From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-sysadm/2011-January/002159.html | 122 +++++++++++++++++++++++++ 1 file changed, 122 insertions(+) create mode 100644 zarb-ml/mageia-sysadm/2011-January/002159.html (limited to 'zarb-ml/mageia-sysadm/2011-January/002159.html') diff --git a/zarb-ml/mageia-sysadm/2011-January/002159.html b/zarb-ml/mageia-sysadm/2011-January/002159.html new file mode 100644 index 000000000..e88c4dc36 --- /dev/null +++ b/zarb-ml/mageia-sysadm/2011-January/002159.html @@ -0,0 +1,122 @@ + + + + [Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl + + + + + + + + + +

[Mageia-sysadm] [814] - add a module to generate gnupg key ( similar to the one for openssl

+ nicolas vigier + boklm at mars-attacks.org +
+ Mon Jan 17 18:09:27 CET 2011 +

+
+ +
On Mon, 17 Jan 2011, Pascal Terjan wrote:
+
+> > 1 key for all is the simplest solution, as this is easiest, and do not
+> > requires a lot of work to update keys. There is also a simpler BS.
+> > However, this mean we cannot expire the keys. But this also mean that we
+> > can more easily have it signed, if we make it signed once, and do not
+> > need to redo it every time. ( see the gpg web of trust ).
+> 
+> Another solution is to have one key, signed by everyone and stored
+> safely (like, on a usb key in a bank), and use this key to sign the
+> keys that will sign packages (and that will be stored safely too but
+> have to be accessible on valstar). If we want to use a new key at some
+> point for signing packages, we just need to access that master key.
+
+It looks like a good idea.
+
+> >
+> > How do we sign
+> > ==============
+> >
+> > Again, point 3 have a impact here. Either we sign when uploaded, using
+> > youri, or using a custom action ( as current one do not permit to change
+> > uid ), or we use some custom cronjob to sign.
+
+I vote too for using a custom action, to store the key on a separate
+account, and use it with a script run with sudo.
+
+It can be done with a cron job too, but it will slower I think. Is there
+any advantage doing it with a cron job ?
+
+> >
+> > Or we sign when the release is made.
+
+That would mean having unsigned cauldron packages ?
+
+> >
+> > I would recommend using a custom action, as privilege separation sound
+> > like a good idea. I would prefer to avoid signing again the day of
+> > release, for reasons that were already given.
+> >
+> >
+> > Bonus, usage of the module :
+> > ============================
+> >
+> >    gnupg::keys { "cauldron":
+> >        email => "root@$domain",
+> >        key_name => "John the plop",
+> >        key_length => "4096"
+> >    }
+> >
+> > create a key cauldron.sec and cauldron.pub in /etc/gnupg/keys/. I am not
+> > sure of the format ( maybe have it exported would be good ), and I am
+> > not sure that putting everything in this directory is the good location.
+
+What are the permissions and owner on this directory ?
+
+
+ + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+ -- cgit v1.2.1
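Review bot: the commit message "Add zarb MLs html archives" gives no indication of where these archive pages come from or how they were produced (a pipermail export, a mirror copy, a hand edit), and since this view is limited to a single one of the added files, nothing in the diff records the mailing lists or the date range the import covers. Suggest adding a body line naming the source archive, the lists imported and the period covered, so the archive can be regenerated or extended consistently later; the visible file keeps the archive's own navigation text ("More information about the Mageia-sysadm mailing list"), so it would also help to state whether such links were left pointing at the original host or rewritten for this tree.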