Lines Matching +full:strong +full:- +full:pull +full:- +full:up
12 Linux Foundation. Please read that document for more in-depth discussion
15 .. _`Protecting Code Integrity`: https://github.com/lfit/itpol/blob/master/protecting-code-integrit…
22 communication channels between developers via PGP-signed email exchange.
26 - Distributed source repositories (git)
27 - Periodic release snapshots (tarballs)
35 - git repositories provide PGP signatures on all tags
36 - tarballs provide detached PGP signatures with all downloads
41 -------------------------------------------
64 ------------
68 release -- many distributions still package both, with the default
71 $ gpg --version | head -n1
77 $ gpg2 --version | head -n1
83 GnuPG. Versions of gnupg-2.1.11 and later should be compatible for the
94 Configure gpg-agent options
102 - ``default-cache-ttl`` (seconds): If you use the same key again before
103 the time-to-live expires, the countdown will reset for another period.
105 - ``max-cache-ttl`` (seconds): Regardless of how recently you've used
106 the key since initial passphrase entry, if the maximum time-to-live
111 edit your ``~/.gnupg/gpg-agent.conf`` file to set your own values::
114 default-cache-ttl 1800
115 max-cache-ttl 7200
119 It is no longer necessary to start gpg-agent manually at the
138 -------------------------
140 A PGP key rarely consists of a single keypair -- usually it is a
145 - **[S]** keys can be used for signing
146 - **[E]** keys can be used for encryption
147 - **[A]** keys can be used for authentication
148 - **[C]** keys can be used for certifying other keys
165 subkey). All subkeys are fully independent -- a message encrypted to
175 - add or revoke other keys (subkeys) with S/E/A capabilities
176 - add, change or revoke identities (uids) associated with the key
177 - add or change the expiration date on itself or any subkey
178 - sign other people's keys for web of trust purposes
182 - One subkey carrying both Certify and Sign capabilities (**[SC]**)
183 - A separate subkey with the Encryption capability (**[E]**)
186 is what you will have. You can verify by running ``gpg --list-secret-keys``,
189 sec rsa2048 2018-01-23 [SC] [expires: 2020-01-23]
192 ssb rsa2048 2018-01-23 [E] [expires: 2020-01-23]
194 The long line under the ``sec`` entry is your key fingerprint --
195 whenever you see ``[fpr]`` in the examples below, that 40-character
198 Ensure your passphrase is strong
199 --------------------------------
207 strong passphrase. To set it or change it, use::
209 $ gpg --change-passphrase [fpr]
212 --------------------------------
218 $ gpg --quick-addkey [fpr] ed25519 sign
236 Back up your Certify key for disaster recovery
237 ----------------------------------------------
252 $ gpg --export-secret-key [fpr] | paperkey -o /tmp/key-backup.txt
258 used to be when you had created the backup -- *guaranteed*.
260 Put the resulting printout and the hand-written passphrase into an envelope
261 and store in a secure and well-protected place, preferably away from your
268 your passphrase, printing out even to "cloud-integrated" modern
271 Back up your whole GnuPG directory
272 ----------------------------------
280 disaster-level preparedness we did with ``paperkey``. You will also rely
281 on these external copies whenever you need to use your Certify key --
287 -- refer to your distro's documentation on how to accomplish this.
292 Once the encryption process is over, re-insert the USB drive and make
296 $ cp -a ~/.gnupg /media/disk/foo/gnupg-backup
300 $ gpg --homedir=/media/disk/foo/gnupg-backup --list-key [fpr]
304 need to use a random USB drive, and put in a safe place -- but not too
310 ----------------------------------------
315 - by accident when making quick homedir copies to set up a new workstation
316 - by systems administrator negligence or malice
317 - via poorly secured backups
318 - via malware in desktop apps (browsers, pdf viewers, etc)
319 - via coercion when crossing international borders
323 shoulder-surfing, or any number of other means. For this reason, the
329 Please see the previous section and make sure you have backed up
335 $ gpg --with-keygrip --list-key [fpr]
339 pub rsa2048 2018-01-24 [SC] [expires: 2020-01-24]
343 sub rsa2048 2018-01-24 [E] [expires: 2020-01-24]
345 sub ed25519 2018-01-24 [S]
352 $ cd ~/.gnupg/private-keys-v1.d
361 $ cd ~/.gnupg/private-keys-v1.d
364 Now, if you issue the ``--list-secret-keys`` command, it will show that
367 $ gpg --list-secret-keys
368 sec# rsa2048 2018-01-24 [SC] [expires: 2020-01-24]
371 ssb rsa2048 2018-01-24 [E] [expires: 2020-01-24]
372 ssb ed25519 2018-01-24 [S]
377 If you don't have the "private-keys-v1.d" directory
380 If you do not have a ``~/.gnupg/private-keys-v1.d`` directory, then your
384 ``secring.gpg`` format to use ``private-keys-v1.d`` instead.
406 --------------------------
414 backup purposes -- while that USB device is plugged in and mounted, the
418 smartcard-capable device.
421 ---------------------------
427 - `Nitrokey Start`_: Open hardware and Free Software, based on FSI
430 resistance to tampering or some side-channel attacks).
