On Fri, Mar 22, 2013 at 4:47 AM, wrote:
> On Fri, 22 Mar 2013, Panagiotis Christopoulos wrote:
>>
>> I'm not sure if it's related, but have you set PORTAGE_GPG_DIR and/or
>> PORTAGE_GPG_KEY in your make.conf?
>
> Sure:
>
> PORTAGE_GPG_DIR="/home/grozin/.gnupg"
> PORTAGE_GPG_KEY="00C6DAB1!"
>
> Ev
On Fri, 22 Mar 2013, Panagiotis Christopoulos wrote:
I'm not sure if it's related, but have you set PORTAGE_GPG_DIR and/or
PORTAGE_GPG_KEY in your make.conf?
Sure:
PORTAGE_GPG_DIR="/home/grozin/.gnupg"
PORTAGE_GPG_KEY="00C6DAB1!"
Even if I'll be able to configure gpg-agent properly, this will s
On 13:37 Fri 22 Mar , gro...@gentoo.org wrote:
> Sorry to bother you again, but I still cannot do signed commits. I don't
> know what else to try.
> ...
> >>> Creating Manifest for /home/gentoo-x86/media-gfx/fotoxx
> gpg: no default secret key: No secret key
> gpg: /home/gentoo-x86/media-gfx/f
Sorry to bother you again, but I still cannot do signed commits. I don't
know what else to try.
On Thu, 14 Mar 2013, Robin H. Johnson wrote:
On Thu, Mar 14, 2013 at 10:50:00AM +0700, gro...@gentoo.org wrote:
But my first attempt to do a signed commit has failed:
Your GPG agent is broken/missi
On Thu, Mar 14, 2013 at 11:33:36PM -0400, Michael Mol wrote:
> > So Debian has a test-gpg function already? Do you know where in their
> > codebase it is?
> No idea; a build system I'd cobbled together at the time prodded
> gpg-agent to get an interactive auth. The build-and-package step took
> too
On Fri, Mar 15, 2013 at 05:44:20AM +0100, Michał Górny wrote:
> On Fri, 15 Mar 2013 03:18:18 +
> "Robin H. Johnson" wrote:
>
> > if one-phase commit:
> > - gpg test
> > - gpg sign
> > - commit1
> Why do we need additional 'gpg test' here?
In the case of git commit signing, repoman is not dire
On Fri, 15 Mar 2013 03:18:18 +
"Robin H. Johnson" wrote:
> if one-phase commit:
> - gpg test
> - gpg sign
> - commit1
Why do we need additional 'gpg test' here?
--
Best regards,
Michał Górny
On 03/14/2013 11:18 PM, Robin H. Johnson wrote:
> On Thu, Mar 14, 2013 at 10:32:30PM -0400, Michael Mol wrote:
>>> As to how to accomplish this, it's either a throwaway sig, or poking the
>>> agent protocol directly.
>> The only trouble with that is if the agent is configured to only unlock
>> keys
On Thu, Mar 14, 2013 at 10:32:30PM -0400, Michael Mol wrote:
> > As to how to accomplish this, it's either a throwaway sig, or poking the
> > agent protocol directly.
> The only trouble with that is if the agent is configured to only unlock
> keys for limited periods of time, then your initial chec
On 03/14/2013 09:01 PM, Robin H. Johnson wrote:
> On Thu, Mar 14, 2013 at 05:14:15PM +0100, Michał Górny wrote:
>> If that means doing an additional signature every time something is
>> going to be committed, that sounds like an overkill. If we were to do
>> something radical, I'd rather be in favo
On Thu, Mar 14, 2013 at 05:14:15PM +0100, Michał Górny wrote:
> If that means doing an additional signature every time something is
> going to be committed, that sounds like an overkill. If we were to do
> something radical, I'd rather be in favor of disabling keyword
> expansion completely and fin
On Thu, Mar 14, 2013 at 09:30:19AM -0700, Zac Medico wrote:
> We could do that if we simply add all files using the cvs -kb option.
> However, Fabian has requested that we keep the keywords for the purposes
> of his prefix tree merging script:
> http://www.mail-archive.com/gentoo-dev@lists.gentoo.o
On 03/14/2013 09:14 AM, Michał Górny wrote:
> On Thu, 14 Mar 2013 08:26:04 -0700
> Zac Medico wrote:
>
>> On 03/14/2013 02:12 AM, Robin H. Johnson wrote:
But my first attempt to do a signed commit has failed:
>>> Your GPG agent is broken/missing.
>>>
>>> zmedico/portage-dev:
>>> Maybe a goo
On Thu, 14 Mar 2013 08:26:04 -0700
Zac Medico wrote:
> On 03/14/2013 02:12 AM, Robin H. Johnson wrote:
> >> But my first attempt to do a signed commit has failed:
> > Your GPG agent is broken/missing.
