GPG Keys » History » Version 1

Ewoud Kohl van Wijngaarden, 05/07/2025 04:08 PM

h1. GPG Keys

h2. Summary

After our security incident in July 2014, we planned to try to contain the scope of our GPG keys, to avoid re-signing lots of content if (or rather, when) a key is compromised or has to be revoked.

1. General-use time-based keys: for use with Debian archives, nightly packages, etc. Cycled every two years.
2. Major-release (1.5, 1.6, etc.) based keys: for use with tarballs and RPMs. Expiry of one year.

Debian archives seem to only support one key, or perhaps one key per dist, so we don't believe we can sign releases with different keys.

RPM users are told in the install & upgrade documentation to install foreman-release from the new release, which can contain the keys for that release, making distribution easy.

h2. Generating a new key

Consider using a new directory per key, and use --homedir to specify it.

<pre>
[dcleal@cobalt gnupg]$ mkdir 2014
[dcleal@cobalt gnupg]$ chmod 0700 2014
[dcleal@cobalt 2014]$ gpg --homedir . --gen-key
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keyring `./secring.gpg' created
gpg: keyring `./pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
</pre>

*Time based keys* will last two years, *release keys* last one year.

<pre>
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Thu 30 Jun 2016 18:00:07 BST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
</pre>

For time based keys, note that we're using the year the key starts:

<pre>
Real name: Foreman Automatic Signing Key
Email address: packages@theforeman.org
Comment: 2014
You selected this USER-ID:
    "Foreman Automatic Signing Key (2014) <packages@theforeman.org>"
</pre>

For release keys, note the different name and the release number in the comment field:

<pre>
Real name: Foreman Release Signing Key
Email address: packages@theforeman.org
Comment: 1.6
You selected this USER-ID:
    "Foreman Release Signing Key (1.6) <packages@theforeman.org>"
</pre>

It's suggested you use a passphrase locally, but to distribute the key to others you'll probably want to create a copy with the passphrase removed and encourage each recipient to add one of their own on their side.

<pre>
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
</pre>

Success:

<pre>
gpg: ./trustdb.gpg: trustdb created
gpg: key 1AA043B8 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2016-06-30
pub   4096R/1AA043B8 2014-07-01 [expires: 2016-06-30]
      Key fingerprint = 7059 542D 5AEA 367F 7873  2D02 B348 4CB7 1AA0 43B8
uid                  Foreman Automatic Signing Key (2014) <packages@theforeman.org>
sub   4096R/3A85FC71 2014-07-01 [expires: 2016-06-30]
</pre>
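
The interactive session above can also be run unattended, which keeps every key to exactly the same parameters (RSA 4096 primary plus RSA 4096 subkey, the names and address used on this page, 2y for time-based keys and 1y for release keys) and leaves no room for a typo in the comment or expiry. The script below is an added example, not part of this wiki page or of the Foreman project's tooling. It assumes GnuPG 2.1 or newer, because it uses the batch directives @%ask-passphrase@ and @%no-protection@ (the session above ran GnuPG 1.4.16); the file name gen-key.sh, the parameter file name and the home directory path are assumptions.

```shell
#!/bin/sh
# Added example: unattended generation of a Foreman-style signing key with the
# naming and expiry conventions from this page. Not part of the wiki page or
# the Foreman project's tooling. Assumes GnuPG 2.1+ (batch directives
# %no-protection and %ask-passphrase); the page's session used GnuPG 1.4.16.
set -e

# Print a GnuPG batch parameter block.
#   $1 = key kind: "time"    (2-year key, comment = the year it starts)
#                  "release" (1-year key, comment = the release number)
#   $2 = the year or release number for the comment field
#   $3 = "protected"   (default: gpg asks for a passphrase via the agent), or
#        "unprotected" (the copy handed to other maintainers, who add their own)
batch_params() {
  kind=$1
  label=$2
  protection=${3:-protected}
  case "$kind" in
    time)    name="Foreman Automatic Signing Key"; expire="2y" ;;
    release) name="Foreman Release Signing Key";   expire="1y" ;;
    *)       echo "batch_params: unknown key kind '$kind'" >&2; return 1 ;;
  esac
  case "$protection" in
    protected)   prot="%ask-passphrase" ;;
    unprotected) prot="%no-protection" ;;
    *)           echo "batch_params: unknown protection '$protection'" >&2; return 1 ;;
  esac
  # Same choices as the interactive session: option 1 (RSA and RSA), 4096 bits.
  cat <<EOF
%echo Generating $name ($label)
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $name
Name-Comment: $label
Name-Email: packages@theforeman.org
Expire-Date: $expire
$prot
%commit
%echo done
EOF
}

# Create a private home directory for the key (one directory per key, as the
# page suggests), generate the key there and print its fingerprint.
#   $1 = homedir (assumed path), $2 = kind, $3 = label, $4 = protection
generate_key() {
  homedir=$1
  mkdir -p "$homedir"
  chmod 0700 "$homedir"
  batch_params "$2" "$3" "${4:-protected}" > "$homedir/gen-key.params"
  gpg --homedir "$homedir" --batch --gen-key "$homedir/gen-key.params"
  rm -f "$homedir/gen-key.params"
  # Record the fingerprint so it can be checked out of band before anyone signs it.
  gpg --homedir "$homedir" --with-colons --fingerprint --list-keys \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage: sh gen-key.sh /path/to/2014 time 2014       (time-based key)
#        sh gen-key.sh /path/to/1.6  release 1.6      (release key)
if [ $# -ge 3 ] && command -v gpg >/dev/null 2>&1; then
  generate_key "$@"
fi
```

The parameter file is removed right after generation because, in the "unprotected" variant, nothing in it is secret, but in either variant leaving generation inputs next to the secret keyring invites confusion later about what was actually used.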

Lastly, sign the new packaging key with your own key to prove its authenticity:

<pre>
$ gpg --homedir . --armor --export 0x1AA043B8 | gpg --import

$ gpg --edit-key 0x1AA043B8

pub  4096R/1AA043B8  created: 2014-07-01  expires: 2016-06-30  usage: SC
                     trust: unknown       validity: unknown
sub  4096R/3A85FC71  created: 2014-07-01  expires: 2016-06-30  usage: E
[ unknown] (1). Foreman Automatic Signing Key (2014) <packages@theforeman.org>

gpg> fpr
pub   4096R/1AA043B8 2014-07-01 Foreman Automatic Signing Key (2014) <packages@theforeman.org>
 Primary key fingerprint: 7059 542D 5AEA 367F 7873  2D02 B348 4CB7 1AA0 43B8

gpg> sign

pub  4096R/1AA043B8  created: 2014-07-01  expires: 2016-06-30  usage: SC
                     trust: unknown       validity: unknown
 Primary key fingerprint: 7059 542D 5AEA 367F 7873  2D02 B348 4CB7 1AA0 43B8

     Foreman Automatic Signing Key (2014) <packages@theforeman.org>

This key is due to expire on 2016-06-30.
Are you sure that you want to sign this key with your
key "Dominic Cleal <dominic@computerkb.co.uk>" (2C2B72CC)

Really sign? (y/N) y

gpg> check
uid  Foreman Automatic Signing Key (2014) <packages@theforeman.org>
sig!3        1AA043B8 2014-07-01  [self-signature]
sig!         2C2B72CC 2014-07-01  Dominic Cleal <dominic@computerkb.co.uk>

gpg> Save changes? (y/N) y

$ gpg --keyserver pgp.mit.edu --send-keys 0x1AA043B8
</pre>
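
The @fpr@ step above is the one that matters: a signature from your personal key is a statement that you checked the fingerprint against what the person who generated the key recorded, so it should be compared mechanically rather than by eye, and the expiry should be watched so the two-year/one-year cycle from the summary is actually honoured before a key lapses. The script below is an added example, not part of this page or of the Foreman project. It assumes GnuPG 2.x colon-format output (@--with-colons@, with creation and expiry as Unix timestamps), and the listing embedded in it is constructed from the fingerprint and dates shown on this page rather than captured from a real keyring; the uid hash, the file name check-key.sh and the home directory path are placeholders.

```shell
#!/bin/sh
# Added example: verify a packaging key's fingerprint before signing or
# publishing it, and report how long it has left before the 2y/1y policy
# requires a replacement. Not part of the wiki page or the Foreman project.
# Assumes GnuPG 2.x colon-format output (--with-colons, Unix timestamps).
set -e

# Constructed listing, not captured from gpg: the fingerprint and the dates
# (2014-07-01, 2016-06-30) are those of the key shown on the page; the uid
# hash field is a placeholder.
SAMPLE_LISTING='pub:u:4096:1:B3484CB71AA043B8:1404172800:1467244800::u:::scESC::::::23::0:
fpr:::::::::7059542D5AEA367F78732D02B3484CB71AA043B8:
uid:u::::1404172800::CONSTRUCTED-UID-HASH::Foreman Automatic Signing Key (2014) <packages@theforeman.org>::::::::::0:'

# stdin: colon listing. Prints the primary key fingerprint (first fpr record).
primary_fpr() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# stdin: colon listing; $1: the fingerprint obtained out of band (spaces and
# letter case are ignored). Succeeds only on an exact 40-hex-digit match.
fpr_matches() {
  want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
  got=$(primary_fpr)
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# stdin: colon listing; $1: "now" as a Unix timestamp. Prints the whole days
# until the primary key expires (negative once expired), or "never".
days_to_expiry() {
  awk -F: -v now="$1" '
    $1 == "pub" {
      if ($7 == "") print "never"; else print int(($7 - now) / 86400)
      exit
    }'
}

# Live check against a keyring: $1 = homedir, $2 = key id, $3 = expected
# fingerprint. Fails when the fingerprint differs, so the wrong key is never
# signed or pushed to a keyserver by mistake.
check_key() {
  listing=$(gpg --homedir "$1" --with-colons --fingerprint --list-keys "$2")
  if ! printf '%s\n' "$listing" | fpr_matches "$3"; then
    echo "REFUSING: fingerprint of $2 does not match the expected value" >&2
    return 1
  fi
  left=$(printf '%s\n' "$listing" | days_to_expiry "$(date +%s)")
  echo "key $2: fingerprint verified, expires in $left days"
}

# Usage: sh check-key.sh /path/to/2014 0x1AA043B8 \
#            '7059 542D 5AEA 367F 7873  2D02 B348 4CB7 1AA0 43B8'
if [ $# -ge 3 ] && command -v gpg >/dev/null 2>&1; then
  check_key "$1" "$2" "$3"
fi
```

Run it with the fingerprint taken from the generation record (not from the same keyring you are about to sign), and schedule it on the keyring host so a negative or small day count is noticed well before a release depends on the key.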