Public keys for Ubuntu .deb signature verification
* Before and after generating any keys:
Because GnuPG is stuck in the '90s dark ages of crypto engineering:
% sudo mv /dev/random /dev/random.save
% sudo ln -s urandom /dev/random
...generate keys...
% sudo mv -f /dev/random.save /dev/random
Don't automate this -- only do this on an interactive laptop, or
figure out what this is about and then automate it differently with a
reliable source of entropy in a seed file.
* To create a signing key for a new principal:
Pick a nickname for the principal, called <principal>. E.g., you
might pick your username.
1. Pick an email address with <principal> in it.
2. Copy template.param to <principal>.param.
3. Edit the lines marked XXXEDITME:
- Set the name and email address to reflect the principal.
- Set the expiration date. Should be at least a couple months in
the future.
4. Add <principal> to PRINCIPALS in Makefile. (Keep sorted.)
5. Pick an empty GnuPG home for your private key to live in, e.g. on a
USB flash drive mounted at /media/user/userdebsign/20170530. You
can create it with
% mkdir -m 0700 /media/user/userdebsign/20170530
% gpg --homedir /media/user/userdebsign/20170530 --list-keys
6. Do a dry run of key generation:
% make <principal>.dry GNUPGHOME=/media/user/userdebsign/20170530
Examine the output. Tweak until it works.
7. Do a real run of key generation:
% make <principal>.asc GNUPGHOME=/media/user/userdebsign/20170530
8. Regenerate the keyring:
% make keyring
9. Commit your changes to Git.
* To retire a signing key:
1. Move <principal>.asc to archive/<principal>/<date>-<keyid32>.asc.
2. Add archive/<principal>/<date>-<keyid32> to PRINCIPALS in Makefile.
Remove <principal> if you are not generating a new signing key.
3. Commit your changes to Git.
4. After the signing key has expired, you can remove it.
* To generate a new signing key for an old principal:
Just retire the old signing key and create a new signing key as if for
a new principal.
* Why is this hard?
We want:
- To keep the key material off our laptop disks.
- Reproducible, consistent instructions for generating keys.
- Procedure for adding a new principal or retiring an old principal.
- Procedure for rotating from an old version of a principal's key to
a new version.
- No stupid GnuPG hanging while trying to generate many bytes of data
for RSA keys.
We do not currently use hardware crypto tokens. To be done in a
future version of this so that we keep the key material off our
laptops altogether.