I'm one of those developers still using a deprecated PGP key to sign my
Debian packages. I'd like to make the switch to GPG, but I'm not too
sure how. I first generated a GPG key pair using 'gpa'. The Developer's
corner says:
There is information on this in the developers' reference. You can get
some more useful information on signing a GPG key with a PGP key from
the /usr/share/doc/debian-keyring/README.gz file...
The developers' reference just says to send new keys to
[EMAIL PROTECTED] and the debian-keyring/README.gz file says:
: Signing your GPG key with your PGP one
: --------------------------------------
:
: If you already have a PGP key, but only now made a GPG key, you must
: sign your GPG key with your PGP one. This can be done as follows:
:
: o If you have a version of gpg older than 1.0.3 (without RSA
: support) - get the gpg-rsa (or gpg-rsaref, if you live in the US) packages
: and install them. Newer versions of GPG have RSA support included, as the
: RSA patents expired on that date. You will also need the gpg-idea package
: regardless of the GPG version in use.
:
: o Find your GPG and PGP key ID's using gpg --list-keys, and pgp -kv
: Read the gpg and pgp documentation for more information.
:
: o Sign your GPG key with your PGP key:
: gpg --load-extension rsa --load-extension idea \
: --secret-keyring ~/.pgp/secring.pgp \
: --keyring ~/.pgp/pubring.pgp \
: --keyring ~/.gnupg/pubring.gpg \
: --default-key 'Your PGP ID' --sign-key 'Your GPG ID'
:
: If your version of GPG already has RSA included, you may omit the
: --load-extension rsa option.
I used only:
$ gpg --secret-keyring ~/.pgp/secring.pgp \
--keyring ~/.pgp/pubring.pgp \
--keyring ~/.gnupg/pubring.gpg \
--default-key 'Peter S. Galbraith' --sign-key 'D2A913A1'
because the '--load-extension rsa --load-extension idea' options failed
for me and the gpg-idea package doesn't exist.
I got:
: pub 1024R/D2A913A1 created: 1998-10-07 expires: never trust: -/u
: (1) Peter S Galbraith <[EMAIL PROTECTED]>
: (2). Peter S Galbraith <[EMAIL PROTECTED]>
:
: Really sign all user IDs? yes
:
: pub 1024R/D2A913A1 created: 1998-10-07 expires: never trust: -/u
: Fingerprint: 97 CE 86 6F F5 79 96 EE 6E 68 81 70 35 FF 79 9E
:
: Peter S Galbraith <[EMAIL PROTECTED]>
: Peter S Galbraith <[EMAIL PROTECTED]>
:
: Are you really sure that you want to sign this key
: with your key: "Peter S. Galbraith <[EMAIL PROTECTED]>"
So it seems like it worked.
Questions:
- what do I do with gpg to see what the new key is really signed by my
old PGP key? I would expect to see "D2A913A1" in that output, but I
don't:
$ gpg --list-sigs
/home/rhogee/.gnupg/pubring.gpg
-------------------------------
pub 1024D/A6CB024A 2002-05-13 Peter S. Galbraith <[EMAIL PROTECTED]>
sig A6CB024A 2002-05-13 Peter S. Galbraith <[EMAIL PROTECTED]>
sub 1024g/92BCB61A 2002-05-13
sig A6CB024A 2002-05-13 Peter S. Galbraith <[EMAIL PROTECTED]>
- What output from gpg do I email [EMAIL PROTECTED]?
I presume 'gpg --export [EMAIL PROTECTED]' but that yields a binary
file. Is that correct?
- I presume my PGP signature will continue to work as usual while I
wait for the GPG key to start working. No one knows I'm changing
over to GPG, so I can't see it breaking. Right? (I keep reading
about the nightmare of getting new keys into the keyring).
Thanks, I feel like a newbie.
Peter
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
