Sorry to bother you again, but I still cannot do signed commits. I don't
know what else to try.
On Thu, 14 Mar 2013, Robin H. Johnson wrote:
On Thu, Mar 14, 2013 at 10:50:00AM +0700, gro...@gentoo.org wrote:
But my first attempt to do a signed commit has failed:
Your GPG agent is
On 13:37 Fri 22 Mar , gro...@gentoo.org wrote:
Sorry to bother you again, but I still cannot do signed commits. I don't
know what else to try.
...
Creating Manifest for /home/gentoo-x86/media-gfx/fotoxx
gpg: no default secret key: No secret key
gpg:
On Fri, 22 Mar 2013, Panagiotis Christopoulos wrote:
I'm not sure if it's related, but have you set PORTAGE_GPG_DIR and/or
PORTAGE_GPG_KEY in your make.conf?
Sure:
PORTAGE_GPG_DIR=/home/grozin/.gnupg
PORTAGE_GPG_KEY=00C6DAB1!
Even if I'll be able to configure gpg-agent properly, this will
On Fri, Mar 22, 2013 at 4:47 AM, gro...@gentoo.org wrote:
On Fri, 22 Mar 2013, Panagiotis Christopoulos wrote:
I'm not sure if it's related, but have you set PORTAGE_GPG_DIR and/or
PORTAGE_GPG_KEY in your make.conf?
Sure:
PORTAGE_GPG_DIR=/home/grozin/.gnupg
PORTAGE_GPG_KEY=00C6DAB1!
On 14/03/13 04:50, gro...@gentoo.org wrote:
Hello *,
I've followed all the instructions successfully (I think). By the way, the
following lines need a small correction:
perl_ldap -b user -M gpgkey gpg-id user
perl_ldap -b user -M gpgfingerprint gpg-fingerprint user
perl_ldap says that
Please don't CC me directly, you explicitly ignored the Reply-To header
that this list has.
On Thu, Mar 14, 2013 at 10:50:00AM +0700, gro...@gentoo.org wrote:
I've followed all the instructions successfully (I think). By the way, the
following lines need a small correction:
perl_ldap -b
On 03/14/2013 02:12 AM, Robin H. Johnson wrote:
But my first attempt to do a signed commit has failed:
Your GPG agent is broken/missing.
zmedico/portage-dev:
Maybe a good idea to check for agent sanity before trying to use it?
Yeah, we could have it do a test signature to verify that it's
On Thu, 14 Mar 2013 08:26:04 -0700
Zac Medico zmed...@gentoo.org wrote:
On 03/14/2013 02:12 AM, Robin H. Johnson wrote:
But my first attempt to do a signed commit has failed:
Your GPG agent is broken/missing.
zmedico/portage-dev:
Maybe a good idea to check for agent sanity before
On 03/14/2013 09:14 AM, Michał Górny wrote:
On Thu, 14 Mar 2013 08:26:04 -0700
Zac Medico zmed...@gentoo.org wrote:
On 03/14/2013 02:12 AM, Robin H. Johnson wrote:
But my first attempt to do a signed commit has failed:
Your GPG agent is broken/missing.
zmedico/portage-dev:
Maybe a good
On Thu, Mar 14, 2013 at 09:30:19AM -0700, Zac Medico wrote:
We could do that if we simply add all files using the cvs -kb option.
However, Fabian has requested that we keep the keywords for the purposes
of his prefix tree merging script:
On Thu, Mar 14, 2013 at 05:14:15PM +0100, Michał Górny wrote:
If that means doing an additional signature every time something is
going to be committed, that sounds like an overkill. If we were to do
something radical, I'd rather be in favor of disabling keyword
expansion completely and
On 03/14/2013 09:01 PM, Robin H. Johnson wrote:
On Thu, Mar 14, 2013 at 05:14:15PM +0100, Michał Górny wrote:
If that means doing an additional signature every time something is
going to be committed, that sounds like an overkill. If we were to do
something radical, I'd rather be in favor of
On Thu, Mar 14, 2013 at 10:32:30PM -0400, Michael Mol wrote:
As to how to accomplish this, it's either a throwaway sig, or poking the
agent protocol directly.
The only trouble with that is if the agent is configured to only unlock
keys for limited periods of time, then your initial check
On 03/14/2013 11:18 PM, Robin H. Johnson wrote:
On Thu, Mar 14, 2013 at 10:32:30PM -0400, Michael Mol wrote:
As to how to accomplish this, it's either a throwaway sig, or poking the
agent protocol directly.
