Commit f5b4bbab authored by amnesia

Document our new OpenPGP keys and management policy.

parent fe261689
......@@ -167,7 +167,7 @@ AMNESIA_FULL_VERSION="${AMNESIA_VERSION} - ${AMNESIA_TODAY}"
# Developpers' data used by git-dch, debcommit and friends in the release script
AMNESIA_DEV_FULLNAME="amnesia"
AMNESIA_DEV_EMAIL="amnesia@boum.org"
AMNESIA_DEV_KEYID="F93E735F"
AMNESIA_DEV_KEYID="BE2CD9C1"
# Supported languages (displayed in this order by the syslinux menu)
AMNESIA_SUPPORTED_LANGUAGES="ar zh de en fr it pt es"
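Review bot: `AMNESIA_DEV_KEYID="BE2CD9C1"` is a 32-bit short key ID, and git-dch, debcommit and the release script hand it straight to GnuPG, where a short ID can match more than one key in a keyring; consider storing the full fingerprint from the new key-details block instead (`0D24 B36A A9A2 A651 7878 7645 1202 821C BE2C D9C1`, without spaces), which GnuPG accepts wherever a key ID is expected and which cannot be confused with another key.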
T(A)ILS developers maintain several OpenPGP key pairs.
[[!toc levels=2]]
Mailing-list key
================
Purpose
-------
### Encryption
This key has an encryption subkey. Please use it to encrypt email sent
to the core developers encrypted mailing-list: <amnesia@boum.org>.
### Signature
This key also has the capability to sign and certify. Until T(A)ILS
0.5 and 0.6~rc3, released images were signed by this key. This purpose
is now deprecated: further releases will be signed by a dedicated,
safer signing key. As of 2010 October 7th, our mailing-list key
signature only means our mailing-list software checked the signed
content was originally OpenPGP-signed by a T(A)ILS core developer.
Policy
------
The secret key material and its passphrase are stored on the server
that runs our encrypted mailing-list software and on systems managed
by core T(A)ILS developers.
This means people other than T(A)ILS developers are in a position to
use this secret key. T(A)ILS developers trust these people enough to
rely on them for running our encrypted mailing-list, but still: this
key pair is managed in a less safe way than our signing key.
Key details
-----------
pub 4096R/F93E735F 2009-08-14 [expires: 2014-08-13]
Key fingerprint = 09F6 BC8F EEC9 D8EE 005D BAA4 1D29 75ED F93E 735F
uid Amnesia <amnesia@boum.org>
uid T(A)ILS developers (Schleuder mailing-list) <amnesia@boum.org>
sub 4096R/E89382EB 2009-08-14 [expires: 2014-08-13]
To receive our GnuPG public key, you can either
[download it from this website](https://amnesia.boum.org/amnesia.asc),
fetch it from your favourite keyserver, or send an email to
<amnesia@boum.org> with "send key!" as the subject:
How to get the public key?
--------------------------
There are multiple ways to get this OpenPGP public key:
- [download it from this website](https://amnesia.boum.org/amnesia.asc)
- fetch it from your favourite keyserver
- send an email to <amnesia-sendkey@boum.org>.
Signing key
===========
Purpose
-------
This key only has the capability to sign and certify: it has no
encryption subkey.
Its only purpose is:
- to sign T(A)ILS released images (starting with 0.6)
- to certify other cryptographic public keys needed for T(A)ILS
development.
Policy
------
The secret key material will never be stored on an online server or on
systems managed by anyone else than T(A)ILS core developers.
Key details
-----------
pub 4096R/BE2CD9C1 2010-10-07 [expires: 2012-10-06]
Key fingerprint = 0D24 B36A A9A2 A651 7878 7645 1202 821C BE2C D9C1
uid T(A)ILS developers (signing key) <amnesia@boum.org>
How to get the public key?
--------------------------
Subject: send key!
There are multiple ways to get this OpenPGP public key:
The body of that email must be left blank.
- [download it from this website](https://amnesia.boum.org/amnesia.asc)
- fetch it from your favourite keyserver.
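Review bot: the "How to get the public key?" section for the signing key points at the same `https://amnesia.boum.org/amnesia.asc` file as the mailing-list key, so the document should say whether that file carries both keys or only one; and since neither a download nor a keyserver fetch proves authenticity, both sections should tell the reader to compare the fetched key's fingerprint with the one printed in the "Key details" block above. The signing-key "Policy" paragraph also says where the secret key will never be stored, but not how the holders protect it or what happens when it expires on 2012-10-06; a short note on rotation and revocation would make the policy complete.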
......@@ -71,7 +71,7 @@ Second, copy the built images to these brand new directories.
Third, generate detached GnuPG signatures for every published image,
in the same directory as the image; e.g.
gpg --armor --default-key F93E735F --detach-sign *.iso
gpg --armor --default-key BE2CD9C1 --detach-sign *.iso
Fourth, create a `.torrent` file for every directory to be published:
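Review bot: the release document still does not say where this signing step runs; since the new signing key's secret material is never kept on an online server, consider stating here that `gpg --armor --default-key BE2CD9C1 --detach-sign *.iso` is executed on a machine that actually holds that key. As with the config file, the full fingerprint is a safer argument to `--default-key` than the short ID.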
......@@ -91,7 +91,7 @@ Sixth, generate the SHA-256 hash of every generated `.torrent` file:
Seventh, generate detached GnuPG signatures for every published
`.torrent` file:
gpg --armor --default-key F93E735F --detach-sign \
gpg --armor --default-key BE2CD9C1 --detach-sign \
amnesia-i386-gnome-0.3-20091126.torrent
Eight, generate the SHA-256 hash of every image to be released:
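Review bot: the example file name `amnesia-i386-gnome-0.3-20091126.torrent` in the unchanged line after the command predates the 0.6 release this key is meant to sign from, so it is worth refreshing it so the example matches what the new key will actually sign; the following step header should also read "Eighth" rather than "Eight".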
......@@ -138,7 +138,7 @@ record the last commit before tagging happens:
Tag the release in Git
======================
git tag -u F93E735F -m "tagging version ${NEW_VERSION}" "${NEW_VERSION}"
git tag -u BE2CD9C1 -m "tagging version ${NEW_VERSION}" "${NEW_VERSION}"
Go wild!
========
......
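Review bot: `git tag -u BE2CD9C1` hard-codes the key ID a second time, while the last hunk of this commit sets `user.signingkey BE2CD9C1` in the Git config; using `git tag -s` here would pick up the configured key and leave a single place to update at the next rotation (the key expires 2012-10-06).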
......@@ -24,3 +24,8 @@ in every of your local clones' directories:
git config user.name amnesia
git config user.email amnesia@boum.org
If you might need to prepare T(A)ILS releases, you'll also need to
make the development team signing key the default one for Git tags:
git config user.signingkey BE2CD9C1
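Review bot: the surrounding context says these `git config` commands are run "in every of your local clones' directories", so the new paragraph should say that `git config user.signingkey BE2CD9C1` likewise has to be repeated per clone (or be given `--global`); it should also mention that the setting only works on a machine whose GnuPG keyring holds the secret signing key, which under the new policy is only core developers' systems.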