Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve documentation for gpg subkey creation #102

Merged
merged 6 commits into from
Feb 25, 2021
Merged

Improve documentation for gpg subkey creation #102

merged 6 commits into from
Feb 25, 2021

Conversation

glensc
Copy link
Contributor

@glensc glensc commented Jan 24, 2021
edited
Loading

Q A
Documentation yes
Bugfix yes/no
BC Break yes/no
New Feature yes/no
RFC yes/no
QA yes/no

Description

This updates GPG section to match my system (gpg (GnuPG) 2.2.25 from brew).

@Ocramius Ocramius changed the title README: gpg update Add gpg --list-keys tip for finding existing GPG keys to README.md Jan 24, 2021
@glensc
Copy link
Contributor Author

glensc commented Jan 24, 2021

Type addkey and select signing or s for capabilities. RSA key type is recommended for greatest compatibility. Type save to persist the new subkey to your master key. Make a note of the Key ID as you will need it in the next step.

I'm confused here, "s" is supposed to be key to type? i have only numeric answers:

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
  (14) Existing key from card
Your selection? s
Invalid selection.

@glensc
Copy link
Contributor Author

glensc commented Jan 24, 2021

Next, I also get asked about bits:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)

So what's the recommendation here for git signing in github?

From https://en.wikipedia.org/wiki/Key_size I read:

Since 2015, NIST recommends a minimum of 2048-bit keys for RSA, an update to the widely-accepted recommendation of a 1024-bit minimum since at least 2002.

@glensc
Add gpg --list-keys tip for finding existing GPG keys to README.md
e839510 
Signed-off-by: Elan Ruusamäe <glen@pld-linux.org>
Signed-off-by: Marco Pivetta <ocramius@gmail.com>
@glensc glensc changed the title Add gpg --list-keys tip for finding existing GPG keys to README.md Improve documentation for gpg key creation Jan 24, 2021
@Ocramius
Copy link
Member 

Your selection? s
Invalid selection.

Looks like something that has changed on newer releases: certainly want a key with signing capabilities (used to be s for sign, e for encrypt and something else for certification/authentication)

So what's the recommendation here for git signing in github?

The default of 3072 works: bigger values lead to some overhead, but overall not noticeable. My old key is still 2048, for example.

@glensc
Copy link
Contributor Author

glensc commented Jan 24, 2021

I've added an example commit with 2048, change to 3072?

@Ocramius
Copy link
Member

Probably better to keep it the default suggested one: that's really up to GnuPG to endorse, while we're mostly only asking for a key, rather than endorsing values to configure one (security-sensitive stuff that we shouldn't touch)

@glensc
Copy link
Contributor Author

glensc commented Jan 24, 2021

If I attempt to remove password, I end up with a confusing error:

gpg> passwd
gpg: key XXXX/XXXX: error changing passphrase: No secret key

gpg> save
Key not changed so no update needed.

but in reality password was removed after passwd command, and yes, the save is unneeded.

@glensc
Write out clearly what is the current gpg key recommendation
f6878aa 
Signed-off-by: Elan Ruusamäe <glen@pld-linux.org>
@glensc
Add a note about key expiry setup
7923cd6 
Signed-off-by: Elan Ruusamäe <glen@pld-linux.org>
@glensc
Use relative path for gpg ephemeral homedir for security
1a37248 
This may be paranoid, but also avoids unwanted surprises of multi-user systems.

Signed-off-by: Elan Ruusamäe <glen@pld-linux.org>
@glensc
Add note about password remove giving error
4ad8fa2 
Signed-off-by: Elan Ruusamäe <glen@pld-linux.org>
@glensc glensc mentioned this pull request Jan 24, 2021
Merged
@glensc glensc changed the title Improve documentation for gpg key creation Improve documentation for gpg subkey creation Jan 24, 2021
Ocramius
Ocramius reviewed Jan 25, 2021
View reviewed changes
README.md Outdated Show resolved Hide resolved
@glensc
Remove any type and bits recommendation
ebe3af4 
Signed-off-by: Elan Ruusamäe <glen@pld-linux.org>
@glensc glensc marked this pull request as ready for review January 25, 2021 17:36
@glensc glensc mentioned this pull request Jan 25, 2021
Merged
@glensc
Copy link
Contributor Author

glensc commented Feb 5, 2021

@Ocramius I have nothing more to add here at this point.

@glensc
Copy link
Contributor Author

glensc commented Feb 12, 2021

Another ping!

Ocramius
Ocramius approved these changes Feb 25, 2021
View reviewed changes
Copy link
Member

@Ocramius Ocramius left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@glensc thanks for improving the docs here - sorry for the massive delay!

@Ocramius Ocramius added this to the 1.9.2 milestone Feb 25, 2021
@Ocramius Ocramius self-assigned this Feb 25, 2021
@Ocramius Ocramius merged commit 9e757aa into laminas:1.9.x Feb 25, 2021
@glensc glensc deleted the patch-3 branch February 26, 2021 08:16
@glensc
Copy link
Contributor Author

glensc commented Feb 26, 2021

@Ocramius sure, we have our own distraction demons. I planned to check out the "new key" section too but never got there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@heiglandreas heiglandreas heiglandreas left review comments

@Ocramius Ocramius Ocramius approved these changes

Assignees

@Ocramius Ocramius

Labels
Documentation Enhancement
Projects
None yet
Milestone
1.9.2
Development

Successfully merging this pull request may close these issues.
3 participants
@glensc @Ocramius @heiglandreas