Lines Matching full:you

66 Your distro should already have GnuPG installed by default, you just
67 need to verify that you are using version 2.x and not the legacy 1.4
73 If you see ``gpg (GnuPG) 1.4.x``, then you are using GnuPG v.1. Try the
74 ``gpg2`` command (if you don't have it, you may need to install the
79 If you see ``gpg (GnuPG) 2.x.x``, then you are good to go. This guide
80 will assume you have the version 2.2 of GnuPG (or later). If you are
82 not work, and you should consider installing the latest 2.2 version of
86 If you have both ``gpg`` and ``gpg2`` commands, you should make sure you
87 are always using GnuPG v2, not the legacy version. You can enforce this
92 You can put that in your ``.bashrc`` to make sure it's always the case.
98 you use the ``gpg`` command and run in the background with the purpose
99 of caching the private key passphrase. There are two options you should
102 - ``default-cache-ttl`` (seconds): If you use the same key again before
105 - ``max-cache-ttl`` (seconds): Regardless of how recently you've used
107 countdown expires, you'll have to enter the passphrase again. The
110 If you find either of these defaults too short (or too long), you can
120 beginning of your shell session. You may want to check your rc files
121 to remove anything you had in place for older versions of GnuPG, as
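The version check and gpg-agent cache settings referred to in the lines above, as an added shell example (not code from the kernel PGP guide): it parses the ``gpg --version`` banner to confirm GnuPG 2.2 or later, and reads ``default-cache-ttl`` / ``max-cache-ttl`` from gpg-agent.conf, falling back to GnuPG's documented defaults of 600 and 7200 seconds when an option is absent. The function names are this example's own, and the banners and config text used to exercise it are constructed.

```bash
#!/bin/sh
# Added example, not part of the kernel PGP guide: checks for the GnuPG
# version and gpg-agent cache settings discussed above. Sample inputs fed
# to these functions are constructed; 600/7200 seconds are GnuPG's
# documented defaults for default-cache-ttl and max-cache-ttl.

# Extract "major.minor" from the first line of `gpg --version` output,
# e.g. "gpg (GnuPG) 2.2.27" -> "2.2". Prints nothing if the banner does
# not look like GnuPG at all.
gnupg_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^gpg (GnuPG) \([0-9]*\.[0-9]*\).*/\1/p'
}

# Succeed only for GnuPG 2.2 or later; legacy 1.4 and 2.0/2.1 fail.
gnupg_is_modern() {
    ver=$(gnupg_version_from_banner "$1")
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 2 ]; }
}

# Print the effective value of a gpg-agent.conf option: $1 is the file
# contents, $2 the option name, $3 GnuPG's default for it. The last
# uncommented occurrence wins; "# ..." lines are ignored.
agent_option() {
    val=$(printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# One line describing both timers, so you can judge whether the cache
# window is too short or too long for your workflow.
agent_cache_summary() {
    def=$(agent_option "$1" default-cache-ttl 600)
    max=$(agent_option "$1" max-cache-ttl 7200)
    printf 'passphrase cached %ss after each use, never longer than %ss total\n' "$def" "$max"
}

# Stand-alone usage against this machine: prefer gpg2 if it exists, as
# the guide recommends, then fall back to gpg.
banner=$(gpg2 --version 2>/dev/null || gpg --version 2>/dev/null || true)
if gnupg_is_modern "$banner"; then
    echo "GnuPG $(gnupg_version_from_banner "$banner") found: good to go"
else
    echo "No GnuPG 2.2+ found; install gnupg2 and alias gpg=gpg2" >&2
fi
conf=$(cat "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf" 2>/dev/null || true)
agent_cache_summary "$conf"
```

If the summary shows the defaults and they do not suit you, add the two options to ``~/.gnupg/gpg-agent.conf`` and restart the agent (``gpgconf --reload gpg-agent``) so the new values take effect.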
129 This guide assumes that you already have a PGP key that you use for Linux
130 kernel development purposes. If you do not yet have one, please see the
134 You should also make a new key if your current one is weaker than 2048
159 1. All subkeys are fully independent from each other. If you lose a
163 with identical capabilities (e.g. you can have 2 valid encryption
167 you may also have.
185 If you used the default parameters when generating your key, then that
186 is what you will have. You can verify by running ``gpg --list-secret-keys``,
195 whenever you see ``[fpr]`` in the examples below, that 40-character
215 so if you only have a combined **[SC]** key, then you should create a
226 compared byte for byte with 2048+ bit RSA keys. Unless you plan on
228 recommend that you create an ECC signing subkey for your kernel
231 Note that if you plan to use a hardware device that does not
232 support ED25519 ECC keys, you should choose "nistp256" instead or
239 The more signatures you have on your PGP key from other developers, the
240 more reasons you have to create a backup version that lives on something
257 that passphrase, and if you ever change it you will not remember what it
258 used to be when you had created the backup -- *guaranteed*.
279 should you need to recover them. This is different from the
280 disaster-level preparedness we did with ``paperkey``. You will also rely
281 on these external copies whenever you need to use your Certify key --
285 Start by getting a small USB "thumb" drive (preferably two!) that you
286 will use for backup purposes. You will need to encrypt them using LUKS
289 For the encryption passphrase, you can use the same one as on your
298 You should now test to make sure everything still works::
302 If you don't get any errors, then you should be good to go. Unmount the
303 USB drive, distinctly label it so you don't blow it away next time you
305 far away, because you'll need to use it every now and again for things
329 Please see the previous section and make sure you have backed up
331 render your key useless if you do not have a usable backup!
358 All you have to do is simply remove the .key file that corresponds to
364 Now, if you issue the ``--list-secret-keys`` command, it will show that
374 You should also remove any ``secring.gpg`` files in the ``~/.gnupg``
377 If you don't have the "private-keys-v1.d" directory
380 If you do not have a ``~/.gnupg/private-keys-v1.d`` directory, then your
386 Once you get that done, make sure to delete the obsolete ``secring.gpg``
411 operating system of the computer into which you plug in the hardware
446 If you are listed in MAINTAINERS or have an account at kernel.org,
447 you `qualify for a free Nitrokey Start`_ courtesy of The Linux
460 Your smartcard device should Just Work (TM) the moment you plug it into
461 any modern Linux workstation. You can verify it by running::
465 If you see full smartcard details, then you are good to go.
467 be working for you is way beyond the scope of this guide. If you are
471 To configure your smartcard, you will need to use the GnuPG menu system, as
480 You should set the user PIN (1), Admin PIN (3), and the Reset Code (4).
482 the Admin PIN and the Reset Code (which allows you to completely wipe
483 the smartcard). You so rarely need to use the Admin PIN, that you will
484 inevitably forget what it is if you do not record it.
486 Getting back to the main card menu, you can also set other values (such
488 additionally leak information about your smartcard should you lose it.
497 Some devices may require that you move the subkeys onto the device
498 before you can change the passphrase. Please check the documentation
505 your subkeys onto the smartcard. You will need both your PGP key
523 Using ``--edit-key`` puts us into the menu mode again, and you will
527 First, let's select the key we'll be putting onto the card -- you do
533 In the output, you should now see ``ssb*`` on the **[E]** key. The ``*``
535 meaning that if you type ``key 1`` again, the ``*`` will disappear and
546 slot. When you submit your selection, you will be prompted first for
561 You can use the **[S]** key both for Signature and Authentication, but
569 Saving the changes will delete the keys you moved to the card from your
576 If you perform ``--list-secret-keys`` now, you will see a subtle
587 available on the smartcard. If you go back into your secret keys
588 directory and look at the contents there, you will notice that the
600 To verify that the smartcard is working as intended, you can create a
607 show "Good signature" after you run ``gpg --verify``.
609 Congratulations, you have successfully made it extremely difficult to
615 Here is a quick reference for some common operations you'll need to do
621 You will need your Certify key for any of the operations below, so you
628 You want to make sure that you see ``sec`` and not ``sec#`` in the
629 output (the ``#`` means the key is not available and you're still using
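An added shell example (not from the kernel PGP guide) for reading the ``--list-secret-keys`` output discussed in the lines above: GnuPG marks a Certify key that is only a stub with ``sec#`` and a subkey that lives on a smartcard with ``ssb>``, so the layout the guide works towards is ``sec#`` plus ``ssb>`` on every subkey. The function names are this example's own, the listings used to exercise it are constructed, and the fingerprint in them is a placeholder.

```bash
#!/bin/sh
# Added example, not part of the kernel PGP guide: reads a
# `gpg --list-secret-keys` listing and reports whether the key layout
# matches what the guide aims for, using the marker GnuPG prints right
# after "sec" and "ssb". Sample listings fed to these functions are
# constructed.
#
#   sec    Certify key present in ~/.gnupg (still on this machine)
#   sec#   Certify key is only a stub; the real key lives offline
#   ssb    subkey present on disk
#   ssb>   subkey is a stub pointing at a smartcard

# Succeed when the Certify (master) key is a stub, i.e. its .key file
# has been removed from the keyring as described above.
certify_key_is_offline() {
    printf '%s\n' "$1" | grep -q '^sec#'
}

# Succeed when there is at least one subkey and every subkey is a
# smartcard stub.
all_subkeys_on_card() {
    n=$(printf '%s\n' "$1" | grep -c '^ssb' || true)
    [ "$n" -gt 0 ] || return 1
    ! printf '%s\n' "$1" | grep '^ssb' | grep -qv '^ssb>'
}

# Print the 40-character fingerprint ([fpr]) of the first key in the
# listing: the value to pass to --edit-key and to git's user.signingKey.
first_fingerprint() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]\{1,\}\([0-9A-F]\{40\}\)[[:space:]]*$/\1/p' | head -n 1
}

# One-word verdict. "offline+card" is the target state from the guide;
# "certify-key-on-disk" means the Certify key is still exposed on this
# machine; "offline-certify-only" means a subkey is still on disk.
key_layout_status() {
    if certify_key_is_offline "$1"; then
        if all_subkeys_on_card "$1"; then
            echo offline+card
        else
            echo offline-certify-only
        fi
    else
        echo certify-key-on-disk
    fi
}

# Stand-alone usage against the local keyring. LC_ALL=C keeps the
# listing in the untranslated form the patterns above expect.
listing=$(LC_ALL=C gpg --list-secret-keys 2>/dev/null || true)
if [ -n "$listing" ]; then
    echo "key $(first_fingerprint "$listing"): $(key_layout_status "$listing")"
else
    echo "no secret keys found (or gpg not installed)" >&2
fi
```

Run this before and after the move-to-offline and move-to-smartcard steps: the verdict should go from ``certify-key-on-disk`` to ``offline+card``. If it stays at ``offline-certify-only``, look for the ``ssb`` line without ``>`` in the listing; that subkey was not transferred.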
644 You can also use a specific date if that is easier to remember (e.g.
656 After you make any changes to your key using the offline storage, you will
665 You can forward your gpg-agent over ssh if you need to sign tags or
671 It works more smoothly if you can modify the sshd server settings on the
682 repository is cloned to your system, you have full history of the
689 line in the commit says it was done by you, while you're pretty sure you
696 impersonate you without having access to your PGP keys.
703 If you only have one secret key in your keyring, then you don't really
705 you happen to have multiple secret keys, you can tell git which key
710 **IMPORTANT**: If you have a distinct ``gpg2`` command, then you should
735 If you are pulling a tag from another fork of the project repository,
736 git should automatically verify the signature at the tip you're pulling
737 and show you the results during the merge operation::
750 If you are verifying someone else's git tag, then you will need to
756 If you get "``gpg: Can't check signature: unknown pubkey
757 algorithm``" error, you need to tell git to use gpgv2 for
764 Chances are, if you're creating an annotated tag, you'll want to sign
765 it. To force git to always sign annotated tags, you can set a global
782 However, if you have your working git tree publicly available at some
784 then the recommendation is that you sign all your git commits even if
792 2. If you ever need to re-clone your local repository (for example,
793 after a disk failure), this lets you easily verify the repository
801 To create a signed commit, you just need to pass the ``-S`` flag to the
810 You can tell git to always sign commits::
816 Make sure you configure ``gpg-agent`` before you turn this on.
827 review tasks, you should use the tool kernel.org created for this
839 first. You can also install it from pypi using "``pip install patatt``".
841 If you already have your PGP key configured with git (via the
843 further configuration. You can start signing your patches by installing
844 the git-send-email hook in the repository you want::
848 Now any patches you send with ``git send-email`` will be automatically
854 If you are using ``b4`` to retrieve and apply patches, then it will
871 Patatt and b4 are still in active development and you should check
887 If you are not already someone with an extensive collection of other
888 developers' public keys, then you can jumpstart your keyring by relying
890 delegated trust technologies, namely DNSSEC and TLS, to get you going if
908 accounts. Once you have the above changes in your ``gpg.conf``, you can
909 auto-retrieve the keys for Linus Torvalds and Greg Kroah-Hartman (if you
914 If you have a kernel.org account, then you should `add the kernel.org
931 mechanism called "Trust on First Use" (TOFU). You can think of TOFU as
932 "the SSH-like approach to trust." With SSH, the first time you connect
934 the key changes in the future, the SSH client will alert you and refuse
935 to connect, forcing you to make a decision on whether you choose to
936 trust the changed key or not. Similarly, the first time you import
940 you will need to manually figure out which one to keep.
942 We recommend that you use the combined TOFU+PGP trust model (which is
958 If you are a kernel developer, please consider submitting your key for