Project:Infrastructure/Authority Keys

From Gentoo Wiki

OpenPGP Authority Keys provide a secure and convenient method of validating the OpenPGP keys used by Gentoo developers. The service automatically signs the @gentoo.org user IDs of developer keys, providing full compatibility with the Web of Trust model. Note that such a signature confirms only that the owner of the @gentoo.org e-mail address listed that particular key; in particular, real names are not verified.

Note
At the moment, Authority Keys and their signatures are published only on the experimental Gentoo keyserver (keys.gentoo.org).

Recommended usage

First, fetch the relevant Authority Keys:

user $gpg --locate-key openpgp-auth+{l1,l2-dev,l2-srv}@gentoo.org
gpg: key 55D3238EC050396E: public key "Gentoo Authority Key L2 for Services <openpgp-auth+l2-srv@gentoo.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
gpg: key 30D132FF0FF50EEB: public key "Gentoo Authority Key L2 for Developers <openpgp-auth+l2-dev@gentoo.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
gpg: key 2839FE0D796198B1: public key "Gentoo Authority Key L1 <openpgp-auth+l1@gentoo.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
pub   rsa2048 2019-04-01 [C] [expires: 2020-01-01]
      18F703D702B1B9591373148C55D3238EC050396E
uid           [ unknown] Gentoo Authority Key L2 for Services <openpgp-auth+l2-srv@gentoo.org>

pub   rsa2048 2019-04-01 [C] [expires: 2020-01-01]
      2C13823B8237310FA213034930D132FF0FF50EEB
uid           [ unknown] Gentoo Authority Key L2 for Developers <openpgp-auth+l2-dev@gentoo.org>

pub   rsa2048 2019-04-01 [C] [expires: 2020-01-01]
      ABD00913019D6354BA1D9A132839FE0D796198B1
uid           [ unknown] Gentoo Authority Key L1 <openpgp-auth+l1@gentoo.org>

Verify the authenticity of the L1 key. Preferably do this via the OpenPGP WoT. If your WoT does not cover the key, compare its fingerprint against the one published on the www.gentoo.org signatures page.

Once you have verified the L1 key, issue a local trust signature on it with your own key, using full trust, depth=2 and domain=gentoo.org:

user $gpg --edit-key openpgp-auth+l1@gentoo.org
gpg (GnuPG) 2.2.15; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  rsa2048/2839FE0D796198B1
     created: 2019-04-01  expires: 2020-01-01  usage: C   
     trust: unknown       validity: unknown
[ unknown] (1). Gentoo Authority Key L1 <openpgp-auth+l1@gentoo.org>
gpg> ltsign

pub  rsa2048/2839FE0D796198B1
     created: 2019-04-01  expires: 2020-01-01  usage: C   
     trust: unknown       validity: unknown
 Primary key fingerprint: ABD0 0913 019D 6354 BA1D  9A13 2839 FE0D 7961 98B1

     Gentoo Authority Key L1 <openpgp-auth+l1@gentoo.org>

This key is due to expire on 2020-01-01.
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I trust marginally
  2 = I trust fully
Your selection? 2
Please enter the depth of this trust signature.
A depth greater than 1 allows the key you are signing to make
trust signatures on your behalf.
Your selection? 2
Please enter a domain to restrict this signature, or enter for none.
Your selection? gentoo.org
Are you sure that you want to sign this key with your
key "Test User <test@example.com>" (6F7956DC2AA76EA3)

The signature will be marked as non-exportable.
Really sign? (y/N) y
gpg> save

From now on, every @gentoo.org UID that carries a signature from one of the L2 keys will be considered fully valid. UIDs outside gentoo.org are not affected by this trust signature, even if an L2 key happens to sign them.

If you haven't refreshed your keys recently, refresh them now to fetch the new signatures:

user $gpg --keyserver hkps://keys.gentoo.org --refresh-keys

Other usage options

You can choose between using:

  • a trust signature on L1 key, and
  • regular signatures on L2 keys.

A trust signature on the L1 key (as suggested above) works recursively. That is, a trust signature with depth=2, domain=gentoo.org on the L1 key honours the depth=1, domain=gentoo.org trust signatures that the L1 key issues on the L2 keys, and consequently also honours the regular signatures that those L2 keys make on gentoo.org UIDs. In practice this means that after verifying the L1 key once, the whole system keeps working even if we rotate the L2 keys.

A regular signature combined with an appropriate ownertrust value (or a trust signature with depth=1) covers only the signatures made directly by that particular key. For the system to work you therefore need to sign the L2 keys directly, and if we rotate the L2 keys, the developer keys lose their validity until you have verified and signed the new L2 keys.
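The recommended procedure above and the depth/domain behaviour described in the two preceding paragraphs, as an added example that is not part of this wiki page or of Gentoo's infrastructure code. The script builds a toy Authority-Key hierarchy in a temporary "Gentoo-side" GNUPGHOME, then plays the user's side: import the keys (instead of fetching them from keys.gentoo.org), check the L1 fingerprint against a pinned value, ltsign L1 with depth=2 and domain=gentoo.org, and read back which UIDs gpg now considers valid. It then rotates L2 to show that the trust signature on L1 survives. All key names and addresses (demo-l1@gentoo.org, demo-dev@example.org, and so on) are made up for the demo; it assumes GnuPG 2.2 or newer and awk, and never contacts a keyserver.

```shell
#!/bin/sh
# Added example, not a script from the Gentoo wiki or the Gentoo infrastructure.
# Builds a toy Authority-Key hierarchy in a temporary "Gentoo-side" GNUPGHOME,
# then plays the user's side from the page: import the keys, verify the L1
# fingerprint, ltsign L1 with depth=2 / domain=gentoo.org, read back validity,
# and finally rotate L2 to show the trust signature on L1 keeps working.
# All key names and addresses are made up; no keyserver is contacted.
# Needs GnuPG 2.2+ and awk.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not found, skipping demo" >&2; exit 0; }

AUTH_HOME=$(mktemp -d)   # stands in for Gentoo's key-signing service
USER_HOME=$(mktemp -d)   # stands in for your own ~/.gnupg
cleanup() {
    for h in "$AUTH_HOME" "$USER_HOME"; do
        GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true
        rm -rf "$h"
    done
}
trap cleanup EXIT

# Non-interactive gpg inside a given GNUPGHOME (demo keys carry no passphrase).
g() { _h=$1; shift; GNUPGHOME=$_h gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
gen() { g "$1" --quick-generate-key "$2" ed25519 default never >/dev/null 2>&1; }
fpr_of() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }

# Drive the tsign/ltsign dialogue shown on the page through --command-fd.
# Answers: trust level (2 = full), depth, domain, "y" to really sign, save.
trust_sign() {   # trust_sign HOME SIGNER SIGNEE tsign|ltsign DEPTH DOMAIN
    printf '%s\n2\n%s\n%s\ny\nsave\n' "$4" "$5" "$6" |
        g "$1" --command-fd 0 --local-user "$2" --edit-key "$3" >/dev/null
}

# Validity letter of one UID as gpg computes it (f = full; anything else = not valid).
uid_validity() {   # uid_validity HOME KEY UID-SUBSTRING
    g "$1" --with-colons --list-keys "$2" |
        awk -F: -v u="$3" '$1=="uid" && index($10, u) { print $2; exit }'
}

# --- Gentoo side (constructed): L1 -tsign depth=1,gentoo.org-> L2 -sign-> developer
gen "$AUTH_HOME" "Demo Authority Key L1 <demo-l1@gentoo.org>"
gen "$AUTH_HOME" "Demo Authority Key L2 for Developers <demo-l2-dev@gentoo.org>"
gen "$AUTH_HOME" "Demo Developer <demo-dev@gentoo.org>"
L1=$(fpr_of "$AUTH_HOME" demo-l1@gentoo.org)
L2=$(fpr_of "$AUTH_HOME" demo-l2-dev@gentoo.org)
DEV=$(fpr_of "$AUTH_HOME" demo-dev@gentoo.org)
# A non-@gentoo.org UID that L2 signs too: the domain restriction must leave it invalid.
g "$AUTH_HOME" --quick-add-uid "$DEV" "Demo Developer <demo-dev@example.org>"
trust_sign "$AUTH_HOME" "$L1" "$L2" tsign 1 gentoo.org
g "$AUTH_HOME" --local-user "$L2" --quick-sign-key "$DEV"
g "$AUTH_HOME" --export --armor "$L1" "$L2" "$DEV" >"$AUTH_HOME/published.asc"

# --- User side: own (ultimately trusted) key, then import what a keyserver would serve.
gen "$USER_HOME" "Test User <test@example.com>"
ME=$(fpr_of "$USER_HOME" test@example.com)
g "$USER_HOME" --import "$AUTH_HOME/published.asc" 2>/dev/null

# Pinned L1 fingerprint obtained out of band (WoT or the www.gentoo.org signatures page
# in real life; here copied from the demo's Gentoo side). Refuse to sign on mismatch.
EXPECTED_L1_FPR=$L1
verify_l1() {
    _actual=$(fpr_of "$USER_HOME" demo-l1@gentoo.org)
    [ "$_actual" = "$EXPECTED_L1_FPR" ] || { echo "L1 fingerprint mismatch: $_actual" >&2; return 1; }
}
verify_l1

# The page's recommended step: local trust signature, full, depth=2, domain=gentoo.org.
trust_sign "$USER_HOME" "$ME" "$L1" ltsign 2 gentoo.org
g "$USER_HOME" --check-trustdb >/dev/null 2>&1
echo "L2 UID:                $(uid_validity "$USER_HOME" "$L2" demo-l2-dev@gentoo.org)"   # f
echo "developer gentoo.org:  $(uid_validity "$USER_HOME" "$DEV" demo-dev@gentoo.org)"     # f
echo "developer example.org: $(uid_validity "$USER_HOME" "$DEV" demo-dev@example.org)"    # not f

# --- L2 rotation: a new L2 certified by L1, and a developer key it signs, become valid
# after a plain key refresh (here: a second import). L1 is not touched again.
gen "$AUTH_HOME" "Demo Authority Key L2 rotated <demo-l2-dev-2@gentoo.org>"
gen "$AUTH_HOME" "Demo Developer Two <demo-dev2@gentoo.org>"
L2B=$(fpr_of "$AUTH_HOME" demo-l2-dev-2@gentoo.org)
DEV2=$(fpr_of "$AUTH_HOME" demo-dev2@gentoo.org)
trust_sign "$AUTH_HOME" "$L1" "$L2B" tsign 1 gentoo.org
g "$AUTH_HOME" --local-user "$L2B" --quick-sign-key "$DEV2"
g "$AUTH_HOME" --export --armor "$L2B" "$DEV2" | g "$USER_HOME" --import 2>/dev/null
g "$USER_HOME" --check-trustdb >/dev/null 2>&1
echo "after L2 rotation:     $(uid_validity "$USER_HOME" "$DEV2" demo-dev2@gentoo.org)"   # f
```

The fingerprint comparison before the ltsign is the step that carries the security of the whole scheme: with a local signature of depth 2 and full trust, whatever key you sign there can make any @gentoo.org UID in your keyring valid, so the value in `EXPECTED_L1_FPR` must come from the WoT or the signatures page, never from the key material you just downloaded. The example.org UID stays invalid even though L2 signed it, which is what the domain=gentoo.org restriction is for, and the rotated L2 needs no action on the user's side beyond the refresh.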

Furthermore, you can choose between using exportable and local (non-exportable) signatures.

Exportable signatures are uploaded along with the key to the keyservers (provided that you use --send-keys). They take part in building the WoT: anyone who trusts you to verify keys can use your signature to verify the authenticity of the Authority Keys. Uploading exportable signatures therefore helps others verify the Authority Keys without having to resort to directly trusting TLS certificates.

Local signatures are only stored on your computer. Therefore, they affect the validity in your OpenPGP client but nowhere else. Use this if you don't feel like certifying the authenticity of our keys to others.

The following table summarizes commands used to establish different kinds of signatures:

Signature kind      Exportable   Local    Notes
Trust signature     tsign        ltsign   on the L1 key, depth=2, domain=gentoo.org
Regular signature   sign         lsign    on the L2 keys