Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
MIME-Version: 1.0
Sender: antarus@scriptkitty.com
In-Reply-To: <robbat2-20130227T184548-103646078Z@orbis-terrarum.net>
References: <robbat2-20130218T224715-868658579Z@orbis-terrarum.net>
	<alpine.LRH.1.10.1302261609360.25218@star.inp.nsk.su>
	<20130227161214.4bfde7e9@mygoo.lnet>
	<robbat2-20130227T184548-103646078Z@orbis-terrarum.net>
Date: Wed, 27 Feb 2013 12:27:57 -0800
Message-ID: <CAAr7Pr9zR-ovQFk=a3pBF6HrWwzrbBP4zCmLXRZ_voafxbkFiA@mail.gmail.com>
Subject: Re: [gentoo-dev] RFC: Gentoo GPG key policies
From: Alec Warner <antarus@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Wed, Feb 27, 2013 at 11:04 AM, Robin H. Johnson <robbat2@gentoo.org> wrote:
> Thanks for the partial response Luis.
>
> On Wed, Feb 27, 2013 at 04:12:14PM +0100, Luis Ressel wrote:
>> On Tue, 26 Feb 2013 17:10:56 +0700 (NOVT)
>> grozin@gentoo.org wrote:
>>
>> > Hello *,
>> > I am stuck and have many questions.
>
> New addition to the instructions:
> 0. Copy /usr/share/gnupg/gpg-conf.skel to ~/.gnupg/gpg.conf, append the
>    block given in my email.
>    TODO: The upstream skeleton config file has improved over the years,
>    it would be useful for all users to get updates to it, but etc-update
>    only works for /etc, since this is deployed per-user. Suggestions
>    welcome on getting users to do this.
>
>> > [In the process of becoming a dev, I've generated a gpg key, of course. It was on an old notebook. When I switched to a newer notebook, I forgot to copy it, because I don't use gpg regularly. No risk that it became known - the disk was re-partitioned and re-formatted. Probably, that key has expired anyway.]
>> > 1. So, I start
>> > gpg --gen-key
>> > It creates ~/.gnupg/ and some files in it. Should I press ctrl-C, then edit ~/.gnupg/gpg.conf, and then re-start gpg --gen-key? Or can editing gpg.conf be done later?
>> Editing the conf should be done first, some of the preferences (e.g.
>> personal-digest-preference and cert-digest-algo) affect the creation of
>> keys.
> See step 0 above, and do gen-key AFTER that.
>
>> > 3. Now I do
>> > gpg --edit-key 0x<16_hex_digits_1>
>> > addkey
>> > Then I choose
>> > (4) RSA (sign only)
>> > right? Then I choose 4096, 1y, y, y, save. Now
>> > gpg --list-keys
>> > gives
>> > /home/<username>/.gnupg/pubring.gpg
>> > -------------------------------
>> > pub   4096R/0x<16_hex_digits_1> 2013-02-26 [expires: 2016-02-26]
>> > uid                 [ultimate] <my_name> <my_gentoo_email_address>
>> > sub   4096R/0x<16_hex_digits_2> 2013-02-26 [expires: 2016-02-26]
>> > sub   4096R/0x<16_hex_digits_3> 2013-02-26 [expires: 2014-02-26]
>> > 4. I do
>> > gpg --output revoke.asc --gen-revoke 0x<16_hex_digits_1>
>> > and choose 1.
>> That's all correct.
> Make sure to put that revoke.asc file in a secure place, and REMOVE the
> unprotected copy from your system. It has NO encryption on that file, by
> design.
>
>> > > 6. Encrypted backup of your secret keys.
>> > I don't understand this.
>>
>> It'd make sense to have a backup of your keys (~/.gnupg/secring.gpg)
>> stored in a safe place, just as with everything else... If you want,
>> you can protect it by another layer of encryption, but it's not that
>> important, because the keys are already protected by your passphrase.
>
> Yes, your normal keys are protected by your passphrase.
> If you have additional SEPARATE keys that might not have passphrases (eg
> for automation purposes), having them encrypted on your backup media is
> a good idea.
>
> If you don't have any other keys like that, I've attached a backup
> script for you to use (originally written because some versions ago
> there was a gnupg locking bug, and it would occasionally
> corrupt/overwrite my public keyring).
>
>> > > 7. In your gpg.conf:
>> > >   # include an unambiguous indicator of which key made a signature:
>> > >   # (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
>> > >   sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g
>> > I don't understand this.
>> Neither do I (I know what it does, but I don't see what it's good for) –
>> just leave it out, it's not necessary.
> Here's the origin of this:
> http://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html
> Basically, just like the rest of the expansion to use full length
> keyids to avoid collision attacks, this does the same for
> certifications.
>
>> > 5. I do
>> > gpg --keyserver subkeys.pgp.net --send-key 0x<16_hex_digits_1>
>> > 6. On dev.gentoo.org, I am supposed to do
>> > perl_ldap -b user -M gpgkey <gpg-id> <user>
>> > perl_ldap -b user -M gpgfingerprint <gpg-fingerprint> <user>
>> > Is <gpg-id> 0x<16_hex_digits_1>? Or 0x<16_hex_digits_3>? What is <gpg-fingerprint> and how do I get it? Is <user> my username on dev.gentoo.org?
>> > What's even more important, perl_ldap asks my ldap password. I suppose I haven't got one. My usual Gentoo password (used in bugzilla, forums) does not work. How do I get an ldap password?
>> I can't help you with that, as I don't have access to any gentoo
>> infrastructure. But IIRC, that's the password you once set on d.g.o
>> with passwd.
> Your recruiter should have pointed you to your LDAP password when you
> became a developer; this is done for new developers. In case of old developers, this
> wasn't reliably followed, and/or it gets lost. Please contact infra or
> the devrel leads to get your LDAP password reset.
>
> '<user>' is your Gentoo developer username. Be careful to NOT
> replace the '-b user' part, that selects 'user' mode for the tool.

FYI: I patched perl_ldap so this doesn't happen, as it was a very
common mistake.

-A

>
>> > 7. If I'll ever complete all the above, I'll add sign to FEATURES in /etc/portage/make.conf, and
>> > PORTAGE_GPG_DIR="/home/<username>/.gnupg"
>> > and also
>> > PORTAGE_GPG_KEY="0x<16_hex_digits_3>!"
>> > Is this correct? Is it <16_hex_digits_3>, and not, say, <16_hex_digits_1>? Should I add ! at the end, as suggested by mgorny?
>> 16_hex_digits_3 (the one you added later via addkey) is the correct
>> one. And adding a ! is absolutely necessary.
> :-)
>
>> > During the time I'm reading all these instructions, I could bump 10
>> > packages. Very complicated for a person who does not use gpg and
>> > knows next to nothing about it.
>> Security can be hard to grasp at times. Sadly...
> But THANK YOU for writing up your email, it's great to have somebody
> with no experience try the instructions, and help us figure out where
> they need to improve.
>
> --
> Robin Hugh Johnson
> Gentoo Linux: Developer, Trustee & Infrastructure Lead
> E-Mail     : robbat2@gentoo.org
> GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
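Added example, not part of this thread or of Gentoo's own tooling: a POSIX sh helper that, from a constructed `gpg --with-colons --list-keys` listing laid out like grozin's, picks the sign-only subkey (his <16_hex_digits_3>) and builds the PORTAGE_GPG_KEY value with the trailing "!", then checks that a candidate value names a signing subkey rather than the primary key. The key IDs, dates and user ID in the sample are made up.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --list-keys` output (key IDs and
# dates are made up), laid out like the listing in the thread: primary key
# (<16_hex_digits_1>), encryption subkey (_2), sign-only subkey added later (_3).
# Field 5 is the long key ID, field 7 the expiry, field 12 the capabilities.
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1361836800:1456444800::u:::scSC:
uid:u::::1361836800::0000::Example Dev <example@gentoo.org>:
sub:u:4096:1:FEDCBA9876543210:1361836800:1456444800:::::e:
sub:u:4096:1:0011223344556677:1361836800:1393372800:::::s:'

# Long ID of the first sign-capable subkey ("s" in field 12), read from stdin.
signing_subkey_id() {
    awk -F: '$1 == "sub" && index($12, "s") > 0 { print $5; exit }'
}

# make.conf value: 0x-prefixed long ID plus the trailing "!", which forces
# gpg to sign with exactly that subkey rather than choosing one itself.
portage_gpg_key() {
    id=$(signing_subkey_id)
    [ -n "$id" ] || return 1
    printf '0x%s!\n' "$id"
}

# Validate a chosen PORTAGE_GPG_KEY against a listing: correct shape, names a
# sign-capable subkey, and is not the primary key ID by mistake.
check_portage_gpg_key() {
    value=$1; listing=$2
    case "$value" in
        0x[0-9A-Fa-f]*!) ;;
        *) echo "need 0x prefix and trailing '!'" >&2; return 1 ;;
    esac
    id=${value#0x}; id=${id%!}
    if [ ${#id} -ne 16 ]; then
        echo "use the 16-digit long key ID" >&2; return 1
    fi
    if printf '%s\n' "$listing" | awk -F: -v id="$id" \
        '$1 == "pub" && $5 == id { f = 1 } END { exit f ? 0 : 1 }'; then
        echo "that is the primary key; use the signing subkey" >&2; return 1
    fi
    printf '%s\n' "$listing" | awk -F: -v id="$id" \
        '$1 == "sub" && $5 == id && index($12, "s") > 0 { f = 1 } END { exit f ? 0 : 1 }'
}

# Stand-alone run: derive the value from the sample and check it.
key=$(printf '%s\n' "$SAMPLE_LISTING" | portage_gpg_key) || exit 1
check_portage_gpg_key "$key" "$SAMPLE_LISTING" && echo "PORTAGE_GPG_KEY=\"$key\""
```

Against a real keyring, pipe `gpg --with-colons --list-keys 0x<16_hex_digits_1>` into `portage_gpg_key` instead of the sample.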