https://github.com/probcomp/probcomp-ubuntu-keyring

Ubuntu .deb signature keyring
https://github.com/probcomp/probcomp-ubuntu-keyring

Last synced: 5 months ago
JSON representation

Ubuntu .deb signature keyring

• Host: GitHub
• URL: https://github.com/probcomp/probcomp-ubuntu-keyring
• Owner: probcomp
• Created: 2017-03-29T13:28:01.000Z (about 9 years ago)
• Default Branch: master
• Last Pushed: 2017-08-15T19:45:08.000Z (almost 9 years ago)
• Last Synced: 2025-05-08T22:57:34.483Z (about 1 year ago)
• Language: Makefile
• Size: 53.7 KB
• Stars: 0
• Watchers: 6
• Forks: 2
• Open Issues: 0
• Metadata Files:
  • Readme: README

Awesome Lists containing this project

README

          
Public keys for Ubuntu .deb signature verification

* Before and after generating any keys:

Because GnuPG is stuck in the '90s dark ages of crypto engineering:

% sudo mv /dev/random /dev/random.save

% sudo ln -s urandom /dev/random

...generate keys...

% sudo mv -f /dev/random.save /dev/random

Don't automate this -- only do this on an interactive laptop, or

figure out what this is about and then automate it differently with a

reliable source of entropy in a seed file.

* To create a signing key for a new principal:

Pick a nickname for the principal, called .  E.g., you

might pick your username.

1. Pick an email address with  in it.

2. Copy template.param to .param.

3. Edit the lines marked XXXEDITME:

   - Set the name and email address to reflect the principal.

   - Set the expiration date.  Should be at least a couple months in

     the future.

4. Add  to PRINCIPALS in Makefile.  (Keep sorted.)

5. Pick an empty GnuPG home for your private key to live in, e.g. on a

   USB flash drive mounted at /media/user/userdebsign/20170530.  You

   can create it with

      % mkdir -m 0700 /media/user/userdebsign/20170530

      % gpg --homedir /media/user/userdebsign/20170530 --list-keys

6. Do a dry run of key generation:

      % make .dry GNUPGHOME=/media/user/userdebsign/20170530

   Examine the output.  Tweak until it works.

7. Do a real run of key generation:

      % make .asc GNUPGHOME=/media/user/userdebsign/20170530

8. Regenerate the keyring:

      % make keyring

9. Commit your changes to Git.

* To retire a signing key:

1. Move .asc to archive//-.asc.

2. Add archive//- to PRINCIPALS in Makefile.

   Remove  if you are not generating a new signing key.

3. Commit your changes to Git.

4. After the signing key has expired, you can remove it.

* To generate a new signing key for an old principal:

Just retire the old signing key and create a new signing key as if for

a new principal.

* Why is this hard?

We want:

- To keep the key material off our laptop disks.

- Reproducible, consistent instructions for generating keys.

- Procedure for adding a new principal or retiring an old principal.

- Procedure for rotating from an old version of a principal's key to

  a new version.

- No stupid GnuPG hanging while trying to generate many bytes of data

  for RSA keys.

We do not currently use hardware crypto tokens.  To be done in a

future version of this so that we keep the key material off our

laptops altogether.