github.com/craicoverflow/tyk@v2.9.6-rc3+incompatible/README.signatures

tl;dr
=====

RHEL does not support signing RPMs with subkeys. This is supposedly
fixed in RHEL 8. Thus, we use the same key to sign rpms and debs.

It is best to have a key with _no_ subkeys as RPM seems to process
this type of keyring incorrectly.

These keys DO NOT expire.

Keygrip:
Main key : 12B5D62C28F57592D1575BD51ED14C59E37DAC20

The fingerprint above should match between this document and your
keyring. The other numbers in the gpg output below will probably not
match.

This keygrip corresponds to the cache_id for the gpg passphrase
seeding.

Verification
============
% gpg --armor --export team@tyk.io > t.pub

You might have to fetch the pubkey from the keyserver or another trusted
source if you are outside Tyk.

RPM
---

Assuming the rpm you want to test is r.rpm:
% rpm --import t.pub
% rpm -K r.rpm
r.rpm: digests signatures OK

Debian
------

Assuming the deb you want to test is d.deb, import the pubkey.

% gpg --import t.pub

You will have to set the pubkey's trust to ultimate. The alternative is to
sign the pubkey with your own ultimately trusted key. If you do not have
the secret key, the display might look different but the inputs are
the same.

% gpg --edit-key team@tyk.io
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/802F97F6391AC324
     created: 2020-03-03  expires: never       usage: SCEA
     trust: full          validity: unknown
ssb  rsa4096/A892D0365525F5D0
     created: 2020-03-03  expires: never       usage: S
ssb  rsa4096/CA041CD1466FA2F8
     created: 2020-03-03  expires: never       usage: S
[ unknown] (1). Team Tyk (package signing) <team@tyk.io>

gpg> trust
sec  rsa4096/802F97F6391AC324
     created: 2020-03-03  expires: never       usage: SCEA
     trust: full          validity: unknown
ssb  rsa4096/A892D0365525F5D0
     created: 2020-03-03  expires: never       usage: S
ssb  rsa4096/CA041CD1466FA2F8
     created: 2020-03-03  expires: never       usage: S
[ unknown] (1). Team Tyk (package signing) <team@tyk.io>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

sec  rsa4096/802F97F6391AC324
     created: 2020-03-03  expires: never       usage: SCEA
     trust: ultimate      validity: unknown
ssb  rsa4096/A892D0365525F5D0
     created: 2020-03-03  expires: never       usage: S
ssb  rsa4096/CA041CD1466FA2F8
     created: 2020-03-03  expires: never       usage: S
[ unknown] (1). Team Tyk (package signing) <team@tyk.io>
Please note that the shown key validity is not necessarily correct
unless you restart the program.


% gpg --verify d.deb
gpg: Signature made Wed 04 Mar 2020 03:05:00 IST
gpg:                using RSA key F3781522A858A2C43D3BC997CA041CD1466FA2F8
gpg: Good signature from "Team Tyk (package signing) <team@tyk.io>" [ultimate]

If you do not trust the key ultimately, you will see the following warning.

% gpg --verify d.deb
gpg: Signature made Wed 04 Mar 2020 03:05:00 IST
gpg:                using RSA key F3781522A858A2C43D3BC997CA041CD1466FA2F8
gpg: Good signature from "Team Tyk (package signing) <team@tyk.io>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: A924 CCFF B430 E620 F35D 743D 802F 97F6 391A C324
     Subkey fingerprint: F378 1522 A858 A2C4 3D3B C997 CA04 1CD1 466F A2F8

How the keys were generated
===========================

GPG 2.1 and above will not allow you to export private keyrings to
arbitrary locations. To use batch mode, a temporary directory is
needed.

% mkdir tyk && chmod 700 tyk; export GNUPGHOME=./tyk

Create the key with one subkey.

% gpg --batch --gen-key pkg-keys.conf
gpg: keybox '/home/alok/work/tyk/src/rpmsign/./tyk/pubring.kbx' created
gpg: Generating a Tyk Signing Keys
gpg: This creates only one subkey due to a limitation in gpg batch processing.
gpg: Add the other signing key by hand using --edit-keys
gpg: /home/alok/work/tyk/src/rpmsign/./tyk/trustdb.gpg: trustdb created
gpg: key 802F97F6391AC324 marked as ultimately trusted
gpg: directory '/home/alok/work/tyk/src/rpmsign/./tyk/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/alok/work/tyk/src/rpmsign/./tyk/openpgp-revocs.d/A924CCFFB430E620F35D743D802F97F6391AC324.rev'
gpg: Done creating one subkey

Save the fingerprint.

% fpr=$(gpg --list-options show-only-fpr-mbox --list-secret-keys | awk '{print $1}')
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

Add the second key by hand. Note the fingerprints for use in the signing
scripts. Attempting to script this with --quick-add-key will
result in a 3072 bit key.

% gpg --edit-key $fpr
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/802F97F6391AC324
     created: 2020-03-03  expires: never       usage: SCEA
     trust: ultimate      validity: ultimate
ssb  rsa4096/A892D0365525F5D0
     created: 2020-03-03  expires: never       usage: S
[ultimate] (1). Team Tyk (package signing) <team@tyk.io>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilise the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/802F97F6391AC324
     created: 2020-03-03  expires: never       usage: SCEA
     trust: ultimate      validity: ultimate
ssb  rsa4096/A892D0365525F5D0
     created: 2020-03-03  expires: never       usage: S
ssb  rsa4096/CA041CD1466FA2F8
     created: 2020-03-03  expires: never       usage: S
[ultimate] (1). Team Tyk (package signing) <team@tyk.io>

Export the secret key in ASCII form; this file needs to be available to
unlock-agent.sh.

% gpg --armor --export-secret-keys --output tyk.io.signing.key

Tar up the temp dir for safekeeping.
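The script below is an added example and is not part of the tyk repository or of this README; it strings together the two procedures documented here (unattended generation in "How the keys were generated" and the checks in "Verification") so they can be run from one place. Everything in it that is not on this page is an assumption: the file name tyk-key-helpers.sh and the function names; the contents of pkg-keys.conf (the project's file is not shown, so it is rebuilt from the %echo lines and key properties visible in the gen-key output above); the default pinned fingerprint, which is the primary fingerprint from the example gpg --verify output above and must be replaced with the real key's fingerprint from `gpg --fingerprint team@tyk.io`; that GnuPG 2.2's `--quick-add-key` accepts the `rsa4096` algorithm string; and rpm's `%{RSAHEADER:pgpsig}` query format. The verification half goes beyond the README in one respect: instead of relying on the trust database (which only changes the [unknown]/[ultimate] annotation), it pins the signer's primary-key fingerprint from GnuPG's machine-readable status lines, so a "Good signature" from some other imported key is rejected.

```shell
#!/bin/sh
# tyk-key-helpers.sh (hypothetical name): added example, not part of the tyk repo.
# Wraps the two procedures in README.signatures: unattended generation of the
# package-signing key, and verification of packages against a PINNED fingerprint.
set -eu

# Primary-key fingerprint to pin. The default is the primary fingerprint shown in
# the example gpg --verify output in the README; replace it with the real key's
# value from `gpg --fingerprint team@tyk.io`. rpm prints only the 64-bit key id,
# which is the last 16 hex digits of this fingerprint.
PINNED_FPR="${PINNED_FPR:-A924CCFFB430E620F35D743D802F97F6391AC324}"

# ---- Generation --------------------------------------------------------------

# Write the gen-key parameter file. The project's pkg-keys.conf is not on the
# page; this one is reconstructed from the %echo lines and key properties (RSA
# 4096, usage SCEA, no expiry, one signing subkey) visible in the gen-key output.
# There is no Passphrase: line, so gpg 2.1+ asks for one through pinentry.
write_pkg_keys_conf() {
    out="$1"
    cat > "$out" <<'EOF'
%echo Generating a Tyk Signing Keys
%echo This creates only one subkey due to a limitation in gpg batch processing.
%echo Add the other signing key by hand using --edit-keys
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign,encrypt,auth
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: sign
Name-Real: Team Tyk
Name-Comment: package signing
Name-Email: team@tyk.io
Expire-Date: 0
%commit
%echo Done creating one subkey
EOF
    printf '%s\n' "$out"
}

# Generate the key in a fresh mode-0700 GNUPGHOME, add the second signing subkey,
# and export both the secret key (for unlock-agent.sh) and the public key (t.pub).
# Assumption: GnuPG 2.2's --quick-add-key accepts "rsa4096", which sidesteps the
# 3072-bit default the README warns about.
generate_signing_key() {
    dir="$1"
    mkdir -p "$dir" && chmod 700 "$dir"
    export GNUPGHOME="$dir"
    gpg --batch --gen-key "$(write_pkg_keys_conf "$dir/pkg-keys.conf")"
    fpr=$(gpg --list-options show-only-fpr-mbox --list-secret-keys | awk '{print $1}')
    gpg --batch --quick-add-key "$fpr" rsa4096 sign never
    gpg --armor --export-secret-keys --output "$dir/tyk.io.signing.key"
    gpg --armor --export team@tyk.io > "$dir/t.pub"
    printf '%s\n' "$fpr"
}

# ---- Verification ------------------------------------------------------------

# Read GnuPG --status-fd lines on stdin and succeed only if the signature is good
# AND the signing key's primary fingerprint (last field of VALIDSIG) equals $1.
# Pinning the fingerprint is what ties the package to the expected key; the
# [ultimate]/[unknown] annotation in the human-readable output only reflects the
# local trust database.
check_gpg_status() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "GOODSIG"  { good = 1 }
        $1 == "[GNUPG:]" && $2 == "BADSIG"   { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { if ($NF == want) pinned = 1 }
        END { if (good && pinned && !bad) exit 0; exit 1 }
    '
}

# Human-readable messages go to stderr; --status-fd 1 puts the status lines on stdout.
verify_deb() {
    gpg --status-fd 1 --verify "$1" 2>/dev/null | check_gpg_status "$PINNED_FPR"
}

# Compare rpm's signature key id (from the %{RSAHEADER:pgpsig} query format, e.g.
# "RSA/SHA256, <date>, Key ID 802f97f6391ac324") with the pinned fingerprint.
# An unsigned package yields "(none)", which has no Key ID and therefore fails.
check_rpm_sig_keyid() {
    want=$(printf '%s' "$PINNED_FPR" | tail -c 16 | tr 'A-F' 'a-f')
    have=$(printf '%s' "$1" | sed -n 's/.*Key ID \([0-9a-f]\{16\}\).*/\1/p')
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# rpm -K checks digests and signature against whatever keys were imported; the
# key id comparison then makes sure it was the pinned key and not just any of them.
verify_rpm() {
    rpm -K "$1" >/dev/null && check_rpm_sig_keyid "$(rpm -qp --qf '%{RSAHEADER:pgpsig}' "$1")"
}

case "${1:-}" in
    gen)        generate_signing_key "$2" ;;
    verify-deb) verify_deb "$2" && echo "OK: $2 signed by pinned key" ;;
    verify-rpm) verify_rpm "$2" && echo "OK: $2 signed by pinned key" ;;
esac
```

Typical use is `PINNED_FPR=<real fingerprint> sh tyk-key-helpers.sh verify-deb d.deb` (or `verify-rpm r.rpm`) on a host that has already imported t.pub; `sh tyk-key-helpers.sh gen ./tyk` reproduces the generation steps in a new GNUPGHOME and prints the primary fingerprint for the signing scripts.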

References:
https://tools.ietf.org/html/rfc4880#section-9.1
https://serverfault.com/a/962553
https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html#Unattended-GPG-key-generation
https://www.gnupg.org/gph/en/manual/x334.html