6 == Generate GPG signing key pair
8 The guide will explain how to generate a new key pair, how to create a
9 signing sub key and how to strip the secret master key to avoid leaking
10 your primary secret key identity in case your signing key (or the entire
11 +~/.gnupg/+) ever gets lost.
14 === 1) Generate new, fresh key pair on a secure machine
18 $ chmod 0700 /tmp/signing
19 $ gpg --homedir /tmp/signing --gen-key
20 gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
21 This is free software: you are free to change and redistribute it.
22 There is NO WARRANTY, to the extent permitted by law.
24 gpg: keyring `/tmp/signing/secring.gpg' created
25 gpg: keyring `/tmp/signing/pubring.gpg' created
28 TIP: Pick 4 to generate an RSA-only key and choose a key size of 4096 bits.
29 For this how-to I choose to set no expiry at all.
32 Please select what kind of key you want:
33 (1) RSA and RSA (default)
38 RSA keys may be between 1024 and 4096 bits long.
39 What keysize do you want? (2048) 4096
40 Requested keysize is 4096 bits
41 Please specify how long the key should be valid.
42 0 = key does not expire
43 <n> = key expires in n days
44 <n>w = key expires in n weeks
45 <n>m = key expires in n months
46 <n>y = key expires in n years
48 Key does not expire at all
49 Is this correct? (y/N) y
52 TIP: GPG will ask about your user identity now, provide your real name and
53 the mail address you intend to use for your project communication.
54 I also suggest to provide a meaningful comment, eg. "LEDE Signing Key"
58 You need a user ID to identify your key; the software constructs the user ID
59 from the Real Name, Comment and Email Address in this form:
60 "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
62 Real name: Jo-Philipp Wich
63 Email address: jo@mein.io
64 Comment: LEDE Signing Key
65 You selected this USER-ID:
66 "Jo-Philipp Wich (LEDE Signing Key) <jo@mein.io>"
68 Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
69 You need a Passphrase to protect your secret key.
72 TIP: At this point enter a good pass phrase twice to protect your secret
73 key, the command will take a while to gather entropy and complete key
74 until it'll eventually print the key summary:
77 gpg: /tmp/signing/trustdb.gpg: trustdb created
78 gpg: key 612A0E98 marked as ultimately trusted
79 public and secret key created and signed.
81 gpg: checking the trustdb
82 gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
83 gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
84 pub 4096R/612A0E98 2016-04-05
85 Key fingerprint = 69B2 6A27 62D0 65E6 6F59 6755 C76F DE50 612A 0E98
86 uid Jo-Philipp Wich (LEDE Signing Key) <jo@mein.io>
88 Note that this key cannot be used for encryption. You may want to use
89 the command "--edit-key" to generate a subkey for this purpose.
92 === 2) Generate a sub key
95 $ gpg --homedir /tmp/signing --edit-key jo@mein.io
96 gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
97 This is free software: you are free to change and redistribute it.
98 There is NO WARRANTY, to the extent permitted by law.
100 Secret key is available.
102 pub 4096R/612A0E98 created: 2016-04-05 expires: never usage: SC
103 trust: ultimate validity: ultimate
104 [ultimate] (1). Jo-Philipp Wich (LEDE Signing Key) <jo@mein.io>
107 TIP: In the now appearing interactive gpg prompt enter "addkey" to create
108 a new signing subkey. GnuPG will ask your to unlock the master key using
109 the passphrase you've given in the previous step.
115 You need a passphrase to unlock the secret key for
116 user: "Jo-Philipp Wich (LEDE Signing Key) <jo@mein.io>"
117 4096-bit RSA key, ID 612A0E98, created 2016-04-05
119 Please select what kind of key you want:
122 (5) Elgamal (encrypt only)
123 (6) RSA (encrypt only)
126 TIP: We'll use a signing-only 4096bit RSA key with an validity of two years
130 RSA keys may be between 1024 and 4096 bits long.
131 What keysize do you want? (2048) 4096
132 Requested keysize is 4096 bits
133 Please specify how long the key should be valid.
134 0 = key does not expire
135 <n> = key expires in n days
136 <n>w = key expires in n weeks
137 <n>m = key expires in n months
138 <n>y = key expires in n years
139 Key is valid for? (0) 730
140 Key expires at Thu Apr 5 18:19:42 2018 CEST
141 Is this correct? (y/N) y
142 Really create? (y/N) y
145 TIP: At this point, GnuPG will start gathering entropy again, running an
146 "find /" in the background is a good way to speed it up. When done it
147 will print the sub key summary and return to the prompt. Note the ID
148 "1584F206" of the subkey, we'll need that in step 4.