> >
> > zmedico/portage-dev:
> > Maybe a good idea to check for agent sanity before trying to
On 03/14/2013 02:12 AM, Robin H. Johnson wrote:
>> But my first attempt to do a signed commit has failed:
> Your GPG agent is broken/missing.
>
> zmedico/portage-dev:
> Maybe a good idea to check for agent sanity before trying to use it?
Yeah, we could have it do a test signature to verify that
Please don't CC me directly, you explicitly ignored the Reply-To header
that this list has.
On Thu, Mar 14, 2013 at 10:50:00AM +0700, gro...@gentoo.org wrote:
> I've followed all the instructions successfully (I think). By the way, the
> following lines need a small correction:
>
> perl_ldap -b
On 14/03/13 04:50, gro...@gentoo.org wrote:
> Hello *,
>
> I've followed all the instructions successfully (I think). By the way, the
> following lines need a small correction:
>
> perl_ldap -b user -M gpgkey
> perl_ldap -b user -M gpgfingerprint
>
> perl_ldap says that attributes of type m
Hello *,
I've followed all the instructions successfully (I think). By the way, the
following lines need a small correction:
perl_ldap -b user -M gpgkey
perl_ldap -b user -M gpgfingerprint
perl_ldap says that attributes of type multiple cannot be modified. I had
to delete these attribute
On Wed, Feb 27, 2013 at 11:04 AM, Robin H. Johnson wrote:
> Thanks for the partial response Luis.
>
> On Wed, Feb 27, 2013 at 04:12:14PM +0100, Luis Ressel wrote:
>> On Tue, 26 Feb 2013 17:10:56 +0700 (NOVT)
>> gro...@gentoo.org wrote:
>>
>> > Hello *,
>> > I am stuck and have many questions.
>
>
Thanks for the partial response Luis.
On Wed, Feb 27, 2013 at 04:12:14PM +0100, Luis Ressel wrote:
> On Tue, 26 Feb 2013 17:10:56 +0700 (NOVT)
> gro...@gentoo.org wrote:
>
> > Hello *,
> > I am stuck and have many questions.
New addition to the instructions:
0. Copy /usr/share/gnupg/gpg-conf.ske
On Tue, 26 Feb 2013 17:10:56 +0700 (NOVT)
gro...@gentoo.org wrote:
> Hello *,
> I am stuck and have many questions.
> [In the process of becoming a dev, I've generated a gpg key, of course. It
> was on an old notebook. When I switched to a newer notebook, I forgot to
> copy it, because I don't
Hello *,
I am stuck and have many questions.
[In the process of becoming a dev, I've generated a gpg key, of course. It
was on an old notebook. When I switched to a newer notebook, I forgot to
copy it, because I don't use gpg regularly. No risk that it became known -
the disk was re-partitio
On 21 February 2013 09:09, Michał Górny wrote:
> On Mon, 18 Feb 2013 23:27:46 +
> "Robin H. Johnson" wrote:
>
>> Recommendations:
>>
>> 3. Dedicated Gentoo signing subkey of EITHER:
>> 3.1. DSA 2048 bits
>> 3.2. RSA 4096 bits
>
> As a note for those who didn't know this; to m
On Mon, 18 Feb 2013 23:27:46 +
"Robin H. Johnson" wrote:
> Recommendations:
>
> 3. Dedicated Gentoo signing subkey of EITHER:
> 3.1. DSA 2048 bits
> 3.2. RSA 4096 bits
As a note for those who didn't know this; to make gpg use the dedicated
subkey, you need to append an excla
On Wed, 20 Feb 2013 21:37:38 +
"Robin H. Johnson" wrote:
> Ideally keeping your primary key offline to increase security.
>
> However, the original theory was that if there was some attack that
> required a large amount of ciphertext or a targeted plaintext input,
> you would be limiting the
On Wed, Feb 20, 2013 at 09:38:38PM +0100, Luis Ressel wrote:
> On Mon, 18 Feb 2013 23:27:46 +
> "Robin H. Johnson" wrote:
> > 3. Dedicated Gentoo signing subkey
> What's the point of this, btw?
Ideally keeping your primary key offline to increase security.
However, the original theory was tha
On Wed, Feb 20, 2013 at 09:22:05PM +0100, Andreas K. Huettel wrote:
> Which of course brings up the question, why the hardcoded 4096 limit in
> GnuPG... but I guess that's not our problem yet.
> https://www.google.de/search?q=gnupg+rsa+8192
Standards interoperability. >RSA4096 will not work on leg
On Mon, 18 Feb 2013 23:27:46 +
"Robin H. Johnson" wrote:
> 3. Dedicated Gentoo signing subkey
What's the point of this, btw?
