OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   30-Mar-2003 12:15:09
  Branch: HEAD                             Handle: 2003033011150700

  Modified files:
    openpkg-web/pgp         gnupg.wml template.wml

  Log:
    more content for the pgp.openpkg.org website

  Summary:
    Revision    Changes     Path
    1.2         +142 -0     openpkg-web/pgp/gnupg.wml
    1.2         +3  -1      openpkg-web/pgp/template.wml
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/pgp/gnupg.wml
  ============================================================================
  $ cvs diff -u -r1.1 -r1.2 gnupg.wml
  --- openpkg-web/pgp/gnupg.wml 29 Mar 2003 19:53:37 -0000      1.1
  +++ openpkg-web/pgp/gnupg.wml 30 Mar 2003 10:15:07 -0000      1.2
  @@ -1,6 +1,12 @@
   
   #use wml::template page=gnupg
   
  +<define-tag screen endtag=required>
  +<box bdwidth=1 bdcolor="#a5a095" bdspace=10 bgcolor="#e5e0d5">\
  +<pre>%body</pre>\
  +</box>
  +</define-tag>
  +
   The <a href="http://www.openpkg.org/";>OpenPKG</a> project uses <a
   href="http://www.ietf.org/rfc/rfc2440.txt";>OpenPGP</a>
   (RFC 2440) public key cryptography for digitally
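Review bot: The `screen` tag defined at the top of gnupg.wml passes `%body` straight into `<pre>`, and nothing in the definition escapes it, so any literal `<...>` in a screen body reaches the page as markup. The uses later in this patch are inconsistent on this point: some key user IDs in the sample output are written with `&lt;`/`&gt;` and others with raw angle brackets. Either state in a comment above the definition that bodies must be entity-escaped, or escape every user ID in the sample output the same way.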
  @@ -9,5 +15,141 @@
   href="http://www.openpkg.org/security.html";>Security Advisories</a> for
   released packages.
   
  +<ol>
  +<li><b>Installing GnuPG</b>
  +<p>
  +To check the integrity of OpenPKG RPM packages and security advisories you
  +first should install GnuPG (http://www.gnupg.org/). Usually you will do this
  +by installing the OpenPKG <b>GnuPG</b> package, of course.
  +
  +<p>
  +<screen>
  +\#   install OpenPKG GnuPG package
  +$ <font color="#666699">prefix</font>/bin/rpm --rebuild 
ftp://ftp.openpkg.org/release/1.2/SRC/gnupg-1.2.1-1.2.0.src.rpm
  +[...]
  +$ su -
  +root# <font color="#666699">prefix</font>/bin/rpm -Uvh <font 
color="#666699">prefix</font>/RPM/PKG/gnupg-1.2.1-1.2.0.*.rpm
  +Preparing...                ########################################### [100%]
  +   1:gnupg                  ########################################### [100%]
  +root# exit
  +$ PATH=<font color="#666699">prefix</font>/bin:$PATH
  +</screen>
  +
  +<p>
  +<li><b>Importing OpenPKG key into GnuPG</b>
  +<p>
  +Now you have to import the OpenPKG public key into GnuPG. You can either
  +fetch it directly from <b>pgp.openpkg.org</b> or (if you already have
  +an OpenPKG instance under <font color="#666699">prefix</font>) you
  +can import the copy from there.
  +
   <p>
  +<screen>
  +\#   alternative 1: import from key server
  +$ gpg --recv-keys --keyserver hkp://pgp.openpkg.org 63C4CB9F
  +gpg: key 63C4CB9F: public key "OpenPKG <[EMAIL PROTECTED]>" imported
  +gpg: Total number processed: 1
  +gpg:               imported: 1
  +</screen>
  +
  +<p>
  +<screen>
  +\#   alternative 2: import from website
  +$ lynx -source http://www.openpkg.org/openpkg.pgp | gpg --import
  +gpg: key 63C4CB9F: public key "OpenPKG <[EMAIL PROTECTED]>" imported
  +gpg: Total number processed: 1
  +gpg:               imported: 1
  +</screen>
  +
  +<p>
  +<screen>
  +\#   alternative 3: import from local copy
  +$ gpg --import <font color="#666699">prefix</font>/etc/openpkg/openpkg.pgp
  +gpg: key 63C4CB9F: public key "OpenPKG <[EMAIL PROTECTED]>" imported
  +gpg: Total number processed: 1
  +gpg:               imported: 1
  +</screen>
  +
  +<p>
  +<li><b>Verify Integrity of Public Key</b>
  +<p>
  +Then you have to verify the integrity of the OpenPKG public key by
  +checking its fingerprint to be "6D96 EFCF CF75 3288 10DB 40C2 8075 93E0
  +63C4 CB9F".
  +
  +<p>
  +<screen>
  +$ gpg --fingerprint 63C4CB9F
  +pub  1024D/63C4CB9F 2002-01-31 OpenPKG <[EMAIL PROTECTED]>
  +     Key fingerprint = 6D96 EFCF CF75 3288 10DB  40C2 8075 93E0 63C4 CB9F
  +sub  2048g/DCC7EF11 2002-01-31
  +</screen>
  +
  +<p>
  +<li><b>Sign the Public Key</b>
  +<p>
  +If the fingerprint is ok, you usually want to either sign the key with
  +your own private key (assuming you already have it created once with
  +"gpg --gen-key") or at least mark it explicitly as trusted in the GnuPG
  +trust database.
  +
  +<p>
  +<screen>
  +\#   alternative 1: sign the OpenPKG public key with own private secret key
  +$ gpg --sign-key 63C4CB9F
  +gpg: checking the trustdb
  +gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
  +pub  1024D/63C4CB9F  created: 2002-01-31 expires: never      trust: -/-
  +sub  2048g/DCC7EF11  created: 2002-01-31 expires: never     
  +(1). OpenPKG &lt;[EMAIL PROTECTED]&gt;
  +pub  1024D/63C4CB9F  created: 2002-01-31 expires: never      trust: -/-
  + Primary key fingerprint: 6D96 EFCF CF75 3288 10DB  40C2 8075 93E0 63C4 CB9F
  +     OpenPKG &lt;[EMAIL PROTECTED]&gt;
  +
  +How carefully have you verified the key you are about to sign actually belongs
  +to the person named above?  If you don't know what to answer, enter "0".
  +   (0) I will not answer. (default)
  +   (1) I have not checked at all.
  +   (2) I have done casual checking.
  +   (3) I have done very careful checking.
  +Your selection? 2
  +Are you really sure that you want to sign this key
  +with your key: "Your Name <[EMAIL PROTECTED]>"
  +
  +I have checked this key casually.
  +Really sign? y
  +              
  +You need a passphrase to unlock the secret key for
  +user: "Your name &lt;[EMAIL PROTECTED]&gt;"
  +1024-bit DSA key, ID XXXXXXXX, created 200X-XX-XX
  +</screen>
  +
  +<P>
  +<screen>
  +\#   alternative 2: mark the OpenPKG public key as trusted
  +gpg --update-trustdb --trusted-key 807593E063C4CB9F
  +gpg: key 63C4CB9F marked as ultimately trusted
  +gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
  +</screen>
  +
  +<p>
  +<li><b>Verify OpenPKG Security Advisories or RPM Packages</b>
  +<p>
  +After these preparations, you now can easily verify
  +the digital signature of OpenPKG security advisories and OpenPKG RPM packages:
  +
  +<p>
  +<screen>
  +\#   verify digital signature on a security advisory
  +$ w3m -dump http://www.openpkg.org/security/OpenPKG-SA-2003.026-openssl.txt | gpg 
--verify
  +gpg: Signature made Thu Mar 20 21:20:49 2003 CET using DSA key ID 63C4CB9F
  +gpg: Good signature from "OpenPKG <[EMAIL PROTECTED]>"
  +
  +\#   verify digital signature on an RPM (release) package
  +$ rpm --checksig ftp://ftp.openpkg.org/release/1.2/SRC/gnupg-1.2.1-1.2.0.src.rpm
  +MD5 sum OK: 572ae1ff2a18b789b13ada544db40fad
  +gpg: Signature made Tue Jan 21 15:54:41 2003 CET using DSA key ID 63C4CB9F
  +gpg: Good signature from "OpenPKG <[EMAIL PROTECTED]>"
  +</screen>
  +</ol>
   
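Review bot: In step 4, "alternative 2" (`gpg --update-trustdb --trusted-key 807593E063C4CB9F`) is introduced as the lesser option ("or at least mark it explicitly as trusted"), but the sample output shows the key becoming ultimately trusted, which is the level GnuPG gives to the user's own keys and is more than verifying OpenPKG signatures requires. Suggest saying so in the text, or offering a local signature (`gpg --lsign-key 63C4CB9F`) as the lighter alternative. That command line is also the only one in the patch without the `$ ` prompt. In step 3, the reference fingerprint is printed on the same site that import alternative 2 fetches the key from over plain http; pointing readers to an independent source for the fingerprint would make the comparison meaningful.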
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/pgp/template.wml
  ============================================================================
  $ cvs diff -u -r1.1 -r1.2 template.wml
  --- openpkg-web/pgp/template.wml      29 Mar 2003 19:53:37 -0000      1.1
  +++ openpkg-web/pgp/template.wml      30 Mar 2003 10:15:07 -0000      1.2
  @@ -95,7 +95,9 @@
                  <table width=100%>
                    <tr>
                  <td valign=bottom align=left>
  -                      <img src="http://www.openpkg.org/openpkg.gif"; alt="The 
OpenPKG Project">
  +                      <a href="http://www.openpkg.org/";><img
  +                 src="http://www.openpkg.org/openpkg.gif"; alt="The OpenPKG
  +                 Project" border=0></a>
                      </td>
                  <td valign=bottom align=right>
                             <table cellspacing=0 cellpadding=0 border=0>
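Review bot: The `alt` value in the new `<img>` is wrapped after "The OpenPKG", so the attribute now contains a line break plus the continuation line's indentation. Keep `alt="The OpenPKG Project"` on one line and break between attributes instead.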
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
