Release Management/Keys
Introduction
A Release Management Team member needs SSH and GPG keys for their daily work. This is a short initiation guide.
GPG
Key generation
$ gpg --gen-key
gpg (GnuPG) 2.0.11; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: John Doe
Email address: john.doe@openbravo.com
Comment:
You selected this USER-ID:
    "John Doe <john.doe@openbravo.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
(enter a passphrase twice)

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 260B15C0 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   1024D/260B15C0 2009-07-07
      Key fingerprint = 301A 945D 654E BD5C A83E  E9B6 DE1E 5E4B 260B 15C0
uid                  John Doe <john.doe@openbravo.com>
sub   2048g/7F9F130D 2009-07-07
Key sharing
It is common and useful practice to publish the public part of the key to a keyserver. For the key generated in the previous example:
gpg --send-keys --keyserver hkp://keys.gnupg.net 260B15C0
Moving keys among systems
To export the public and private parts of the GPG key:
gpg --output mygpgkey_pub.gpg --armor --export 260B15C0
gpg --output mygpgkey_sec.gpg --armor --export-secret-key 7F9F130D
Copy mygpgkey_pub.gpg and mygpgkey_sec.gpg to the target machine, and then import them:
gpg --import mygpgkey_pub.gpg
gpg --import mygpgkey_sec.gpg
Finally, set your level of trust to maximum:
$ gpg --edit-key 260B15C0
gpg (GnuPG) 2.0.11; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  1024D/260B15C0  created: 2009-07-07  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  2048g/7F9F130D  created: 2009-07-07  expires: never       usage: E
[ultimate] (1). John Doe <john.doe@openbravo.com>

Command> trust
pub  1024D/260B15C0  created: 2009-07-07  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  2048g/7F9F130D  created: 2009-07-07  expires: never       usage: E
[ultimate] (1). John Doe <john.doe@openbravo.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  1024D/260B15C0  created: 2009-07-07  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  2048g/7F9F130D  created: 2009-07-07  expires: never       usage: E
[ultimate] (1). John Doe <john.doe@openbravo.com>

Command> quit
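The whole procedure above (generate, export, copy, import, set ultimate trust) can be scripted so that it does not depend on the interactive menus. The following is an added example, not part of the original wiki page and not Openbravo's tooling. It assumes a modern GnuPG (2.1 or later, whereas the sessions above were recorded with 2.0.11), simulates the source and target machines as two separate GNUPGHOME directories, uses a constructed test identity (Jane Doe, example.com) with an empty passphrase purely to stay non-interactive, and replaces the "Command> trust ... 5" dialogue with --import-ownertrust, which takes lines of the form "<fingerprint>:6:" (6 is ultimate). It also adds the check a practitioner wants before trusting a copied key: the fingerprint on the target must match the fingerprint on the source.

```shell
#!/bin/sh
# Added example (not from the wiki page): move a GPG key between two keyrings
# and mark it ultimately trusted without the interactive --edit-key menu.
# Assumes GnuPG 2.1+. "Machines" are simulated as separate GNUPGHOME dirs.
set -e

# Export both halves of the key KEYID from the keyring SRC_HOME into OUT,
# ASCII-armored, using the same file names as the page.
export_key() {
    src_home=$1; keyid=$2; out=$3
    GNUPGHOME="$src_home" gpg --batch --yes --armor \
        --output "$out/mygpgkey_pub.gpg" --export "$keyid"
    GNUPGHOME="$src_home" gpg --batch --yes --armor --pinentry-mode loopback --passphrase '' \
        --output "$out/mygpgkey_sec.gpg" --export-secret-key "$keyid"
}

# Import both files into DST_HOME and set ownertrust for FPR to ultimate (6).
import_key() {
    dst_home=$1; in=$2; fpr=$3
    GNUPGHOME="$dst_home" gpg --batch --import "$in/mygpgkey_pub.gpg"
    GNUPGHOME="$dst_home" gpg --batch --pinentry-mode loopback --passphrase '' \
        --import "$in/mygpgkey_sec.gpg"
    printf '%s:6:\n' "$fpr" | GNUPGHOME="$dst_home" gpg --batch --import-ownertrust
}

# Print the full fingerprint of the primary key matching KEY in HOME
# (machine-readable "fpr" record, field 10).
fingerprint_of() {
    GNUPGHOME="$1" gpg --batch --with-colons --fingerprint "$2" \
        | awk -F: '$1=="fpr"{print $10; exit}'
}

# Print the ownertrust level recorded for FPR in HOME ("6" means ultimate).
ownertrust_of() {
    GNUPGHOME="$1" gpg --batch --export-ownertrust \
        | awk -F: -v f="$2" '$1==f{print $2; exit}'
}

# Demo: create a throwaway source keyring with a constructed test key, move it
# to a second keyring, and verify fingerprint and trust. Returns 0 on success.
demo_move() {
    work=$(mktemp -d)
    src="$work/src"; dst="$work/dst"; xfer="$work/xfer"
    mkdir -m 700 "$src" "$dst"; mkdir "$xfer"
    # Constructed identity; empty passphrase only to keep the demo non-interactive.
    GNUPGHOME="$src" gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Jane Doe <jane.doe@example.com>" default default never
    fpr=$(fingerprint_of "$src" jane.doe@example.com)
    export_key "$src" "$fpr" "$xfer"
    import_key "$dst" "$xfer" "$fpr"
    # Never trust a copied key whose fingerprint does not match the original.
    [ "$(fingerprint_of "$dst" "$fpr")" = "$fpr" ] || { echo "fingerprint mismatch"; return 1; }
    [ "$(ownertrust_of "$dst" "$fpr")" = "6" ] || { echo "trust not ultimate"; return 1; }
    GNUPGHOME="$src" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$dst" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "key $fpr moved and ultimately trusted"
}
```

On a real pair of machines you would run export_key on the source, copy the two files over a trusted channel, run import_key on the target with the fingerprint you read on the source, and delete mygpgkey_sec.gpg from both the transfer medium and the target once the import is confirmed.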