Difference between revisions of "DeveloperWiki:Signing Packages"

From ArchWiki
Line 1: Line 1:
 +
__NOTOC__
 
{{Box RED|Warning:|This is just a draft and work in progress. Don't even read it.}}
 
{{Box RED|Warning:|This is just a draft and work in progress. Don't even read it.}}
 +
 +
==Choose an UID==
 +
* Use your real name. It has to be exactly the one that can be found on official documents like your passport or driver's license.
 +
* Use a valid e-mail address. Means no obfuscation.
 +
* The e-mail address should be reliable (so don't use the one you got from your ISP a random free mail address).
 +
* If in doubt you should prefer using your archlinux.org address
 +
* The UID has also to be the same as the <code>PACKAGER</code> variable you use to build packages
 +
* An UID looks like this: <code>Pierre Schmitz <pierre@archlinux.de></code>
  
 
==Create a key pair==
 
==Create a key pair==
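Review bot: the new heading "Choose an UID" (and "An UID looks like this") should read "a UID", and the third bullet is missing a conjunction: "the one you got from your ISP or a random free mail address". Since the section requires the UID to match PACKAGER exactly, it would help to show the corresponding ~/.makepkg.conf line next to the example UID, e.g. PACKAGER="Pierre Schmitz <pierre@archlinux.de>", so a reader can compare the two character for character.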
Line 7: Line 16:
 
# Also create a revoke key for later use
 
# Also create a revoke key for later use
 
## <code>gpg -o ~/.gnupg/pierre@archlinux.de-revoke.asc --gen-revoke pierre@archlinux.de</code>
 
## <code>gpg -o ~/.gnupg/pierre@archlinux.de-revoke.asc --gen-revoke pierre@archlinux.de</code>
## Make sure to create a backup of this file and probably remove it from your system afterwards
+
## Make sure to create a backup of this file and remove it from your system afterwards
 +
# Backup your private key: <code>gpg --export-secret-keys pierre@archlinux.de > pierre@archlinux.de-private.asc</code>
  
 
==Get your key signed by CAcert==
 
==Get your key signed by CAcert==
# Get the cacert key and import it:
+
# Get the CAcert key and import it:
 
## <code>wget https://www.cacert.org/certs/cacert.asc</code>
 
## <code>wget https://www.cacert.org/certs/cacert.asc</code>
 
## <code>gpg --import cacert.asc</code>
 
## <code>gpg --import cacert.asc</code>
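Review bot: what `--gen-revoke` writes is a revocation certificate, not a "revoke key"; the step should be renamed so readers do not mistake it for a second key pair. In the backup step, `gpg --export-secret-keys pierre@archlinux.de > pierre@archlinux.de-private.asc` produces binary output unless `--armor` is given, so either add `--armor` or drop the .asc extension; the text should also say that this file contains the private key and must be kept offline (encrypted media), not just "backed up".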
Line 16: Line 26:
 
## <code>gpg --edit-key gpg@cacert.org</code>
 
## <code>gpg --edit-key gpg@cacert.org</code>
 
## <code>>trust</code>
 
## <code>>trust</code>
## <code>>5</code>
+
## <code>>4</code>
 
# Export your key:
 
# Export your key:
 
## <code>gpg --export --armor pierre@archlinux.de > pierre@archlinux.de.asc</code>
 
## <code>gpg --export --armor pierre@archlinux.de > pierre@archlinux.de.asc</code>
## Paste the content of that file into the form on the cacert website to get your signed public key.
+
## Paste the content of that file into the form on the [https://www.cacert.org CAcert website] to get your signed public key.
# Save the signed key from the cacert website and import it
+
# Save the signed key from the CAcert website and import it
 
## <code>gpg --import <filename></code>
 
## <code>gpg --import <filename></code>
 
# You might want to send your new signed key to a keyserver
 
# You might want to send your new signed key to a keyserver
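Review bot: lowering the ownertrust from 5 (ultimate) to 4 (full) is the right change, because ultimate trust is meant for the user's own keys, but the hunk never shows how to leave the edit-key prompt; add a `>quit` step after `>4`. Also, importing cacert.asc straight from the wget download and trusting it means the only authentication of that key is the TLS connection; a step comparing its fingerprint (`gpg --fingerprint gpg@cacert.org`) against the fingerprint CAcert publishes, before running `trust`, would close that gap.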
Line 30: Line 40:
 
==Sign your packages==
 
==Sign your packages==
 
# Install devtools 0.9.21 or later
 
# Install devtools 0.9.21 or later
# add "SIGNPKG=y" to your ~/.makepkg.conf
+
# add <code>SIGNPKG=y</code> to your <code>~/.makepkg.conf</code>
# commitpkg and its aliases like extrapkg or testingpkg will now sign your packages and will upload the package and its signature.
+
# <code>commitpkg</code> and its aliases like <code>extrapkg</code> or <code>testingpkg</code> will now sign your packages and upload the package including its signature.
  
==Verify a signed package==
+
==Verify a signed package (just for testing)==
# Install and trust the cacert key
+
# Install and trust the CAcert key
 
## <code>wget https://www.cacert.org/certs/cacert.asc</code>
 
## <code>wget https://www.cacert.org/certs/cacert.asc</code>
 
## <code>gpg --import cacert.asc</code>
 
## <code>gpg --import cacert.asc</code>
 
## <code>gpg --edit-key gpg@cacert.org</code>
 
## <code>gpg --edit-key gpg@cacert.org</code>
 
## <code>>trust</code>
 
## <code>>trust</code>
## <code>>5</code>
+
## <code>>4</code>
 
# Search and import the packager's key
 
# Search and import the packager's key
 
## <code>gpg --search-keys 9741E8AC</code>
 
## <code>gpg --search-keys 9741E8AC</code>
 
# Verify the package
 
# Verify the package
 
## <code>gpg --verify devtools-*.pkg.tar.xz.sig</code>
 
## <code>gpg --verify devtools-*.pkg.tar.xz.sig</code>
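Review bot: `gpg --search-keys 9741E8AC` selects a key by its 32-bit short id, which is not unique on a keyserver, so the reader may import a different key that happens to share that id; suggest searching by the full fingerprint and stating that the "Good signature" line from `gpg --verify` must name the packager's expected key, not just any key. The glob in `gpg --verify devtools-*.pkg.tar.xz.sig` also expands to every matching .sig in the directory, and gpg treats the second and later arguments as the signed data; with a detached signature the unambiguous form is `gpg --verify devtools-<version>.pkg.tar.xz.sig devtools-<version>.pkg.tar.xz`.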

Revision as of 21:29, 16 April 2011

Warning: This is just a draft and work in progress. Don't even read it.

Choose a UID

  • Use your real name. It has to be exactly the one found on official documents such as your passport or driver's license.
  • Use a valid e-mail address, meaning no obfuscation.
  • The e-mail address should be reliable (so don't use the one you got from your ISP or a random free mail address).
  • If in doubt, prefer your archlinux.org address.
  • The UID also has to be the same as the PACKAGER variable you use to build packages.
  • A UID looks like this: Pierre Schmitz <pierre@archlinux.de>
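The rule that the UID must equal the PACKAGER variable can be checked mechanically. The helper below is an added example, not part of the wiki page or of devtools: it reads a makepkg.conf fragment and the machine-readable output of `gpg --with-colons --list-keys` (both constructed samples; the fingerprint is a placeholder whose last eight hex digits are the key id used on this page) and returns the fingerprints whose UID matches PACKAGER exactly.

```python
import re

# Constructed ~/.makepkg.conf fragment (sample, not taken from the page).
MAKEPKG_CONF = """\
# Packager information
PACKAGER="Pierre Schmitz <pierre@archlinux.de>"
SIGNPKG=y
"""

# Constructed output of `gpg --with-colons --list-keys`. The fingerprint is a
# placeholder whose last eight hex digits are the key id used on the page.
GPG_COLONS = """\
pub:u:2048:1:000000009741E8AC:1302900000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF9741E8AC:
uid:u::::1302900000::0000000000000000000000000000000000000000::Pierre Schmitz <pierre@archlinux.de>::::::::::0:
sub:u:2048:1:0000000011111111:1302900000::::::e::::::23:
"""

def shell_var(conf_text, name):
    """Value of NAME=... in a makepkg.conf fragment, quotes stripped, or None."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == name:
            return value.strip().strip('"').strip("'")
    return None

def unescape_colons_field(field):
    """gpg writes ':' and non-printable bytes in colon output as \\xHH; undo that."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), field)

def uids_by_fingerprint(colons_text):
    """Map each primary-key fingerprint to the user ids attached to that key."""
    result, current = {}, None
    for line in colons_text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = None                  # the next fpr record names this key
        elif fields[0] == "fpr" and current is None:
            current = fields[9]
            result[current] = []
        elif fields[0] == "uid" and current is not None:
            result[current].append(unescape_colons_field(fields[9]))
    return result

def keys_matching_packager(conf_text=MAKEPKG_CONF, colons_text=GPG_COLONS):
    """Fingerprints of keys whose UID is exactly the PACKAGER value (the page's rule)."""
    packager = shell_var(conf_text, "PACKAGER")
    return [fpr for fpr, uids in uids_by_fingerprint(colons_text).items() if packager in uids]
```

An empty result means no key in the keyring carries a UID identical to PACKAGER, which is exactly the mismatch the rule above forbids.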

Create a key pair

  1. Install gnupg
  2. gpg --gen-key
    1. You may use the default options, which give a 2048-bit RSA key for encryption and signing that does not expire
  3. Also create a revocation certificate for later use
    1. gpg -o ~/.gnupg/pierre@archlinux.de-revoke.asc --gen-revoke pierre@archlinux.de
    2. Make sure to create a backup of this file and remove it from your system afterwards
  4. Back up your private key: gpg --export-secret-keys pierre@archlinux.de > pierre@archlinux.de-private.asc

Get your key signed by CAcert

  1. Get the CAcert key and import it:
    1. wget https://www.cacert.org/certs/cacert.asc
    2. gpg --import cacert.asc
  2. Trust this key:
    1. gpg --edit-key gpg@cacert.org
    2. >trust
    3. >4
  3. Export your key:
    1. gpg --export --armor pierre@archlinux.de > pierre@archlinux.de.asc
    2. Paste the content of that file into the form on the CAcert website to get your signed public key.
  4. Save the signed key from the CAcert website and import it
    1. gpg --import <filename>
  5. You might want to send your new signed key to a keyserver
    1. Check your key id with gpg -k
    2. gpg --send-keys 9741E8AC
    3. You could also export it again to upload it elsewhere, e.g. to your webspace: gpg --export --armor pierre@archlinux.de > pierre@archlinux.de.asc
  6. You should create a backup of your keys and make sure not to forget the passphrase!

Sign your packages

  1. Install devtools 0.9.21 or later
  2. Add SIGNPKG=y to your ~/.makepkg.conf
  3. commitpkg and its aliases like extrapkg or testingpkg will now sign your packages and upload the package including its signature.

Verify a signed package (just for testing)

  1. Install and trust the CAcert key
    1. wget https://www.cacert.org/certs/cacert.asc
    2. gpg --import cacert.asc
    3. gpg --edit-key gpg@cacert.org
    4. >trust
    5. >4
  2. Search and import the packager's key
    1. gpg --search-keys 9741E8AC
  3. Verify the package
    1. gpg --verify devtools-*.pkg.tar.xz.sig
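Because `gpg --verify` only prints "Good signature" together with a short key id, a script that verifies packages should read gpg's `--status-fd` output and compare the full fingerprint instead. The checker below is an added example (not from the page or from devtools): it parses constructed status lines in the format gpg emits and accepts a signature only when VALIDSIG names an allow-listed fingerprint, the key is at full or ultimate trust (the level the CAcert chain above yields), and no failure keyword appears.

```python
# Constructed sample of what `gpg --status-fd 1 --verify pkg.sig pkg` prints for a
# good signature by a fully trusted key. The fingerprint is a placeholder whose last
# eight hex digits are the key id used on the page.
STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 000000009741E8AC Pierre Schmitz <pierre@archlinux.de>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF9741E8AC 2011-04-16 1302990000 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF9741E8AC
[GNUPG:] TRUST_FULLY 0 pgp
"""

# Constructed sample for a tampered package: the signature does not match the data.
STATUS_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 000000009741E8AC Pierre Schmitz <pierre@archlinux.de>
"""

PACKAGER_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF9741E8AC"}  # allow-list
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}

def parse_status(status_text):
    """Yield (keyword, argument list) for every '[GNUPG:]' status line."""
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            parts = line[len("[GNUPG:] "):].split()
            yield parts[0], parts[1:]

def check_signature(status_text, allowed=PACKAGER_FINGERPRINTS):
    """Return (accepted, reason). Accept only a VALIDSIG by an allow-listed key at
    full or ultimate trust, and never when any failure keyword is present."""
    fingerprint, trust = None, None
    for keyword, args in parse_status(status_text):
        if keyword in FAILURE_KEYWORDS:
            return False, keyword
        if keyword == "VALIDSIG":
            # args[0] is the signing (sub)key; args[9], when present, is the primary key.
            fingerprint = args[9] if len(args) > 9 else args[0]
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if fingerprint is None:
        return False, "no VALIDSIG"
    if fingerprint not in allowed:
        return False, "unexpected key " + fingerprint
    if trust not in ACCEPTED_TRUST:
        return False, "insufficient trust " + str(trust)
    return True, fingerprint
```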