* [gentoo-project] Gentoo Authority Keys are deployed now for testing!
@ 2019-04-13 19:37 Michał Górny
2019-04-13 23:43 ` Aaron Bauman
2019-04-18 14:04 ` Aaron W. Swenson
0 siblings, 2 replies; 5+ messages in thread
From: Michał Górny @ 2019-04-13 19:37 UTC
To: gentoo-dev-announce; +Cc: gentoo-project

Hi, everyone.

I'd like to announce that the experimental deployment of Gentoo
Authority Keys is now in place. If someone would like to give them
a try, the Wiki includes instructions for using them [1].

Authority Keys (as defined in GLEP 79 [2]) provide a simple, uniform way
of verifying OpenPGP keys belonging to Gentoo developers. Long story
short, Infra runs a service that signs developer keys with a single key.
You import, verify and trust the key, and you get @gentoo.org UIDs of
all active Gentoo devs verified as a result.

The primary purpose of developer keys is to provide a better
GnuPG-friendly infrastructure for secure communication with developers. It
can be used to verify signatures made by developers, and to encrypt mail
sent to them. In this regard, it can be used in place of LDAP
(available only to Gentoo devs) or gentoo-keys seed files (which require
manual updates, and use a custom file format).

Besides developer key signatures, Authority Keys also provide (manually
managed) signatures for other keys used by Infra. Therefore, they
provide an alternative to manually verifying key fingerprints against
the Gentoo website [3].

While technically right now the authenticity of Authority Keys can only
be verified against the website [3], I hope that users will start
signing them upon verifying, effectively making WoT-based verification
possible. Once that happens, we will be able to stop relying on PKI.

Currently, the Authority Keys and signed developer keys are available
only on the experimental Gentoo keyserver (hkps://keys.gentoo.org).
Once both mature a little bit, we should start syncing keys between
the Gentoo keyserver and SKS, effectively increasing availability of this
service.

[1]:https://wiki.gentoo.org/wiki/Project:Infrastructure/Authority_Keys
[2]:https://www.gentoo.org/glep/glep-0079.html
[3]:https://www.gentoo.org/downloads/signatures/

--
Best regards,
Michał Górny

* Re: [gentoo-project] Gentoo Authority Keys are deployed now for testing!
From: Aaron Bauman @ 2019-04-13 23:43 UTC
To: gentoo-project

On Sat, Apr 13, 2019 at 09:37:14PM +0200, Michał Górny wrote:
> Hi, everyone.
>
> I'd like to announce that the experimental deployment of Gentoo
> Authority Keys is now in place. If someone would like to give them
> a try, the Wiki includes instructions for using them [1].
>

Working great so far!

--
Cheers,
Aaron

* Re: [gentoo-project] Gentoo Authority Keys are deployed now for testing!
From: Aaron W. Swenson @ 2019-04-18 14:04 UTC
To: gentoo-project

On 2019-04-13 21:37, Michał Górny wrote:
> I'd like to announce that the experimental deployment of Gentoo
> Authority Keys is now in place. If someone would like to give them
> a try, the Wiki includes instructions for using them [1].
>
> ...
>
> [1]:https://wiki.gentoo.org/wiki/Project:Infrastructure/Authority_Keys
Unfortunately, the local trust doesn't work for my laptop where I only have the
subkeys. However, the instructions worked fine on my desktop where I have the
full key.

* Re: [gentoo-project] Gentoo Authority Keys are deployed now for testing!
From: Michał Górny @ 2019-04-18 14:07 UTC
To: gentoo-project

On Thu, 2019-04-18 at 10:04 -0400, Aaron W. Swenson wrote:
> On 2019-04-13 21:37, Michał Górny wrote:
> > I'd like to announce that the experimental deployment of Gentoo
> > Authority Keys is now in place. If someone would like to give them
> > a try, the Wiki includes instructions for using them [1].
> >
> > ...
> >
> > [1]:https://wiki.gentoo.org/wiki/Project:Infrastructure/Authority_Keys
>
> Unfortunately, the local trust doesn't work for my laptop where I only have the
> subkeys. However, the instructions worked fine on my desktop where I have the
> full key.
You need the primary key to be available in order to create
the certification signature. However, a trick to avoid that is to
create a separate certification key for local-only usage. Just make
sure you won't export it accidentally or use it for some other purpose.

--
Best regards,
Michał Górny

* Re: [gentoo-project] Gentoo Authority Keys are deployed now for testing!
From: Aaron W. Swenson @ 2019-04-18 14:20 UTC
To: gentoo-project

On 2019-04-18 16:07, Michał Górny wrote:
> You need the primary key to be available in order to create
> the certification signature. However, a trick to avoid that is to
> create a separate certification key for local-only usage. Just make
> sure you won't export it accidentally or use it for some other purpose.

I'll give that a go.