Lines Matching +full:3 +full:- +full:2022
12 Linux Foundation. Please read that document for more in-depth discussion
15 .. _`Protecting Code Integrity`: https://github.com/lfit/itpol/blob/master/protecting-code-integrit…
22 communication channels between developers via PGP-signed email exchange.
26 - Distributed source repositories (git)
27 - Periodic release snapshots (tarballs)
35 - git repositories provide PGP signatures on all tags
36 - tarballs provide detached PGP signatures with all downloads
41 -------------------------------------------
64 ----------------------
70 $ gpg --version | head -n1
76 Configure gpg-agent options
84 - ``default-cache-ttl`` (seconds): If you use the same key again before
85 the time-to-live expires, the countdown will reset for another period.
87 - ``max-cache-ttl`` (seconds): Regardless of how recently you've used
88 the key since initial passphrase entry, if the maximum time-to-live
93 edit your ``~/.gnupg/gpg-agent.conf`` file to set your own values::
96 default-cache-ttl 1800
97 max-cache-ttl 7200
101 It is no longer necessary to start gpg-agent manually at the
120 -------------------------
122 A PGP key rarely consists of a single keypair -- usually it is a
127 - **[S]** keys can be used for signing
128 - **[E]** keys can be used for encryption
129 - **[A]** keys can be used for authentication
130 - **[C]** keys can be used for certifying other keys
146 subkeys, 3 valid signing subkeys, but only one valid certification
147 subkey). All subkeys are fully independent -- a message encrypted to
150 3. A single subkey may have multiple capabilities (e.g. your **[C]** key
157 - add or revoke other keys (subkeys) with S/E/A capabilities
158 - add, change or revoke identities (uids) associated with the key
159 - add or change the expiration date on itself or any subkey
160 - sign other people's keys for web of trust purposes
164 - One subkey carrying both Certify and Sign capabilities (**[SC]**)
165 - A separate subkey with the Encryption capability (**[E]**)
168 is what you will have. You can verify by running ``gpg --list-secret-keys``,
171 sec ed25519 2022-12-20 [SC] [expires: 2024-12-19]
174 ssb cv25519 2022-12-20 [E] [expires: 2024-12-19]
176 The long line under the ``sec`` entry is your key fingerprint --
177 whenever you see ``[fpr]`` in the examples below, that 40-character
181 --------------------------------
191 $ gpg --change-passphrase [fpr]
194 --------------------------------
200 $ gpg --quick-addkey [fpr] ed25519 sign
210 ----------------------------------------------
225 $ gpg --export-secret-key [fpr] | paperkey -o /tmp/key-backup.txt
231 used to be when you had created the backup -- *guaranteed*.
233 Put the resulting printout and the hand-written passphrase into an envelope
234 and store in a secure and well-protected place, preferably away from your
241 your passphrase, printing out even to "cloud-integrated" modern
245 ----------------------------------
253 disaster-level preparedness we did with ``paperkey``. You will also rely
254 on these external copies whenever you need to use your Certify key --
260 -- refer to your distro's documentation on how to accomplish this.
265 Once the encryption process is over, re-insert the USB drive and make
269 $ cp -a ~/.gnupg /media/disk/foo/gnupg-backup
273 $ gpg --homedir=/media/disk/foo/gnupg-backup --list-key [fpr]
277 need to use a random USB drive, and put in a safe place -- but not too
283 ----------------------------------------
288 - by accident when making quick homedir copies to set up a new workstation
289 - by systems administrator negligence or malice
290 - via poorly secured backups
291 - via malware in desktop apps (browsers, pdf viewers, etc)
292 - via coercion when crossing international borders
296 shoulder-surfing, or any number of other means. For this reason, the
308 $ gpg --with-keygrip --list-key [fpr]
312 pub ed25519 2022-12-20 [SC] [expires: 2022-12-19]
316 sub cv25519 2022-12-20 [E] [expires: 2022-12-19]
318 sub ed25519 2022-12-20 [S]
325 $ cd ~/.gnupg/private-keys-v1.d
334 $ cd ~/.gnupg/private-keys-v1.d
337 Now, if you issue the ``--list-secret-keys`` command, it will show that
340 $ gpg --list-secret-keys
341 sec# ed25519 2022-12-20 [SC] [expires: 2024-12-19]
344 ssb cv25519 2022-12-20 [E] [expires: 2024-12-19]
345 ssb ed25519 2022-12-20 [S]
350 If you don't have the "private-keys-v1.d" directory
353 If you do not have a ``~/.gnupg/private-keys-v1.d`` directory, then your
357 ``secring.gpg`` format to use ``private-keys-v1.d`` instead.
379 --------------------------
387 backup purposes -- while that USB device is plugged in and mounted, the
391 smartcard-capable device.
394 ---------------------------
400 - `Nitrokey Start`_: Open hardware and Free Software, based on FSI
403 resistance to tampering or some side-channel attacks).
