summaryrefslogtreecommitdiffstats
path: root/cheatsheets/keyring
diff options
context:
space:
mode:
Diffstat (limited to 'cheatsheets/keyring')
-rw-r--r--cheatsheets/keyring/adding_dd.txt2
-rw-r--r--cheatsheets/keyring/adding_dm.txt95
-rw-r--r--cheatsheets/keyring/pulling_hkp_changes.txt82
-rw-r--r--cheatsheets/keyring/removing_dd_key.txt36
-rw-r--r--cheatsheets/keyring/updating_dd_key.txt109
5 files changed, 324 insertions, 0 deletions
diff --git a/cheatsheets/keyring/adding_dd.txt b/cheatsheets/keyring/adding_dd.txt
new file mode 100644
index 0000000..830c61b
--- /dev/null
+++ b/cheatsheets/keyring/adding_dd.txt
@@ -0,0 +1,2 @@
+Adding a DD key
+===============
diff --git a/cheatsheets/keyring/adding_dm.txt b/cheatsheets/keyring/adding_dm.txt
new file mode 100644
index 0000000..5a03ca3
--- /dev/null
+++ b/cheatsheets/keyring/adding_dm.txt
@@ -0,0 +1,95 @@
+Adding a DM key
+===============
+
+- Request must be signed by somebody in the DM team (currently:
+ anibal, enrico, xoswald). Always check it has been signed by them
+ using their currently registered Debian key!
+
+- Request must include:
+ - Full DM key fingerprint
+ - Agreement URL (message sent by prospective DM where he agrees with
+ DFSG, SC, DMUP, and giving an overview of his current work in
+ Debian)
+ - One or more DD advocates (messages signed by DDs confirming
+ applicant has done Debian work and requesting him to be accepted)
+ - It _may_ also include a bug number (in the regular Debian BTS)
+ that should be closed when the request is dealt with. If so, close
+ it in debian/changelog.
+
+- Procedure:
+
+ I am following the request for Javier Merino (RT #2466). Of course,
+ replace keys with adequate values.
+
+ $ gpg --verify < (copy of RT message)
+ (...)
+ gpg: Signature made Thu 26 Aug 2010 01:14:41 PM CDT using RSA key ID 464B8DE3
+ gpg: Good signature from "Xavier Oswald <xoswald@debian.org>"
+ gpg: aka "Xavier Oswald <x.oswald@free.fr>"
+ gpg: aka "Xavier Oswald <xoswald@gmail.com>"
+ gpg: WARNING: This key is not certified with a trusted signature!
+ gpg: There is no indication that the signature belongs to the owner.
+ Primary key fingerprint: DE46 8D1D 2744 CF28 5431 1CD7 85B9 0D23 464B 8DE3
+ # I have never met xoswald, but «grep 464B8DE3 keyids» gives me
+ # «0x85B90D23464B8DE3 Xavier Oswald <xoswald>» and verifying
+ # the fingerprint matches
+
+ $ gpg --keyserver $KEYSERVER --recv-key 6B1BAEC2CA5D4EA7439803612DCE3F2836D4E4F5
+ gpg: requesting key 36D4E4F5 from hkp server nisamox.fciencias.unam.mx
+ gpg: key 36D4E4F5: public key "Javier Merino Cacho <javier.merino@alumnos.unican.es>" imported
+ gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
+ gpg: depth: 0 valid: 3 signed: 163 trust: 0-, 0q, 0n, 0m, 0f, 3u
+ gpg: depth: 1 valid: 163 signed: 405 trust: 154-, 0q, 0n, 5m, 4f, 0u
+ gpg: depth: 2 valid: 12 signed: 99 trust: 12-, 0q, 0n, 0m, 0f, 0u
+ gpg: next trustdb check due at 2010-09-10
+ gpg: Total number processed: 1
+ gpg: imported: 1
+
+ $ gpg --export 6B1BAEC2CA5D4EA7439803612DCE3F2836D4E4F5 > /tmp/key
+
+ $ ./scripts/add-key /tmp/key debian-maintainers-gpg/
+ (...)
+ # A screen listing all of the applicant's signatures which are
+ # in the Debian keyring appears. At very least, one DD should
+ # have signed his key, unless specific reasons
+ # (i.e. geographical) have been already discussed. Take note of
+ # the respective key IDs. If they are too many, just note the
+ # first four or five, in this case: 5D8CDA7B 74974824 95930EDE
+ # E1C21845
+ Are you sure you want to update this key? (y/n)
+ y
+ adding debian-maintainers-gpg/0x2DCE3F2836D4E4F5
+
+ # Note this addition in debian/changelog - Just make sure before
+ # doing this you are not modifying an already uploaded changelog
+ # entry!
