaron W. Swenson <titanofold@gentoo.org> wrote:
> > This information, by the way, has been blogged about thousands of
> > times.
> 
> There is a reason people write documentation. Contrary to blog posts,
> documentation is thought out, reviewed, maintained and corrected when
> necessary.

I agree. This is officially documented by GnuPG. [1] That would be the
best source to use. It details everything one needs to do to manage a
key pair.

PGP keys are daunting, but once one uses them for a while it becomes a
bit easier to grok.

There's nothing Gentoo specific about it. I don't see why we would
need to officially document an official document. The most we should
do is point people to the resource.

[1] http://www.gnupg.org/gph/en/manual.html#AEN329

-- 
Mr. Aaron W. Swenson
Gentoo Linux Developer
Email : titanofold@gentoo.org
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
GnuPG ID : D1BBFDA0

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 230 bytes --]

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

["Paweł Hajdan, Jr."]

[-- Attachment #1: Type: text/plain, Size: 619 bytes --]

On 2/13/13 12:28 AM, Robin H. Johnson wrote:
> On Wed, Feb 13, 2013 at 12:12:35AM +0100, Michael Weber wrote:
>> What is the rotation strategy for (near) outdated keys?
>> Alter the key or create a new one? Sign the new with the old one?
> If your keysize is still good, you should ideally update the expiry on
> the key and re-upload it to keyservers.

What is considered a good key size these days?

Sorry I'm asking a question that has been "blogged about thousands of
times", but I trust a Gentoo dev more about this than a "random blogger"
who insists everyone should use 8192 bit keys. ;)

Paweł


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 203 bytes --]

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Diego Elio Pettenò]

On 13/02/2013 18:46, "Paweł Hajdan, Jr." wrote:
> What is considered a good key size these days?

As far as I can tell, 2048 rsa should be still fine.

Just drop DSA and anything 1024 I would suggest.

-- 
Diego Elio Pettenò — Flameeyes
flameeyes@flameeyes.eu — http://blog.flameeyes.eu/

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Eray Aslan]

On Wed, Feb 13, 2013 at 05:22:14PM +0000, Aaron W. Swenson wrote:
> I agree. This is officially documented by GnuPG. [1] That would be the
> best source to use. It details everything one needs to do to manage a
> key pair.

Good luck having people find and read it.  Similar to (or perhaps
linking to) something along the lines of

http://keyring.debian.org/creating-key.html

might be appropriate (by adding an expiry date section perhaps).

This is not about expiry dates or even gnupg in particular.  Our
documentation is not up to par anymore.  We need to spend more effort in
documentation in general.  Please do so if you can.

-- 
Eray Aslan <eras@gentoo.org>

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Aaron W. Swenson]

[-- Attachment #1: Type: text/plain, Size: 1048 bytes --]

On Wed, Feb 13, 2013 at 07:58:30PM +0200, Eray Aslan wrote:
> On Wed, Feb 13, 2013 at 05:22:14PM +0000, Aaron W. Swenson wrote:
> > I agree. This is officially documented by GnuPG. [1] That would be the
> > best source to use. It details everything one needs to do to manage a
> > key pair.
> 
> Good luck having people find and read it.  Similar to (or perhaps
> linking to) something along the lines of
> 
> http://keyring.debian.org/creating-key.html
> 
> might be appropriate (by adding an expiry date section perhaps).
> 
> This is not about expiry dates or even gnupg in particular.  Our
> documentation is not up to par anymore.  We need to spend more effort in
> documentation in general.  Please do so if you can.
> 

I do agree that we need to state some minimum requirements that aren't
so antiquated. And, we need to make it a bit more conspicuous.

-- 
Mr. Aaron W. Swenson
Gentoo Linux Developer
Email : titanofold@gentoo.org
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
GnuPG ID : D1BBFDA0

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 230 bytes --]

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Michael Weber]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02/13/2013 06:22 PM, Aaron W. Swenson wrote:
> There's nothing Gentoo specific about it. I don't see why we would 
> need to officially document an official document. The most we
> should do is point people to the resource.
So, please link to this page and drop out fractional/incomplete version.

