GPG Keys

Summary

After our security incident in July 2014, we planned to limit the scope of each of our GPG keys, so that if (or rather, when) a key is compromised or has to be revoked, we avoid re-signing lots of content.

  1. General-use, time-based keys: for use with Debian archives, nightly packages etc. Cycled every two years.
  2. Major-release-based keys (1.5, 1.6 etc.): for use with tarballs and RPMs. Expiry of one year.

Debian archives seem to only support one key, or perhaps one key per dist, so we don't believe we can sign releases with different keys.

RPM users are told in install & upgrade documentation to install foreman-release from the new release, which can contain the keys for that release, making distribution easy.

Generating a new key

Consider using a new directory per key, and use --homedir to specify it.

[dcleal@cobalt gnupg]$ mkdir 2014
[dcleal@cobalt gnupg]$ chmod 0700 2014
[dcleal@cobalt gnupg]$ cd 2014
[dcleal@cobalt 2014]$ gpg --homedir . --gen-key
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keyring `./secring.gpg' created
gpg: keyring `./pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits

Time-based keys last two years; release keys last one year.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Thu 30 Jun 2016 18:00:07 BST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" 

For time based keys, note that we're using the year the key starts:

Real name: Foreman Automatic Signing Key
Email address: packages@theforeman.org
Comment: 2014
You selected this USER-ID:
    "Foreman Automatic Signing Key (2014) <packages@theforeman.org>" 

For release keys note the different name and release number in the comment field:

Real name: Foreman Release Signing Key
Email address: packages@theforeman.org
Comment: 1.6
You selected this USER-ID:
    "Foreman Release Signing Key (1.6) <packages@theforeman.org>" 

It's suggested you use a passphrase locally. To distribute the secret key to others, however, you'll probably want to create a copy with the passphrase removed, and encourage the recipients to add a passphrase they know on their side.

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

Success:

gpg: ./trustdb.gpg: trustdb created
gpg: key 1AA043B8 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2016-06-30
pub   4096R/1AA043B8 2014-07-01 [expires: 2016-06-30]
      Key fingerprint = 7059 542D 5AEA 367F 7873  2D02 B348 4CB7 1AA0 43B8
uid                  Foreman Automatic Signing Key (2014) <packages@theforeman.org>
sub   4096R/3A85FC71 2014-07-01 [expires: 2016-06-30]
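The interactive session above, driven unattended with a GnuPG batch parameter file, as an added example (this is not the wiki's own script). It produces the same kind of key for either of the two key types described in the summary: a 4096-bit RSA primary with an RSA encryption subkey, the project's user ID convention (comment = start year for time-based keys, release number for release keys), and the matching 2y/1y expiry. It assumes GnuPG 2.1 or later for the %no-protection directive (the session above used 1.4); the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the Foreman wiki): the interactive gpg --gen-key
# session, driven unattended with a GnuPG batch parameter file.
# Assumes GnuPG 2.1 or later (%no-protection); the wiki session used 1.4.
set -eu

# Print a batch parameter file for either key type. Arguments:
#   $1 kind        "time"    (Automatic Signing Key, comment = start year, 2y)
#                  "release" (Release Signing Key, comment = version, 1y)
#   $2 comment     the year or release number for the Comment field
#   $3 passphrase  optional; when empty the key is generated unprotected,
#                  matching the copy the wiki suggests for distribution
key_params() {
    kind=$1
    comment=$2
    passphrase=${3:-}
    case $kind in
        time)    name="Foreman Automatic Signing Key"; expire="2y" ;;
        release) name="Foreman Release Signing Key";   expire="1y" ;;
        *) echo "unknown key kind: $kind" >&2; return 1 ;;
    esac
    if [ -n "$passphrase" ]; then
        protection="Passphrase: $passphrase"
    else
        protection="%no-protection"
    fi
    cat <<EOF
%echo Generating $name ($comment)
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $name
Name-Comment: $comment
Name-Email: packages@theforeman.org
Expire-Date: $expire
$protection
%commit
%echo done
EOF
}

# Create a fresh --homedir per key, as the wiki suggests, and generate into it.
#   $1 homedir, $2 kind, $3 comment, $4 optional passphrase
generate_key() {
    homedir=$1
    mkdir -p "$homedir"
    chmod 0700 "$homedir"
    key_params "$2" "$3" "${4:-}" > "$homedir/params.txt"
    gpg --homedir "$homedir" --batch --gen-key "$homedir/params.txt"
    rm -f "$homedir/params.txt"
    # Machine-readable listing so the caller can record fingerprint and expiry.
    gpg --homedir "$homedir" --with-colons --list-keys
}

# When run directly with GEN_KEY_HOMEDIR set, e.g.
#   GEN_KEY_HOMEDIR=./2014 sh gen-key.sh time 2014
if [ -n "${GEN_KEY_HOMEDIR:-}" ]; then
    generate_key "$GEN_KEY_HOMEDIR" "$1" "$2" "${3:-}"
fi
```

The parameter file is written into the key's own homedir and deleted after generation, so a passphrase passed as the third argument does not outlive the run; the homedir is created mode 0700 first, as in the session above.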

Lastly, sign the new packaging key with your own key to prove its authenticity:

$ gpg --homedir . --armor --export 0x1AA043B8 | gpg --import

$ gpg --edit-key 0x1AA043B8

pub  4096R/1AA043B8  created: 2014-07-01  expires: 2016-06-30  usage: SC  
                     trust: unknown       validity: unknown
sub  4096R/3A85FC71  created: 2014-07-01  expires: 2016-06-30  usage: E   
[ unknown] (1). Foreman Automatic Signing Key (2014) <packages@theforeman.org>

gpg> fpr
pub   4096R/1AA043B8 2014-07-01 Foreman Automatic Signing Key (2014) <packages@theforeman.org>
 Primary key fingerprint: 7059 542D 5AEA 367F 7873  2D02 B348 4CB7 1AA0 43B8

gpg> sign

pub  4096R/1AA043B8  created: 2014-07-01  expires: 2016-06-30  usage: SC  
                     trust: unknown       validity: unknown
 Primary key fingerprint: 7059 542D 5AEA 367F 7873  2D02 B348 4CB7 1AA0 43B8

     Foreman Automatic Signing Key (2014) <packages@theforeman.org>

This key is due to expire on 2016-06-30.
Are you sure that you want to sign this key with your
key "Dominic Cleal <dominic@computerkb.co.uk>" (2C2B72CC)

Really sign? (y/N) y

gpg> check
uid  Foreman Automatic Signing Key (2014) <packages@theforeman.org>
sig!3        1AA043B8 2014-07-01  [self-signature]
sig!         2C2B72CC 2014-07-01  Dominic Cleal <dominic@computerkb.co.uk>

gpg> Save changes? (y/N) y

$ gpg --keyserver pgp.mit.edu --send-keys 0x1AA043B8
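The check that the "fpr" step above is there for, scripted, as an added example (not the wiki's own tooling): before signing a packaging key with your own key, compare the fingerprint gpg reports against the one you were given out of band, and note how long the key has left before its expiry. The parsing works on gpg's --with-colons listing; the sample listing embedded below is constructed for the example, with the fingerprint and expiry time taken from the session above and the remaining fields made up. The sign-and-publish step assumes GnuPG 2.1 or later for --quick-sign-key; function names are my own.

```shell
#!/bin/sh
# Added example (not from the Foreman wiki): verify a packaging key's
# fingerprint against the value obtained out of band, report time to expiry,
# and only then sign and publish it. Assumes GnuPG 2.1+ for --quick-sign-key.
set -eu

# Constructed sample of "gpg --with-colons --list-keys" output for the key from
# the wiki session: fingerprint and expiry epoch (2016-06-30 17:00:07 UTC) are
# from that session; creation epoch and uid hash are made up for the example.
SAMPLE_LISTING='tru::1:1404172800:1467306007:3:1:5
pub:u:4096:1:B3484CB71AA043B8:1404172800:1467306007::u:::scESC::::::23::0:
fpr:::::::::7059542D5AEA367F78732D02B3484CB71AA043B8:
uid:u::::1404172800::0000000000000000000000000000000000000000::Foreman Automatic Signing Key (2014) <packages@theforeman.org>::::::::::0:'

# Read a --with-colons listing on stdin and print "<fingerprint> <expiry-epoch>"
# for the primary key: field 10 of the first fpr line, field 7 of the pub line.
key_fpr_and_expiry() {
    awk -F: '
        $1 == "pub" && !seen_pub { expires = $7; seen_pub = 1 }
        $1 == "fpr" && !seen_fpr { fpr = $10; seen_fpr = 1 }
        END { if (fpr == "") exit 1; print fpr, expires }
    '
}

# Turn a fingerprint as printed by "gpg> fpr" (spaced groups, any case) into
# the bare 40-hex form used in colon output.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Compare the listing on stdin with the fingerprint obtained out of band.
# Returns 0 on match, 1 on mismatch or when no key is present.
fingerprint_matches() {
    expected=$(normalise_fpr "$1")
    actual=$(key_fpr_and_expiry | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Whole days until the primary key expires, given the listing on stdin and
# "now" as a Unix epoch. Fails if the key has no expiry at all.
days_until_expiry() {
    now=$1
    expires=$(key_fpr_and_expiry | cut -d' ' -f2)
    [ -n "$expires" ] || { echo "key has no expiry" >&2; return 1; }
    echo $(( (expires - now) / 86400 ))
}

# Sign with your own key and publish, only if the fingerprint checks out.
#   $1 key id to sign, $2 expected fingerprint, $3 your own signing key id
sign_and_publish() {
    keyid=$1; expected=$2; signer=$3
    gpg --with-colons --list-keys "$keyid" | fingerprint_matches "$expected" || {
        echo "fingerprint mismatch for $keyid, refusing to sign" >&2
        return 1
    }
    gpg --local-user "$signer" --quick-sign-key "$(normalise_fpr "$expected")"
    gpg --keyserver pgp.mit.edu --send-keys "$keyid"
}
```

Run against a live keyring with, for example, sign_and_publish 0x1AA043B8 "7059 542D 5AEA 367F 7873  2D02 B348 4CB7 1AA0 43B8" 0x2C2B72CC; the signature is only made when the listed fingerprint matches the one you typed in, which is the same comparison the manual "fpr" step asks you to do by eye.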