Project:Gentoo-keys

From Gentoo Wiki
Jump to: navigation, search
Gentoo Keys
Description Gentoo Keys is a Python based project that aims to manage the OpenPGP keys

used for validation on users and Gentoo's infrastructure servers.

Email gkeys@gentoo.org
IRC Channel #gentoo-keys
Lead(s)
Members
Parent Project Gentoo Linux
Subprojects (none)
Project listing

Gentoo-keys

is a project to manage, update, validate gentoo developer and release keys used for gentoo projects and released media as well as validate them.

Gentoo-keys is a python based project that will wrap the pyGPG python interface libs to gnupg's gpg command. It's main focus is to manage the installation of the required gpg keys used for gentoo's release media. Such media would include installation cd's and liveDVD's, and other gpg-signed documents such as layman's repositories.xml list. It will likely also be used on gentoo's infra servers for tasks related to the gentoo ebuild tree migration to git. It will be used as part of the gpg-signed git commits validation. As such will have functions dedicated to authenticating commits made by developers.

Contributing Members

Memeber Nick Role
Douglas Freed dwfreed Draftee
Merlijn Wajer Wizzup Member


Other members, contributors, beta testers are welcome.
Please Contact the team lead.


Recruitment

We are currently looking for users interested in helping the project with these jobs:
TitleDescriptionRequirementsContact
Members, DevelopersGentoo-keys is a management application to handle all aspects of gpg key handling and verification within the gentoo environment.Good python skills and or gpg key creation, verification knowledgedolsen@gentoo.org

Sub-project packages

Name Pacakge Desription Homepage
SSL-Fetch dev-python/ssl-fetch Breakout python lib to securely fetch files click-me
pyGPG dev-python/pyGPG Python interface lib to wrap gpg in subprocess calls.

It also mines all data available from colon-listings and stderr messaging.

click-me

Use the source Luke

While most linux distributions distribute a complete binary keyring for their authenticating. It is generaly not the Gentoo way. Binary files do not play well with utilities like etc-update and dispatch-config. Also one system/user might need only a few keys, another might need a full set of developer keys + the release media keys. So to that end, gentoo-keys, aims to distribute it's utility app "gkeys" which will be used to import the desired gpg keys into the appropriate keyrings from information contained in "seed" files. The seed files will contain information like name, keyid, longkey-id, fingerprint. From that information, it will run gpg to import the key from a keyserver and validate that the key matches the expected fingerprint from the seed. It will have options to add, delete, update keys. It will have library classes, functions to be used in other python based apps like layman to validate a gpg signed repositories.xml list. Another is the git commit hooks that will be used to validate developer commits to a new git based ebuild tree.

TODO

  • Extend pyGPG's data mining functions to parse stdout output for gpg --list-key, --list-keys since gpg does not output any info to it's --status-fd which is normally used for data gathering by pyGPG. This is needed as part of the key import and validation functions of gkeys.
  1. Create the legend.py namedtuple classes to match the data records output using "gpg --fixed-list-mode --with-colons" Done.
  2. Add the appropriate function to run list-key, list-keys
  • Add to gkeys the functions, cli options for initial import and creation of the seeds after verifying the import is correct. In progress
  • Add binary keyring import and update support.
  • Complete coding the task specific functions for installing, deleting, updating keys
  • Code the download and verification of the seed files. Started, created a new, separate lib from the work in layman and mirrorselect for secure downloads. ssl-fetch
  • Code task specific functions for validating different types of media
  1. Release media: installation cd's, liveDVD's, ...
  2. git commit validation hook functions
  • Add gpg key creation and update functionality, following the gentoo recommended settings.
  1. make the recommended settings configurable/override-able.
  2. add creation function -- in progress, can only create the primary and one subkey, a gentoo specific key must be added interactivley in gnupg as well as secondary uid's email addresses.
  3. add update function -- looks like this function is only available interactively in gnupg

Instructions and project Sub-pages

Generating GLEP 63 based OpenPGP keys

Spec-check failure report explanations and help

Gkeys Help

Links

Gentoo Keys project @ git.gentoo.org

pyGPG Project @ Github