+ $ dch -a 'Add new DM key 0x2DCE3F2836D4E4F5 (Javier Merino) (RT #2466) (Closes: #593475)'
+
+ $ git commit
+ # And that's it. For the VCS log, we use the following format:
+------------------------------------------------------------
+Add new DM key $DM_KEY ($DM_NAME) (RT #$RT_NUM)
+
+Add new DM key $DM_KEY as requested by DM team ($PERSON)
+ Signed by existing DD keys: $SIGN1 $SIGN2 $SIGN3 $SIGNN
+Agreement:
+ $AGREE_URL
+Advocates:
+ $DD1_ACCOUNT - $ADVOCATE1_URL
+ $DD2_ACCOUNT - $ADVOCATE2_URL
+ $DD3_ACCOUNT - $ADVOCATE3_URL
+------------------------------------------------------------
+
+i.e.
+
+------------------------------------------------------------
+Add new DM key 0x2DCE3F2836D4E4F5 (Javier Merino) (RT #2466)
+
+Add new DM key 0x2DCE3F2836D4E4F5 as requested by DM team (xoswald)
+ Signed by existing DD keys: 5D8CDA7B 74974824 95930EDE E1C21845
+Agreement:
+ http://lists.debian.org/debian-newmaint/2010/08/msg00020.html
+Advocates:
+ vdanjean - http://lists.debian.org/debian-newmaint/2010/08/msg00021.html
+------------------------------------------------------------
+
diff --git a/cheatsheets/keyring/pulling_hkp_changes.txt b/cheatsheets/keyring/pulling_hkp_changes.txt
new file mode 100644
index 0000000..67969c6
--- /dev/null
+++ b/cheatsheets/keyring/pulling_hkp_changes.txt
@@ -0,0 +1,82 @@
+Pulling changes from the HKP server
+===================================
+
+We run a HKP (HTTP Keyserver Protocol) keyserver to allow for public
+querying on Debian keys and to allow DDs and DMs to update their keys,
+i.e., sending more signatures. Updating the keyrings from this HKP
+server is "pulling" HKP changes.
+
+There's a script call pull-updates that takes a keyring and a keyring
+dir, explodes the keyring and looks for keys that have changed, then
+calls update-key for each of them. This is a bit of a labour intensive
+task, but it does mean we don't automatically allow things like adding
+a new UID that's complete nonsense. I have some local patches to make
+it a bit easier in terms of automatically generating an update.log
+which is the same format as in the changelog of what was altered; I'll
+commit them at some point soon.
+
+So, to import the HKP updates, we pull the keyrings first from:
+
+ kaufmann.debian.org:/srv/keyring.debian.org/keyrings-new/debian-{keyring,nonupload,maintainers}.gpg
+
+and second, from:
+
+ kaufmann.debian.org:/srv/keyring.debian.org/pending-updates/debian-{keyring,nonupload,maintainers}.gpg
+
+$ scp kaufmann.debian.org:/srv/keyring.debian.org/keyrings-new/debian-{keyring,nonupload,maintainers}.gpg .
+debian-keyring.gpg 100% 30MB 2.5MB/s 00:12
+debian-maintainers.gpg 100% 1058KB 529.1KB/s 00:02
+debian-maintainers.gpg 100% 48KB 59.6KB/s 00:00
+$ for i in keyring nonupload maintainers; do ./scripts/pull-updates debian-${i}.gpg debian-${i}-gpg/
+(...a long list of keys later...)
+Updated keys are:
+0x8351C3C268AC5746 0xE5273D986BE3C423 0xED1A3933B2CFCDD8
+gpg: keyring `/tmp/jetring.qGSB7NPt/secring.gpg' created
+gpg: keyring `/tmp/jetring.qGSB7NPt/pubring.gpg' created
+gpg: /tmp/jetring.qGSB7NPt/trustdb.gpg: trustdb created
+Running gpg-diff:
+0x8351C3C268AC5746 Robert Alan Larson <blarson>
+Are you sure you want to update this key? (y/n)
+y
+Updated key.
+gpg: keyring `/tmp/jetring.mHhg5onR/secring.gpg' created
+gpg: keyring `/tmp/jetring.mHhg5onR/pubring.gpg' created
+gpg: /tmp/jetring.mHhg5onR/trustdb.gpg: trustdb created
+Running gpg-diff:
+0xE5273D986BE3C423 Paul Wise <pabs>
+Are you sure you want to update this key? (y/n)
+y
+Updated key.
