Revision 1.3, 2003-03-30, author rse; log: polish GnuPG step-by-steps
#use wml::template page=gnupg \
%body
\
The OpenPKG project uses OpenPGP (RFC 2440) public key cryptography for digitally signing RPM release packages and Security Advisories for released packages. To check the integrity of those RPM packages and security advisories, you need GNU Privacy Guard (GnuPG). The following is a short step-by-step summary of how to set up and use GnuPG for OpenPKG.
  1. Installing GnuPG

    Make sure you have the GnuPG command line tool "gpg" in your $PATH. The easiest way is to install the OpenPKG gnupg package.

    # install OpenPKG GnuPG package
    $ prefix/bin/rpm --rebuild ftp://ftp.openpkg.org/release/1.2/SRC/gnupg-1.2.1-1.2.0.src.rpm
    [...]
    $ su -
    root# prefix/bin/rpm -Uvh prefix/RPM/PKG/gnupg-1.2.1-1.2.0.*.rpm
    Preparing...                ########################################### [100%]
       1:gnupg                  ########################################### [100%]
    root# exit
    $ PATH=prefix/bin:$PATH

  2. Importing OpenPKG key into GnuPG

    Now you have to import the OpenPKG public key into GnuPG. You can either fetch it directly from the key server pgp.openpkg.org or from the website, or, if you already have an OpenPKG instance under prefix, import the copy from there.

    # alternative 1: import from key server
    $ gpg --recv-keys --keyserver hkp://pgp.openpkg.org 63C4CB9F
    gpg: key 63C4CB9F: public key "OpenPKG <openpkg@openpkg.org>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1

    # alternative 2: import from website
    $ lynx -source http://www.openpkg.org/openpkg.pgp | gpg --import
    gpg: key 63C4CB9F: public key "OpenPKG <openpkg@openpkg.org>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1

    # alternative 3: import from local copy
    $ gpg --import prefix/etc/openpkg/openpkg.pgp
    gpg: key 63C4CB9F: public key "OpenPKG <openpkg@openpkg.org>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1

  3. Verify Integrity of Public Key

    Then you have to verify the integrity of the OpenPKG public key by checking that its fingerprint is "6D96 EFCF CF75 3288 10DB 40C2 8075 93E0 63C4 CB9F".

    $ gpg --fingerprint 63C4CB9F
    pub  1024D/63C4CB9F 2002-01-31 OpenPKG <openpkg@openpkg.org>
         Key fingerprint = 6D96 EFCF CF75 3288 10DB 40C2 8075 93E0 63C4 CB9F
    sub  2048g/DCC7EF11 2002-01-31

  4. Sign the Public Key

    If the fingerprint is correct, you usually want to either sign the key with your own private key (assuming you have already created one with "gpg --gen-key") or at least mark it explicitly as trusted in the GnuPG trust database.

    # alternative 1: sign the OpenPKG public key with own private secret key
    $ gpg --sign-key 63C4CB9F
    gpg: checking the trustdb
    gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
    pub  1024D/63C4CB9F  created: 2002-01-31 expires: never      trust: -/-
    sub  2048g/DCC7EF11  created: 2002-01-31 expires: never
    (1). OpenPKG <openpkg@openpkg.org>

    pub  1024D/63C4CB9F  created: 2002-01-31 expires: never      trust: -/-
     Primary key fingerprint: 6D96 EFCF CF75 3288 10DB 40C2 8075 93E0 63C4 CB9F

         OpenPKG <openpkg@openpkg.org>

    How carefully have you verified the key you are about to sign actually belongs
    to the person named above?  If you don't know what to answer, enter "0".

       (0) I will not answer. (default)
       (1) I have not checked at all.
       (2) I have done casual checking.
       (3) I have done very careful checking.

    Your selection? 2

    Are you really sure that you want to sign this key
    with your key: "Your Name <your.name@example.com>"

    I have checked this key casually.

    Really sign? y

    You need a passphrase to unlock the secret key for
    user: "Your name <your.name@example.com>"
    1024-bit DSA key, ID XXXXXXXX, created 200X-XX-XX

    # alternative 2: mark the OpenPKG public key as trusted
    $ gpg --update-trustdb --trusted-key 807593E063C4CB9F
    gpg: key 63C4CB9F marked as ultimately trusted
    gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1

  5. Verify OpenPKG Security Advisories or RPM Packages

    After these preparations you can verify the digital signature of OpenPKG security advisories and OpenPKG RPM packages:

    # verify digital signature on a security advisory
    $ w3m -dump http://www.openpkg.org/security/OpenPKG-SA-2003.026-openssl.txt | gpg --verify
    gpg: Signature made Thu Mar 20 21:20:49 2003 CET using DSA key ID 63C4CB9F
    gpg: Good signature from "OpenPKG <openpkg@openpkg.org>"

    # verify digital signature on an RPM (release) package
    $ rpm --checksig ftp://ftp.openpkg.org/release/1.2/SRC/gnupg-1.2.1-1.2.0.src.rpm
    MD5 sum OK: 572ae1ff2a18b789b13ada544db40fad
    gpg: Signature made Tue Jan 21 15:54:41 2003 CET using DSA key ID 63C4CB9F
    gpg: Good signature from "OpenPKG <openpkg@openpkg.org>"
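    Steps 3 and 5 above rely on a person reading the gpg output. The following script, an added example that is not part of the OpenPKG page, turns the fingerprint check and the signature check into functions that fail closed; the key ID and fingerprint are the page's values, while the function names, the OPENPKG_PREFIX variable and the embedded sample strings are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the OpenPKG page: the fingerprint check of
# step 3 and the signature check of step 5, written so a script fails closed
# instead of relying on someone reading the gpg output. Key ID and fingerprint
# are the values printed on the page; function names are this example's own.
OPENPKG_KEYID="63C4CB9F"
OPENPKG_FPR="6D96 EFCF CF75 3288 10DB 40C2 8075 93E0 63C4 CB9F"

# Canonical form of a fingerprint: no whitespace, upper case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Read "gpg --fingerprint KEYID" output on stdin and compare the primary key
# fingerprint with $1. The short key ID is not an identity check; the full
# fingerprint is what step 3 asks you to compare. Returns 0 on match.
fpr_matches() {
    got=$(sed -n 's/^.*Key fingerprint = //p' | head -n 1)
    [ -n "$got" ] || return 1
    [ "$(norm_fpr "$got")" = "$(norm_fpr "$1")" ]
}

# Read "gpg --verify" / "rpm --checksig" diagnostics on stdin and accept only
# a "Good signature" made with key ID $1 and no "BAD signature" line.
sig_good() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'BAD signature' && return 1
    printf '%s\n' "$out" | grep -q "using DSA key ID $1" || return 1
    printf '%s\n' "$out" | grep -q 'Good signature from'
}

# Driver for real use: import the local copy (step 2, alternative 3), check
# the fingerprint, then verify the advisory or .rpm given as $1.
# OPENPKG_PREFIX is assumed to hold the instance prefix (the page's "prefix").
verify_openpkg() {
    gpg --import "${OPENPKG_PREFIX:?}/etc/openpkg/openpkg.pgp" 2>/dev/null
    gpg --fingerprint "$OPENPKG_KEYID" | fpr_matches "$OPENPKG_FPR" \
        || { echo "fingerprint mismatch, not trusting key" >&2; return 1; }
    case "$1" in
        *.rpm) rpm --checksig "$1" 2>&1 ;;
        *)     gpg --verify "$1" 2>&1 ;;
    esac | sig_good "$OPENPKG_KEYID"
}

# Constructed samples, copied from the page's transcripts, for offline checks.
SAMPLE_FPR='pub  1024D/63C4CB9F 2002-01-31 OpenPKG <openpkg@openpkg.org>
     Key fingerprint = 6D96 EFCF CF75 3288 10DB 40C2 8075 93E0 63C4 CB9F
sub  2048g/DCC7EF11 2002-01-31'
SAMPLE_SIG='gpg: Signature made Thu Mar 20 21:20:49 2003 CET using DSA key ID 63C4CB9F
gpg: Good signature from "OpenPKG <openpkg@openpkg.org>"'
```

    Run it as `OPENPKG_PREFIX=/path/to/instance sh script.sh` and call `verify_openpkg FILE`; a fingerprint mismatch stops before any signature is checked.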
