On Thu, Apr 25, 2019 at 4:34 PM James Le Cuirot <ch...@gentoo.org> wrote:
>
> On Thu, 25 Apr 2019 11:30:27 -0400
> Alec Warner <anta...@gentoo.org> wrote:
>
> > > Seeing as separating the primary and the signing key has been part of
> > > OpenPGP best practices for a long, long time, I have got highly mixed
> > > feelings about this statement. On the one hand, it is not reasonable to
> > > expect someone with no or minimal prior knowledge of OpenPGP to master
> > > it overnight. On the other, we are not just some random people from Teh
> > > Intarwebz and we *have* been using OpenPGP signatures on commits for
> > > quite a while now.
> > >
> >
> > This is untrue though; we *are* random people from teh interwebs.
> >
> > I store my primary key on my desktop.
> > I don't have copies of my primary key.
> > My primary key is protected by a passphrase.
> > Most of the time it's cached in gpg-agent, so the passphrase is easily
> > stealable by local attackers.
> > I've been a dev for like > 10 years.
> >
> > I assume that every other dev does the same. Obviously some do not (and
> > I've spoken to many who have better practices) but I assume
> > people do the lazy / easy thing and I highly recommend this assumption. If
> > you assume that people have your security practices, you should prepare to
> > be disappointed.
> >
> > Many devs have *no idea* how GPG works.
> > GPG is quite possibly the worst program I've ever been forced to use in
> > terms of doing any operation, particularly around setup (hmm maybe Imation
> > Ironkeys were worse?)
> > Many devs are just following the wiki instructions and get what they get.
>
> I can sort of echo this. I believe I'm close to the recommendations now
> but it took me several evenings to actually wrap my head around all
> this and even then, I still felt very nervous setting it up and I had
> to rehearse it beforehand. As a professional software engineer for many
> years, it really shouldn't be this hard.
>
> People talk about GPG best practices but it was really difficult to find
> a reliable up-to-date guide and it certainly doesn't feel like best
> practice when you have to manually delete
> ~/.gnupg/private-keys-v1.d/KEYGRIP.key, where KEYGRIP is returned by the
> obscure --with-keygrip option.
I think a big problem is that gpg is sorely lacking in command line
commands/options for key management. Almost anything having to do with key
management involves a back-and-forth console interaction. This means that
you can't just tell somebody to run "gpg --long --list --of --options" and
have it just do the right thing. You also can't script anything unless you
feed input or, even worse, use something like expect. Some of the guides
I've seen require editing config files because presumably these options
can't be set on the command line.

I completely get what asymmetric crypto is. It is just a royal PITA to
actually get gpg to do something very specific like have a separate signing
key without poring through manpages. Generating a key with the default
options is easy, but after that you're on your own largely. Oh sure, once
you know how to do it then it isn't a big deal. Until you have to do it
again because you don't generate new gpg keys every other week...

-- 
Rich
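The workflow the thread circles around (certify-only primary key, separate signing subkey, primary secret key moved offline by removing the `private-keys-v1.d/KEYGRIP.key` file named above) can be driven without the interactive `--edit-key` menu using GnuPG's `--quick-generate-key` / `--quick-add-key` commands and the colon-delimited listing format. The script below is an added example written for this page, not code from the thread or from the Gentoo project. It assumes GnuPG 2.1 or later, an `ed25519` key type, a one-year subkey expiry, and that pinentry handles the passphrase prompt; the sample listing, its key IDs, fingerprints and keygrips are constructed. Only `primary_keygrip` is exercised offline; `offline_primary` is the gpg sequence and is not called automatically.

```shell
#!/bin/sh
# Added example (not from the thread). Finds the primary key's keygrip from
# gpg's machine-readable listing so the primary secret key can be taken
# offline while the signing subkey stays usable. The parser is pure awk and
# runs without gpg; the gpg commands are confined to offline_primary().

# Read `gpg --with-colons --with-keygrip --list-secret-keys` output on stdin
# and print the keygrip of the first primary secret key ("sec" record).
# In colon format, a "grp" record follows each key's "fpr" record and
# carries the keygrip in field 10, exactly where "fpr" carries the fingerprint.
primary_keygrip() {
    awk -F: '
        $1 == "sec" { want = 1; next }            # the primary key: take its grp
        $1 == "ssb" { want = 0 }                  # subkeys: ignore their grp records
        $1 == "grp" && want { print $10; exit }
    '
}

# Constructed sample listing (key IDs, fingerprints and keygrips are made up).
SAMPLE_LISTING='sec:u:255:22:0123456789ABCDEF:1556200000:::u:::cESCA:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1556200000::0000000000000000000000000000000000000000::Example Dev <dev@example.invalid>::::::::::0:
ssb:u:255:22:FEDCBA9876543210:1556200000::::::s:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
grp:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:'

# Non-interactive version of the setup, using gpg's --quick-* commands
# (GnuPG 2.1+). "$1" is the user ID to create; pinentry asks for the passphrase.
offline_primary() {
    uid="$1"
    # Certify-only primary key that never expires (assumed policy).
    gpg --quick-generate-key "$uid" ed25519 cert never
    fpr=$(gpg --with-colons --list-secret-keys "$uid" | awk -F: '$1 == "fpr" { print $10; exit }')
    # Separate signing subkey, one-year expiry (assumed policy).
    gpg --quick-add-key "$fpr" ed25519 sign 1y
    # Back up the full secret key before removing the primary from the keyring;
    # move this file to offline storage.
    gpg --export-secret-keys --armor "$fpr" > primary-backup.asc
    grip=$(gpg --with-colons --with-keygrip --list-secret-keys "$fpr" | primary_keygrip)
    # The step the thread describes: remove only the primary's secret material.
    rm -i "$HOME/.gnupg/private-keys-v1.d/$grip.key"
    # The primary now lists as "sec#" (stub) while the subkey remains "ssb".
    gpg --list-secret-keys "$fpr"
}
```

Run `printf '%s\n' "$SAMPLE_LISTING" | primary_keygrip` to see the parser pick the primary's keygrip (the `AAAA…` value) and skip the subkey's; the `rm` is what makes the primary unusable for signing on that machine, so the backup line before it matters.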