Luis
On Wednesday, 20 February 2013, 20:36:22, Robin H. Johnson wrote:
>
> Speed for i7-2600K CPU:
> DSA1024 0.007980s
> DSA2048 0.011940s
> DSA3072 0.013530s
> RSA1024 0.007000s
> RSA2048 0.012290s
> RSA3072 0.018420s
> RSA4096 0.030800s
>
Which of course brings up the question, why the hardcoded 40
On Wed, Feb 20, 2013 at 01:41:03PM -0500, James Cloos wrote:
> > "RHJ" == Robin H Johnson writes:
>
> RHJ> 2. Root key type of RSA, 4096 bits
> rsa 4k provides no real benefits over rsa 3k here; it is just slower
> for everyone, signing or verifying.
You can shorten the subkeys, but the root
> "RHJ" == Robin H Johnson writes:
RHJ> 2. Root key type of RSA, 4096 bits
rsa 4k provides no real benefits over rsa 3k here; it is just slower
for everyone, signing or verifying.
Cf, eg, http://www.nsa.gov/business/programs/elliptic_curve.shtml which
recommends rsa 3k for use with aes128/s
On Tue, Feb 19, 2013 at 10:32:13PM -0800, Alec Warner wrote:
> I agree that a smartcard is much better security vs a longer key. I
> don't think attackers targeting Gentoo are going to brute force the
> key. They are going to steal the key, trivially, by exploiting a 0-day
> in a crappy browser, o
On Tue, Feb 19, 2013 at 7:12 PM, Robin H. Johnson wrote:
> On Wed, Feb 20, 2013 at 01:34:57AM +0100, Stefan Behte wrote:
>> > 2. root key & signing subkey of EITHER: 2.1. DSA, 1024 or 2048 bits
>> > 2.2. RSA, >=2048 bits
> ...
>> 1024 DSA keys seem pretty short to me. Surely it might be inconvenie
On Wed, Feb 20, 2013 at 01:34:57AM +0100, Stefan Behte wrote:
> > 2. root key & signing subkey of EITHER: 2.1. DSA, 1024 or 2048 bits
> > 2.2. RSA, >=2048 bits
...
> 1024 DSA keys seem pretty short to me. Surely it might be inconvenient
> for some (2-3? please write a mail here!) people with smart
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Just some quick thoughts on this:
> 2. root key & signing subkey of EITHER: 2.1. DSA, 1024 or 2048 bits
> 2.2. RSA, >=2048 bits
I don't really agree. From your own link
(https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#dont-use-pgp-mit-ed
On Mon, Feb 18, 2013 at 11:38 PM, Kent Fredric wrote:
>> The key rotation as described in RiseUp best practices should be a very
>> rare occurrence. Each dev is going to run it at most once.
>>
>
> Some material I read recommended doing a key rotation every 6 months,
> which I did for a while unti
> The key rotation as described in RiseUp best practices should be a very
> rare occurrence. Each dev is going to run it at most once.
>
Some material I read recommended doing a key rotation every 6 months,
which I did for a while until it got tiresome to perform the rotation.
I believe the ratio
On Mon, Feb 18, 2013 at 11:27:46PM +, Robin H. Johnson wrote:
> Bare minimum requirements:
> --
[...]
> 3. Key expiry: 5 years.
I am assuming we are requiring a maximum of 5 years for key expiry. We
might want to make it explicit. On first reading, it sounded like key
On Tue, 2013-02-19 at 04:09 +, Robin H. Johnson wrote:
> On Tue, Feb 19, 2013 at 04:36:08PM +1300, Kent Fredric wrote:
> > It may be advantageous to have a gentoo wrapper script that calls GPG
> > with recommended settings to make some tasks easier,
> > > gentoo-gpg-create --recommended
> > >
On Tue, Feb 19, 2013 at 04:36:08PM +1300, Kent Fredric wrote:
> It may be advantageous to have a gentoo wrapper script that calls GPG
> with recommended settings to make some tasks easier,
> > gentoo-gpg-create --recommended
> > EDITOR=vim gentoo-gpg-rotation --recommended --old=DEADBEEF
> and g
It may be advantageous to have a gentoo wrapper script that calls GPG
with recommended settings to make some tasks easier,
> gentoo-gpg-create --recommended
> EDITOR=vim gentoo-gpg-rotation --recommended --old=DEADBEEF
and gentoo-gpg-rotation would make a templated key-expiry document,
edited
On Mon, Feb 18, 2013 at 11:27:46PM +, Robin H. Johnson wrote:
> 2. root key & signing subkey of EITHER:
> 2.1. DSA, 1024 or 2048 bits
> 2.2. RSA, >=2048 bits
> 3. Key expiry: 5 years.
Clarification on reason:
These key sizes are the largest supported by many smartcards.
--
Robin Hugh Johnson
Hi all,
I've been asked a couple of times in IRC and other mediums, about what
GPG key settings etc to use. I would not call these final yet, but should
be fairly close to final.
This was originally intended to be part of the tree-signing GLEP series, but
was in one of the unpublished ones (G