Difference between revisions of "DeveloperWiki:Signing Packages"

From ArchWiki
(Undo revision 143669 by KerrickStaley (talk) Please don't edit this page)
(Sign your packages)
 
(15 intermediate revisions by 4 users not shown)
Line 1: Line 1:
__NOTOC__
+
[[Category:DeveloperWiki]]__NOTOC__
{{Box RED|Warning:|This is just a draft and work in progress. Don't even read it.}}
+
  
==List of Packager Keys==
+
==Choose a UID==
 
+
* Use a valid e-mail address: no obfuscation.
After you finished not reading this, please go to [[DeveloperWiki:Signing_Packages/Packager_Keys]].
+
* The e-mail address should be reliable (do not use one you got from your ISP or a random free service).
 
+
* When in doubt, you should prefer using your <code>@archlinux.org</code> address.
==Choose an UID==
+
* The UID also has to be the same as the <code>PACKAGER</code> variable you use to build packages.
* Use your real name. It has to be exactly the one that can be found on official documents like your passport or driver's license. Have a look at http://wiki.cacert.org/PracticeOnNames
+
* A correct UID looks like this: <code>Pierre Schmitz <pierre@archlinux.de></code>
* Use a valid e-mail address. Means no obfuscation.
+
* We strongly advise you use your real name. It has to be exactly that found on official documents (passport, driver's license, etc.); see [http://wiki.cacert.org/PracticeOnNames CAcert's practice on names].
* The e-mail address should be reliable (so don't use the one you got from your ISP a random free mail address).
+
* If in doubt you should prefer using your archlinux.org address
+
* The UID has also to be the same as the <code>PACKAGER</code> variable you use to build packages
+
* An UID looks like this: <code>Pierre Schmitz <pierre@archlinux.de></code>
+
  
 
==Create a key pair==
 
==Create a key pair==
# install <code>gnupg</code>
+
# Install <code>gnupg</code>.
# <code>gpg --gen-key</code>
+
# Run: <code>gpg --gen-key</code>
## you may use the default options which is a 2048 Bit RSA key for encryption and signing which does not expire
+
## You may use the default: a never expiring 2048-bit RSA key for encryption and signing.
# Also create a revoke key for later use
+
# Create a revocation certificate, for use when/if your private key ever gets compromised:
## <code>gpg -o ~/.gnupg/pierre@archlinux.de-revoke.asc --gen-revoke pierre@archlinux.de</code>
+
## Run: <code>gpg -o ~/.gnupg/pierre@archlinux.de-revoke.asc --gen-revoke pierre@archlinux.de</code>
## Make sure to create a backup of this file and remove it from your system afterwards
+
## Make sure to store this file in a secure location (and/or encrypt it with a passphrase); then delete the plaintext version.
 
# Backup your private key: <code>gpg --export-secret-keys pierre@archlinux.de > pierre@archlinux.de-private.asc</code>
 
# Backup your private key: <code>gpg --export-secret-keys pierre@archlinux.de > pierre@archlinux.de-private.asc</code>
  
==Get your key signed by CAcert==
+
==Recommended: Get your key signed by CAcert==
# Get the CAcert key and import it:
+
# [https://www.cacert.org/index.php?id=1 Create an account on CAcert.]
## <code>wget https://www.cacert.org/certs/cacert.asc</code>
+
# Meet CAcert assurers and have them verify your official identification documents; see [http://www.cacert.org/policy/AssurancePolicy.php CAcert's assurance policy].
## <code>gpg --import cacert.asc</code>
+
# You will then be able to access a new part of the CAcert website and get your key signed:
# Trust this key:
+
## Export your public key: <code>gpg --export --armor pierre@archlinux.de > pierre@archlinux.de.asc</code>
## <code>gpg --edit-key gpg@cacert.org</code>
+
## Paste the content of that file into the form on the [https://www.cacert.org CAcert website].
## <code>>trust</code>
+
## Save the signed key from the CAcert website and import it: <code>gpg --import <filename></code>
## <code>>5</code>
+
# Export your key:
+
## <code>gpg --export --armor pierre@archlinux.de > pierre@archlinux.de.asc</code>
+
## Paste the content of that file into the form on the [https://www.cacert.org CAcert website] to get your signed public key.
+
# Save the signed key from the CAcert website and import it
+
## <code>gpg --import <filename></code>
+
# You might want to send your new signed key to a keyserver
+
## Check your key id with <code>gpg -k</code>
+
## <code>gpg --send-keys 9741E8AC</code>
+
## You could also export it again for uploading it on e.g. your webspace: <code>gpg --export --armor pierre@archlinux.de > pierre@archlinux.de.asc</code>
+
# You should create a backup of your keys and make sure to not forget the passphrase!
+
  
==Sign your packages==
+
==Recommended: Get your key signed by other devs==
# Install devtools 0.9.22 or later
+
# When ever you meet with another dev, sign each others' keys.
# add <code>SIGNPKG=y</code> to your <code>~/.makepkg.conf</code>
+
# Take this seriously: never sign a key when you cannot verify the other person's identity.
# If you want to sign with a specific key also add <code>GPGKEY=<id></code>
+
# See [http://www.cacert.org/policy/AssurancePolicy.php CAcert's assurance policy] for good guidelines.
# <code>commitpkg</code> and its aliases like <code>extrapkg</code> or <code>testingpkg</code> will now sign your packages and upload the package including its signature.
+
  
==Verify a signed package (just for testing)==
+
==Publish your public key==
# Install and trust the CAcert key
+
# Send your public key to a keyserver:
## <code>wget https://www.cacert.org/certs/cacert.asc</code>
+
## Check your key id with: <code>gpg -k</code>
## <code>gpg --import cacert.asc</code>
+
## Run: <code>gpg --send-keys KEY-ID</code>
## <code>gpg --edit-key gpg@cacert.org</code>
+
# Add your key fingerprint to your profile at https://www.archlinux.org/devel/profile/
## <code>>trust</code>
+
## <code>>5</code>
+
# Search and import the packager's key
+
## <code>gpg --search-keys 9741E8AC</code>
+
# Verify the package
+
## <code>gpg --verify devtools-*.pkg.tar.xz.sig</code>
+
  
==Open questions==
+
==Be safe!==
* How do we handle keys that expire?
+
# Create a backup of your keys and be sure not to forget the passphrase!
* Will we re-sign packages of a dev who left the team?
+
* How do we verify the identity of devs who have no CAcert assurers near their location?
+
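Review bot: the private-key backup line ("# Backup your private key: gpg --export-secret-keys pierre@archlinux.de > pierre@archlinux.de-private.asc"), carried over unchanged in this revision, redirects binary output into a file named .asc; add --armor so the content matches the extension, and give that file the same handling the new revocation-certificate step prescribes (secure storage, encrypted, plaintext removed), since it holds the secret key. This revision also drops the "Open questions" item "How do we handle keys that expire?" while the new step under "Create a key pair" still recommends a never-expiring key; keep the question or state an expiry policy. Minor: "When ever" should be "Whenever" and "each others' keys" should be "each other's keys".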

Latest revision as of 10:37, 15 February 2012


Choose a UID

  • Use a valid e-mail address: no obfuscation.
  • The e-mail address should be reliable (do not use one you got from your ISP or a random free service).
  • When in doubt, you should prefer using your @archlinux.org address.
  • The UID also has to be the same as the PACKAGER variable you use to build packages.
  • A correct UID looks like this: Pierre Schmitz <pierre@archlinux.de>
  • We strongly advise you to use your real name. It has to be exactly that found on official documents (passport, driver's license, etc.); see CAcert's practice on names.

Create a key pair

  1. Install gnupg.
  2. Run: gpg --gen-key
    1. You may use the default: a never-expiring 2048-bit RSA key for encryption and signing.
  3. Create a revocation certificate, for use when/if your private key ever gets compromised:
    1. Run: gpg -o ~/.gnupg/pierre@archlinux.de-revoke.asc --gen-revoke pierre@archlinux.de
    2. Make sure to store this file in a secure location (and/or encrypt it with a passphrase); then delete the plaintext version.
  4. Backup your private key: gpg --export-secret-keys pierre@archlinux.de > pierre@archlinux.de-private.asc

Recommended: Get your key signed by CAcert

  1. Create an account on CAcert.
  2. Meet CAcert assurers and have them verify your official identification documents; see CAcert's assurance policy.
  3. You will then be able to access a new part of the CAcert website and get your key signed:
    1. Export your public key: gpg --export --armor pierre@archlinux.de > pierre@archlinux.de.asc
    2. Paste the content of that file into the form on the CAcert website.
    3. Save the signed key from the CAcert website and import it: gpg --import <filename>

Recommended: Get your key signed by other devs

  1. Whenever you meet another dev, sign each other's keys.
  2. Take this seriously: never sign a key when you cannot verify the other person's identity.
  3. See CAcert's assurance policy for good guidelines.

Publish your public key

  1. Send your public key to a keyserver:
    1. Check your key ID with: gpg -k
    2. Run: gpg --send-keys KEY-ID
  2. Add your key fingerprint to your profile at https://www.archlinux.org/devel/profile/
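For the "never sign a key when you cannot verify the other person's identity" rule above and the profile-fingerprint step, an added example that is not part of the wiki page: shell functions that refuse to sign unless the full fingerprint read from the person's identification matches the key in the keyring, and that print the full fingerprint (rather than the short ID from gpg -k) for the profile page. Function names and all sample fingerprints are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page): the "verify first, then sign"
# half of signing another dev's key, plus the full fingerprint for your
# profile page.  All fingerprints and addresses are constructed.
set -eu

# Fingerprints arrive as "AB12 CD34 ..." on paper or "ab12cd34..." in a
# mail; normalize before comparing.
normalize_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# fpr_matches EXPECTED ACTUAL: succeeds only for two equal, full 40-hex
# fingerprints.  A short key ID (8 or 16 hex digits) is rejected on purpose:
# it is not unique enough to stand in for an identity check.
fpr_matches() {
    e=$(normalize_fpr "$1"); a=$(normalize_fpr "$2")
    [ "${#e}" -eq 40 ] && [ "${#a}" -eq 40 ] && [ "$e" = "$a" ]
}

# key_fingerprint EMAIL: full fingerprint from the local keyring; this, not
# the short ID from "gpg -k", is what belongs on the archlinux.org profile.
key_fingerprint() {
    gpg --batch --with-colons --fingerprint "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# sign_verified_key EMAIL FPR_FROM_PERSON: sign only if the fingerprint you
# checked against the person's ID is what sits in your keyring under that
# UID.  The key is looked up by fingerprint, never by name or e-mail.
sign_verified_key() {
    email=$1; fpr=$(normalize_fpr "$2")
    [ "${#fpr}" -eq 40 ] || { echo 'need a full fingerprint, not a key ID' >&2; return 1; }
    gpg --batch --with-colons --fingerprint "$fpr" 2>/dev/null \
        | awk -F: -v e="$email" '$1 == "uid" && index($10, "<" e ">") { ok = 1 }
                                 END { exit !ok }' \
        || { printf 'no key %s with UID <%s> in keyring\n' "$fpr" "$email" >&2; return 1; }
    gpg --batch --yes --sign-key "$fpr"
    gpg --batch --send-keys "$fpr"   # push the new signature back to the keyserver
}
```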

Be safe!

  1. Create a backup of your keys and be sure not to forget the passphrase!