public inbox for gentoo-dev@lists.gentoo.org
From: "Robin H. Johnson" <robbat2@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] RFC: Gentoo GPG key policies
Date: Wed, 27 Feb 2013 19:04:12 +0000
Message-ID: <robbat2-20130227T184548-103646078Z@orbis-terrarum.net>
In-Reply-To: <20130227161214.4bfde7e9@mygoo.lnet>


Thanks for the partial response Luis.

On Wed, Feb 27, 2013 at 04:12:14PM +0100, Luis Ressel wrote:
> On Tue, 26 Feb 2013 17:10:56 +0700 (NOVT)
> grozin@gentoo.org wrote:
> 
> > Hello *,
> > I am stuck and have many questions.

New addition to the instructions:
0. Copy /usr/share/gnupg/gpg-conf.skel to ~/.gnupg/gpg.conf, append the
   block given in my email.
   TODO: The upstream skeleton config file has improved over the years,
   it would be useful for all users to get updates to it, but etc-update
   only works for /etc, since this is deployed per-user. Suggestions
   welcome on getting users to do this.

> > [In the process of becoming a dev, I've generated a gpg key, of course. It was on an old notebook. When I switched to a newer notebook, I forgot to copy it, because I don't use gpg regularly. No risk that it became known - the disk was re-partitioned and re-formatted. Probably, that key has expired anyway.]
> > 1. So, I start
> > gpg --gen-key
> > It creates ~/.gnupg/ and some files in it. Should I press ctrl-C, then edit ~/.gnupg/gpg.conf, and then re-start gpg --gen-key? Or editing gpg.conf can be done later?
> Editing the conf should be done first, some of the preferences (e.g.
> personal-digest-preference and cert-digest-algo) affect the creation of
> keys.
See step 0 above, and do gen-key AFTER that.

> > 3. Now I do
> > gpg --edit-key 0x<16_hex_digits_1>
> > addkey
> > Then I choose
> > (4) RSA (sign only)
> > right? Then I choose 4096, 1y, y, y, save. Now
> > gpg --list-keys
> > gives
> > /home/<username>/.gnupg/pubring.gpg
> > -------------------------------
> > pub   4096R/0x<16_hex_digits_1> 2013-02-26 [expires: 2016-02-26]
> > uid                 [ultimate] <my_name> <my_gentoo_email_address>
> > sub   4096R/0x<16_hex_digits_2> 2013-02-26 [expires: 2016-02-26]
> > sub   4096R/0x<16_hex_digits_3> 2013-02-26 [expires: 2014-02-26]
> > 4. I do
> > gpg --output revoke.asc --gen-revoke 0x<16_hex_digits_1>
> > and choose 1.
> That's all correct.
Make sure to put that revoke.asc file in a secure place, and REMOVE the
unprotected copy from your system. There is NO encryption on that file,
by design.

> > > 6. Encrypted backup of your secret keys.
> > I don't understand this.
> 
> It'd make sense to have a backup of your keys (~/.gnupg/secring.gpg)
> stored in a safe place, just as with everything else... If you want,
> you can protect it by another layer of encryption, but it's not that
> important, because the keys are already protected by your passphrase.

Yes, your normal keys are protected by your passphrase.
If you have additional SEPARATE keys that might not have passphrases (eg
for automation purposes), having them encrypted on your backup media is
a good idea.

If you don't have any other keys like that, I've attached a backup
script for you to use (originally written because some versions ago
there was a gnupg locking bug, and it would occasionally
corrupt/overwrite my public keyring).

> > > 7. In your gpg.conf:
> > >   # include an unambiguous indicator of which key made a signature:
> > >   # (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
> > >   sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g
> > I don't understand this.
> Neither do I (I know what it does, but I don't see what it's good for) –
> just leave it out, it's not necessary.
Here's the origin of this:
http://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html
Basically, just like the rest of the expansion to use full length
keyids to avoid collision attacks, this does the same for
certifications.

> > 5. I do
> > gpg --keyserver subkeys.pgp.net --send-key 0x<16_hex_digits_1>
> > 6. On dev.gentoo.org, I am supposed to do
> > perl_ldap -b user -M gpgkey <gpg-id> <user>
> > perl_ldap -b user -M gpgfingerprint <gpg-fingerprint> <user>
> > Is <gpg-id> 0x<16_hex_digits_1>? Or 0x<16_hex_digits_3>? What is <gpg-fingerprint> and how do I get it? Is <user> my username on dev.gentoo.org?
> > What's even more important, perl_ldap asks my ldap password. I suppose I haven't got one. My usual Gentoo password (used in bugzilla, forums) does not work. How do I get an ldap password?
> I can't help you with that, as I don't have access to any gentoo
> infrastructure. But IIRC, that's the password you once set on d.g.o
> with passwd.
For new developers, your recruiter should have pointed you to your LDAP
password when you became a developer. In the case of old developers,
this wasn't reliably followed, and/or the password gets lost. Please
contact infra or the devrel leads to get your LDAP password reset.

'<user>' is your Gentoo developer username. Be careful to NOT
replace the '-b user' part, that selects 'user' mode for the tool.

> > 7. If I'll ever complete all the above, I'll add sign to FEATURES in /etc/portage/make.conf, and
> > PORTAGE_GPG_DIR="/home/<username>/.gnupg"
> > and also
> > PORTAGE_GPG_KEY="0x<16_hex_digits_3>!"
> > Is this correct? Is it <16_hex_digits_3>, and not, say, <16_hex_digits_1>? Should I add ! at the end, as suggested by mgorny?
> 16_hex_digits_3 (the one you added later via addkey) is the correct
> one. And adding a ! is absolutely necessary.
:-)

> > During the time I'm reading all these instructions, I could bump 10
> > packages. Very complicated for a person who does not use gpg and
> > knows next to nothing about it.
> Security can be hard to grasp at times. Sadly...
But THANK YOU for writing up your email, it's great to have somebody
with no experience try the instructions, and help us figure out where
they need to improve.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85

[-- Attachment #2: gpg-backup --]

#!/bin/sh
# Timestamped, compressed backup of the GnuPG keyrings and ownertrust.
T="$(date -u +%Y%m%dT%H%M%SZ)"
OUTDIR=~/.gnupg/backup
COMPRESS_SUFFIX='.gz'
COMPRESS="gzip -9"
USE_ASCII=0
EXPORTOPTS="--export-options export-local-sigs,export-attributes,export-sensitive-revkeys"

# The backups contain secret keys: keep everything created here private.
umask 077
mkdir -p "$OUTDIR" || exit 1

dobackup() {
	OPT="$1"
	OFILE="$2"
	# mktemp --tmpdir is the GNU coreutils form.
	TMP="$(mktemp --tmpdir="$OUTDIR" tmp.XXXXXXXXXX)" || return 1
	# Export to the temp file first and compress afterwards: the exit
	# status of "gpg | gzip" is gzip's, so a failed export would otherwise
	# be saved as an empty backup.
	if gpg ${OPT} >"$TMP" && ${COMPRESS} <"$TMP" >"${TMP}${COMPRESS_SUFFIX}"; then
		mv "${TMP}${COMPRESS_SUFFIX}" "$OFILE"
	else
		echo "gpg-backup: export failed: gpg ${OPT}" >&2
	fi
	rm -f "$TMP" "${TMP}${COMPRESS_SUFFIX}"
}

ASCII_OPT=''
ASCII_SUFFIX=''
# [[ ]] is a bashism; plain test works under /bin/sh.
if [ "$USE_ASCII" -eq 1 ]; then
	ASCII_OPT='--armor'
	ASCII_SUFFIX='.asc'
fi

dobackup "${EXPORTOPTS} --export-ownertrust" "${OUTDIR}/${T}.ownertrust.txt${COMPRESS_SUFFIX}"

dobackup "${EXPORTOPTS} ${ASCII_OPT} --export" "${OUTDIR}/${T}.pubkey${ASCII_SUFFIX}${COMPRESS_SUFFIX}"

dobackup "${EXPORTOPTS} ${ASCII_OPT} --export-secret-keys" "${OUTDIR}/${T}.seckey${ASCII_SUFFIX}${COMPRESS_SUFFIX}"

dobackup "${EXPORTOPTS} ${ASCII_OPT} --export-secret-subkeys" "${OUTDIR}/${T}.seckey-sub${ASCII_SUFFIX}${COMPRESS_SUFFIX}"
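An added example, not from the thread or the gpg-backup attachment: the reply settles that PORTAGE_GPG_KEY must name the later-added sign-only subkey with a trailing "!". This function picks that subkey out of machine-readable `gpg --with-colons --list-keys` output and prints the make.conf line, failing if there is not exactly one such subkey. The key IDs in the sample listing are constructed.

```shell
#!/bin/sh
# Emit the PORTAGE_GPG_KEY line for the sign-only subkey. Reads
# `gpg --with-colons --list-keys <keyid>` records on stdin.
# Added example; the sample listing below is constructed.
portage_gpg_key() {
	awk -F: '
		# field 1 = record type, 5 = key ID, 12 = capability letters
		# (s = sign, e = encrypt, c = certify; lowercase = this key only).
		# The primary "pub" line is skipped: only subkeys qualify.
		$1 == "sub" && index($12, "s") && !index($12, "e") {
			key = $5
			found++
		}
		END {
			if (found != 1) {
				printf "ERROR: expected exactly one sign-only subkey, found %d\n", found > "/dev/stderr"
				exit 1
			}
			# The "!" tells gpg to use exactly this subkey, not the primary.
			printf "PORTAGE_GPG_KEY=\"0x%s!\"\n", key
		}'
}

# Constructed sample mirroring the listing in the thread: one primary key,
# an encryption subkey and the sign-only subkey added via addkey.
SAMPLE='pub:u:4096:1:0123456789ABCDEF:1361880000:1456488000::u:::scESC::::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1361880000::0123::My Name <me@gentoo.org>::::::::::
sub:u:4096:1:FEDCBA9876543210:1361880000:1456488000:::::e::::::
sub:u:4096:1:1122334455667788:1361880000:1393000000:::::s::::::'

printf '%s\n' "$SAMPLE" | portage_gpg_key
```

With a real keyring, replace the sample with `gpg --with-colons --list-keys 0x<16_hex_digits_1> | portage_gpg_key`.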

