Project:Gentoo-keys/Spec-check

spec-check is a sub-command passed to the gkeys command to compare OpenPGP keys to the chosen specification and identify problems (if any) that need to be corrected in order to consider the keys compliant with GLEP 63.

Fetching the seed file
Before checking the keys, make sure the seed file has been installed. To do this, execute the following commands as root:

After the fetch finishes, run the following command:

This should output a long list of metadata for each Gentoo Developer and their associated OpenPGP keys. It will proceed to download each key from a keyserver; the process can take a while (about ten minutes).

Checking keys
Keys can be checked using the following command:

There are other options (accessible with ), but the above command is what is needed to check an individual developer's gpg key.

If a key passes the check the output should look similar to the following:

{{Cmd|gkeys spec-check -C gentoo -n gkeys|output=

Checking keys...

gkeys, Gentoo-Linux Gentoo-keys Project Signing Key: 0x825533CBF6CD6C97
==================================
--
Fingerprint......: D2DE1DBBA0F43EBA341B97D8825533CBF6CD6C97
Key type ........: PUB   Capabilities.: cSC
Algorithm........: Pass  Bit Length...: Pass
Create Date......: Pass  Expire Date..: Pass
Key Version......: Pass  Validity.....: -, Unknown
Days till expiry.: 855
Capability.......: Pass
Qualified ID.....: Pass
This primary key.: Pass
--
Fingerprint......: C287167569B3C1F9E9CED677A41DBBD9151C3FC7
Key type ........: SUB   Capabilities.: s  sign
Algorithm........: Pass  Bit Length...: Pass
Create Date......: Pass  Expire Date..: Pass
Key Version......: Pass  Validity.....: -, Unknown
Days till expiry.: 855
Capability.......: Pass
Qualified ID.....: Pass
This subkey......: Pass

Key summary
primary..........: Pass        signing subkey: Pass
encryption subkey: No   authentication subkey: No
SPEC requirements: Pass

No Encryption capable subkey (Notice only): Gentoo-Linux Gentoo-keys Project Signing Key : D2DE1DBBA0F43EBA341B97D8825533CBF6CD6C97

SPEC Approved: Gentoo-Linux Gentoo-keys Project Signing Key : D2DE1DBBA0F43EBA341B97D8825533CBF6CD6C97

Gkey task results:
Found Failures:
---
Revoked................: 0
Invalid................: 0
No Signing subkey......: 0
No Encryption subkey...: 1
Algorithm..............: 0
Bit length.............: 0
Expiry.................: 0
Expiry Warnings........: 0
SPEC requirements......: 0
=============================
SPEC Approved..........: 1
}}

Notice the  field in the last line of the output says.

All spec requirements show a Pass/Fail grade, while non-spec check indicators show Yes/No and are for user information only. That is why, even though the failures summary shows the lack of an encryption sub-key, the key still passes the spec.
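
The distinction between spec failures and notice-only counters can be applied mechanically when spec-check output is reviewed in bulk. The following is an added example, not part of gkeys or of the original page: it parses the "Gkey task results" summary, assuming one counter per line, and the names `parse_summary`, `evaluate` and `NOTICE_ONLY` are hypothetical.

```python
import re

# The page marks this counter "Notice only": informational, not a spec failure.
NOTICE_ONLY = {"No Encryption subkey"}
# "Bit length.............: 0" -> ("Bit length", 0); the dots are padding.
_COUNTER = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\.+:\s*(\d+)\s*$")

def parse_summary(output):
    """Return the counters printed after 'Gkey task results:' as a dict."""
    counters, in_summary = {}, False
    for line in output.splitlines():
        if line.strip().startswith("Gkey task results"):
            in_summary = True
        elif in_summary and (m := _COUNTER.match(line)):
            counters[m.group(1)] = int(m.group(2))
    return counters

def evaluate(output):
    """Split the summary into a verdict, notices and findings to review."""
    c = parse_summary(output)
    if "SPEC requirements" not in c or "SPEC Approved" not in c:
        raise ValueError("no spec-check summary found in output")
    nonzero = {k: v for k, v in c.items() if v and k != "SPEC Approved"}
    return {
        # Assumption: compliant means no spec failures and at least one approved key.
        "compliant": c["SPEC requirements"] == 0 and c["SPEC Approved"] > 0,
        "notices": {k: v for k, v in nonzero.items() if k in NOTICE_ONLY},
        "findings": {k: v for k, v in nonzero.items() if k not in NOTICE_ONLY},
    }

# Summary block copied from the spec-check output shown on this page.
SAMPLE = """\
Gkey task results:
Found Failures:
---
Revoked................: 0
Invalid................: 0
No Signing subkey......: 0
No Encryption subkey...: 1
Algorithm..............: 0
Bit length.............: 0
Expiry.................: 0
Expiry Warnings........: 0
SPEC requirements......: 0
=============================
SPEC Approved..........: 1
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

For the sample above, the missing encryption subkey is reported under `notices` and the verdict remains compliant, matching the page's reading of the output.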