Feature #1777
Please provide cryptographically authenticated package downloads
| Field | Value |
|---|---|
| Status | Closed |
| Start | 11/27/2008 |
| Priority | High |
| Due date | |
| Assigned to | |
| % Done | 0% |
| Category | plumbing |
| Target version | 0.25.2 |
| Affected version | 0.24.6 |
| Branch | |
| Keywords | |
| Votes | 1 |
Description
The “DownloadingPuppet”:http://reductivelabs.com/trac/puppet/wiki/DownloadingPuppet page provides the release tarballs for puppet. These should be accompanied by a cryptographic authentication mechanism for verifying the source integrity. Preferably by providing detached OpenPGP signatures of the release tarball (like the linux kernel “provides”:http://kernel.org/signature.html), or by providing a cryptographic hash verification.
Without this, there is no way to ensure that any given tarball, or file on this page, is a legitimate uncompromised copy of the source that the puppet project is releasing. All it takes is for someone to compromise a development host, and upload a modified tarball release to effectively compromise a very large segment of managed infrastructure that depends on puppet.
History
Updated by James Turnbull over 1 year ago
- Category changed from web to plumbing
- Status changed from Unreviewed to Accepted
- Assigned to set to Luke Kanies
- Target version set to unplanned
Luke I don’t have any desire to mess with the reductivelabs-build library.
Updated by Luke Kanies over 1 year ago
- Target version changed from unplanned to 0.25.0
Updated by micah - over 1 year ago
So a few things need to be done to do this. The hard part is getting set up; once you get through this process, there will just be one command that has to be run during a release by the build process to sign the release and then publish that signature file.
So, to get things setup:
- Create, once, a reductive labs release gpg key, this should probably be done by Luke or James. This key will be the release signing key; you could also use your personal gpg keys, if you wish, but it’s probably better to have a “role” key that has been signed by your individual keys:
$ mkdir release_key
$ chmod 700 release_key
$ gpg --homedir release_key --gen-key
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: keyring `release_key/secring.gpg' created
gpg: keyring `release_key/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 5
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 2y
Key expires at Thu 09 Dec 2010 05:52:59 PM EST
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrich@duesseldorf.de>"
Real name: Reductive Labs Release Key
Real name: Reductive Labs Release Key
Email address: info@reductivelabs.com
Comment:
You selected this USER-ID:
"Reductive Labs Release Key <info@reductivelabs.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
Enter passphrase:
Repeat passphrase:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..+++++++
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 290 more bytes)
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++.+++++++++++++++.+++++++++++++++++++++++++..++++++++++++++++++++.++++++++++
public and secret key created and signed.
gpg: release_key/trustdb.gpg: trustdb created
gpg: key marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2010-12-09
pub 4096R/ 2008-12-09 [expires: 2010-12-09]
Key fingerprint = 160A AE84 83D7 BC63 0BE6 49D2 B3E7 3CDF
uid                  Reductive Labs Release Key <info@reductivelabs.com>
Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a subkey for this purpose.
- Create a revocation certificate, and put it somewhere that you won’t forget, so you can revoke this key. Make sure you substitute the key ID below with the one that you got from the above step!
$ gpg --homedir release_key --gen-revoke > release_key/revoke.gpg.asc

sec  4096R/ 2008-12-09 Reductive Labs Release Key <info@reductivelabs.com>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
> Pre-generated revocation certificate, to be used to revoke the Reductive Labs
> Release signing key when necessary
>
Reason for revocation: Key has been compromised
Pre-generated revocation certificate, to be used to revoke the Reductive Labs
Release signing key when necessary
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Reductive Labs Release Key <info@reductivelabs.com>"
4096-bit RSA key, ID , created 2008-12-09

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
$ chmod 400 release_key/revoke.gpg.asc
- Export the public key to a file that can be put up on the wiki:
$ gpg --homedir release_key --export --armor info@reductivelabs.org > release_key/reductivelabs_releasekey.gpg.asc
- Import this key into your personal gpg keyring. Note that you are not specifying the homedir option in the following! Also note that you must already have a personal GPG key on this system!
$ gpg --import release_key/reductivelabs_releasekey.gpg.asc
gpg: key: public key "Reductive Labs Release Key <info@reductivelabs.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
- Sign this key with your personal gpg key. NOTE: you are not specifying the homedir option here:
$ gpg --sign-key info@reductivelabs.com

pub  4096R/  created: 2008-12-09  expires: 2010-12-09  usage: SC
                     trust: unknown       validity: unknown
[ unknown] (1). Reductive Labs Release Key <info@reductivelabs.com>

pub  4096R/  created: 2008-12-09  expires: 2010-12-09  usage: SC
                     trust: unknown       validity: unknown
 Primary key fingerprint: 160A AE84 83D7 BC63 0BE6 49D2 B3E7 3CDF

     Reductive Labs Release Key <info@reductivelabs.com>

This key is due to expire on 2010-12-09.
Are you sure that you want to sign this key with your
key "James " ( )

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "James "
1024-bit DSA key, ID , created 2000-05-07

gpg: gpg-agent is not available in this session
- Send this key to the keyservers. This will send the public key and your signature to the public keyservers. NOTE: you are not specifying the homedir option here:
$ gpg --keyserver pool.sks-keyservers.net --send-key
Get Luke to also sign the release key. You can send him the secret key material (encrypt this!!) and the passphrase; he can then import the public key, sign it with his key and send it to the keyservers.
Now use this key to sign releases! To do that you will want to create the tarball, and then do:
$ gpg --homedir $HOME/release_key --detach-sign --output puppet-0.24.7.tar.gz.sign --armor puppet-0.24.7.tar.gz

You need a passphrase to unlock the secret key for
user: "Reductive Labs Release Key"
4096-bit RSA key, ID , created 2008-12-09

Enter passphrase:

$ cat puppet-0.24.7.tar.gz.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

-----END PGP SIGNATURE-----
Now this .sign file can be included on the webpage, alongside the release, and people can download it along with the release tarball and then verify it.
Create a page on the wiki detailing how people can verify the release, I’ve “done this”:http://reductivelabs.com/trac/puppet/wiki/VerifyingDownloads
When meeting up with puppet users, exchange fingerprints and sign each other’s keys. This will strengthen the web of trust, and give people a trust path to your keys which will help in the release verification. There is plenty of documentation online about the right way to exchange keys, but the basic process is to make sure you have your key fingerprint printed out (on a business card is nice, or use gpg-key2ps to create PS output of your fingerprint nicely formatted for paper slips; the only thing left for you to do is to cut the paper), give that to the other person, show them your ID, and they do the same to you. When you get home, you can use the program ‘caff’ (it’s in the debian package called signing-party, or it can be checked out of svn here: http://pgp-tools.alioth.debian.org/) to sign the key and send the signature off to the user. Caff requires a local MTA to be installed.
Updated by Luke Kanies over 1 year ago
You’ve provided very thorough directions, thank you.
I’ll get this key setup done in the next couple of days.
Updated by James Turnbull 10 months ago
- Assigned to changed from Luke Kanies to James Turnbull
- Target version changed from 2.6.0 to 0.25.2
Updated by James Turnbull 9 months ago
- Assigned to changed from James Turnbull to Luke Kanies
Luke – can you now do the following (it might also be worth getting anyone else whom we know and trust with keys to sign it: Teyo, others, etc.).
1. Download the public key

$ wget http://reductivelabs.com/trac/puppet/attachment/wiki/DownloadingPuppet/reductivelabs_releasekey.gpg.asc

2. Import this key into your personal gpg keyring. Also note that you must already have a personal GPG key on this system!

$ gpg --import release_key/reductivelabs_releasekey.gpg.asc
gpg: key 8347A27F: public key "Reductive Labs Release Key" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

3. Sign this key with your personal gpg key

$ gpg --sign-key info@reductivelabs.com

pub  4096R/8347A27F  created: 2008-12-09  expires: 2010-12-09  usage: SC
                     trust: unknown       validity: unknown
[ unknown] (1). Reductive Labs Release Key

pub  4096R/8347A27F  created: 2008-12-09  expires: 2010-12-09  usage: SC
                     trust: unknown       validity: unknown
 Primary key fingerprint: 9C6C 5452 4691 2EE7 00FB 5682 FFAC 8658 8347 A27F

     Reductive Labs Release Key

This key is due to expire on 2010-12-09.
Are you sure that you want to sign this key with your
key "Luke " ( )

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "Luke "
1024-bit DSA key, ID , created 2000-05-07

gpg: gpg-agent is not available in this session

4. Send this key to the keyservers, this will send the public key and your signature to the public keyservers

$ gpg --keyserver pool.sks-keyservers.net --send-key
I’ve added verification instructions to the wiki on the DownloadingPuppet page.
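As an added example (not from the ticket or the Puppet project), here is a POSIX sh verifier for the workflow above: it checks the detached signature produced in micah's signing step against the release key downloaded in steps 1 and 2, but pins the key by the full fingerprint printed in step 3 instead of accepting any key in the keyring, and it parses GnuPG's --status-fd output so that bad, expired, revoked or unknown keys are rejected. The function names `check_gpg_status` and `verify_release` are chosen here; the fingerprint is the one from step 3.

```shell
#!/bin/sh
# Added example (not from the ticket): verify a release tarball against its
# detached signature with the release key pinned by full fingerprint.
# Fingerprint taken from the --sign-key output in the ticket's step 3.
RELEASE_KEY_FPR="9C6C545246912EE700FB5682FFAC86588347A27F"

# Read GnuPG "--status-fd" lines on stdin and accept only a GOODSIG whose
# VALIDSIG fingerprint (signing key or its primary key) equals "$1".
# A plain exit-code check is weaker: gpg exits 0 for a good signature from
# any key in the keyring, and an expired key is only flagged as EXPKEYSIG.
check_gpg_status() {
    want="$1"
    good=0
    valid=0
    while read -r tag field1 field2 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$field1" in
            GOODSIG) good=1 ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                echo "rejected: $field1 $field2"
                return 1 ;;
            NO_PUBKEY)
                echo "rejected: signing key $field2 not in keyring"
                return 1 ;;
            VALIDSIG)
                # field2 is the signing (sub)key fingerprint; the last field
                # of the line is the primary key fingerprint.
                primary="${rest##* }"
                if [ "$field2" = "$want" ] || [ "$primary" = "$want" ]; then
                    valid=1
                fi ;;
        esac
    done
    if [ "$good" = 1 ] && [ "$valid" = 1 ]; then
        echo "ok: good signature from pinned key"
        return 0
    fi
    echo "rejected: no valid signature from $want"
    return 1
}

# verify_release <tarball> <detached signature file>
# e.g. verify_release puppet-0.24.7.tar.gz puppet-0.24.7.tar.gz.asc
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" | check_gpg_status "$RELEASE_KEY_FPR"
}
```

The exit status of `verify_release` is that of `check_gpg_status`, so it can gate an unpack step directly with `&&`.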
Updated by Ohad Levy 8 months ago
Use http://reductivelabs.com/trac/puppet/attachment/wiki/DownloadingPuppet/reductivelabs_releasekey.gpg.asc?format=raw for the key.
Updated by James Turnbull 8 months ago
- Status changed from Accepted to Closed
Closed – will be 100% when Luke signs the key.
Updated by Luke Kanies 8 months ago
Ok, I think I’ve done everything in this, including sending my public key to the listed keyserver.