On Thu, 25 Apr 2019 11:30:27 -0400 Alec Warner <anta...@gentoo.org> wrote:
> > Seeing as separating the primary and the signing key has been part of
> > OpenPGP best practices for a long, long time, I have got highly mixed
> > feelings about this statement. On the one hand, it is not reasonable to
> > expect someone with no or minimal prior knowledge of OpenPGP to master
> > it overnight. On the other, we are not just some random people from Teh
> > Intarwebz and we *have* been using OpenPGP signatures on commits for
> > quite a while now.
>
> This is untrue though; we *are* random people from teh interwebs.
>
> I store my primary key on my desktop.
> I don't have copies of my primary key.
> My primary key is protected by a passphrase.
> Most of the time it's cached in gpg-agent, so the passphrase is easily
> stealable by local attackers.
> I've been a dev for like > 10 years.
>
> I assume that every other dev does the same. Obviously some do not (and
> I've spoken to many who have better practices) but I assume
> people do the lazy / easy thing and I highly recommend this assumption. If
> you assume that people have your security practices, you should prepare to
> be disappointed.
>
> Many devs have *no idea* how GPG works.
> GPG is quite possibly the worst program I've ever been forced to use in
> terms of doing any operation, particularly around setup (hmm maybe Imation
> Ironkeys were worse?)
> Many devs are just following the wiki instructions and get what they get.

I can sort of echo this. I believe I'm close to the recommendations now but
it took me several evenings to actually wrap my head around all this and even
then, I still felt very nervous setting it up and I had to rehearse it
beforehand. As a professional software engineer for many years, it really
shouldn't be this hard.

People talk about GPG best practices but it was really difficult to find a
reliable up-to-date guide and it certainly doesn't feel like best practice
when you have to manually delete ~/.gnupg/private-keys-v1.d/KEYGRIP.key,
where KEYGRIP is returned by the obscure --with-keygrip option.

-- 
James Le Cuirot (chewi)
Gentoo Linux Developer
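The keygrip-deletion step James describes above, written out as a POSIX sh script. This is an added example, not code from the mail or from Gentoo's wiki. It assumes GnuPG 2.1 or later (the private-keys-v1.d layout), a POSIX awk and sed, and that the keyring in use is $GNUPGHOME or ~/.gnupg; the key ids, fingerprints and keygrips in the sample listing are constructed, not real keys. The parsing functions run offline against that sample; offline_primary needs a real gpg and a real key.

```shell
#!/bin/sh
# Added example (not from the original mail): take the primary OpenPGP secret
# key offline while leaving the signing subkey usable, via the keygrip file
# that James mentions. Assumes GnuPG 2.1+ and a POSIX awk/sed.

# Keygrip of the primary key, read from a
#   gpg --with-colons --with-keygrip --list-secret-keys
# listing on stdin. Each sec:/ssb: record is followed by its fpr: and grp:
# records, with the value in field 10. The first grp: after sec: belongs to
# the primary key; grp: records after ssb: belong to subkeys and are skipped.
primary_keygrip() {
    awk -F: '
        $1 == "sec" { in_primary = 1; next }
        $1 == "ssb" { in_primary = 0 }
        in_primary && $1 == "grp" { print $10; exit }
    '
}

# "stub" when the primary secret key is already absent (what gpg -K shows as
# sec#), "present" otherwise. Field 15 of a sec: record is "#" for a stub.
primary_status() {
    awk -F: '$1 == "sec" { if ($15 == "#") print "stub"; else print "present"; exit }'
}

# The procedure itself. KEYID is a fingerprint or long key id, BACKUP a path
# on offline storage. There is no undo after the rm, hence the export first.
# (gpg --delete-secret-keys would remove the subkeys too, which is why the
# file under private-keys-v1.d is deleted directly.)
offline_primary() {
    keyid=$1
    backup=$2
    keydir=${GNUPGHOME:-$HOME/.gnupg}/private-keys-v1.d

    gpg --export-secret-keys --armor "$keyid" > "$backup" || return 1

    grip=$(gpg --with-colons --with-keygrip --list-secret-keys "$keyid" | primary_keygrip)
    [ -n "$grip" ] || { echo "no primary keygrip for $keyid" >&2; return 1; }

    rm -- "$keydir/$grip.key" || return 1

    # Verify: gpg -K should now show sec# for the primary and ssb for subkeys.
    [ "$(gpg --with-colons --list-secret-keys "$keyid" | primary_status)" = stub ]
}

# Constructed sample listing (fake ids, fingerprints and keygrips) so the
# parsing functions can run without gpg installed.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1556200000:::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:u::::1556200000::0000000000000000000000000000000000000000::Example Dev <dev@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1556200000::::::s:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
grp:::::::::76543210FEDCBA9876543210FEDCBA9876543210:'

# The same listing after the primary key file is gone: field 15 of sec: is "#".
STUB_LISTING=$(printf '%s\n' "$SAMPLE_LISTING" | sed '1s/:+:/:#:/')

# Stand-alone demo on the constructed sample (no gpg needed).
printf 'primary keygrip: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | primary_keygrip)"
printf 'before: %s, after: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LISTING" | primary_status)" \
    "$(printf '%s\n' "$STUB_LISTING" | primary_status)"
```

Run it as a library (`. ./offline-primary.sh; offline_primary <KEYID> /media/offline/primary.asc`) once the backup medium is mounted; check the backup imports cleanly somewhere else before trusting it, because the rm is the point of no return. The colon format is parsed rather than the human-readable listing because `--with-colons` is the interface GnuPG documents as stable for scripts.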