Project:Infrastructure/Authority Keys
OpenPGP Authority Keys provide a secure and convenient method of validating the OpenPGP keys used by Gentoo developers. The service automatically signs the @gentoo.org user identifiers of developer keys, so the result is fully compatible with the Web of Trust model. Note that such a signature confirms only that the key was listed by the owner of the corresponding @gentoo.org e-mail address; in particular, real names are not verified.
At the moment, Authority Keys and their signatures are published only on the experimental Gentoo keyserver (keys.gentoo.org).
Recommended usage
First, fetch the relevant Authority Keys:
user $
gpg --locate-key openpgp-auth+{l1,l2-dev,l2-srv}@gentoo.org
gpg: key 55D3238EC050396E: public key "Gentoo Authority Key L2 for Services <openpgp-auth+l2-srv@gentoo.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
gpg: key 30D132FF0FF50EEB: public key "Gentoo Authority Key L2 for Developers <openpgp-auth+l2-dev@gentoo.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: no ultimately trusted keys found
gpg: key 2839FE0D796198B1: public key "Gentoo Authority Key L1 <openpgp-auth+l1@gentoo.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
pub   rsa2048 2019-04-01 [C] [expires: 2020-01-01]
      18F703D702B1B9591373148C55D3238EC050396E
uid           [ unknown] Gentoo Authority Key L2 for Services <openpgp-auth+l2-srv@gentoo.org>
pub   rsa2048 2019-04-01 [C] [expires: 2020-01-01]
      2C13823B8237310FA213034930D132FF0FF50EEB
uid           [ unknown] Gentoo Authority Key L2 for Developers <openpgp-auth+l2-dev@gentoo.org>
pub   rsa2048 2019-04-01 [C] [expires: 2020-01-01]
      ABD00913019D6354BA1D9A132839FE0D796198B1
uid           [ unknown] Gentoo Authority Key L1 <openpgp-auth+l1@gentoo.org>
Verify the authenticity of the L1 key. Preferably do this via the OpenPGP Web of Trust. If your WoT does not cover the key, compare its full fingerprint against the one listed on the www.gentoo.org signatures page (do not rely on the short key ID alone).
Once you have verified the L1 key, issue a local trust signature with depth=2 and domain=gentoo.org:
user $
gpg --edit-key openpgp-auth+l1@gentoo.org
gpg (GnuPG) 2.2.15; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  rsa2048/2839FE0D796198B1
     created: 2019-04-01  expires: 2020-01-01  usage: C
     trust: unknown       validity: unknown
[ unknown] (1). Gentoo Authority Key L1 <openpgp-auth+l1@gentoo.org>
gpg>
ltsign
pub  rsa2048/2839FE0D796198B1
     created: 2019-04-01  expires: 2020-01-01  usage: C
     trust: unknown       validity: unknown
 Primary key fingerprint: ABD0 0913 019D 6354 BA1D 9A13 2839 FE0D 7961 98B1

     Gentoo Authority Key L1 <openpgp-auth+l1@gentoo.org>

This key is due to expire on 2020-01-01.
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I trust marginally
  2 = I trust fully
Your selection?
2
Please enter the depth of this trust signature. A depth greater than 1 allows the key you are signing to make trust signatures on your behalf.
Your selection?
2
Please enter a domain to restrict this signature, or enter for none.
Your selection?
gentoo.org
Are you sure that you want to sign this key with your
key "Test User <test@example.com>" (6F7956DC2AA76EA3)

The signature will be marked as non-exportable.
Really sign? (y/N)
y
gpg>
save
From now on, all @gentoo.org UIDs signed by the L2 keys will be considered fully valid (the domain restriction means signatures the L2 keys make on UIDs outside gentoo.org carry no weight).
If you haven't refreshed keys recently, refresh them now to fetch the new signatures:
user $
gpg --keyserver hkps://keys.gentoo.org --refresh-keys @gentoo.org
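The same procedure as an unattended script, added here as an illustration rather than taken from the Gentoo page or project. It assumes GnuPG 2.2+, that `--edit-key ... ltsign` asks its questions in the order shown in the transcript above (trust level, depth, domain, confirmation), and that the expected L1 fingerprint (the one printed in the transcript) has been checked against the www.gentoo.org signatures page before the script is run; the fingerprint comparison is done in the script so a keyserver that served a different key aborts the run instead of getting signed. The helper functions are pure and work on `--with-colons` output, so they can be tested without a keyring.

```shell
#!/bin/sh
# Added example, not Gentoo's own tooling. Assumes gpg 2.2+ in PATH and that
# L1_FPR_EXPECTED was taken from the www.gentoo.org signatures page.
set -eu

L1_FPR_EXPECTED="ABD00913019D6354BA1D9A132839FE0D796198B1"
AUTH_UIDS="openpgp-auth+l1@gentoo.org openpgp-auth+l2-dev@gentoo.org openpgp-auth+l2-srv@gentoo.org"

# Normalize a fingerprint for comparison: strip the spaces gpg prints, upper-case.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# 0 if fingerprint $1 (any spacing/case) equals $2, 1 otherwise.
fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Primary fingerprint from `gpg --with-colons --list-keys` output on stdin:
# the first "fpr" record belongs to the primary key, field 10 is the fingerprint.
first_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Answers for `gpg --command-fd 0 --edit-key KEY ltsign`, in prompt order:
# trust level (2 = full), depth (2), domain ($1), "Really sign?" (y), save.
ltsign_answers() {
    printf '2\n2\n%s\ny\nsave\n' "$1"
}

# Validity of every @gentoo.org uid in colon output on stdin. In a "uid" record
# field 2 is the validity (f=full, m=marginal, u=ultimate, -=unknown) and
# field 10 is the user ID; "f" is what the ltsign above should produce.
gentoo_uid_validity() {
    awk -F: '$1 == "uid" && $10 ~ /@gentoo\.org>/ { print $2, $10 }'
}

main() {
    # 1. Fetch the Authority Keys (word splitting of AUTH_UIDS is intended).
    gpg --locate-key $AUTH_UIDS >/dev/null

    # 2. Refuse to sign anything but the fingerprint verified out of band.
    actual=$(gpg --with-colons --list-keys openpgp-auth+l1@gentoo.org | first_fpr)
    if ! fpr_matches "$actual" "$L1_FPR_EXPECTED"; then
        echo "L1 fingerprint mismatch: got $actual" >&2
        exit 1
    fi

    # 3. Local trust signature, depth=2, domain=gentoo.org, driven over --command-fd.
    ltsign_answers gentoo.org |
        gpg --command-fd 0 --status-fd 2 --edit-key "$L1_FPR_EXPECTED" ltsign

    # 4. Pull in the L1->L2 and L2->developer signatures, recompute validity, report.
    gpg --keyserver hkps://keys.gentoo.org --refresh-keys @gentoo.org
    gpg --check-trustdb
    gpg --with-colons --list-keys | gentoo_uid_validity
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh authority-keys.sh --run`; without the flag it only defines the helpers. The last line of output should show `f` for every @gentoo.org UID that carries an L2 signature, and `-` for any that does not, which is the quickest way to confirm the trust signature took effect.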
Other usage options
You can choose between using:
- a trust signature on L1 key, and
- regular signatures on L2 keys.
A trust signature (as suggested above) issued on the L1 key works recursively. That is, if you issue a trust signature with depth=2, domain=gentoo.org on the L1 key, GnuPG will honour the depth=1, domain=gentoo.org trust signatures that the L1 key has issued on the L2 keys, and in turn the regular signatures those L2 keys make on gentoo.org UIDs. Practically, this means that after verifying the L1 key once, the whole system keeps working even if we rotate the L2 keys.
A regular signature combined with an appropriate owner-trust value (or a trust signature with depth=1) covers only signatures made directly by that particular key. For the system to work this way, you need to sign the L2 keys directly. If we need to rotate the L2 keys, developer keys will lose their validity until you verify the new L2 keys and sign them.
Furthermore, you can choose between using exportable and local (non-exportable) signatures.
Exportable signatures are uploaded along with the key to the keyservers (provided that you use --send-keys). They take part in building the WoT: anyone who trusts you to verify keys may rely on your signature to verify the authenticity of the Authority Keys. Uploading exportable signatures therefore helps others verify the Authority Keys without having to fall back on trusting the TLS certificates of the keyserver or website.
Local signatures are stored only on your computer, so they affect validity in your OpenPGP client but nowhere else. Use them if you do not want to certify the authenticity of our keys to others.
The following table summarizes commands used to establish different kinds of signatures:
| | Exportable signature | Local signature | Notes |
|---|---|---|---|
| Trust signature | tsign | ltsign | on L1 key, depth=2, domain=gentoo.org |
| Regular signature | sign | lsign | on L2 keys |