Legacy/PGPHowTo

= The Fedora Legacy GnuPG HOWTO Page =

This is the start of a Fedora Legacy GnuPG (GNU Privacy Guard) HOWTO page. It is a work in progress. For additional information, you may want to consult the GnuPG FAQ. Note that we use the terms "GnuPG" and "GPG" interchangeably.

== When to use GPG signing? ==
Generally you should clear sign your messages or postings when the reader needs to trust that the message really came from you. Below is an incomplete list of things that should always be clear signed:

 1. sha1sums of packages, tarballs, sources, patches etc.
 2. QA result postings in Bugzilla

== Preliminary Steps ==
First, you must have GnuPG (or equivalent) installed and properly set up on your machine. Complete instructions on doing this are beyond the scope of this document (at this time). However, if you run yum on Fedora Core or Red Hat Linux, you can probably just do:

{{{
yum install gnupg
}}}

Similarly for apt on Fedora Core and Red Hat Linux, you can do:

{{{
apt-get install gnupg
}}}

Second, you must create a GPG key for yourself. Complete instructions on doing this are beyond the scope of this document (at this time). However, the basic idea is to issue the command:

{{{
gpg --gen-key
}}}

and then answer all the prompts that follow. For most fields, the defaults should be fine. Just be sure to put in your name and your email address and pick a good passphrase! At the end of the process, gpg will output some lines that look similar to the following:

{{{
pub  1024D/86182970 2004-02-06 Just A. Test
     Key fingerprint = E467 045D 0180 8726 F917 74A7 CA78 2901 8618 2970
sub  1024g/76AC068B 2004-02-06
}}}

Take note of the string of letters and numbers after the word "pub" above. The part after the slash is your keyid; in the example above it is "86182970", and this is what you use to refer to your key. Note that the keyid is simply the last eight hex digits of the full key fingerprint printed on the following line.

Next, you should publish your public key to a public keyserver such as pgp.mit.edu. You can do this via the command:

{{{
gpg --keyserver pgp.mit.edu --send-key
}}}

where the last argument is the keyid of the key you wish to publish. Using the example key above, the command would be:

{{{
gpg --keyserver pgp.mit.edu --send-key 86182970
}}}

Last, you may optionally take steps to join the GPG web of trust. This is beyond the scope of this document (at this time). If you need help doing this, ask for help on the IRC or mailing list.

== Clear Signing a Short Message Interactively ==
If you have a short message, you can sign it interactively with the gpg --clearsign command. An example is:

{{{
% gpg --clearsign
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

You need a passphrase to unlock the secret key for
user: "Eric Jon Rostetter "
1024-bit DSA key, ID 49C7A0F2, created 2004-02-06

Enter passphrase:
This is a trusted message.
}}}

When prompted, enter your gpg passphrase and then press the Enter key. Then, when prompted, enter the message you want to sign. When done with your message, press the Control-D key combination to sign the message. The signed message will be output to your screen as follows:

{{{
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a trusted message.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFBQK9m4jZRbknHoPIRAhP0AJ4yKi3o08KDeqjPm0jHX77lrZ2KWwCghcvg
8PL+o67MFGlkQMLIOtAfx+M=
=E61A
-----END PGP SIGNATURE-----
}}}

The signed message is everything between and including the lines -----BEGIN PGP SIGNED MESSAGE----- and -----END PGP SIGNATURE----- as shown above. Post it exactly as printed; the Hash: header, the blank line after it, and the whole signature block are all needed to verify it.

== Clear Signing a Message in a File ==
The above example is useful for short messages, but for longer messages it is best to sign the contents of a file instead. Create a file containing the contents you want to sign, then use the following command format to sign the file (in this example, the file is called message.txt).

{{{
% gpg --clearsign message.txt
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

You need a passphrase to unlock the secret key for
user: "Eric Jon Rostetter "
1024-bit DSA key, ID 49C7A0F2, created 2004-02-06

Enter passphrase:
}}}

Enter your passphrase and press the Enter key. The command should finish and exit without any further output to the screen. You should now find a new file called message.txt.asc (the original file name with the suffix ".asc" appended to it) which contains the PGP clearsigned message.

== Why does Bugzilla break my signatures? ==
Bugzilla's text entry box will wrap text if your lines are too long. If it does this, your gpg signature will be broken. Since any change to a message, no matter how slight, will invalidate the signature, this line wrapping will invalidate your posting. So be sure to wrap the text before you clearsign it, and post the signed result unchanged. Keeping all lines under 72 characters should be sufficient.
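As an added example (not from the original page), a small Python parser for the clearsigned layout shown above, together with the line-length check implied by the Bugzilla note. The sample message is constructed from the page's own example, and the 72-column limit is the one this page recommends.

```python
# Added example, not part of the original page: parse a clearsigned message
# and check its lines are short enough to survive a form that wraps text.
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample, laid out like the clearsigned message on this page.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a trusted message.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFBQK9m4jZRbknHoPIRAhP0AJ4yKi3o08KDeqjPm0jHX77lrZ2KWwCghcvg
8PL+o67MFGlkQMLIOtAfx+M=
=E61A
-----END PGP SIGNATURE-----
"""


def parse_clearsigned(text):
    """Return (hash_algorithms, signed_text, signature_block).

    Framing per RFC 4880 section 7: 'Hash:' headers up to the first blank
    line, then the text (lines starting with '-' are dash-escaped as '- '
    and are unescaped here), then the armored signature.  A missing framing
    line, the usual result of a form mangling a posting, raises ValueError.
    """
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN_MSG)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("not a complete clearsigned message") from None
    algos, i = [], start + 1
    while i < sig_start and lines[i] != "":
        name, _, value = lines[i].partition(":")
        if name.strip() == "Hash":
            algos += [a.strip() for a in value.split(",")]
        i += 1
    body = [ln[2:] if ln.startswith("- ") else ln for ln in lines[i + 1:sig_start]]
    return algos, "\n".join(body), "\n".join(lines[sig_start:sig_end + 1])


def long_lines(text, limit=72):
    """1-based numbers of lines longer than limit, i.e. the lines Bugzilla
    would wrap and thereby break the signature over."""
    return [n for n, ln in enumerate(text.splitlines(), 1) if len(ln) > limit]
```

Run long_lines on the text before signing; any line it reports should be re-wrapped first, since a wrapped line in the posted copy changes the signed text.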

== How do I protect my pgp keys? ==
The two main methods of protecting your key are your file system security and the passphrase. You want to keep anyone from stealing a copy of your secret key. If someone does manage such a thing, they still have to guess your passphrase in order to use the key to do anything nasty. So keep your system secure and choose a strong passphrase.

Also, it's best to generate a revocation certificate. This is something that can be used in case you ever lose your key, forget your passphrase, or find that someone has compromised your system and stolen your key. That's done by running:

{{{
gpg --gen-revoke
}}}

giving it the keyid from when you generated your key as its argument.

Follow the prompts, enter your passphrase, and save the output someplace safe (like on a CD-ROM). Keep it as safe as the key itself: anyone who can read the certificate can publish it and revoke your key.

== How do I post my key in my SelfIntroduction? ==
When people post a self introduction to the mailing list, it should include some information about their gpg key. The way to generate this information is with the following command:

{{{
gpg --fingerprint
}}}

giving it the keyid from when you generated your key as its argument. The output, which you include in your SelfIntroduction, would look something like the following:

{{{
% gpg --fingerprint 86182970
pub  1024D/86182970 2004-02-06 Just A. Test
     Key fingerprint = E467 045D 0180 8726 F917 74A7 CA78 2901 8618 2970
sub  1024g/76AC068B 2004-02-06
}}}