404 - `Nitrokey Pro 2`_: Similar to the Nitrokey Start, but more
405 tamper-resistant and offers more security features. Pro 2 supports ECC
407 - `Yubikey 5`_: proprietary hardware and software, but cheaper than
408 Nitrokey Pro and comes available in the USB-C form that is more useful
422 .. _`Nitrokey Start`: https://shop.nitrokey.com/shop/product/nitrokey-start-6
423 .. _`Nitrokey Pro 2`: https://shop.nitrokey.com/shop/product/nkpr2-nitrokey-pro-2-3
424 .. _`Yubikey 5`: https://www.yubico.com/products/yubikey-5-overview/
425 .. _Gnuk: https://www.fsij.org/doc-gnuk/
426 .. _`qualify for a free Nitrokey Start`: https://www.kernel.org/nitrokey-digital-tokens-for-kernel-…
429 -------------------------------
434 $ gpg --card-status
443 there are no convenient command-line switches::
445 $ gpg --card-edit
451 You should set the user PIN (1), Admin PIN (3), and the Reset Code (4).
452 Please make sure to record and store these in a safe place -- especially
473 ----------------------------------
479 $ gpg --edit-key [fpr]
484 created: 2022-12-20 expires: 2024-12-19 usage: SC
487 created: 2022-12-20 expires: never usage: E
489 created: 2017-12-07 expires: never usage: S
494 Using ``--edit-key`` puts us into the menu mode again, and you will
498 First, let's select the key we'll be putting onto the card -- you do
529 (3) Authentication key
547 If you perform ``--list-secret-keys`` now, you will see a subtle
550 $ gpg --list-secret-keys
551 sec# ed25519 2022-12-20 [SC] [expires: 2024-12-19]
554 ssb> cv25519 2022-12-20 [E] [expires: 2024-12-19]
555 ssb> ed25519 2022-12-20 [S]
562 $ cd ~/.gnupg/private-keys-v1.d
563 $ strings *.key | grep 'private-key'
565 The output should contain ``shadowed-private-key`` to indicate that
574 $ echo "Hello world" | gpg --clearsign > /tmp/test.asc
575 $ gpg --verify /tmp/test.asc
578 show "Good signature" after you run ``gpg --verify``.
584 -----------------------------
596 $ export GNUPGHOME=/media/disk/foo/gnupg-backup
597 $ gpg --list-secret-keys
613 $ gpg --quick-set-expire [fpr] 1y
618 $ gpg --quick-set-expire [fpr] 2025-07-01
622 $ gpg --send-key [fpr]
630 $ gpg --export | gpg --homedir ~/.gnupg --import
633 Using gpg-agent over ssh
636 You can forward your gpg-agent over ssh if you need to sign tags or
640 - `Agent Forwarding over SSH`_
652 One of the core features of Git is its decentralized nature -- once a
669 .. _`nothing to do with it`: https://github.com/jayphelps/git-blame-someone-else
672 ---------------------------------
679 $ git config --global user.signingKey [fpr]
682 ----------------------------
684 To create a signed tag, simply pass the ``-s`` switch to the tag
687 $ git tag -s [tagname]
696 To verify a signed tag, simply use the ``verify-tag`` command::
698 $ git verify-tag [tagname]
726 $ git config --global tag.forceSignAnnotated true
729 -------------------------------
750 2. If you ever need to re-clone your local repository (for example,
753 3. If someone needs to cherry-pick your commits, this allows them to
759 To create a signed commit, you just need to pass the ``-S`` flag to the
760 ``git commit`` command (it's capital ``-S`` due to collision with
763 $ git commit -S
770 git config --global commit.gpgSign true
774 Make sure you configure ``gpg-agent`` before you turn this on.
780 -------------------------------
784 (PGP-Mime or PGP-inline) tend to cause problems with regular code
787 headers (a-la DKIM):
789 - `Patatt Patch Attestation`_
802 the git-send-email hook in the repository you want::
804 patatt install-hook
806 Now any patches you send with ``git send-email`` will be automatically
816 $ b4 am 20220720205013.890942-1-broonie@kernel.org
819 ---
820 ✓ [PATCH v1 1/3] kselftest/arm64: Correct buffer allocation for SVE Z registers
821 ✓ [PATCH v1 2/3] arm64/sve: Document our actual ABI for clearing registers on syscall
822 ✓ [PATCH v1 3/3] kselftest/arm64: Enforce actual ABI for SVE syscalls
823 ---
842 Configure auto-key-retrieval using WKD and DANE
843 -----------------------------------------------
847 on key auto-discovery and auto-retrieval. GnuPG can piggyback on other
854 auto-key-locate wkd,dane,local
855 auto-key-retrieve
857 DNS-Based Authentication of Named Entities ("DANE") is a method for
862 respectively, before adding auto-retrieved public keys to your local
867 auto-retrieve the keys for Linus Torvalds and Greg Kroah-Hartman (if you
870 $ gpg --locate-keys torvalds@kernel.org gregkh@kernel.org
878 ------------------------------------------------
890 "the SSH-like approach to trust." With SSH, the first time you connect
902 ``trust-model`` setting in ``~/.gnupg/gpg.conf``::
904 trust-model tofu+pgp
907 --------------------------------------------
914 - `Kernel developer PGP Keyring`_