151 pub 4096R/612A0E98 created: 2016-04-05 expires: never usage: SC
152 trust: ultimate validity: ultimate
153 sub 4096R/1584F206 created: 2016-04-05 expires: 2018-04-05 usage: S
154 [ultimate] (1). Jo-Philipp Wich (LEDE Signing Key) <jo@mein.io>
157 TIP: Enter "save" to commit the new key pair and its sub key to disk, the
158 GnuPG will automatically exit to the shell.
164 === 3) Put the key into a vault
166 At this point it is a good idea to make a *reliable and secure* backup
167 of the +/tmp/signing/+ directory, I suggest burning it onto a CDROM or
168 copying it onto a thumb drive which you can safely lock away or hide in
171 === 4) Export the private sub key only
173 We'll now export just the secret sub key since that is all we'll ever
174 need to sign files. Use the sub key ID from step 2 followed by an
175 exclamation mark to select the sub key to export:
178 $ gpg --homedir /tmp/signing --export-secret-subkeys 1584F206! \
179 > /tmp/secret-signing-key.pgp
180 $ file /tmp/secret-signing-key.pgp
181 secret-signing-key.pgp: PGP\011Secret Key - 1024b created on Tue Apr 5
182 16:08:15 2016 - RSA (Encrypt or Sign)
185 === 5) Import the secret signing sub key into your actual key store
187 You can now import the secret signing sub key on any machine you'll use
188 for signing files in the future. To import the sub key file, pass it to
189 +gpg --import+ and leave out the alternative homedir argument:
192 $ gpg --import /tmp/secret-signing-key.pgp
193 gpg: key 612A0E98: secret key imported
194 gpg: key 612A0E98: public key "Jo-Philipp Wich (LEDE Signing Key)
195 <jo@mein.io>" imported
196 gpg: Total number processed: 1
197 gpg: imported: 1 (RSA: 1)
198 gpg: secret keys read: 1
199 gpg: secret keys imported: 1
202 TIP: You can now issue a "gpg -K" to list all secret keys in your key store,
203 you should see the key you've imported with a leading "sec#". The hash
204 mark here indicates that the secret master key is missing, which is what
209 /home/jow/.gnupg/secring.gpg
210 ---------------------------
212 sec# 4096R/612A0E98 2016-04-05
213 uid Jo-Philipp Wich (LEDE Signing Key) <jo@mein.io>
214 ssb 4096R/1584F206 2016-04-05
217 TIP: It is time to upload your public key part to a key server now so that
218 others can easily fetch it by its fingerprint or your chosen mail
219 address later on. For uploading use the primary key ID printed after
220 the "sec#" word in the previous command.
223 $ gpg --keyserver hkp://pool.sks-keyservers.net --send-keys 612A0E98
224 gpg: sending key 612A0E98 to hkp server pool.sks-keyservers.net
227 === 6) Delete original
229 Make sure once again that your backup of the +/tmp/signing+ directory is
230 complete and readable, then remove the secret sub key file and the
231 entire temporary signing directory:
234 $ rm -r /tmp/signing/
235 $ rm /tmp/secret-signing-key.pgp
238 TIP: You're now done setting up a suitable signing key pair.
242 To export your public key in ASCII format use the following command,
243 again with the primary ID you've already used for uploading the pubkey.
245 Make sure to provide a meaningful comment so that people looking at the
246 key file know who it belongs to without having to inspect it using GPG
250 $ gpg --armor --export --no-version \
251 --comment="Public key of Jo-Philipp Wich" 612A0E98
254 In order to sign a file with your signing sub key, use the command below:
257 $ gpg --no-version -a -b -u 612A0E98 \
258 --comment="My signature for something" -o output.sig input.file
261 TIP: Use your key ID as filename when adding your public signing key to the
266 $ gpg --armor --export --no-version \
267 --comment="Public key of Me Myself" 612A0E98 > 612A0E98.asc
268 $ git add 612A0E98.asc
269 $ git commit -sm "Add my public key"
270 $ git push origin master
273 == Generate _usign_ key pair
275 In order to generate an _usign_ key pair for use in LEDE release and package
276 repositories, follow the steps below.
278 === 1) Obtain _usign_
280 Clone the _usign_ repository and compile it. Note that the compilation requires
281 an installed +cmake+ to succeed.
284 $ git clone https://git.openwrt.org/project/usign.git
290 TIP: Run +./usign+ to check that the binary works.
294 Usage: ./usign <command> <options>
296 -V: verify (needs at least -m and -p|-P)
297 -S: sign (needs at least -m and -s)
298 -F: print key fingerprint of public/secret key or signature
299 -G: generate a new keypair
301 -c <comment>: add comment to keys
302 -m <file>: message file
303 -p <file>: public key file (verify/fingerprint only)
304 -P <path>: public key directory (verify only)
305 -q: quiet (do not print verification result, use return code only)
306 -s <file>: secret key file (sign/fingerprint only)
307 -x <file>: signature file (defaults to <message file>.sig)
310 === 2) Generate key pair
312 Instruct the +usign+ executable to generate a new key pair and provide a
313 suitable comment to be able to identify the key file later on.
316 ./usign -G -c "LEDE usign key of Jo-Philipp Wich" \
317 -s secret.key -p public.key
320 TIP: Store the +secret.key+ file in a *secure and reliable* location, you'll
321 need it to sign package repositories in the future.
323 === 3) Add public key to the repository
325 Obtain the fingerprint of your public key with the +usign -F+ command and use
326 it as filename for storing the pubkey in the +keyring.git+ repository:
329 $ ./usign -F -p public.key
333 TIP: Add the key to Git, using the fingerprint as filename:
337 $ cp /some/where/public.key 72a57f2191b211e0
338 $ git add 72a57f2191b211e0
339 $ git commit -sm "Add my public usign key"
340 $ git push origin master