+gpg: keyring `/tmp/jetring.ZJnN1JpE/secring.gpg' created
+gpg: keyring `/tmp/jetring.ZJnN1JpE/pubring.gpg' created
+gpg: /tmp/jetring.ZJnN1JpE/trustdb.gpg: trustdb created
+Running gpg-diff:
+0xED1A3933B2CFCDD8 Philipp Kern <pkern>
+Are you sure you want to update this key? (y/n)
+y
+Updated key.
+
+In this process, we must check the changes we pull in "make sense" —
+keys should not add unrelated UIDs, weaker subkeys, or excessive
+amounts of signatures.
+
+A log of the changes is stored in updates.log:
+
+$ cat update.log
+0x8351C3C268AC5746 Robert Alan Larson <blarson>
+0xE5273D986BE3C423 Paul Wise <pabs>
+0xED1A3933B2CFCDD8 Philipp Kern <pkern>
+
+So, add the following to the changelog:
+
+ * Updates from keyring.debian.org HKP interface:
+ 0x8351C3C268AC5746 Robert Alan Larson <blarson>
+ 0xE5273D986BE3C423 Paul Wise <pabs>
+ 0xED1A3933B2CFCDD8 Philipp Kern <pkern>
+
+Repeat the process for the other downloaded keyrings.
+
+After processing the second set of keys (at kaufmann's
+/srv/keyring.debian.org/pending-updates), the three keyrings should be
+removed (as they are checked to be empty when updating the keyrings at
+kaufmann -- see infrastructure/kaufmann.txt)
diff --git a/cheatsheets/keyring/removing_dd_key.txt b/cheatsheets/keyring/removing_dd_key.txt
new file mode 100644
index 0000000..a416e7d
--- /dev/null
+++ b/cheatsheets/keyring/removing_dd_key.txt
@@ -0,0 +1,36 @@
+Removing a DD key
+=================
+
+Some more verbosity would not hurt... Anyway, little is better than none.
+
+- Emeritus
+
+| # Deal with RT #142
+| # Straightforward resignation, debian-private mail confirmed,
+| # move key to emeritus
+| ./script/move-key 0xFCF6DD4539CCF0C7 emeritus-keyring-gpg/
+
+The move-key script will move the key from any of the active keyrings
+it is currently located on.
+
+If the key is not moved due to the maintainer explicitly resigning
+(i.e. expelled, deceased, MIA), the key should be removed entirely.
+
+Changelog entry:
+------------------------------------------------------------
+ * Move 0xFCF6DD4539CCF0C7 (Akira TAGOH) to emeritus (RT #142)
+------------------------------------------------------------
+
+Commit message:
+------------------------------------------------------------
+Move 0xFCF6DD4539CCF0C7 (Akira TAGOH) to emeritus (RT #142)
+
+ Akira has retired from Debian.
+ Message-Id: <20070731.194218.174801666.tagoh@debian.org>
+------------------------------------------------------------
+
+- MIA
+
+Eventually, the MIA team comes up with a list of people not answering
+to the WAT ping (Where Are They?). The main difference for us is that,
+instead of moving the key to emeritus-keyring-gpg, it is removed entirely.
diff --git a/cheatsheets/keyring/updating_dd_key.txt b/cheatsheets/keyring/updating_dd_key.txt
new file mode 100644
index 0000000..46f4456
--- /dev/null
+++ b/cheatsheets/keyring/updating_dd_key.txt
@@ -0,0 +1,109 @@
+Updating a DD key
+=================
+
+- Key updates should be for a reason (i.e. lost control of earlier
+ key, or moving to stronger key).
+
+- Request must include:
+ - Old key (full fingerprint)
+ - New key (full fingerprint)
+ - Inline signature with OLD key
+
+- New key must be signed by at least two DDs (and more if possible);
+ if the old key is particularly well connected, we have requested the
+ person to get more signatures in order to avoid weakening the
+ overall web of trust. The new key must also be signed with the old
+ one (except in cases, say, where the old one was lost).
+
+- Procedure
+
+ I am following the request for Giovanni Mascellani (RT #2473). Of
+ course, replace keys with adequate values. As you can see, this
+ request mentioned only the key IDs, so full fingerprint was
+ requested.
