Creating a GPG key
This page describes how to create and get a GPG key signed for use by the SELinux open source project. This is only needed for SELinux maintainers. Derived from an email from Jason Zaman, one of the SELinux userspace maintainers.
For people who don't have keys yet, or who have ancient keys (read: DSA, or shorter than 2048 bits, etc.), here are some useful docs on how to make a good key:
- https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys
- https://keyring.debian.org/creating-key.html
- https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/
The important thing is that your `~/.gnupg/gpg.conf` file has: `keyid-format 0xlong`
My preference for keys is that the master key (with Cert, or Cert+Sign) is kept offline, with separate subkeys for Sign and Encrypt. It should look something like this:

```
sec#  rsa4096/0x7EF137EC935B0EAF 2014-03-26 [SC] [expires: 2022-09-07]
      63191CE94183098689CAB8DB7EF137EC935B0EAF
uid           [ultimate] Jason Zaman <notmyrealemail AT test.com>
ssb>  rsa4096/0x3C5B5F43DE9F01FC 2014-03-26 [E] [expires: 2022-09-07]
ssb>  rsa4096/0x2BBED9CB1A68EF55 2014-09-23 [S] [expires: 2022-09-07]
ssb>  rsa4096/0x47871DE1B8A30571 2019-05-14 [A] [expires: 2022-09-07]
```

The `sec#` means the private part of my master key is not available.
But pretty much all distros have quite similar requirements nowadays, so if you already have a key, don't make a new one.

On the call we just need to verify everyone's fingerprint + ID. I will have my passport, but anything with name + picture is fine since we basically all know each other already.
Before the call:

- Make sure your key looks okay:

  ```
  gpg -k --fingerprint 0xMyKeyID
  ```

- Make sure your key is on the keyservers:

  ```
  gpg --keyserver keyserver.ubuntu.com --send-keys 0xMyKeyID
  ```
During the call we take turns:

- Show ID to the camera.
- Verbally read out your own fingerprint. Everyone else must verify it somewhere that can't be changed, e.g. don't use the meeting chat as your source of truth; instead copy-paste it into a text file or write it on paper.
After the call:

- You can sign using something like caff: https://wiki.debian.org/caff

- If you do it manually, then make sure you specify `--ask-cert-level`.

  These should be the rough steps to sign it manually. I dug them up from my notes the last time I did this because I keep forgetting.

  ```
  gpg --keyserver keyserver.ubuntu.com --refresh-keys
  gpg -k --fingerprint 0xOtherKeyID   # this fingerprint must match the one from the call
  gpg --ask-cert-level --sign-key 0xOtherKeyID
  gpg --list-sigs 0xOtherKeyID        # this should now show a "sig3" line with your new sig
  gpg --armor --export 0xOtherKeyID > 0xKeyID_signed.asc
  ```

  Send a gpg-encrypted email with 0xKeyID_signed.asc attached.

- When you get your 0xKeyID_signed.asc from someone:

  ```
  gpg --import 0xKeyID_signed.asc
  gpg --list-sigs 0xMyKeyID
  ```

  If all looks good:

  ```
  gpg --keyserver keyserver.ubuntu.com --send-keys 0xMyKeyID
  ```
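As an added example (not from this page or from Jason Zaman's email), here is a small POSIX shell check for the step above where the fingerprint from the call must match what gpg shows before you sign. The function names and the sample gpg output are constructed; the primary fingerprint in the sample is the one shown earlier on this page, the subkey fingerprint is made up.

```shell
# Added example: refuse to run --sign-key unless the fingerprint written down
# during the call matches the primary-key fingerprint gpg reports.

# Normalise a transcribed fingerprint: drop whitespace, upper-case hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Extract the primary-key fingerprint from `gpg --with-colons --fingerprint`
# output on stdin: the first "fpr" record after "pub". Later "fpr" records
# belong to subkeys; matching against one of those would pass the wrong check.
primary_fpr() {
    awk -F: '$1 == "pub" { p = 1; next } p && $1 == "fpr" { print $10; exit }'
}

# fpr_matches COLONS_OUTPUT TRANSCRIBED_FPR -> exit 0 on match, 1 otherwise.
fpr_matches() {
    actual=$(printf '%s\n' "$1" | primary_fpr)
    expected=$(norm_fpr "$2")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# sign_if_verified KEYID TRANSCRIBED_FPR: only signs when the check passes.
# Needs a real gpg keyring; not exercised by the constructed sample below.
sign_if_verified() {
    out=$(gpg --with-colons --fingerprint "$1") || return 1
    if fpr_matches "$out" "$2"; then
        gpg --ask-cert-level --sign-key "$1"
    else
        echo "fingerprint mismatch for $1, refusing to sign" >&2
        return 1
    fi
}

# Constructed sample of `gpg --with-colons --fingerprint 0x7EF137EC935B0EAF`
# (primary fingerprint as on this page; the subkey fingerprint is made up).
SAMPLE='pub:u:4096:1:7EF137EC935B0EAF:1395792000:1662508800::u:::scESC::::::23::0:
fpr:::::::::63191CE94183098689CAB8DB7EF137EC935B0EAF:
uid:u::::1395792000::0123456789ABCDEF0123456789ABCDEF01234567::Jason Zaman <notmyrealemail AT test.com>::::::::::0:
sub:u:4096:1:3C5B5F43DE9F01FC:1395792000:1662508800:::::e::::::23:
fpr:::::::::0000000000000000000000003C5B5F43DE9F01FC:'
```

Usage: `sign_if_verified 0xOtherKeyID "6319 1CE9 4183 0986 89CA  B8DB 7EF1 37EC 935B 0EAF"` with the fingerprint typed from your paper notes, not from the meeting chat.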
Best practice is to email the sig back to the owner so they can upload it themselves because that also verifies the email address and that they can decrypt emails correctly, but it is a lot more work so if y'all want we could just upload directly instead of emailing.
It is also a good idea to add the signed GPG key to your GitHub account under Settings so that others can download it from github.com/yourusername.gpg.