From e8395102e87d1c889c0278d43efc6e3f57b7ef13 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elan=20Ruusam=C3=A4e?= Date: Mon, 25 Jan 2021 00:15:20 +0200 Subject: [PATCH 1/6] Add `gpg --list-keys` tip for finding existing GPG keys to `README.md` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Elan Ruusamäe Signed-off-by: Marco Pivetta --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 52b277b0..b0bcafde 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ in the GitHub Docs. #### Using a subkey from an existing GPG key -First open your master key for editing: +First open your master key for editing (use `--list-keys` to find it): ```bash gpg --edit-key "" From f6878aafdfebfe50a129f30b23788322b1a04a7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elan=20Ruusam=C3=A4e?= Date: Mon, 25 Jan 2021 00:28:42 +0200 Subject: [PATCH 2/6] Write out clearly what is the current gpg key recommendation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Elan Ruusamäe --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b0bcafde..80ceb7b5 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,9 @@ First open your master key for editing (use `--list-keys` to find it): gpg --edit-key "" ``` -Type `addkey` and select signing or s for capabilities. RSA key type is recommended for greatest compatibility. +A signing key type RSA with 3072 bits is recommended for greatest compatibility. + +Type `addkey` and select a type that is for signing, you might be asked about bit size depending on your choice. Type `save` to persist the new subkey to your master key. Make a note of the Key ID as you will need it in the next step. Next export the new sub key: From 7923cd67a6b22072d8940c3e13cf186b0dc2b4ee Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Elan=20Ruusam=C3=A4e?= Date: Mon, 25 Jan 2021 00:32:59 +0200 Subject: [PATCH 3/6] Add a note about key expiry setup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Elan Ruusamäe --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 80ceb7b5..647a22ec 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,7 @@ gpg --edit-key "" A signing key type RSA with 3072 bits is recommended for greatest compatibility. Type `addkey` and select a type that is for signing, you might be asked about bit size depending on your choice. +When deciding over key expire, avoid setting to never expire, as recommendation of key bits will change over time. Type `save` to persist the new subkey to your master key. Make a note of the Key ID as you will need it in the next step. Next export the new sub key: From 1a372482544850ddf3684b48fc12bb59db92b9a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elan=20Ruusam=C3=A4e?= Date: Mon, 25 Jan 2021 00:49:12 +0200 Subject: [PATCH 4/6] Use relative path for gpg ephemeral homedir for security MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This may be paranoid, but also avoids unwanted surprises of multi-user systems. Signed-off-by: Elan Ruusamäe --- README.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 647a22ec..9dd81aef 100644 --- a/README.md +++ b/README.md 
@@ -68,27 +68,25 @@ You can skip this if your master key is not password protected. To remove the password from the subkey, create an ephemeral gpg home directory: ```bash -mkdir /tmp/gpg +install -d -m 700 gpg-tmp ``` Ensure that it works with gpg: ```bash -gpg --homedir /tmp/gpg --list-keys +gpg --homedir gpg-tmp --list-keys ``` -You can ignore the warning about unsafe directory permissions. - Import your subkey: ```bash -gpg --homedir /tmp/gpg --import private.key +gpg --homedir gpg-tmp --import private.key ``` Enter edit mode: ```bash -gpg --homedir /tmp/gpg --edit-key +gpg --homedir gpg-tmp --edit-key ``` Type `passwd`, entering your current password and then set the password to "" to remove it. @@ -96,13 +94,13 @@ Type `passwd`, entering your current password and then set the password to "" to Type `save` to exit edit mode and re-export your subkey: ```bash -gpg --homedir /tmp/gpg --output private.key --armor --export-secret-subkeys "!" +gpg --homedir gpg-tmp --output private.key --armor --export-secret-subkeys "!" ``` Finally, remove the ephemeral directory: ```bash -rm --rf /tmp/gpg +rm --rf gpg-tmp ``` You will now need to export your master public key with the new subkey public key to the file `public.key`: From 4ad8fa2bed7635c0cb22909a8f2b6e475e1119d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elan=20Ruusam=C3=A4e?= Date: Mon, 25 Jan 2021 01:20:41 +0200 Subject: [PATCH 5/6] Add note about password remove giving error MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Elan Ruusamäe --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 9dd81aef..271936f2 100644 --- a/README.md +++ b/README.md 
@@ -91,6 +91,9 @@ gpg --homedir gpg-tmp --edit-key Type `passwd`, entering your current password and then set the password to "" to remove it. +The command may give error `error changing passphrase: No secret key` when setting empty password. +You should ignore it as the password was really removed. + Type `save` to exit edit mode and re-export your subkey: ```bash From ebe3af4e0d47b43c90546ea93029cee27872adb6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elan=20Ruusam=C3=A4e?= Date: Mon, 25 Jan 2021 19:36:02 +0200 Subject: [PATCH 6/6] Remove any type and bits recommendation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Elan Ruusamäe --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 271936f2..d89eb48a 100644 --- a/README.md +++ b/README.md @@ -46,8 +46,6 @@ First open your master key for editing (use `--list-keys` to find it): gpg --edit-key "" ``` -A signing key type RSA with 3072 bits is recommended for greatest compatibility. - Type `addkey` and select a type that is for signing, you might be asked about bit size depending on your choice. When deciding over key expire, avoid setting to never expire, as recommendation of key bits will change over time. Type `save` to persist the new subkey to your master key. Make a note of the Key ID as you will need it in the next step.
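Review bot: In PATCH 1/6, the tip `(use `--list-keys` to find it)` points at the wrong listing for this step: `--edit-key` followed by `addkey` only works on a key whose secret part is present, and `--list-keys` also shows other people's public keys. Suggest `use `gpg --list-secret-keys` to find it`, so the reader is only offered keys they can actually add a subkey to.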
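Review bot: In PATCH 2/6, the added sentence `Type `addkey` and select a type that is for signing, you might be asked about bit size depending on your choice.` is a comma splice and should be two sentences or joined with a semicolon. The other added line, `A signing key type RSA with 3072 bits is recommended for greatest compatibility.`, is deleted again in PATCH 6/6 of the same series; squash the two so the history does not carry a recommendation the series itself withdraws.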
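Review bot: In PATCH 3/6, the added line `When deciding over key expire, avoid setting to never expire, as recommendation of key bits will change over time.` needs rewording (`When asked for an expiry, do not choose "never"`) and gives the weaker of the two reasons. This README goes on to strip the passphrase from the exported subkey, so the stronger argument is that an expiry bounds the damage if that unprotected key file is leaked. Since an expired subkey will silently break signing wherever it is installed, the note should also say how to renew (`key N` to select the subkey, then `expire`, inside `gpg --edit-key`) and that the public key must be re-exported afterwards.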
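Review bot: In the first hunk of PATCH 4/6, `install -d -m 700 gpg-tmp` creates the ephemeral home in the current directory, which for most readers is a checked-out repository: the unprotected secret key material it will contain can end up staged by a careless `git add .`, and `install -d` on an already-existing directory silently reuses it. Suggest `export GNUPGHOME=$(mktemp -d)` instead, which yields a fresh, unique, mode-0700 directory outside the working tree, addresses the multi-user concern from the commit message, and lets the later commands drop the repeated `--homedir`. Removing `You can ignore the warning about unsafe directory permissions.` is correct, since with mode 700 gpg no longer emits it.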
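Review bot: In the second hunk of PATCH 4/6, the rewritten line `+rm --rf gpg-tmp` keeps a pre-existing typo: `--rf` is not a valid long option, so GNU rm aborts with `unrecognized option '--rf'` and the directory holding the passphrase-less key is never deleted. Since the line is being touched anyway, change it to `rm -rf gpg-tmp`.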
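Review bot: In PATCH 5/6, `You should ignore it as the password was really removed.` tells the reader to dismiss an error without any way to confirm the claim, which is the wrong habit for a step that decides whether a secret key is protected. Suggest phrasing it as a check instead: the next step, `gpg --homedir gpg-tmp --output private.key --armor --export-secret-subkeys "!"`, prompts for the passphrase if one is still set, so if that export completes without a prompt the removal succeeded and the earlier `error changing passphrase: No secret key` message can be disregarded. Also `when setting empty password` should read `when setting an empty password`.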
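Review bot: In PATCH 6/6, deleting `A signing key type RSA with 3072 bits is recommended for greatest compatibility.` leaves a dangling reference in the unchanged context line that follows: `as recommendation of key bits will change over time` now justifies the expiry with a recommendation the README no longer makes. Reword that line in the same commit (for example `as recommended key sizes and algorithms change over time`), and consider folding this patch into PATCH 2/6 as noted there.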