On Thu, Dec 17, 2020 at 01:12:16PM -0500, Mike Gilbert wrote:
Signed-off-by: Mike Gilbert <flop...@gentoo.org>
---

v2: Added "This upload is required in addition to uploading the SKS pool."

glep-0063.rst | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/glep-0063.rst b/glep-0063.rst
index 82541bd..ec465db 100644
--- a/glep-0063.rst
+++ b/glep-0063.rst
@@ -7,10 +7,10 @@ Author: Robin H. Johnson <robb...@gentoo.org>,
        Michał Górny <mgo...@gentoo.org>
Type: Standards Track
Status: Final
-Version: 2.1
+Version: 2.2
Created: 2013-02-18
-Last-Modified: 2019-11-07
-Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24
+Last-Modified: 2020-12-17
+Post-History: 2013-11-10, 2018-07-03, 2018-07-21, 2019-02-24, 2020-12-17
Content-Type: text/x-rst
---

@@ -28,6 +28,9 @@ OpenPGP key management policies for the Gentoo Linux 
distribution.
Changes
=======

+v2.2
+  Added "Gentoo Keyserver" section under "Gentoo Infrastructure" chapter.
+
v2.1
  A requirement for an encryption key has been added, in order to extend
  the GLEP beyond commit signing and into use of OpenPGP for dev-to-dev
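Review bot: the v2.2 changelog entry understates the structural change in this revision. Besides adding the "Gentoo Keyserver" section, the patch introduces the new "Gentoo Infrastructure" chapter and demotes the existing "Gentoo LDAP" chapter to a subsection under it (its underline changes from "=" to "-" later in the patch). Suggest recording both, e.g. 'Added "Gentoo Infrastructure" chapter, moved "Gentoo LDAP" under it, and added a "Gentoo Keyserver" section.'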
@@ -135,8 +138,11 @@ their primary key).

5. Encrypted backup of your secret keys.

+Gentoo Infrstructure
+====================
+
Gentoo LDAP
-===========
+-----------

All Gentoo developers must list the complete fingerprint for their primary
keys in the "``gpgfingerprint``" LDAP field. It must be exactly 40 hex digits,
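Review bot: typo in the new chapter heading at "+Gentoo Infrstructure"; it should read "Gentoo Infrastructure", which is also the spelling the v2.2 changelog entry uses. Since the corrected title is one character longer, the "====================" underline on the following line has to be extended to at least 21 characters as well, otherwise docutils warns that the title underline is too short.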
@@ -147,6 +153,16 @@ of the fingerprint field. In any place that presently 
displays
the "``gpgkey``" field, the last 16 hex digits of the fingerprint should
be displayed instead.

+Gentoo Keyserver
+----------------
+
+Gentoo infrastructure uses a keyserver that is isolated from the SKS pool.
+This keyserver is restricted to accepting uploads from authorized Gentoo hosts.
+A script is provided on dev.gentoo.org to allow developers to upload their
+keys. This upload is required in addition to uploading to the SKS pool.
+
+``gpg --export KEYID | ssh dev.gentoo.org /usr/local/bin/openpgp-key-upload``
+
Backwards Compatibility
=======================

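Review bot: the upload command at "+``gpg --export KEYID | ssh dev.gentoo.org /usr/local/bin/openpgp-key-upload``" is an inline literal standing alone as a paragraph; since readers will copy it, a reST literal block (end the preceding sentence with "::" and indent the command) would render it as a proper code sample and keep it from being line-wrapped. It would also help to say that "KEYID" is a placeholder for the developer's own key ID or fingerprint, and to note in the prose that only the public key is exported by "gpg --export", since the requirements list just above this section talks about backing up secret keys and "upload their keys" should not be read as including those.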
--
2.30.0.rc0



Thanks for doing this! You beat me to the punch. I was going to try getting to
it tomorrow.

It may be good to also change step 7 under "Bare minimum requirements" to read:

    7. Upload your key to the Gentoo Keyserver before usage!

It'd give skimmers a trigger to look for the Gentoo keyserver info.

We might want to add "Upload to the SKS or some other public PGP pool" under
"Recommendations", but that's probably beyond the scope of the document now.

Lastly, should we have a link to the step-by-step guide? [1]

[1]: https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys
