On Tue, 26 Feb 2013 17:10:56 +0700 (NOVT)
gro...@gentoo.org wrote:

> Hello *,
> I am stuck and have many questions.
> [In the process of becoming a dev, I've generated a gpg key, of course. It 
> was on an old notebook. When I switched to a newer notebook, I forgot to 
> copy it, because I don't use gpg regularly. No risk that it became known - 
> the disk was re-partitioned and re-formatted. Probably, that key has expired 
> anyway.]
> 1. So, I start
> gpg --gen-key
> It creates ~/.gnupg/ and some files in it. Should I press ctrl-C, then edit 
> ~/.gnupg/gpg.conf, and then re-start gpg --gen-key? Or editing gpg.conf can 
> be done later?

Editing the conf should be done first, some of the preferences (e.g.
personal-digest-preference and cert-digest-algo) affect the creation of
keys.

> 2. Then I choose 1, 3y, y, then my name and the @gentoo.org email address. 
> After that,
> gpg --list-keys
> says
> /home/<username>/.gnupg/pubring.gpg
> -------------------------------
> pub   4096R/0x<16_hex_digits_1> 2013-02-26 [expires: 2016-02-26]
> uid                 [ultimate] <my_name> <my_gentoo_email_address>
> sub   4096R/0x<16_hex_digits_2> 2013-02-26 [expires: 2016-02-26]
> So, my key id is 0x<16_hex_digits_1>, right?

Yep, but why did you bother to replace the information?

> 3. Now I do
> gpg --edit-key 0x<16_hex_digits_1>
> addkey
> Then I choose
> (4) RSA (sign only)
> right? Then I choose 4096, 1y, y, y, save. Now
> gpg --list-keys
> gives
> /home/<username>/.gnupg/pubring.gpg
> -------------------------------
> pub   4096R/0x<16_hex_digits_1> 2013-02-26 [expires: 2016-02-26]
> uid                 [ultimate] <my_name> <my_gentoo_email_address>
> sub   4096R/0x<16_hex_digits_2> 2013-02-26 [expires: 2016-02-26]
> sub   4096R/0x<16_hex_digits_3> 2013-02-26 [expires: 2014-02-26]
> 4. I do
> gpg --output revoke.asc --gen-revoke 0x<16_hex_digits_1>
> and choose 1.

That's all correct.

> > 6. Encrypted backup of your secret keys.
> I don't understand this.

It'd make sense to have a backup of your keys (~/.gnupg/secring.gpg)
stored in a safe place, just as with everything else... If you want,
you can protect it by another layer of encryption, but it's not that
important, because the keys are already protected by your passphrase.

> > 7. In your gpg.conf:
> >   # include an unambiguous indicator of which key made a signature:
> >   # (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
> >   sig-notation issuer-...@notations.openpgp.fifthhorseman.net=%g
> I don't understand this.

Neither do I (I know what it does, but I don't see what it's good for) –
just leave it out, it's not necessary.

> 5. I do
> gpg --keyserver subkeys.pgp.net --send-key 0x<16_hex_digits_1>
> 6. On dev.gentoo.org, I am supposed to do
> perl_ldap -b user -M gpgkey <gpg-id> <user>
> perl_ldap -b user -M gpgfingerprint <gpg-fingerprint> <user>
> Is <gpg-id> 0x<16_hex_digits_1>? Or 0x<16_hex_digits_3>? What is 
> <gpg-fingerprint> and how do I get it? Is <user> my username on 
> dev.gentoo.org?
> What's even more important, perl_ldap asks my ldap password. I suppose I 
> haven't got one. My usual Gentoo password (used in bugzilla, forums) does not 
> work. How do I get an ldap password?

I can't help you with that, as I don't have access to any gentoo
infrastructure. But IIRC, that's the password you once set on d.g.o
with passwd.

> 7. If I'll ever complete all the above, I'll add sign to FEATURES in 
> /etc/portage/make.conf, and
> PORTAGE_GPG_DIR="/home/<username>/.gnupg"
> and also
> PORTAGE_GPG_KEY="0x<16_hex_digits_3>!"
> Is this correct? Is it <16_hex_digits_3>, and not, say, <16_hex_digits_1>? 
> Should I add ! at the end, as suggested by mgorny?

16_hex_digits_3 (the one you added later via addkey) is the correct
one. And adding a ! is absolutely necessary.

> During the time I'm reading all these instructions, I could bump 10 packages. 
> Very complicated for a person who does not use gpg and knows next to nothing 
> about it.

Security can be hard to grasp at times. Sadly...


HTH,
Luis
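An added example, not part of this thread or of Portage: a small script that works out the PORTAGE_GPG_KEY value (the sign-only subkey from addkey, with the trailing "!") and the primary fingerprint for perl_ldap from gpg's machine-readable listing, assuming the `--with-colons` record layout documented in GnuPG's DETAILS file; the embedded sample listing is constructed with fake key ids.

```python
"""Pick the PORTAGE_GPG_KEY value from GnuPG's colon-separated key listing.
Pipe in:  gpg --with-colons --fingerprint --list-keys 0x<primary_keyid>
select_signing_subkey() returns "0x<keyid>!" for the newest subkey whose only
capability is signing (the "!" makes gpg use exactly that subkey instead of
choosing one itself) together with the primary key's fingerprint."""
import sys

def parse_colon_listing(text):
    """Parse pub/sub/fpr records. Fields (1-based, per GnuPG's DETAILS file):
    1 record type, 3 key length, 5 key id, 6 creation, 7 expiry,
    12 capabilities; in fpr records field 10 is the fingerprint."""
    keys, primary_fpr = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            keys.append({"type": f[0], "bits": int(f[2]), "keyid": f[4],
                         "created": f[5], "expires": f[6],
                         "caps": f[11] if len(f) > 11 else ""})
        elif f[0] == "fpr" and primary_fpr is None:
            primary_fpr = f[9]  # the first fpr record follows the pub record
    return keys, primary_fpr

def select_signing_subkey(text):
    """Return ('0x<keyid>!', primary fingerprint) for a colon listing."""
    keys, fpr = parse_colon_listing(text)
    # Only a subkey with exactly "s" qualifies: the primary key (caps like
    # "scESC") and the encryption subkey ("e") are not what FEATURES=sign wants.
    signers = [k for k in keys if k["type"] == "sub" and k["caps"] == "s"]
    if not signers:
        raise ValueError("no sign-only subkey; run addkey with 'RSA (sign only)'")
    # Newest wins. gpg prints creation as epoch seconds or an ISO date; either
    # form compares correctly as a string within one listing.
    newest = max(signers, key=lambda k: k["created"])
    return "0x%s!" % newest["keyid"], fpr

# Constructed sample in the shape gpg emits (fake key ids and fingerprint):
# primary key, encryption subkey, and a sign-only subkey added an hour later.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDE1:1361836800:1456444800::u:::scESC:
fpr:::::::::0000000000000000000000000123456789ABCDE1:
uid:u::::1361836800::DEADBEEF::Example Dev <dev@example.org>:
sub:u:4096:1:0123456789ABCDE2:1361836800:1456444800:::::e:
sub:u:4096:1:0123456789ABCDE3:1361840400:1393372800:::::s:
"""

if __name__ == "__main__":
    key, fpr = select_signing_subkey(sys.stdin.read() or SAMPLE_LISTING)
    print('PORTAGE_GPG_KEY="%s"\nfingerprint: %s' % (key, fpr))
```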
