Lines Matching refs:you
66 Your distro should already have GnuPG installed by default, you just
67 need to verify that you are using version 2.x and not the legacy 1.4
73 If you see ``gpg (GnuPG) 1.4.x``, then you are using GnuPG v.1. Try the
74 ``gpg2`` command (if you don't have it, you may need to install the
79 If you see ``gpg (GnuPG) 2.x.x``, then you are good to go. This guide
80 will assume you have the version 2.2 of GnuPG (or later). If you are
82 not work, and you should consider installing the latest 2.2 version of
86 If you have both ``gpg`` and ``gpg2`` commands, you should make sure you
98 you use the ``gpg`` command and run in the background with the purpose
99 of caching the private key passphrase. There are two options you should
102 - ``default-cache-ttl`` (seconds): If you use the same key again before
105 - ``max-cache-ttl`` (seconds): Regardless of how recently you've used
107 countdown expires, you'll have to enter the passphrase again. The
110 If you find either of these defaults too short (or too long), you can
121 to remove anything you had in place for older versions of GnuPG, as
134 ``gpg2`` command if regular ``gpg`` for you is the legacy GnuPG v.1.
141 This guide assumes that you already have a PGP key that you use for Linux
142 kernel development purposes. If you do not yet have one, please see the
168 encrypted to a subkey cannot be decrypted with the master key. If you
186 If you used the default parameters when generating your key, then that
187 is what you will have. You can verify by running ``gpg --list-secret-keys``,
199 whenever you see ``[fpr]`` in the examples below, that 40-character
219 if you only have a combined **[SC]** key, then you should create a separate
235 compared byte for byte with 2048+ bit RSA keys. Unless you plan on
237 recommend that you create an ECC signing subkey for your kernel
240 If for some reason you prefer to stay with RSA subkeys, just replace
247 The more signatures you have on your PGP key from other developers, the
248 more reasons you have to create a backup version that lives on something
265 that passphrase, and if you ever change it you will not remember what it
266 used to be when you had created the backup -- *guaranteed*.
278 change the passphrase on your master key immediately after you are
289 should you need to recover them. This is different from the
291 on these external copies whenever you need to use your Certify key --
295 Start by getting a small USB "thumb" drive (preferably two!) that you
299 For the encryption passphrase, you can use the same one as on your
312 If you don't get any errors, then you should be good to go. Unmount the
313 USB drive, distinctly label it so you don't blow it away next time you
315 far away, because you'll need to use it every now and again for things
339 Please see the previous section and make sure you have backed up
341 render your key useless if you do not have a usable backup!
368 All you have to do is simply remove the .key file that corresponds to
374 Now, if you issue the ``--list-secret-keys`` command, it will show that
387 If you don't have the "private-keys-v1.d" directory
390 If you do not have a ``~/.gnupg/private-keys-v1.d`` directory, then your
396 Once you get that done, make sure to delete the obsolete ``secring.gpg``
421 operating system of the computer into which you plug in the hardware
450 others. If you want to use ECC keys, your best bet among commercially
455 If you are listed in MAINTAINERS or have an account at kernel.org,
456 you `qualify for a free Nitrokey Start`_ courtesy of The Linux
469 Your smartcard device should Just Work (TM) the moment you plug it into
474 If you see full smartcard details, then you are good to go.
476 be working for you is way beyond the scope of this guide. If you are
480 To configure your smartcard, you will need to use the GnuPG menu system, as
491 the Admin PIN and the Reset Code (which allows you to completely wipe
492 the smartcard). You so rarely need to use the Admin PIN, that you will
493 inevitably forget what it is if you do not record it.
495 Getting back to the main card menu, you can also set other values (such
497 additionally leak information about your smartcard should you lose it.
506 Some devices may require that you move the subkeys onto the device
507 before you can change the passphrase. Please check the documentation
532 Using ``--edit-key`` puts us into the menu mode again, and you will
536 First, let's select the key we'll be putting onto the card -- you do
542 In the output, you should now see ``ssb*`` on the **[E]** key. The ``*``
544 meaning that if you type ``key 1`` again, the ``*`` will disappear and
555 slot. When you submit your selection, you will be prompted first for
578 Saving the changes will delete the keys you moved to the card from your
585 If you perform ``--list-secret-keys`` now, you will see a subtle
596 available on the smartcard. If you go back into your secret keys
597 directory and look at the contents there, you will notice that the
609 To verify that the smartcard is working as intended, you can create a
616 show "Good signature" after you run ``gpg --verify``.
618 Congratulations, you have successfully made it extremely difficult to
624 Here is a quick reference for some common operations you'll need to do
630 You will need your master key for any of the operations below, so you
637 You want to make sure that you see ``sec`` and not ``sec#`` in the
638 output (the ``#`` means the key is not available and you're still using
665 After you make any changes to your key using the offline storage, you will
674 You can forward your gpg-agent over ssh if you need to sign tags or
680 It works more smoothly if you can modify the sshd server settings on the
690 repository is cloned to your system, you have full history of the
697 line in the commit says it was done by you, while you're pretty sure you
704 impersonate you without having access to your PGP keys.
711 If you only have one secret key in your keyring, then you don't really
713 you happen to have multiple secret keys, you can tell git which key
718 **IMPORTANT**: If you have a distinct ``gpg2`` command, then you should
743 If you are pulling a tag from another fork of the project repository,
744 git should automatically verify the signature at the tip you're pulling
745 and show you the results during the merge operation::
758 If you are verifying someone else's git tag, then you will need to
764 If you get "``gpg: Can't check signature: unknown pubkey
765 algorithm``" error, you need to tell git to use gpgv2 for
772 Chances are, if you're creating an annotated tag, you'll want to sign
773 it. To force git to always sign annotated tags, you can set a global
790 However, if you have your working git tree publicly available at some
792 then the recommendation is that you sign all your git commits even if
800 2. If you ever need to re-clone your local repository (for example,
801 after a disk failure), this lets you easily verify the repository
809 To create a signed commit, you just need to pass the ``-S`` flag to the
824 Make sure you configure ``gpg-agent`` before you turn this on.
838 If you are not already someone with an extensive collection of other
839 developers' public keys, then you can jumpstart your keyring by relying
841 delegated trust technologies, namely DNSSEC and TLS, to get you going if
859 accounts. Once you have the above changes in your ``gpg.conf``, you can
860 auto-retrieve the keys for Linus Torvalds and Greg Kroah-Hartman (if you
865 If you have a kernel.org account, then you should `add the kernel.org
883 "the SSH-like approach to trust." With SSH, the first time you connect
885 the key changes in the future, the SSH client will alert you and refuse
886 to connect, forcing you to make a decision on whether you choose to
887 trust the changed key or not. Similarly, the first time you import
891 you will need to manually figure out which one to keep.
893 We recommend that you use the combined TOFU+PGP trust model (which is
902 If you get a "No public key" error when trying to validate someone's
903 tag, then you should attempt to lookup that key using a keyserver. It is
905 key you retrieve from PGP keyservers belongs to the actual person --
912 beings. Here are some shortcuts that will help you reduce the risk of
915 First, let's say you've tried to run ``git verify-tag`` but it returned
935 ``C94035C21B4F2AEB``. Now display the key of Linus Torvalds that you
946 paste the key-id you found via ``gpg --search`` of the unknown key, and
951 If you get a few decent trust paths, then it's a pretty good indication
957 This process is not perfect, and you are obviously trusting the
959 fact, this goes against :ref:`devs_not_infra`). However, if you