Commit 7d61aa2c authored by Konstantin Ryabitsev, committed by Jonathan Corbet

maintainer-pgp-guide: remove keyserver instructions

Keyservers are largely a thing of the past with the replacement systems
like keys.openpgp.net specifically designed to offer no support for the
web of trust. Remove all sections that talk about keyservers and add a
small section with the link to kernel.org documentation that talks about
using the kernel.org public key repository.
Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Link: https://lore.kernel.org/r/20220727-docs-pgp-guide-v2-2-e3e6954affb6@linuxfoundation.org
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
parent 97024e15
...@@ -121,18 +121,6 @@ edit your ``~/.gnupg/gpg-agent.conf`` file to set your own values:: ...@@ -121,18 +121,6 @@ edit your ``~/.gnupg/gpg-agent.conf`` file to set your own values::
to remove anything you had in place for older versions of GnuPG, as to remove anything you had in place for older versions of GnuPG, as
it may not be doing the right thing any more. it may not be doing the right thing any more.
Set up a refresh cronjob
~~~~~~~~~~~~~~~~~~~~~~~~
You will need to regularly refresh your keyring in order to get the
latest changes on other people's public keys, which is best done with a
daily cronjob::
@daily /usr/bin/gpg2 --refresh >/dev/null 2>&1
Check the full path to your ``gpg`` or ``gpg2`` command and use the
``gpg2`` command if regular ``gpg`` for you is the legacy GnuPG v.1.
.. _protect_your_key: .. _protect_your_key:
Protect your PGP key Protect your PGP key
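Review bot: deleting the "Set up a refresh cronjob" section removes the guide's only advice on how a reader picks up key expirations, revocations and newly added subkeys, which the daily ``gpg2 --refresh`` job used to provide, and nothing in this hunk replaces it. Since the patch later adds a section pointing readers at the kernel.org keyring repository, consider adding one sentence there stating that periodically pulling that repository (and re-importing its keys) now fills the role of the old refresh job, so the refresh guidance is relocated rather than silently dropped.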
...@@ -229,11 +217,6 @@ separate signing subkey:: ...@@ -229,11 +217,6 @@ separate signing subkey::
$ gpg --quick-addkey [fpr] ed25519 sign $ gpg --quick-addkey [fpr] ed25519 sign
Remember to tell the keyservers about this change, so others can pull down
your new subkey::
$ gpg --send-key [fpr]
.. note:: ECC support in GnuPG .. note:: ECC support in GnuPG
GnuPG 2.1 and later has full support for Elliptic Curve GnuPG 2.1 and later has full support for Elliptic Curve
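Review bot: removing the ``gpg --send-key [fpr]`` reminder after ``gpg --quick-addkey [fpr] ed25519 sign`` leaves the subkey-creation step with no instruction to publish the updated key, so other developers will still be unable to verify signatures made with the new signing subkey. Rather than dropping the paragraph outright, replace it with a pointer to the kernel.org keyring introduced later in this patch, for example "Remember to submit your updated key to the kernel.org keyring (see Using the kernel.org web of trust repository), so others can pull down your new subkey".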
...@@ -907,65 +890,17 @@ the new default in GnuPG v2). To set it, add (or modify) the ...@@ -907,65 +890,17 @@ the new default in GnuPG v2). To set it, add (or modify) the
trust-model tofu+pgp trust-model tofu+pgp
How to use keyservers (more) safely Using the kernel.org web of trust repository
----------------------------------- --------------------------------------------
If you get a "No public key" error when trying to validate someone's Kernel.org maintains a git repository with developers' public keys as a
tag, then you should attempt to lookup that key using a keyserver. It is replacement for replicating keyserver networks that have gone mostly
important to keep in mind that there is absolutely no guarantee that the dark in the past few years. The full documentation for how to set up
key you retrieve from PGP keyservers belongs to the actual person -- that repository as your source of public keys can be found here:
that much is by design. You are supposed to use the Web of Trust to
establish key validity. - `Kernel developer PGP Keyring`_
How to properly maintain the Web of Trust is beyond the scope of this If you are a kernel developer, please consider submitting your key for
document, simply because doing it properly requires both effort and inclusion into that keyring.
dedication that tends to be beyond the caring threshold of most human
beings. Here are some shortcuts that will help you reduce the risk of .. _`Kernel developer PGP Keyring`: https://korg.docs.kernel.org/pgpkeys.html
importing a malicious key.
First, let's say you've tried to run ``git verify-tag`` but it returned
an error saying the key is not found::
$ git verify-tag sunxi-fixes-for-4.15-2
gpg: Signature made Sun 07 Jan 2018 10:51:55 PM EST
gpg: using RSA key DA73759BF8619E484E5A3B47389A54219C0F2430
gpg: issuer "wens@...org"
gpg: Can't check signature: No public key
Let's query the keyserver for more info about that key fingerprint (the
fingerprint probably belongs to a subkey, so we can't use it directly
without finding out the ID of the master key it is associated with)::
$ gpg --search DA73759BF8619E484E5A3B47389A54219C0F2430
gpg: data source: hkp://keys.gnupg.net
(1) Chen-Yu Tsai <wens@...org>
4096 bit RSA key C94035C21B4F2AEB, created: 2017-03-14, expires: 2019-03-15
Keys 1-1 of 1 for "DA73759BF8619E484E5A3B47389A54219C0F2430". Enter number(s), N)ext, or Q)uit > q
Locate the ID of the master key in the output, in our example
``C94035C21B4F2AEB``. Now display the key of Linus Torvalds that you
have on your keyring::
$ gpg --list-key torvalds@kernel.org
pub rsa2048 2011-09-20 [SC]
ABAF11C65A2970B130ABE3C479BE3E4300411886
uid [ unknown] Linus Torvalds <torvalds@kernel.org>
sub rsa2048 2011-09-20 [E]
Next, find a trust path from Linus Torvalds to the key-id you found via ``gpg
--search`` of the unknown key. For this, you can use several tools including
https://github.com/mricon/wotmate,
https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git/tree/graphs, and
https://the.earth.li/~noodles/pathfind.html.
If you get a few decent trust paths, then it's a pretty good indication
that it is a valid key. You can add it to your keyring from the
keyserver now::
$ gpg --recv-key C94035C21B4F2AEB
This process is not perfect, and you are obviously trusting the
administrators of the PGP Pathfinder service to not be malicious (in
fact, this goes against :ref:`devs_not_infra`). However, if you
do not carefully maintain your own web of trust, then it is a marked
improvement over blindly trusting keyservers.
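Review bot: the replacement section loses the practical entry point the old one had, namely what to do when ``git verify-tag`` fails with ``gpg: Can't check signature: No public key``; keep a short sentence saying that this error is resolved by importing the developer's key from the kernel.org keyring repository, and that the ``trust-model tofu+pgp`` setting just above still governs keys imported that way. The old text's caveat that relying on a third-party service "goes against :ref:`devs_not_infra`" applies equally to the new repository, which is also infrastructure: if the linked kernel.org documentation describes how to verify the repository's contents before importing them, say so here; otherwise the new text should note that the repository, like a keyserver, needs independent verification. Finally, the ``.. _`Kernel developer PGP Keyring`:`` target is placed directly after the closing sentence; a blank line before it (matching how other targets in this file are separated) would keep the reST tidy.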