The only trouble with that is if the agent is configured to only unlock
keys for
On Fri, 15 Mar 2013 03:18:18 +
Robin H. Johnson robb...@gentoo.org wrote:
if one-phase commit:
- gpg test
- gpg sign
- commit1
Why do we need additional 'gpg test' here?
--
Best regards,
Michał Górny
On Fri, Mar 15, 2013 at 05:44:20AM +0100, Michał Górny wrote:
On Fri, 15 Mar 2013 03:18:18 +
Robin H. Johnson robb...@gentoo.org wrote:
if one-phase commit:
- gpg test
- gpg sign
- commit1
Why do we need additional 'gpg test' here?
In the case of git commit signing, repoman is not
On Thu, Mar 14, 2013 at 11:33:36PM -0400, Michael Mol wrote:
So Debian has a test-gpg function already? Do you know where in their
codebase it is?
No idea; a build system I'd cobbled together at the time prodded
gpg-agent to get an interactive auth. The build-and-package step took
too long,
Hello *,
I've followed all the instructions successfully (I think). By the way, the
following lines need a small correction:
perl_ldap -b user -M gpgkey gpg-id user
perl_ldap -b user -M gpgfingerprint gpg-fingerprint user
perl_ldap says that attributes of type multiple cannot be modified. I
On Tue, 26 Feb 2013 17:10:56 +0700 (NOVT)
gro...@gentoo.org wrote:
Hello *,
I am stuck and have many questions.
[In the process of becoming a dev, I've generated a gpg key, of course. It
was on an old notebook. When I switched to a newer notebook, I forgot to
copy it, because I don't use
Thanks for the partial response Luis.
On Wed, Feb 27, 2013 at 04:12:14PM +0100, Luis Ressel wrote:
On Tue, 26 Feb 2013 17:10:56 +0700 (NOVT)
gro...@gentoo.org wrote:
Hello *,
I am stuck and have many questions.
New addition to the instructions:
0. Copy /usr/share/gnupg/gpg-conf.skel to
On Wed, Feb 27, 2013 at 11:04 AM, Robin H. Johnson robb...@gentoo.org wrote:
Thanks for the partial response Luis.
On Wed, Feb 27, 2013 at 04:12:14PM +0100, Luis Ressel wrote:
On Tue, 26 Feb 2013 17:10:56 +0700 (NOVT)
gro...@gentoo.org wrote:
Hello *,
I am stuck and have many questions.
Hello *,
I am stuck and have many questions.
[In the process of becoming a dev, I've generated a gpg key, of course. It
was on an old notebook. When I switched to a newer notebook, I forgot to
copy it, because I don't use gpg regularly. No risk that it became known -
the disk was
On Mon, 18 Feb 2013 23:27:46 +
Robin H. Johnson robb...@gentoo.org wrote:
Recommendations:
3. Dedicated Gentoo signing subkey of EITHER:
3.1. DSA 2048 bits
3.2. RSA 4096 bits
As a note for those who didn't know this; to make gpg use the dedicated
subkey, you need to
On 21 February 2013 09:09, Michał Górny mgo...@gentoo.org wrote:
On Mon, 18 Feb 2013 23:27:46 +
Robin H. Johnson robb...@gentoo.org wrote:
Recommendations:
3. Dedicated Gentoo signing subkey of EITHER:
3.1. DSA 2048 bits
3.2. RSA 4096 bits
As a note for those who
On Tue, Feb 19, 2013 at 10:32:13PM -0800, Alec Warner wrote:
I agree that a smartcard is much better security vs a longer key. I
don't think attackers targeting Gentoo are going to brute force the
key. They are going to steal the key, trivially, by exploiting a 0-day
in a crappy browser, or
RHJ == Robin H Johnson robb...@gentoo.org writes:
RHJ 2. Root key type of RSA, 4096 bits
rsa 4k provides no real benefits over rsa 3k here; it is just slower
for everyone, signing or verifying.
Cf, eg, http://www.nsa.gov/business/programs/elliptic_curve.shtml which
recommends rsa 3k for use
On Wed, Feb 20, 2013 at 01:41:03PM -0500, James Cloos wrote:
RHJ == Robin H Johnson robb...@gentoo.org writes:
RHJ 2. Root key type of RSA, 4096 bits
rsa 4k provides no real benefits over rsa 3k here; it is just slower
for everyone, signing or verifying.
You can shorten the subkeys, but the
Am Mittwoch, 20. Februar 2013, 20:36:22 schrieb Robin H. Johnson:
Speed for i7-2600K CPU:
DSA1024 0.007980s
DSA2048 0.011940s
DSA3072 0.013530s
RSA1024 0.007000s
RSA2048 0.012290s
RSA3072 0.018420s
RSA4096 0.030800s
Which of course brings up the question, why the hardcoded 4096 limit
On Mon, 18 Feb 2013 23:27:46 +
Robin H. Johnson robb...@gentoo.org wrote:
3. Dedicated Gentoo signing subkey
What's the point of this, btw?