> [1] http://www.gnupg.org/gph/en/manual.html#AEN329
> 


- -- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber <xmw@gentoo.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlEb62sACgkQknrdDGLu8JAZeQD+M8+z4/LicZnWLOf+mwXcqFEM
qwuAFjeV5XN+KoDehn8A/1IE9ane4mN5dTFSPRgArTghBUgJ1hXhfIcDdCcukB0N
=24Uj
-----END PGP SIGNATURE-----

[gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Agostino Sarubbo]

On Tuesday 12 February 2013 15:14:15 William Hubbs wrote:
> All,
> 
> as preparation for the up-coming cvs->git migration of the portage tree,
> the council is strongly suggesting that from this point forward all
> developers sign their manifests with their gpg key as described in the
> developer's manual [1].
> 
> If you have any questions on this, please feel free to let us know.

As most of us do, I do the commit from another machine, not mine. So, for ssh 
I'm using ssh -A to forward the key and I'm interested to find a way to do it 
for the gpg key.

I found an how-to that uses socat ( http://superuser.com/questions/161973/how-
can-i-forward-a-gpg-key-via-ssh-agent ) but does not work as expected.

This is an example: http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-
x86/app-portage/splat/Manifest?revision=1.45&view=markup

The manifest apparently is signed, but there is no really gpg sign.

If someone know how to do it, please let me know.
-- 
Agostino Sarubbo / ago -at- gentoo.org
Gentoo Linux Developer

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Peter Stuge]

Agostino Sarubbo wrote:
> I'm using ssh -A to forward the key and I'm interested to find a
> way to do it for the gpg key.
> 
> I found an how-to that uses socat ( http://superuser.com/questions/161973/how-
> can-i-forward-a-gpg-key-via-ssh-agent ) but does not work as expected.

Did you debug?

Rather than creating a TCP socket I would look into using the ssh -W
option.


//Peter

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Michael Weber]

On 02/13/2013 09:07 PM, Agostino Sarubbo wrote:
> As most of us do, I do the commit from another machine, not mine. So, for ssh 
> I'm using ssh -A to forward the key and I'm interested to find a way to do it 
> for the gpg key.
> 
> I found an how-to that uses socat ( http://superuser.com/questions/161973/how-
> can-i-forward-a-gpg-key-via-ssh-agent ) but does not work as expected.

GPG agents do not transport keys, just passphrases.

I once used a patch against openssh to enable forwarding of domain
sockets, it applies to current 6.1_p1.

http://www.25thandclement.com/~william/projects/streamlocal.html

Maybe we should add this to our openssh version, I'd appreciate it.

> This is an example: http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-
> x86/app-portage/splat/Manifest?revision=1.45&view=markup
> 
> The manifest apparently is signed, but there is no really gpg sign.

look closely to the output of repoman commit, there is a small "gpg
failed" or somethink like that.


-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber <xmw@gentoo.org>

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Michael Weber]

On 02/13/2013 09:23 PM, Peter Stuge wrote:
> Rather than creating a TCP socket I would look into using the ssh -W
> option.
gpg agent works with unix domain sockets.


-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber <xmw@gentoo.org>

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Peter Stuge]

Michael Weber wrote:
> > Rather than creating a TCP socket I would look into using the ssh -W
> > option.
> gpg agent works with unix domain sockets.

I know. It would look something like socat + ssh -W socat


//Peter

Re: [gentoo-dev] Re: [gentoo-dev-announce] please sign your manifests

[Michael Weber]

On 02/13/2013 09:30 PM, Michael Weber wrote:
> GPG agents do not transport keys, just passphrases.

To stress that, my passphrased key resides on my remote build-box,
gpg just askes my local gpg agent for the passphrase.

ssh -R /root/.gnupg/S.gpg-agent:/tmp/keyring-michael/gpg b-4

with a persistent location of the unix socket assured by
https://xmw.de/dotfiles/bin/new-keyring




-- 
Michael Weber
Gentoo Developer
web: https://xmw.de/
mailto: Michael Weber <xmw@gentoo.org>