431 - `Nitrokey Pro 2`_: Similar to the Nitrokey Start, but more
432 tamper-resistant and offers more security features. Pro 2 supports ECC
434 - `Yubikey 5`_: proprietary hardware and software, but cheaper than
435 Nitrokey Pro and comes available in the USB-C form that is more useful
450 .. _`Nitrokey Start`: https://shop.nitrokey.com/shop/product/nitrokey-start-6
451 .. _`Nitrokey Pro 2`: https://shop.nitrokey.com/shop/product/nkpr2-nitrokey-pro-2-3
452 .. _`Yubikey 5`: https://www.yubico.com/products/yubikey-5-overview/
453 .. _Gnuk: https://www.fsij.org/doc-gnuk/
455 .. _`qualify for a free Nitrokey Start`: https://www.kernel.org/nitrokey-digital-tokens-for-kernel-…
458 -------------------------------
463 $ gpg --card-status
472 there are no convenient command-line switches::
474 $ gpg --card-edit
481 Please make sure to record and store these in a safe place -- especially
502 ----------------------------------
508 $ gpg --edit-key [fpr]
513 created: 2018-01-23 expires: 2020-01-23 usage: SC
516 created: 2018-01-23 expires: never usage: E
518 created: 2017-12-07 expires: never usage: S
523 Using ``--edit-key`` puts us into the menu mode again, and you will
527 First, let's select the key we'll be putting onto the card -- you do
576 If you perform ``--list-secret-keys`` now, you will see a subtle
579 $ gpg --list-secret-keys
580 sec# rsa2048 2018-01-24 [SC] [expires: 2020-01-24]
583 ssb> rsa2048 2018-01-24 [E] [expires: 2020-01-24]
584 ssb> ed25519 2018-01-24 [S]
591 $ cd ~/.gnupg/private-keys-v1.d
592 $ strings *.key | grep 'private-key'
594 The output should contain ``shadowed-private-key`` to indicate that
603 $ echo "Hello world" | gpg --clearsign > /tmp/test.asc
604 $ gpg --verify /tmp/test.asc
607 show "Good signature" after you run ``gpg --verify``.
613 -----------------------------
625 $ export GNUPGHOME=/media/disk/foo/gnupg-backup
626 $ gpg --list-secret-keys
642 $ gpg --quick-set-expire [fpr] 1y
647 $ gpg --quick-set-expire [fpr] 2020-07-01
651 $ gpg --send-key [fpr]
659 $ gpg --export | gpg --homedir ~/.gnupg --import
662 Using gpg-agent over ssh
665 You can forward your gpg-agent over ssh if you need to sign tags or
669 - `Agent Forwarding over SSH`_
681 One of the core features of Git is its decentralized nature -- once a
698 .. _`nothing to do with it`: https://github.com/jayphelps/git-blame-someone-else
701 ---------------------------------
708 $ git config --global user.signingKey [fpr]
713 $ git config --global gpg.program gpg2
714 $ git config --global gpgv.program gpgv2
717 ----------------------------
719 To create a signed tag, simply pass the ``-s`` switch to the tag
722 $ git tag -s [tagname]
731 To verify a signed tag, simply use the ``verify-tag`` command::
733 $ git verify-tag [tagname]
739 $ git pull [url] tags/sometag
768 $ git config --global tag.forceSignAnnotated true
771 -------------------------------
777 upstream, even your own PGP commit signatures will end up discarded. For
792 2. If you ever need to re-clone your local repository (for example,
795 3. If someone needs to cherry-pick your commits, this allows them to
801 To create a signed commit, you just need to pass the ``-S`` flag to the
802 ``git commit`` command (it's capital ``-S`` due to collision with
805 $ git commit -S
812 git config --global commit.gpgSign true
816 Make sure you configure ``gpg-agent`` before you turn this on.
822 -------------------------------
826 (PGP-Mime or PGP-inline) tend to cause problems with regular code
829 headers (a-la DKIM):
831 - `Patatt Patch Attestation`_
844 the git-send-email hook in the repository you want::
846 patatt install-hook
848 Now any patches you send with ``git send-email`` will be automatically
858 $ b4 am 20220720205013.890942-1-broonie@kernel.org
861 ---
865 ---
884 Configure auto-key-retrieval using WKD and DANE
885 -----------------------------------------------
889 on key auto-discovery and auto-retrieval. GnuPG can piggyback on other
896 auto-key-locate wkd,dane,local
897 auto-key-retrieve
899 DNS-Based Authentication of Named Entities ("DANE") is a method for
903 looking up public keys, GnuPG will validate DNSSEC or TLS certificates,
904 respectively, before adding auto-retrieved public keys to your local
909 auto-retrieve the keys for Linus Torvalds and Greg Kroah-Hartman (if you
912 $ gpg --locate-keys torvalds@kernel.org gregkh@kernel.org
920 ------------------------------------------------
932 "the SSH-like approach to trust." With SSH, the first time you connect
944 ``trust-model`` setting in ``~/.gnupg/gpg.conf``::
946 trust-model tofu+pgp
949 --------------------------------------------
953 dark in the past few years. The full documentation for how to set up
956 - `Kernel developer PGP Keyring`_