Difference between revisions of "DeveloperWiki:Signing Packages"
Latest revision as of 10:37, 15 February 2012
Choose a UID
- Use a valid e-mail address: no obfuscation.
- The e-mail address should be reliable (do not use one you got from your ISP or a random free service).
- When in doubt, you should prefer using your @archlinux.org address.
- The UID also has to be the same as the PACKAGER variable you use to build packages.
- A correct UID looks like this: Pierre Schmitz <pierre@archlinux.de>
- We strongly advise you to use your real name. It has to be exactly the name found on official documents (passport, driver's license, etc.); see CAcert's practice on names.
Create a key pair
- Install gnupg.
- Run: gpg --gen-key
  - You may use the default: a never expiring 2048-bit RSA key for encryption and signing.
- Create a revocation certificate, for use when/if your private key ever gets compromised:
  - Run: gpg -o ~/.gnupg/pierre@archlinux.de-revoke.asc --gen-revoke pierre@archlinux.de
  - Make sure to store this file in a secure location (and/or encrypt it with a passphrase); then delete the plaintext version.
- Back up your private key: gpg --export-secret-keys pierre@archlinux.de > pierre@archlinux.de-private.asc
Recommended: Get your key signed by CAcert
- Create an account on CAcert.
- Meet CAcert assurers and have them verify your official identification documents; see CAcert's assurance policy.
- You will then be able to access a new part of the CAcert website and get your key signed:
  - Export your public key: gpg --export --armor pierre@archlinux.de > pierre@archlinux.de.asc
  - Paste the content of that file into the form on the CAcert website.
  - Save the signed key from the CAcert website and import it: gpg --import <filename>
Recommended: Get your key signed by other devs
- Whenever you meet with another dev, sign each other's keys.
- Take this seriously: never sign a key when you cannot verify the other person's identity.
- See CAcert's assurance policy for good guidelines.
Publish your public key
- Send your public key to a keyserver:
  - Check your key id with: gpg -k
  - Run: gpg --send-keys KEY-ID
- Add your key fingerprint to your profile at https://www.archlinux.org/devel/profile/
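As an added check (not part of this wiki page or of the Arch tooling) that ties the "Choose a UID" rules to the gpg -k step above: it parses the machine-readable form of that listing (gpg -k --with-colons), reads PACKAGER from a makepkg.conf fragment, and reports any UID that is obfuscated, malformed, or not identical to PACKAGER. The listing, key id, fingerprint and makepkg.conf line are constructed samples; only the UID is the page's own example.

```python
import re

# Constructed sample of `gpg -k --with-colons` output: placeholder key id and
# fingerprint (not from any real keyring); the UID is the page's own example.
SAMPLE_LISTING = """\
tru::1:1329300000:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1329300000:::u:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::1329300000::0000000000000000000000000000000000000000::Pierre Schmitz <pierre@archlinux.de>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1329300000::::::e::::::23:
"""
# Constructed makepkg.conf fragment carrying the PACKAGER variable.
SAMPLE_MAKEPKG_CONF = 'PACKAGER="Pierre Schmitz <pierre@archlinux.de>"\n'

# "Real Name <user@host.tld>": the address may contain no spaces, so
# "user at host dot tld" style obfuscation does not match.
UID_RE = re.compile(r"^(?P<name>[^<>]+\S) <(?P<email>[^\s<>@]+@[^\s<>@]+\.[^\s<>@]+)>$")


def parse_listing(text):
    """Turn --with-colons records into [{keyid, fingerprint, uids}] per primary key."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":                      # field 5 is the key id
            keys.append({"keyid": f[4], "fingerprint": None, "uids": []})
        elif f[0] == "fpr" and keys and keys[-1]["fingerprint"] is None:
            keys[-1]["fingerprint"] = f[9]     # first fpr after pub = primary key
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])      # field 10 is the user id string
    return keys


def read_packager(conf_text):
    m = re.search(r'^PACKAGER="?([^"\n]+?)"?\s*$', conf_text, re.M)
    return m.group(1) if m else None


def check_uid(uid, packager):
    """Problems with one UID against the rules above; an empty list means it passes."""
    problems = []
    if not UID_RE.match(uid):
        problems.append("UID is not 'Real Name <valid address>' (obfuscated or malformed)")
    if uid != packager:
        problems.append("UID differs from PACKAGER in makepkg.conf")
    return problems


def audit(listing, conf_text):
    """Map every failing UID in the keyring to its problems (empty dict = all good)."""
    packager = read_packager(conf_text)
    report = {}
    for key in parse_listing(listing):
        for uid in key["uids"]:
            problems = check_uid(uid, packager)
            if problems:
                report[uid] = problems
    return report
```

Run audit() against the real outputs of gpg -k --with-colons and /etc/makepkg.conf before the first gpg --send-keys, since a UID mismatch is much easier to fix before the key is on a keyserver.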
Be safe!
- Create a backup of your keys and be sure not to forget the passphrase!