On Wed, Feb 27, 2013 at 11:04 AM, Robin H. Johnson <robb...@gentoo.org> wrote: > Thanks for the partial response Luis. > > On Wed, Feb 27, 2013 at 04:12:14PM +0100, Luis Ressel wrote: >> On Tue, 26 Feb 2013 17:10:56 +0700 (NOVT) >> gro...@gentoo.org wrote: >> >> > Hello *, >> > I am stuck and have many questions. > > New addition to the instructions: > 0. Copy /usr/share/gnupg/gpg-conf.skel to ~/.gnupg/gpg.conf, append the > block given in my email. > TODO: The upstream skeleton config file has improved over the years, > it would be useful for all users to get updates to it, but etc-update > only works for /etc, since this is deployed per-user. Suggestions > welcome on getting users to do this. > >> > [In the process of becoming a dev, I've generated a gpg key, of course. It >> > vwas on an old notebook. When I switched to a newer notebook, I forgot to >> > copy it, because I don't use gpg regularly. No risk that it became known - >> > the disk was re-partitioned and re-formatted. Probably, that key has >> > expired anyway.] >> > 1. So, I start >> > gpg --gen-key >> > It creates ~/.gnupg/ and some files in it. Should I press ctrl-C, then >> > edit ~/.gnupg/gpg.conf, and then re-start gpg --gen-key? Or editing >> > gpg.conf can be done later? >> Editing the conf should be done first, some of the preferences (e.g. >> personal-digest-preference and cert-digest-algo) affect the creation of >> keys. > See step 0 above, and do gen-key AFTER that. > >> > 3. Now I do >> > gpg --edit-key 0x<16_hex_digits_1> >> > addkey >> > Then I choose >> > (4) RSA (sign only) >> > right? Then I choose 4096, 1y, y, y, save. Now >> > gpg --list-keys >> > gives >> > /home/<username>/.gnupg/pubring.gpg >> > ------------------------------- >> > pub 4096R/0x<16_hex_digits_1> 2013-02-26 [expires: 2016-02-26] >> > uid [ultimate] <my_name> <my_gentoo_email_address> >> > sub 4096R/0x<16_hex_digits_2> 2013-02-26 [expires: 2016-02-26] >> > sub 4096R/0x<16_hex_digits_3> 2013-02-26 [expires: 2014-02-26] >> > 4. I do >> > gpg --output revoke.asc --gen-revoke 0x<16_hex_digits_1> >> > and choose 1. >> That's all correct. > Make sure to put that revoke.asc file in a secure place, and REMOVE the > unprotected copy from your system. It has NO encryption on that file, by > design. > >> > > 6. Encrypted backup of your secret keys. >> > I don't understand this. >> >> It'd make sense to have an backup of your keys (~/.gnupg/secring.gpg) >> stored in a safe place, just as with everything else... If you want, >> you can protect it by another layer of encryption, but it's not that >> important, because the keys are already protected by your passphrase. > > Yes, your normal keys are protected by your passphrase. > If you have additional SEPARATE keys that might not have passphrases (eg > for automation purposes), having them encrypted on your backup media is > a good idea. > > If you don't have any other keys like that, I've attached a backup > script for you to use (originally written because some versions ago > there was a gnupg locking bug, and it would occasionally > corrupt/overwrite my public keyring). > >> > > 7. In your gpg.conf: >> > > # include an unambiguous indicator of which key made a signature: >> > > # (see >> > > http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234) >> > > sig-notation issuer-...@notations.openpgp.fifthhorseman.net=%g >> > I don't understand this. >> Neither do I (I know what it does, but I don't see what it's good for) – >> just leave it out, it's not necessary. > Here's the origin of this: > http://www.ietf.org/mail-archive/web/openpgp/current/msg00405.html > Basically, just like the rest of the expansion to use full length > keyids to avoid collision attacks, this does the same for > certifications. > >> > 5. I do >> > gpg --keyserver subkeys.pgp.net --send-key 0x<16_hex_digits_1> >> > 6. On dev.gentoo.org, I am supposed to do >> > perl_ldap -b user -M gpgkey <gpg-id> <user> >> > perl_ldap -b user -M gpgfingerprint <gpg-fingerprint> <user> >> > Is <gpg-id> 0x<16_hex_digits_1>? Or 0x<16_hex_digits_3>? What is >> > <gpg-fingerprint> and how do I get it? Is <user> my username on >> > dev.gentoo.org? >> > What's even more important, perl_ldap asks my ldap password. I suppose I >> > haven't got one. My usual Gentoo password (used in bugzilla, forums) does >> > not work. How do I get an ldap password? >> I can't help you with that, as I don't have access to any gentoo >> infrastructure. But IIRC, that's the password you once set on d.g.o >> with passwd. > Your recruiter should have pointed you to your LDAP password when you > become a developer for new developers. In case of old developers, this > wasn't reliable followed, and/or gets lost. Please contact infra or > the devrel leads to get your LDAP password reset. > > '<user>' is your Gentoo developer username. Be careful to NOT > replace the '-b user' part, that selects 'user' mode for the tool.
FYI: I patched perl_ldap so this doesn't happen, as it was a very common mistake. -A > >> > 7. If I'll ever complete all the above, I'll add sign to FEATURES in >> > /etc/portage/make.conf, and >> > PORTAGE_GPG_DIR="/home/<username>/.gnupg" >> > and also >> > PORTAGE_GPG_KEY="0x<16_hex_digits_3>!" >> > Is this correct? Is it <16_hex_digits_3>, and not, say, <16_hex_digits_1>? >> > Should I add ! at the end, as suggested by mgorny? >> 16_hex_digits_3 (the one you added later via addkey) is the correct >> one. And adding a ! is absolutely necessary. > :-) > >> > During the time I'm reading all these instructions, I could bump 10 >> > packages. Very complicated for a person who does not use gpg and >> > knows next to nothing about it. >> Security can be hard to grasp at times. Sadly... > But THANK YOU for writing up your email, it's great to have somebody > with no experience try the instructions, and help us figure out where > they need to improve. > > -- > Robin Hugh Johnson > Gentoo Linux: Developer, Trustee & Infrastructure Lead > E-Mail : robb...@gentoo.org > GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