+
+ # Before anything else, retrieve both keys, to be able to do the
+ # following checks
+ $ gpg --keyserver $KEYSERVER --recv-key \
+ 1EB63D43E2014DDF67BD003FFCB0BB5C5F1FBF70 \
+ 82D119A840C6EFCA6F5AF9459EDCC991D9AB457E
+ gpg: requesting key 5F1FBF70 from hkp server nisamox.fciencias.unam.mx
+ gpg: requesting key D9AB457E from hkp server nisamox.fciencias.unam.mx
+ gpg: key 5F1FBF70: public key "Giovanni Mascellani (Poisson)
+ # <mascellani@poisson.phc.unipi.it>" imported
+ gpg: key D9AB457E: public key "Giovanni Mascellani
+ # <mascellani@poisson.phc.unipi.it>" imported
+ gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
+ gpg: depth: 0 valid: 3 signed: 163 trust: 0-, 0q, 0n, 0m, 0f, 3u
+ gpg: depth: 1 valid: 163 signed: 409 trust: 154-, 0q, 0n, 5m, 4f,
+ # 0u
+ gpg: depth: 2 valid: 12 signed: 99 trust: 12-, 0q, 0n, 0m, 0f, 0u
+ gpg: next trustdb check due at 2010-09-10
+ gpg: Total number processed: 2
+ gpg: imported: 2 (RSA: 1)
+
+ $ gpg --verify < (copy of RT message)
+ (...)
+ gpg: Signature made Sun 29 Aug 2010 07:30:03 AM CDT using RSA key ID E1889B00
+ gpg: Good signature from "Giovanni Mascellani (Poisson) <mascellani@poisson.phc.unipi.it>"
+ gpg: aka "Giovanni Mascellani <gio@debian.org>"
+ gpg: aka "Giovanni Mascellani <g.mascellani@gmail.com>"
+ gpg: aka "Giovanni Mascellani <g.mascellani@tiscali.it>"
+ gpg: aka "Giovanni Mascellani (DM) <mascellani@mail.dm.unipi.it>"
+ gpg: aka "Giovanni Mascellani (SNS) <giovanni.mascellani@sns.it>"
+ gpg: aka "[jpeg image of size 8171]"
+ gpg: WARNING: This key is not certified with a trusted signature!
+ gpg: There is no indication that the signature belongs to the owner.
+ Primary key fingerprint: 1EB6 3D43 E201 4DDF 67BD 003F FCB0 BB5C 5F1F BF70
+ Subkey fingerprint: 409F 2383 802D B40C CA04 9AF9 810A 9F69 E188 9B00
+
+ - Helper script
+
+ We have a script called "replace-key". When called, it takes care to
+ do all of the steps described from here until the commit step.
+
+ You should call it using both keys' long (64 bit) keyids:
+
+ $ ./script/replace-key FCB0BB5C5F1FBF70 9EDCC991D9AB457E
+
+
+ $ gpg --export D9AB457E > /tmp/key
+ # DD keys (past and present), names and identities are kept in
+ # the plaintext file 'keyids' - Confirm and get the requester's
+ # Debian account name in case it's not listed as one of the
+ # identities
+
+ $ grep 5F1FBF70 keyids
+ 0xFCB0BB5C5F1FBF70 Giovanni Mascellani <gio>
+ # Old keys are removed from the repository.
+
+ $ git rm debian-keyring-gpg/0xFCB0BB5C5F1FBF70
+ rm 'debian-keyring-gpg/0xFCB0BB5C5F1FBF70'
+
+ $ ./scripts/add-key /tmp/key debian-keyring-gpg/
+ # A screen listing all of the requester's signatures which are
+ # in the Debian keyring appears. At very least, two DD should
+ # have signed his key, unless specific reasons
+ # (i.e. geographical) have been already discussed. Take note of
+ # the respective key IDs. If they are too many, just note the
+ # first four or five, in this case: F2C423BC 33FC40A4.
+ # Also take note that the old key (5F1FBF70) has also signed
+ # it.
+ Are you sure you want to update this key? (y/n)
+ y
+ adding debian-keyring-gpg/0x9EDCC991D9AB457E
+ Enter full name of new key: Giovanni Mascellani
+ Enter Debian login of new key: gio
+
+ # Note this addition in debian/changelog - Just make sure before
+ # doing this you are not modifying an already uploaded changelog
+ # entry!
+ $ dch -a 'Replace 0xFCB0BB5C5F1FBF70 with 0x9EDCC991D9AB457E (Giovanni Mascellani) (RT #2473)'
+
+- Git commit
+
+ In order for the parse-git-changelog script to work, we adhere to
+ machine-parsable information in the changelog. If you used the
+ replace-key script, you will find it creates a git-commit-template
+ file. It just needs you to fill in the Debian user IDs for the
+ New-key-certified-by field.