Luis
On Wed, Feb 20, 2013 at 09:22:05PM +0100, Andreas K. Huettel wrote:
Which of course brings up the question, why the hardcoded 4096 limit in
GnuPG... but I guess that's not our problem yet.
https://www.google.de/search?q=gnupg+rsa+8192
Standards interoperability. RSA4096 will not work on legacy
On Wed, Feb 20, 2013 at 09:38:38PM +0100, Luis Ressel wrote:
On Mon, 18 Feb 2013 23:27:46 +
Robin H. Johnson robb...@gentoo.org wrote:
3. Dedicated Gentoo signing subkey
What's the point of this, btw?
Ideally keeping your primary key offline to increase security.
However, the original
On Wed, 20 Feb 2013 21:37:38 +
Robin H. Johnson robb...@gentoo.org wrote:
Ideally keeping your primary key offline to increase security.
However, the original theory was that if there was some attack that
required a large amount of ciphertext or a targeted plaintext input,
you would be
On Mon, Feb 18, 2013 at 11:38 PM, Kent Fredric kentfred...@gmail.com wrote:
The key rotation as described in RiseUp best practices should be a very
rare occurrence. Each dev is going to run it at most once.
Some material I read recommended doing a key rotation every 6 months,
which I did for
Just some quick thoughts on this:
2. root key signing subkey of EITHER: 2.1. DSA, 1024 or 2048 bits
2.2. RSA, =2048 bits
I don't really agree. From your own link
(https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#dont-use-pgp-mit-edu):
On Wed, Feb 20, 2013 at 01:34:57AM +0100, Stefan Behte wrote:
2. root key signing subkey of EITHER: 2.1. DSA, 1024 or 2048 bits
2.2. RSA, =2048 bits
...
1024 DSA keys seem pretty short to me. Surely it might be inconvenient
for some (2-3? please write a mail here!) people with smart cards.
On Tue, Feb 19, 2013 at 7:12 PM, Robin H. Johnson robb...@gentoo.org wrote:
On Wed, Feb 20, 2013 at 01:34:57AM +0100, Stefan Behte wrote:
2. root key signing subkey of EITHER: 2.1. DSA, 1024 or 2048 bits
2.2. RSA, =2048 bits
...
1024 DSA keys seem pretty short to me. Surely it might be
Hi all,
I've been asked a couple of times in IRC and other mediums, about what
GPG key settings etc to use. I would not call these final yet, but should
be fairly close to final.
This was originally intended to be part of the tree-signing GLEP series, but
was in one of the unpublished ones
On Mon, Feb 18, 2013 at 11:27:46PM +, Robin H. Johnson wrote:
2. root key signing subkey of EITHER:
2.1. DSA, 1024 or 2048 bits
2.2. RSA, =2048 bits
3. Key expiry: 5 years.
Clarification on reason:
These key sizes are the largest supported by many smartcards.
--
Robin Hugh Johnson
It may be advantageous to have a gentoo wrapper script that calls GPG
with recommended settings to make some tasks easier,
gentoo-gpg-create --recommended
EDITOR=vim gentoo-gpg-rotation --recommended --old=DEADBEEF
and gentoo-gpg-rotation would make a templated key-expiry document,
edited
On Tue, Feb 19, 2013 at 04:36:08PM +1300, Kent Fredric wrote:
It may be advantageous to have a gentoo wrapper script that calls GPG
with recommended settings to make some tasks easier,
gentoo-gpg-create --recommended
EDITOR=vim gentoo-gpg-rotation --recommended --old=DEADBEEF
and
On Tue, 2013-02-19 at 04:09 +, Robin H. Johnson wrote:
On Tue, Feb 19, 2013 at 04:36:08PM +1300, Kent Fredric wrote:
It may be advantageous to have a gentoo wrapper script that calls GPG
with recommended settings to make some tasks easier,
gentoo-gpg-create --recommended
On Mon, Feb 18, 2013 at 11:27:46PM +, Robin H. Johnson wrote:
Bare minimum requirements:
--
[...]
3. Key expiry: 5 years.
I am assuming we are requiring a maximum of 5 years for key expiry. We
might want to make it explicit. On first reading, it sounded like key
The key rotation as described in RiseUp best practices should be a very
rare occurrence. Each dev is going to run it at most once.
Some material I read recommended doing a key rotation every 6 months,
which I did for a while until it got tiresome to perform the rotation.
I believe the
43 matches