Comment: Update since mbeckerle signing key details have changed

...

This scary looking warning can be eliminated if the signing keys for our releases are part of the web-of-trust.

Despite "key signing parties", I believe one should only ask for your keys to be signed by people you know and interact with routinely. (Some reasoning about this here: "Key signing parties considered useless", https://baturin.org/notes/signing-parties/)

Assuming you are preparing, and therefore signing, a release of Daffodil, here is how to get your keys signed. 

...

Here are the steps; four Linux command lines are involved.

...

Warning: I am not sure how this differs for MS-Windows or Apple users.

Our release process requires those signing releases to put their GPG keys into the KEYS file in Daffodil. 

...


You will see output for several people, each like this one, which is mine.

pub   rsa4096/D87AD4BD985035CD 2022-09-09 [SC]
      Key fingerprint = DB59 C93B 3D71 BEBB 537F  325D D87A D4BD 9850 35CD
uid                            Michael J. Beckerle (Code Signing Key) <mbeckerle@apache.org>
sub   rsa4096/F2811F881B8A5203 2022-09-09 [E]

If you trust that this is my identity you can sign my public key via these steps.

Load my public key into your gpg "keyring", using the "long id" from the "pub" line above for me, which is D87AD4BD985035CD. (The long ID seems to be needed, at least by this keyserver.)

gpg --keyserver keys.openpgp.org --recv-keys D87AD4BD985035CD

Verify that the public key you fetched for me is the same as the one you see above from the KEYS file:

gpg --list-keys --fingerprint D87AD4BD985035CD

You should see the same fingerprint as above from the KEYS file. 

Sign my key with yours. (Someone else signs yours the same way.) Note this is going to prompt you for your private key "pass phrase" allowing it to use your private key. 
Hopefully you still have this pass phrase somewhere protected. Copy the pass phrase (e.g., to the clip-board) before you issue this command:

gpg --sign-key D87AD4BD985035CD

Paste in your pass-phrase when requested.

...

gpg --keyserver keys.openpgp.org --send-keys D87AD4BD985035CD

Voilà. That's it.

Note that this last step is somewhat controversial. Some people say you should not send the signed key directly back to the keyserver, but instead send it back to the email address on the public key you just signed.

The details are here: https://gist.github.com/F21/b0e8c62c49dfab267ff1d0c6af39ab84. This seems prudent when signing keys of people whose email/key pairing you are not absolutely sure of, but it is an unnecessary extra few steps if you are signing well-known keys of people you know well and interact with frequently, and whom you know use the email addresses in the public keys you are signing.
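The step that matters most in the procedure above is comparing the fetched key's fingerprint against the KEYS file, since the 16-digit long ID on the "pub" line is only the tail of the fingerprint. The script below is an added example, not part of the Daffodil wiki or its release tooling: it parses the fingerprint out of `gpg --list-keys --fingerprint` output (both the older "Key fingerprint =" form shown above and the bare fingerprint line newer gpg prints), compares it with the KEYS file value, and only then proceeds to the signing and upload commands. The function names (`normalize_fpr`, `extract_fpr`, `check_key_matches`, `sign_after_verify`) are my own, and the sample gpg output at the bottom is constructed from the values shown on this page so the check can be exercised without a keyring.

```shell
#!/bin/sh
# Added example (not from the Daffodil wiki): verify the fetched key's full
# fingerprint against the KEYS file before certifying it with gpg --sign-key.

# Canonical form of a fingerprint: no spaces, upper case.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \n' | tr '[:lower:]' '[:upper:]'
}

# extract_fpr GPG_OUTPUT
# Pull the fingerprint out of gpg --list-keys --fingerprint output. Older gpg
# labels it "Key fingerprint = ..."; gpg 2.1+ prints a bare line of ten
# 4-digit hex groups. Prints an empty string if neither form is present.
extract_fpr() {
  fpr=$(printf '%s\n' "$1" | sed -n 's/^ *Key fingerprint = //p' | head -n 1)
  [ -n "$fpr" ] || fpr=$(printf '%s\n' "$1" \
    | grep -E '^ *([0-9A-Fa-f]{4} *){10}$' | head -n 1)
  printf '%s\n' "$fpr"
}

# check_key_matches EXPECTED_FPR GPG_OUTPUT LONG_ID
# Succeeds only if GPG_OUTPUT carries exactly EXPECTED_FPR (a 40-digit v4
# fingerprint) and LONG_ID is the last 16 hex digits of that fingerprint.
check_key_matches() {
  expected=$(normalize_fpr "$1")
  actual=$(normalize_fpr "$(extract_fpr "$2")")
  longid=$(normalize_fpr "$3")
  [ "${#expected}" -eq 40 ] || return 1
  [ -n "$actual" ] && [ "$actual" = "$expected" ] || return 1
  [ "$(printf '%s' "$actual" | tail -c 16)" = "$longid" ] || return 1
}

# sign_after_verify LONG_ID EXPECTED_FPR
# The page's four commands with the fingerprint check wired between them.
# Not invoked by the demo below: it needs a real keyring and network access.
sign_after_verify() {
  longid=$1; expected=$2
  gpg --keyserver keys.openpgp.org --recv-keys "$longid" || return 1
  out=$(gpg --list-keys --fingerprint "$longid") || return 1
  check_key_matches "$expected" "$out" "$longid" || {
    echo "fingerprint of $longid does not match KEYS file; not signing" >&2
    return 1
  }
  gpg --sign-key "$longid" || return 1
  gpg --keyserver keys.openpgp.org --send-keys "$longid"
}

# Offline demo on constructed gpg output built from the values on this page.
KEYS_FPR='DB59 C93B 3D71 BEBB 537F  325D D87A D4BD 9850 35CD'
SAMPLE_GPG_OUT='pub   rsa4096/D87AD4BD985035CD 2022-09-09 [SC]
      Key fingerprint = DB59 C93B 3D71 BEBB 537F  325D D87A D4BD 9850 35CD
uid                            Michael J. Beckerle (Code Signing Key) <mbeckerle@apache.org>
sub   rsa4096/F2811F881B8A5203 2022-09-09 [E]'

if check_key_matches "$KEYS_FPR" "$SAMPLE_GPG_OUT" D87AD4BD985035CD; then
  echo "fingerprint matches KEYS file; safe to run gpg --sign-key"
else
  echo "fingerprint mismatch; do not sign"
fi
```

Run it as `sign_after_verify D87AD4BD985035CD "$KEYS_FPR"` with the fingerprint pasted from the KEYS file to perform the real procedure; a mismatch stops before `--sign-key`, so a wrong key fetched under the right-looking long ID never gets your certification. One further caveat on the upload step: keys.openpgp.org does not distribute third-party certifications, so a signature sent there with `--send-keys` is not served back to others, which is part of why returning the signed key by email exists as an alternative.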