[Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl

nicolas vigier boklm at mars-attacks.org
Mon Jan 17 18:09:27 CET 2011


On Mon, 17 Jan 2011, Pascal Terjan wrote:

> > 1 key for all is the simplest solution, as this is easiest, and does not
> > require a lot of work to update keys. There is also a simpler BS.
> > However, this means we cannot expire the keys. But this also means that we
> > can more easily have it signed, if we get it signed once, and do not
> > need to redo it every time (see the gpg web of trust).
> 
> Another solution is to have one key, signed by everyone and stored
> safely (like, on a usb key in a bank), and use this key to sign the
> keys that will sign packages (and that will be stored safely too but
> have to be accessible on valstar). If we want to use a new key at some
> point for signing packages, we just need to access that master key.

It looks like a good idea.

> >
> > How do we sign
> > ==============
> >
> > Again, point 3 has an impact here. Either we sign when uploaded, using
> > youri, or using a custom action (as the current one does not permit changing
> > uid), or we use some custom cronjob to sign.

I vote too for using a custom action, to store the key on a separate
account, and use it with a script run with sudo.

It can be done with a cron job too, but it will be slower I think. Is there
any advantage to doing it with a cron job?

> >
> > Or we sign when the release is made.

That would mean having unsigned cauldron packages ?

> >
> > I would recommend using a custom action, as privilege separation sounds
> > like a good idea. I would prefer to avoid signing again on the day of
> > release, for reasons that were already given.
> >
> >
> > Bonus, usage of the module :
> > ============================
> >
> >    gnupg::keys { "cauldron":
> >        email => "root@$domain",
> >        key_name => "John the plop",
> >        key_length => "4096"
> >    }
> >
> > creates a key cauldron.sec and cauldron.pub in /etc/gnupg/keys/. I am not
> > sure of the format (maybe having it exported would be good), and I am
> > not sure that putting everything in this directory is the right location.

What are the permissions and owner on this directory ?
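As an added example, not code from the thread or from the Mageia Puppet module, this shell script does what the proposed `gnupg::keys { "cauldron": ... }` resource would have to run on the host: an unattended `gpg --batch --gen-key` with the resource's email, key_name and key_length, export of the `.sec`/`.pub` halves into `/etc/gnupg/keys/`, and a check that the directory is owner-only, which is the permission question raised above. It assumes GnuPG 2.1 or later (for `%no-protection`); the domain, the `KEYS_DIR` override and the function names are examples.

```shell
#!/bin/sh
# Added example, not the module's code. Mirrors gnupg::keys: generate a
# signing key unattended, export <name>.sec / <name>.pub under KEYS_DIR and
# make sure the directory is private. Assumes GnuPG >= 2.1 (%no-protection).
set -eu

KEYS_DIR="${KEYS_DIR:-/etc/gnupg/keys}"   # location proposed in the thread

# Print the parameter file gpg --batch --gen-key expects.
# Args: email, real name, key length in bits.
gnupg_batch_params() {
    printf 'Key-Type: RSA\n'
    printf 'Key-Length: %s\n' "$3"
    printf 'Key-Usage: sign\n'       # package signing only, no encryption
    printf 'Name-Real: %s\n' "$2"
    printf 'Name-Email: %s\n' "$1"
    printf 'Expire-Date: 0\n'        # the thread notes this key cannot expire
    printf '%%no-protection\n'       # unattended: no passphrase (assumption)
    printf '%%commit\n'
}

# Succeed only if "$1" is a directory with mode exactly 0700, i.e. readable
# by the dedicated signing account alone (the sudo'd-script setup discussed).
gnupg_keys_dir_private() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm 0700)" ]
}

# Create key "$1" for email "$2", real name "$3", length "$4"; export both halves.
gnupg_keys_create() {
    name=$1; email=$2; real=$3; bits=$4
    home=$(mktemp -d)                # throwaway keyring, removed afterwards
    chmod 0700 "$home"
    gnupg_batch_params "$email" "$real" "$bits" | gpg --homedir "$home" --batch --gen-key
    umask 077                        # new dir/files start owner-only
    mkdir -p "$KEYS_DIR"
    gpg --homedir "$home" --armor --export-secret-keys "$email" > "$KEYS_DIR/$name.sec"
    gpg --homedir "$home" --armor --export "$email" > "$KEYS_DIR/$name.pub"
    chmod 0600 "$KEYS_DIR/$name.sec" # secret half stays private
    chmod 0644 "$KEYS_DIR/$name.pub" # public half may be world-readable
    rm -rf "$home"
    gnupg_keys_dir_private "$KEYS_DIR"   # fail loudly if the dir is too open
}

# Usage, mirroring the resource from the thread (example domain):
#   KEYS_DIR=/tmp/keys sh this.sh run
if [ "${1:-}" = run ]; then
    gnupg_keys_create cauldron "root@example.org" "John the plop" 4096
fi
```

Ownership of `KEYS_DIR` is left to the caller (a `chown` to the signing account needs root), so run it as that account or from the sudo wrapper.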
