Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

docs: maintainer-pgp-guide: update for latest gnupg defaults

It is finally becoming increasingly rare to find a distribution that
still ships with gnupg-1.x, so remove the last vestiges of "gpg" vs
"gpg2" from documentation.

Similarly, starting with GnuPG 2.2 and above, the default --gen-key
operation creates ed25519/cv25519 keypairs, so update all example
command outputs to use that combination instead of rsa2048.

Lastly, add a few wording tweaks and remove links that lead to stale
information (e.g. hardware tokens overview from 2017).

Signed-off-by: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
Link: https://lore.kernel.org/r/20221220-docs-pgp-guide-v1-1-9b0c0bf974fb@linuxfoundation.org
Signed-off-by: Jonathan Corbet <corbet@lwn.net>

authored by Konstantin Ryabitsev and committed by Jonathan Corbet
041d4329 71240f94

+30 -72
Documentation/process/maintainer-pgp-guide.rst
··· 60 60 PGP tools 61 61 ========= 62 62 63 - Use GnuPG v2 64 - ------------ 63 + Use GnuPG 2.2 or later 64 + ---------------------- 65 65 66 66 Your distro should already have GnuPG installed by default, you just 67 - need to verify that you are using version 2.x and not the legacy 1.4 68 - release -- many distributions still package both, with the default 69 - ``gpg`` command invoking GnuPG v.1. To check, run:: 67 + need to verify that you are using a reasonably recent version of it. 68 + To check, run:: 70 69 71 70 $ gpg --version | head -n1 72 71 73 - If you see ``gpg (GnuPG) 1.4.x``, then you are using GnuPG v.1. Try the 74 - ``gpg2`` command (if you don't have it, you may need to install the 75 - gnupg2 package):: 76 - 77 - $ gpg2 --version | head -n1 78 - 79 - If you see ``gpg (GnuPG) 2.x.x``, then you are good to go. This guide 80 - will assume you have the version 2.2 of GnuPG (or later). If you are 81 - using version 2.0 of GnuPG, then some of the commands in this guide will 82 - not work, and you should consider installing the latest 2.2 version of 83 - GnuPG. Versions of gnupg-2.1.11 and later should be compatible for the 84 - purposes of this guide as well. 85 - 86 - If you have both ``gpg`` and ``gpg2`` commands, you should make sure you 87 - are always using GnuPG v2, not the legacy version. You can enforce this 88 - by setting the appropriate alias:: 89 - 90 - $ alias gpg=gpg2 91 - 92 - You can put that in your ``.bashrc`` to make sure it's always the case. 72 + If you have version 2.2 or above, then you are good to go. If you have a 73 + version that is prior than 2.2, then some commands from this guide may 74 + not work. 
93 75 94 76 Configure gpg-agent options 95 77 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ ··· 132 150 The key with the **[C]** capability is often called the "master" key, 133 151 but this terminology is misleading because it implies that the Certify 134 152 key can be used in place of any of other subkey on the same chain (like 135 - a physical "master key" can be used to open the locks made for other 136 - keys). Since this is not the case, this guide will refer to it as "the 137 - Certify key" to avoid any ambiguity. 153 + a physical "master key" can be used to open locks made for other keys). 154 + Since this is not the case, this guide will refer to it as "the Certify 155 + key" to avoid any ambiguity. 138 156 139 157 It is critical to fully understand the following: 140 158 ··· 168 186 is what you will have. You can verify by running ``gpg --list-secret-keys``, 169 187 for example:: 170 188 171 - sec rsa2048 2018-01-23 [SC] [expires: 2020-01-23] 189 + sec ed25519 2022-12-20 [SC] [expires: 2024-12-19] 172 190 000000000000000000000000AAAABBBBCCCCDDDD 173 191 uid [ultimate] Alice Dev <adev@kernel.org> 174 - ssb rsa2048 2018-01-23 [E] [expires: 2020-01-23] 192 + ssb cv25519 2022-12-20 [E] [expires: 2024-12-19] 175 193 176 194 The long line under the ``sec`` entry is your key fingerprint -- 177 195 whenever you see ``[fpr]`` in the examples below, that 40-character ··· 201 219 202 220 .. note:: ECC support in GnuPG 203 221 204 - GnuPG 2.1 and later has full support for Elliptic Curve 205 - Cryptography, with ability to combine ECC subkeys with traditional 206 - RSA keys. The main upside of ECC cryptography is that it is much 207 - faster computationally and creates much smaller signatures when 208 - compared byte for byte with 2048+ bit RSA keys. Unless you plan on 209 - using a smartcard device that does not support ECC operations, we 210 - recommend that you create an ECC signing subkey for your kernel 211 - work. 
212 - 213 - Note, that if you plan to use a hardware device that does not 222 + Note, that if you intend to use a hardware token that does not 214 223 support ED25519 ECC keys, you should choose "nistp256" instead or 215 - "ed25519." 224 + "ed25519." See the section below on recommended hardware devices. 216 225 217 226 218 227 Back up your Certify key for disaster recovery ··· 309 336 310 337 The output will be something like this:: 311 338 312 - pub rsa2048 2018-01-24 [SC] [expires: 2020-01-24] 339 + pub ed25519 2022-12-20 [SC] [expires: 2022-12-19] 313 340 000000000000000000000000AAAABBBBCCCCDDDD 314 341 Keygrip = 1111000000000000000000000000000000000000 315 342 uid [ultimate] Alice Dev <adev@kernel.org> 316 - sub rsa2048 2018-01-24 [E] [expires: 2020-01-24] 343 + sub cv25519 2022-12-20 [E] [expires: 2022-12-19] 317 344 Keygrip = 2222000000000000000000000000000000000000 318 - sub ed25519 2018-01-24 [S] 345 + sub ed25519 2022-12-20 [S] 319 346 Keygrip = 3333000000000000000000000000000000000000 320 347 321 348 Find the keygrip entry that is beneath the ``pub`` line (right under the ··· 338 365 the Certify key is missing (the ``#`` indicates it is not available):: 339 366 340 367 $ gpg --list-secret-keys 341 - sec# rsa2048 2018-01-24 [SC] [expires: 2020-01-24] 368 + sec# ed25519 2022-12-20 [SC] [expires: 2024-12-19] 342 369 000000000000000000000000AAAABBBBCCCCDDDD 343 370 uid [ultimate] Alice Dev <adev@kernel.org> 344 - ssb rsa2048 2018-01-24 [E] [expires: 2020-01-24] 345 - ssb ed25519 2018-01-24 [S] 371 + ssb cv25519 2022-12-20 [E] [expires: 2024-12-19] 372 + ssb ed25519 2022-12-20 [S] 346 373 347 374 You should also remove any ``secring.gpg`` files in the ``~/.gnupg`` 348 - directory, which are left over from earlier versions of GnuPG. 375 + directory, which may be left over from previous versions of GnuPG. 
349 376 350 377 If you don't have the "private-keys-v1.d" directory 351 378 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ··· 410 437 U2F, among others, and now finally supports NISTP and ED25519 ECC 411 438 keys. 412 439 413 - `LWN has a good review`_ of some of the above models, as well as several 414 - others. Your choice will depend on cost, shipping availability in your 440 + Your choice will depend on cost, shipping availability in your 415 441 geographical region, and open/proprietary hardware considerations. 416 442 417 443 .. note:: ··· 423 451 .. _`Nitrokey Pro 2`: https://shop.nitrokey.com/shop/product/nkpr2-nitrokey-pro-2-3 424 452 .. _`Yubikey 5`: https://www.yubico.com/products/yubikey-5-overview/ 425 453 .. _Gnuk: https://www.fsij.org/doc-gnuk/ 426 - .. _`LWN has a good review`: https://lwn.net/Articles/736231/ 427 454 .. _`qualify for a free Nitrokey Start`: https://www.kernel.org/nitrokey-digital-tokens-for-kernel-developers.html 428 455 429 456 Configure your smartcard device ··· 480 509 481 510 Secret subkeys are available. 482 511 483 - pub rsa2048/AAAABBBBCCCCDDDD 484 - created: 2018-01-23 expires: 2020-01-23 usage: SC 512 + pub ed25519/AAAABBBBCCCCDDDD 513 + created: 2022-12-20 expires: 2024-12-19 usage: SC 485 514 trust: ultimate validity: ultimate 486 - ssb rsa2048/1111222233334444 487 - created: 2018-01-23 expires: never usage: E 515 + ssb cv25519/1111222233334444 516 + created: 2022-12-20 expires: never usage: E 488 517 ssb ed25519/5555666677778888 489 518 created: 2017-12-07 expires: never usage: S 490 519 [ultimate] (1). 
Alice Dev <adev@kernel.org> ··· 548 577 difference in the output:: 549 578 550 579 $ gpg --list-secret-keys 551 - sec# rsa2048 2018-01-24 [SC] [expires: 2020-01-24] 580 + sec# ed25519 2022-12-20 [SC] [expires: 2024-12-19] 552 581 000000000000000000000000AAAABBBBCCCCDDDD 553 582 uid [ultimate] Alice Dev <adev@kernel.org> 554 - ssb> rsa2048 2018-01-24 [E] [expires: 2020-01-24] 555 - ssb> ed25519 2018-01-24 [S] 583 + ssb> cv25519 2022-12-20 [E] [expires: 2024-12-19] 584 + ssb> ed25519 2022-12-20 [S] 556 585 557 586 The ``>`` in the ``ssb>`` output indicates that the subkey is only 558 587 available on the smartcard. If you go back into your secret keys ··· 615 644 You can also use a specific date if that is easier to remember (e.g. 616 645 your birthday, January 1st, or Canada Day):: 617 646 618 - $ gpg --quick-set-expire [fpr] 2020-07-01 647 + $ gpg --quick-set-expire [fpr] 2025-07-01 619 648 620 649 Remember to send the updated key back to keyservers:: 621 650 ··· 678 707 679 708 $ git config --global user.signingKey [fpr] 680 709 681 - **IMPORTANT**: If you have a distinct ``gpg2`` command, then you should 682 - tell git to always use it instead of the legacy ``gpg`` from version 1:: 683 - 684 - $ git config --global gpg.program gpg2 685 - $ git config --global gpgv.program gpgv2 686 - 687 710 How to work with signed tags 688 711 ---------------------------- 689 712 ··· 715 750 If you are verifying someone else's git tag, then you will need to 716 751 import their PGP key. Please refer to the 717 752 ":ref:`verify_identities`" section below. 718 - 719 - .. note:: 720 - 721 - If you get "``gpg: Can't check signature: unknown pubkey 722 - algorithm``" error, you need to tell git to use gpgv2 for 723 - verification, so it properly processes signatures made by ECC keys. 724 - See instructions at the start of this section. 725 753 726 754 Configure git to always sign annotated tags 727 755 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
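Review bot: in the first hunk, the new line 73 "If you have a version that is prior than 2.2" is ungrammatical; suggest "If you have a version older than 2.2, some commands from this guide may not work." While here, the heading now promises that 2.2 is sufficient, but the example listings updated elsewhere in this patch show ed25519/cv25519 keys, and as far as I can tell 2.2.x still generates RSA keys by default, with ed25519/cv25519 only becoming the --gen-key default in 2.3. One sentence saying that an RSA key type in the output is equally fine would spare readers on 2.2 a confusing mismatch between their screen and the guide.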
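Review bot: in the hunk at the ".. note:: ECC support in GnuPG" block, the rewritten sentence keeps the pre-existing typo "choose "nistp256" instead or "ed25519."", which should read "instead of "ed25519"". Also, with the paragraph explaining ECC support deleted, an admonition titled "ECC support in GnuPG" now contains only the hardware-token caveat; either retitle it (for example "Hardware token compatibility") or keep one sentence stating that ed25519 is the recommended choice so the title still matches its body.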
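Review bot: in the hunk showing the ``--with-keygrip`` output, the new lines 339 and 343 read "[expires: 2022-12-19]" for keys created 2022-12-20, i.e. an expiry one day before creation. Every other updated listing in the patch uses "[expires: 2024-12-19]"; these two lines should match.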
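Review bot: in the ``--edit-key`` listing hunk, the E subkey is shown as "expires: never" while the same subkey shows "[expires: 2024-12-19]" in the ``--list-secret-keys`` output elsewhere in the patch, and the untouched context line "created: 2017-12-07" for the S subkey now places the signing subkey five years before the 2022-12-20 Certify key it belongs to. Update the S subkey's creation date (and reconcile the E subkey's expiry) so the example is internally consistent.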