Lines Matching refs:you
66 Your distro should already have GnuPG installed by default; you just
67 need to verify that you are using version 2.x and not the legacy 1.4
73 If you see ``gpg (GnuPG) 1.4.x``, then you are using GnuPG v.1. Try the
74 ``gpg2`` command (if you don't have it, you may need to install the
79 If you see ``gpg (GnuPG) 2.x.x``, then you are good to go. This guide
80 will assume you have the version 2.2 of GnuPG (or later). If you are
82 not work, and you should consider installing the latest 2.2 version of
86 If you have both ``gpg`` and ``gpg2`` commands, you should make sure you
98 you use the ``gpg`` command and run in the background with the purpose
99 of caching the private key passphrase. There are two options you should
102 - ``default-cache-ttl`` (seconds): If you use the same key again before
105 - ``max-cache-ttl`` (seconds): Regardless of how recently you've used
107 countdown expires, you'll have to enter the passphrase again. The
110 If you find either of these defaults too short (or too long), you can
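The two ``gpg-agent`` settings listed above are the ones worth scripting, because ``max-cache-ttl`` is a hard ceiling and silently overrides a larger ``default-cache-ttl``. The following is an added example, not code from the kernel PGP guide; it assumes GnuPG 2.x reading ``$GNUPGHOME/gpg-agent.conf`` (default ``~/.gnupg/gpg-agent.conf``), validates the two values, rewrites the file without leaving stale copies of either setting, and reloads the running agent.

```sh
#!/bin/sh
# Added example (not from the kernel PGP guide): set gpg-agent's passphrase
# cache timeouts and reload the agent. Assumptions: GnuPG 2.x, whose agent
# reads $GNUPGHOME/gpg-agent.conf (default ~/.gnupg/gpg-agent.conf).

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# agent_conf_text DEFAULT_TTL MAX_TTL  -> the two config lines on stdout.
# max-cache-ttl is a hard ceiling: if it is lower than default-cache-ttl the
# entry still expires at max-cache-ttl, so refuse that combination instead of
# writing a config that does not do what the numbers suggest.
agent_conf_text() {
    is_uint "$1" && is_uint "$2" || {
        echo "ttl values must be whole seconds, got '$1' '$2'" >&2; return 1; }
    if [ "$2" -lt "$1" ]; then
        echo "max-cache-ttl ($2) must not be below default-cache-ttl ($1)" >&2
        return 1
    fi
    printf 'default-cache-ttl %s\nmax-cache-ttl %s\n' "$1" "$2"
}

# write_agent_conf CONFDIR DEFAULT_TTL MAX_TTL
# Replaces any earlier copies of the two settings (a stale max-cache-ttl left
# over from an older config would otherwise win) and keeps every other line.
write_agent_conf() {
    confdir=$1
    conf=$confdir/gpg-agent.conf
    lines=$(agent_conf_text "$2" "$3") || return 1
    mkdir -p "$confdir" && chmod 700 "$confdir"
    if [ -f "$conf" ]; then
        grep -v -E '^(default|max)-cache-ttl([[:space:]]|$)' "$conf" > "$conf.tmp" || true
    else
        : > "$conf.tmp"
    fi
    printf '%s\n' "$lines" >> "$conf.tmp"
    mv "$conf.tmp" "$conf" && chmod 600 "$conf"
}

# cache_ttl CONFDIR NAME -> configured value of default-cache-ttl / max-cache-ttl
cache_ttl() { awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1/gpg-agent.conf"; }

# reload_agent: gpg-agent rereads its config on "reloadagent" (no restart
# needed); skipped silently where GnuPG is not installed.
reload_agent() {
    command -v gpg-connect-agent >/dev/null 2>&1 || return 0
    gpg-connect-agent reloadagent /bye
}

# Typical use (30 minutes after last use, 2 hours absolute):
#   write_agent_conf "${GNUPGHOME:-$HOME/.gnupg}" 1800 7200 && reload_agent
```

The rewrite step matters more than it looks: GnuPG takes the last occurrence of a repeated option, so appending to an existing ``gpg-agent.conf`` is usually fine, but a leftover ``max-cache-ttl`` from an older setup is the classic reason a longer ``default-cache-ttl`` appears not to take effect.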
121 to remove anything you had in place for older versions of GnuPG, as
134 ``gpg2`` command if regular ``gpg`` for you is the legacy GnuPG v.1.
141 This guide assumes that you already have a PGP key that you use for Linux
142 kernel development purposes. If you do not yet have one, please see the
168 encrypted to a subkey cannot be decrypted with the master key. If you
186 If you used the default parameters when generating your key, then that
187 is what you will have. You can verify by running ``gpg --list-secret-keys``,
199 whenever you see ``[fpr]`` in the examples below, that 40-character
219 if you only have a combined **[SC]** key, then you should create a separate
235 compared byte for byte with 2048+ bit RSA keys. Unless you plan on
237 recommend that you create an ECC signing subkey for your kernel
240 If for some reason you prefer to stay with RSA subkeys, just replace
241 "ed25519" with "rsa2048" in the above command. Additionally, if you
243 keys, like Nitrokey Pro or a Yubikey, then you should use
250 The more signatures you have on your PGP key from other developers, the
251 more reasons you have to create a backup version that lives on something
268 that passphrase, and if you ever change it you will not remember what it
269 used to be when you had created the backup -- *guaranteed*.
281 change the passphrase on your master key immediately after you are
292 should you need to recover them. This is different from the
294 on these external copies whenever you need to use your Certify key --
298 Start by getting a small USB "thumb" drive (preferably two!) that you
302 For the encryption passphrase, you can use the same one as on your
315 If you don't get any errors, then you should be good to go. Unmount the
316 USB drive, distinctly label it so you don't blow it away next time you
318 far away, because you'll need to use it every now and again for things
342 Please see the previous section and make sure you have backed up
344 render your key useless if you do not have a usable backup!
371 All you have to do is remove the .key file that corresponds to
377 Now, if you issue the ``--list-secret-keys`` command, it will show that
390 If you don't have the "private-keys-v1.d" directory
393 If you do not have a ``~/.gnupg/private-keys-v1.d`` directory, then your
399 Once you get that done, make sure to delete the obsolete ``secring.gpg``
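The step described above (remove the master key's ``.key`` file from ``private-keys-v1.d`` once it is backed up) is easy to get wrong by deleting the wrong keygrip or deleting before the backup is verified. The following is an added example, not code from the kernel PGP guide; it assumes the GnuPG 2.1+ layout (``private-keys-v1.d/<KEYGRIP>.key``) and a listing produced by ``gpg --with-colons --with-keygrip --list-secret-keys``, picks the keygrip of the ``sec`` (master) record rather than a subkey, copies the file to the backup location, compares the copy byte for byte, and only then removes the original.

```sh
#!/bin/sh
# Added example (not part of the kernel PGP guide): take the master (Certify)
# key offline by moving its private-key file out of the GnuPG home, leaving
# only the subkeys. Assumptions: GnuPG 2.1+ layout (private-keys-v1.d/<KEYGRIP>.key)
# and a listing made with:  gpg --with-colons --with-keygrip --list-secret-keys

# master_keygrip < LISTING
# In --with-colons output the "sec" record opens the master key and the next
# "grp" record carries its keygrip in field 10; "ssb" records are subkeys.
master_keygrip() {
    awk -F: '
        $1 == "sec" { want = 1; next }
        $1 == "ssb" { want = 0 }
        $1 == "grp" && want { print $10; exit }
    '
}

# offline_master_key GNUPGHOME BACKUPDIR LISTING_FILE
# Copies <grip>.key to BACKUPDIR (your encrypted USB mount), verifies the copy
# byte for byte, and only then removes it from GNUPGHOME.
offline_master_key() {
    home=$1; backup=$2; listing=$3
    [ -d "$backup" ] || { echo "backup dir $backup is not mounted" >&2; return 1; }
    grip=$(master_keygrip < "$listing")
    case "$grip" in
        ''|*[!0-9A-Fa-f]*) echo "no master keygrip found in $listing" >&2; return 1 ;;
    esac
    [ "${#grip}" -eq 40 ] || { echo "unexpected keygrip '$grip'" >&2; return 1; }
    src="$home/private-keys-v1.d/$grip.key"
    [ -f "$src" ] || { echo "$src not present (already offline?)" >&2; return 1; }
    cp -p "$src" "$backup/$grip.key" || return 1
    cmp -s "$src" "$backup/$grip.key" || { echo "backup copy differs, keeping $src" >&2; return 1; }
    rm -f "$src"
    echo "master key $grip moved to $backup; gpg --list-secret-keys should now show sec#"
}

# master_key_offline GNUPGHOME LISTING_FILE -> 0 if the master .key file is gone
master_key_offline() {
    grip=$(master_keygrip < "$2")
    [ -n "$grip" ] && [ ! -f "$1/private-keys-v1.d/$grip.key" ]
}

# Constructed sample of the listing (not real keys), used for the demo below.
sample_listing() {
    cat <<'EOF'
sec:u:4096:1:AAAABBBBCCCCDDDD:1512000000:1575000000::u:::cSC:::+:::23::0:
fpr:::::::::000000000000000000000000AAAABBBBCCCCDDDD:
grp:::::::::1111000000000000000000000000000000000000:
uid:u::::1512000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Dev <adev@kernel.org>::::::::::0:
ssb:u:4096:1:EEEEFFFF00001111:1512000000:1575000000:::::e:::+:::23:
fpr:::::::::000000000000000000000000EEEEFFFF00001111:
grp:::::::::2222000000000000000000000000000000000000:
EOF
}

# Demo on the constructed listing: prints the master keygrip (1111...0000).
sample_listing | master_keygrip
```

Real use is ``gpg --with-colons --with-keygrip --list-secret-keys > /tmp/listing && offline_master_key ~/.gnupg /media/disk/pgp-backup /tmp/listing`` with the encrypted drive mounted; afterwards ``gpg --list-secret-keys`` shows ``sec#`` for the master key and plain ``ssb`` for the subkeys, which is the state the next section checks for.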
424 operating system of the computer into which you plug in the hardware
458 If you are listed in MAINTAINERS or have an account at kernel.org,
459 you `qualify for a free Nitrokey Start`_ courtesy of The Linux
472 Your smartcard device should Just Work (TM) the moment you plug it into
477 If you see full smartcard details, then you are good to go.
479 be working for you is way beyond the scope of this guide. If you are
483 To configure your smartcard, you will need to use the GnuPG menu system, as
494 the Admin PIN and the Reset Code (which allows you to completely wipe
495 the smartcard). You will need the Admin PIN so rarely that you will
496 inevitably forget what it is unless you record it.
498 Getting back to the main card menu, you can also set other values (such
500 additionally leak information about your smartcard should you lose it.
509 Some devices may require that you move the subkeys onto the device
510 before you can change the passphrase. Please check the documentation
535 Using ``--edit-key`` puts us into the menu mode again, and you will
539 First, let's select the key we'll be putting onto the card -- you do
545 In the output, you should now see ``ssb*`` on the **[E]** key. The ``*``
547 meaning that if you type ``key 1`` again, the ``*`` will disappear and
558 slot. When you submit your selection, you will be prompted first for
581 Saving the changes will delete the keys you moved to the card from your
588 If you perform ``--list-secret-keys`` now, you will see a subtle
599 available on the smartcard. If you go back into your secret keys
600 directory and look at the contents there, you will notice that the
612 To verify that the smartcard is working as intended, you can create a
619 show "Good signature" after you run ``gpg --verify``.
621 Congratulations, you have successfully made it extremely difficult to
627 Here is a quick reference for some common operations you'll need to do
633 You will need your master key for any of the operations below, so you
640 You want to make sure that you see ``sec`` and not ``sec#`` in the
641 output (the ``#`` means the key is not available and you're still using
668 After you make any changes to your key using the offline storage, you will
677 You can forward your gpg-agent over ssh if you need to sign tags or
683 It works more smoothly if you can modify the sshd server settings on the
693 repository is cloned to your system, you have full history of the
700 line in the commit says it was done by you, while you're pretty sure you
707 impersonate you without having access to your PGP keys.
714 If you only have one secret key in your keyring, then you don't really
716 you happen to have multiple secret keys, you can tell git which key
721 **IMPORTANT**: If you have a distinct ``gpg2`` command, then you should
746 If you are pulling a tag from another fork of the project repository,
747 git should automatically verify the signature at the tip you're pulling
748 and show you the results during the merge operation::
761 If you are verifying someone else's git tag, then you will need to
767 If you get "``gpg: Can't check signature: unknown pubkey
768 algorithm``" error, you need to tell git to use gpgv2 for
775 Chances are, if you're creating an annotated tag, you'll want to sign
776 it. To force git to always sign annotated tags, you can set a global
793 However, if you have your working git tree publicly available at some
795 then the recommendation is that you sign all your git commits even if
803 2. If you ever need to re-clone your local repository (for example,
804 after a disk failure), this lets you easily verify the repository
812 To create a signed commit, you just need to pass the ``-S`` flag to the
827 Make sure you configure ``gpg-agent`` before you turn this on.
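The git-side configuration mentioned above (``user.signingKey``, the ``gpg2`` caveat, signing annotated tags and commits) and the re-clone verification it is meant to enable fit in one short script. The following is an added example, not code from the kernel PGP guide; it assumes git's ``%G?`` status letters (``G`` good, ``U`` good signature but untrusted key, ``B`` bad, ``E`` key missing, ``X``/``Y`` expired, ``R`` revoked, ``N`` unsigned) and that you pass your key as a full fingerprint. The audit deliberately flags ``U``: the signature verified, but nothing in your keyring vouches for the key, which is what the TOFU and keyserver steps later on are for.

```sh
#!/bin/sh
# Added example (not part of the kernel PGP guide): configure git to sign with
# your PGP key, then audit a clone for commits that do not carry a good
# signature from a key you trust. Assumptions: git's %G? status letters
# (G good; U good but untrusted key; B bad; E key missing; X/Y expired;
# R revoked; N unsigned), and that the key to use is given as its fingerprint.

# setup_signing FPR  (requires git; not exercised by the demo below)
# Uses gpg2 only when it is a distinct command, which is the case when plain
# gpg is still the legacy 1.4 series.
setup_signing() {
    git config --global user.signingKey "$1"
    git config --global commit.gpgSign true
    git config --global tag.forceSignAnnotated true
    if command -v gpg2 >/dev/null 2>&1; then
        git config --global gpg.program gpg2
    fi
}

# flag_unverified < "git log --format='%G? %h %s' ..." output
# Prints every commit whose status is not "G". "U" is deliberately flagged:
# the signature verified, but the key has no trust in your keyring.
flag_unverified() { awk '$1 != "G" { print }'; }

# unverified_count < same input -> number of flagged commits
unverified_count() { awk '$1 != "G" { n++ } END { print n + 0 }'; }

# audit_range REV_RANGE   e.g. audit_range origin/master~50..origin/master
# (requires git and gpg; the signature check is done by git itself)
audit_range() {
    git log --format='%G? %h %s' "$1" | flag_unverified
}

# Constructed sample of "git log --format='%G? %h %s'" output (not a real history).
sample_log() {
    cat <<'EOF'
G 1a2b3c4 fs: fix off-by-one in read path
U 5d6e7f8 net: drop unused helper
N 9a0b1c2 Merge branch 'fixes'
B 3d4e5f6 mm: tweak reclaim heuristics
E 7a8b9c0 docs: update PGP guide
G 2b3c4d5 kbuild: bump version
EOF
}

# Demo on the constructed log: lists the four commits that need attention.
sample_log | flag_unverified
```

After a fresh clone, ``audit_range origin/master~200..origin/master`` with an empty result is the check the list above is describing; any ``B`` line is the case where someone has rewritten history, and any ``U`` or ``E`` line means your keyring, not the repository, is what needs fixing first.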
841 If you are not already someone with an extensive collection of other
842 developers' public keys, then you can jumpstart your keyring by relying
844 delegated trust technologies, namely DNSSEC and TLS, to get you going if
862 accounts. Once you have the above changes in your ``gpg.conf``, you can
863 auto-retrieve the keys for Linus Torvalds and Greg Kroah-Hartman (if you
868 If you have a kernel.org account, then you should `add the kernel.org
886 "the SSH-like approach to trust." With SSH, the first time you connect
888 the key changes in the future, the SSH client will alert you and refuse
889 to connect, forcing you to make a decision on whether you choose to
890 trust the changed key or not. Similarly, the first time you import
894 you will need to manually figure out which one to keep.
896 We recommend that you use the combined TOFU+PGP trust model (which is
905 If you get a "No public key" error when trying to validate someone's
906 tag, then you should attempt to lookup that key using a keyserver. It is
908 key you retrieve from PGP keyservers belongs to the actual person --
915 beings. Here are some shortcuts that will help you reduce the risk of
918 First, let's say you've tried to run ``git verify-tag`` but it returned
938 ``C94035C21B4F2AEB``. Now display the key of Linus Torvalds that you
949 paste the key-id you found via ``gpg --search`` of the unknown key, and
954 If you get a few decent trust paths, then it's a pretty good indication
960 This process is not perfect, and you are obviously trusting the
962 fact, this goes against :ref:`devs_not_infra`). However, if you
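The lookup steps above start from the key ID that ``git verify-tag`` reports as missing and end with a judgement about trust paths. The following is an added example, not code from the kernel PGP guide: it extracts that key ID from the verification output and, once the key has been fetched from a keyserver, looks for a one-hop trust path inside your own keyring (has a key you already mark as ultimately or fully valid signed the unknown key?). This is a local complement to the trust-path lookup the guide describes, and it avoids handing your query to a third-party service. It assumes the GnuPG ``--with-colons`` layout: ``sig`` records carry the verification result in field 2 (``!`` is good) and the signer key ID in field 5; ``pub`` records carry validity in field 2 (``u`` ultimate, ``f`` full) and the key ID in field 5. All key IDs in the sample data are fabricated.

```sh
#!/bin/sh
# Added example (not part of the kernel PGP guide): recover the key ID from a
# failed "git verify-tag", then look for a one-hop trust path inside your own
# keyring: has a key you already trust signed the unknown key? Only works
# after the unknown key has been fetched (gpg --recv-keys <ID>).
# Assumptions: GnuPG --with-colons layout; "sig" records carry the result
# in field 2 ("!" = good) and the signer's key ID in field 5; "pub" records
# carry key validity in field 2 ("u" ultimate, "f" full) and the key ID in field 5.

# missing_keyid < VERIFY_OUTPUT
# gpg prints the signing key ("using RSA key <ID>", older: "key ID <ID>")
# before "Can't check signature: No public key"; print it only for that error.
missing_keyid() {
    awk '
        /using [A-Za-z0-9]+ key/ { id = $NF }
        / key ID [0-9A-F]+/      { id = $NF }
        /No public key/          { missing = 1 }
        END { if (missing && id != "") print id }
    '
}

# good_signers < "gpg --with-colons --check-sigs <ID>" output
# Key IDs whose signature on that key verified, excluding its own self-signatures.
good_signers() {
    awk -F: '
        $1 == "pub" { self = $5 }
        $1 == "sig" && $2 == "!" && $5 != self { print $5 }
    ' | sort -u
}

# trusted_keyids < "gpg --with-colons --list-keys" output
trusted_keyids() {
    awk -F: '$1 == "pub" && ($2 == "u" || $2 == "f") { print $5 }' | sort -u
}

# trust_paths CHECK_SIGS_FILE LIST_KEYS_FILE -> trusted signers of the unknown
# key, one per line; exit 1 when there is none (treat the key as unverified).
trust_paths() {
    tmp=$(mktemp -d) || return 1
    good_signers < "$1" > "$tmp/signers"
    trusted_keyids < "$2" > "$tmp/trusted"
    paths=$(comm -12 "$tmp/signers" "$tmp/trusted")
    rm -rf "$tmp"
    [ -n "$paths" ] || return 1
    printf '%s\n' "$paths"
}

# Constructed sample data (fabricated key IDs) standing in for real gpg output.
sample_verify_output() {
    cat <<'EOF'
gpg: Signature made Thu 28 Sep 2017 09:27:16 AM EDT
gpg:                using RSA key AAAA1111AAAA1111
gpg: Can't check signature: No public key
EOF
}
sample_check_sigs() {
    cat <<'EOF'
pub:-:4096:1:AAAA1111AAAA1111:1500000000:::-:::scESC::::::23::0:
uid:-::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Unknown Dev <unknown@example.org>::::::::::0:
sig:!::1:AAAA1111AAAA1111:1500000000::::Unknown Dev <unknown@example.org>:13x:::::2:
sig:!::1:BBBB2222BBBB2222:1500100000::::Trusted One <one@example.org>:10x:::::2:
sig:-::1:CCCC3333CCCC3333:1500200000::::Bad Sig <bad@example.org>:10x:::::2:
sig:!::1:DDDD4444DDDD4444:1500300000::::Stranger <stranger@example.org>:10x:::::2:
EOF
}
sample_list_keys() {
    cat <<'EOF'
pub:u:4096:1:EEEE5555EEEE5555:1400000000:::u:::scESC::::::23::0:
uid:u::::1400000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Me <me@example.org>::::::::::0:
pub:f:4096:1:BBBB2222BBBB2222:1450000000:::-:::scESC::::::23::0:
uid:f::::1450000000::0000000000000000000000000000000000000001::Trusted One <one@example.org>::::::::::0:
pub:-:4096:1:DDDD4444DDDD4444:1460000000:::-:::scESC::::::23::0:
EOF
}

# Demo on the constructed verify output: prints the missing key ID.
sample_verify_output | missing_keyid
```

In real use the two inputs come from ``gpg --with-colons --check-sigs "$id" > sigs`` and ``gpg --with-colons --list-keys > keys`` after ``gpg --recv-keys "$id"``; an empty ``trust_paths`` result means nobody you trust has vouched for the key, and the caveat above still applies: a signature from a key you trust is evidence about the key's owner, not about the code they signed.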