
Basic contributing developer PGP infrastructure. #51

Status: Open. Wants to merge 1 commit into base branch main.

Conversation

@da2ce7 (Contributor) commented Oct 7, 2021

Relates To #50

Adapted from: https://github.com/bitcoin/bitcoin/tree/master/contrib/builder-keys

This commit has:

https://github.com/da2ce7/chinese-ideographs/blob/issue-50-contrib-dev_keys/contrib/dev-keys/README.md
Instructions on how to refresh the local PGP keys for the active developers of the project.

https://github.com/da2ce7/chinese-ideographs/blob/issue-50-contrib-dev_keys/contrib/dev-keys/pgp_key_review_protocol.md
Instructions on how to review additions and updates to the keys.txt file.

https://github.com/da2ce7/chinese-ideographs/blob/issue-50-contrib-dev_keys/contrib/dev-keys/keys.txt
Blank keys.txt file, where developers may add their commit-signing keys.

The PGP Key pull-request for da2ce7 is: #52

@da2ce7 da2ce7 added the security (Improve Project Security and Related Aspects) label Oct 7, 2021
@da2ce7 da2ce7 requested review from josecelano and MCM-Mike October 7, 2021 19:09
@da2ce7 da2ce7 self-assigned this Oct 7, 2021
@da2ce7 da2ce7 force-pushed the issue-50-contrib-dev_keys branch from da910e9 to bd4f086 October 7, 2021 20:02
@da2ce7 da2ce7 force-pushed the issue-50-contrib-dev_keys branch from bd4f086 to 8334a89 October 8, 2021 09:31
@da2ce7 da2ce7 force-pushed the issue-50-contrib-dev_keys branch 5 times, most recently from 291bb81 to 635b5f0 October 8, 2021 11:13
Adapted from: https://github.com/bitcoin/bitcoin/tree/master/contrib/builder-keys

This commit has:

contrib/dev-keys/README.md
Instructions on how to refresh the local PGP keys for the active developers of the project.

contrib/dev-keys/pgp_key_review_protocol.md
Instructions on how to review additions and updates to the `keys.txt` file.

contrib/dev-keys/keys.txt
Blank `keys.txt` file, where developers may add their commit-signing keys.
@da2ce7 da2ce7 force-pushed the issue-50-contrib-dev_keys branch from 635b5f0 to d767d04 October 8, 2021 11:16
@da2ce7 da2ce7 requested a review from josecelano October 8, 2021 11:57
@josecelano (Member) commented:

Hi @da2ce7 I've seen you are using your master pub key 2835ADF6240F6032A72BA1775096293864DA5C9E instead of your automatically generated subkey 6789C8A30C4A7A400378E434EFBC6FE31B0B95FD. I've read this article "Signing Git commits with GPG keys that use modern encryption" by @benjaminblack, and he says using the master key is not a good practice, although it's the way both Git and GitHub are promoting on their documentation:

This article from Debian: Using OpenPGP subkeys in Debian development also promotes using master/subkeys.

Some more links I've been collecting about signing git commits: https://github.com/josecelano/pygithub/blob/issue-2-sign-sing-gitpython/docs/how_to_sign_commits_using_the_gitpython_package.md#links

@da2ce7 (Contributor, Author) commented Nov 24, 2021

Hello @josecelano

I do not believe I am. In fact, I would need to edit my master key to allow GPG to sign with it:

cameron@Camerons-MacBook-Pro chinese-ideographs % git show --summary --oneline --show-signature d767d04806520ddddd169b7af6159fa6eac308ab 
d767d04 (origin/issue-50-contrib-dev_keys, issue-50-contrib-dev_keys) gpg: Signature made Fr  8 Okt 13:16:10 2021 CEST
gpg:                using EDDSA key 6789C8A30C4A7A400378E434EFBC6FE31B0B95FD
gpg: Good signature from "Cameron Garnham [Private Email] (Online Key) <[email protected]>" [ultimate]
gpg:                 aka "Cameron Garnham [Nautilus Cyberneering GmbH] (Online Key) <[email protected]>" [ultimate]
gpg:                 aka "Cameron Garnham [Ethical Software Limited] (Online Key) <[email protected]>" [ultimate]
Basic contributing developer PGP infrastructure.

and

cameron@Camerons-MacBook-Pro chinese-ideographs % gpg --with-subkey-fingerprint --list-key 6789C8A30C4A7A400378E434EFBC6FE31B0B95FD 
pub   ed25519 2021-10-07 [C] [expires: 2022-04-05]
      2835ADF6240F6032A72BA1775096293864DA5C9E
uid           [ultimate] Cameron Garnham [Private Email] (Online Key) <[email protected]>
uid           [ultimate] Cameron Garnham [Nautilus Cyberneering GmbH] (Online Key) <[email protected]>
uid           [ultimate] Cameron Garnham [Ethical Software Limited] (Online Key) <[email protected]>
sub   ed25519 2021-10-07 [S] [expires: 2022-02-04]
      6789C8A30C4A7A400378E434EFBC6FE31B0B95FD

You can see that 0x6789C8A30C4A7A400378E434EFBC6FE31B0B95FD is my signing key, while 0x2835ADF6240F6032A72BA1775096293864DA5C9E is my master key.

@josecelano (Member) commented:

Sorry, I did not explain it well. I meant in the list of contributors keys file: https://github.com/Nautilus-Cyberneering/chinese-ideographs/pull/52/files#diff-3bc20022436593fee5298ebd4e44c4ee53b88ccaaa184854169e22436ea9f430R1

I suppose it makes sense to use the master key there otherwise you have to change it every time you revoke a subkey, right?

@da2ce7 (Contributor, Author) commented Nov 24, 2021

@josecelano Yes, this is the main purpose of the Master Key. It allows you to rotate your sub-keys without everyone needing to re-trust a new key.

@josecelano (Member) commented:

OK, thanks! I still have one more question. You sign commits with your subkey (EFBC6FE31B0B95FD):

[image]

But you upload the public master key to GitHub, right? So your commits will always be shown as verified even if you revoke a subkey.

@da2ce7 (Contributor, Author) commented Nov 25, 2021

@josecelano

Yes, I upload my full GPG key to GitHub, which includes both my Master Key and Subkeys.
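
As an added example, not code from this PR or from the repository, here is a small check in the spirit of the review protocol discussed above: it maps the subkey that signed a commit back to its master key using gpg's machine-readable colon listing, and accepts the signature only if that master fingerprint is listed in keys.txt and the subkey is live and signing-capable. The listing and keys.txt contents are constructed (timestamps and uid hash are invented); the two fingerprints are the ones from the thread.

```python
# Constructed `gpg --with-colons --with-subkey-fingerprint --list-keys` output for
# the key in the thread; fingerprints are from the thread, timestamps/uid hash invented.
SAMPLE_LISTING = """\
pub:u:256:22:5096293864DA5C9E:1633564800:1649116800::u:::cSC::::::23::0:
fpr:::::::::2835ADF6240F6032A72BA1775096293864DA5C9E:
uid:u::::1633564800::0123456789ABCDEF0123456789ABCDEF01234567::Cameron Garnham [Private Email] (Online Key) <private@example.invalid>::::::::::0:
sub:u:256:22:EFBC6FE31B0B95FD:1633564800:1643932800:::::s::::::23:
fpr:::::::::6789C8A30C4A7A400378E434EFBC6FE31B0B95FD:
"""
# Constructed keys.txt in the proposed contrib/dev-keys style: one master fingerprint per line.
SAMPLE_KEYS_TXT = "2835ADF6240F6032A72BA1775096293864DA5C9E da2ce7\n"

def parse_key_listing(listing: str) -> dict[str, dict[str, str]]:
    """Map each pub/sub fingerprint to its master, own capabilities and validity.
    Colon format: a pub/sub record precedes its fpr record; field 2 is validity
    (r revoked, e expired), field 12 capabilities (lowercase = the key's own)."""
    keys: dict[str, dict[str, str]] = {}
    master, pending = "", None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            pending = (f[0], f[1], f[11])
        elif f[0] == "fpr" and pending is not None:
            kind, validity, caps = pending
            if kind == "pub":
                master = f[9]
            keys[f[9]] = {"master": master, "caps": caps, "validity": validity}
            pending = None
    return keys

def trusted_masters(keys_txt: str) -> set[str]:
    return {ln.split()[0].upper() for ln in keys_txt.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def check_signing_key(signing_key: str, listing: str, keys_txt: str) -> tuple[bool, str]:
    """Accept only a live, signing-capable subkey whose master is in keys.txt."""
    fpr = signing_key.upper().removeprefix("0X")
    info = parse_key_listing(listing).get(fpr)
    if info is None:
        return False, "signing key is not in the local keyring"
    if info["validity"] in ("r", "e"):
        return False, f"signing key is revoked or expired (validity={info['validity']})"
    if "s" not in info["caps"]:
        return False, f"key is not signing-capable (caps={info['caps']})"
    if info["master"] not in trusted_masters(keys_txt):
        return False, f"master {info['master']} is not listed in keys.txt"
    return True, f"valid subkey of trusted master {info['master']}"
```

In practice the signing fingerprint comes from `git show --show-signature` (or `git verify-commit --raw`) and the listing from the keyring refreshed per the README; a revoked subkey fails the validity check even though its master stays trusted.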
