keys/employees-keys/README.md: major redesign of the procedure #101
Merged
Conversation
This commit consists of the following changes:
- added table of contents
- added procedure of revocation certificate delivery to 3mdeb leader or manager
- added procedure for uploading keys to keys.openpgp.org
- simplified procedure of generating new keys through scripts/gen-new-employee-key.sh
- improved procedure of key generation using RSA4096, a non-expiring Certify key and 1-year valid Signing and Encrypting subkeys
- added procedure for how to recover in case a key is lost or compromised, or an employee no longer works at 3mdeb

Signed-off-by: Piotr Król <[email protected]>
pietrushnic requested review from macpijan, miczyg1, krystian-hebel and TomaszAIR on October 11, 2023 22:40
macpijan reviewed on Oct 12, 2023
Tested on GnuPG 2.2.40. The following is a sample debug run of this script, kept for future reference:

-----BEGIN
./scripts/gen-new-employee-key.sh "Your Name" "[email protected]"
+ '[' 2 -ne 2 ']'
+ KEY_NAME='Your Name'
+ [email protected]
+ KEY_COMMENT='Employee Cert Key'
+ [email protected]
++ cat
+ BATCH_FILE_CONTENT='%echo Generating a primary certification key and subkeys for signing and encryption
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Expire-Date: 0
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: sign
Name-Real: Your Name
Name-Comment: Employee Cert Key
Name-Email: [email protected]
%no-protection
%commit
%echo Key generation complete'
+ echo '%echo Generating a primary certification key and subkeys for signing and encryption
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Expire-Date: 0
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: sign
Name-Real: Your Name
Name-Comment: Employee Cert Key
Name-Email: [email protected]
%no-protection
%commit
%echo Key generation complete'
+ gpg --list-keys --keyid-format LONG
+ awk '{print $2}'
+ grep pub
+ cut -d/ -f2
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 24 signed: 10 trust: 0-, 0q, 0n, 0m, 0f, 24u
gpg: depth: 1 valid: 10 signed: 1 trust: 10-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2023-10-28
+ gpg --batch --generate-key temp_batch_file.txt
gpg: Generating a primary certification key and subkeys for signing and encryption
gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/8A55685F330C97073856914BAA41746B115C35E3.rev'
gpg: Key generation complete
+ gpg --list-keys --keyid-format LONG
+ cut -d/ -f2
+ awk '{print $2}'
gpg: checking the trustdb
+ grep pub
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 25 signed: 10 trust: 0-, 0q, 0n, 0m, 0f, 25u
gpg: depth: 1 valid: 10 signed: 1 trust: 10-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2023-10-28
++ comm -13 keys_before.txt keys_after.txt
+ KEY_ID=AA41746B115C35E3
+ rm keys_before.txt keys_after.txt
+ gpg --fingerprint AA41746B115C35E3
+ echo 'Key with ID AA41746B115C35E3 generated successfully.'
Key with ID AA41746B115C35E3 generated successfully.
+ gpg --command-fd 0 --edit-key AA41746B115C35E3
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/AA41746B115C35E3
     created: 2023-10-13  expires: never       usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/B642FA3402DD7BFA
     created: 2023-10-13  expires: never       usage: S
[ultimate] (1). Your Name (Employee Cert Key) <[email protected]>

sec  rsa4096/AA41746B115C35E3
     created: 2023-10-13  expires: never       usage: C
     trust: ultimate      validity: ultimate
ssb* rsa4096/B642FA3402DD7BFA
     created: 2023-10-13  expires: never       usage: S
[ultimate] (1). Your Name (Employee Cert Key) <[email protected]>

Changing expiration time for a subkey.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key expires at Sat 12 Oct 2024 01:00:35 PM CEST

sec  rsa4096/AA41746B115C35E3
     created: 2023-10-13  expires: never       usage: C
     trust: ultimate      validity: ultimate
ssb* rsa4096/B642FA3402DD7BFA
     created: 2023-10-13  expires: 2024-10-12  usage: S
[ultimate] (1). Your Name (Employee Cert Key) <[email protected]>

+ '[' 0 -ne 0 ']'
+ gpg --command-fd 0 --edit-key AA41746B115C35E3
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 25 signed: 10 trust: 0-, 0q, 0n, 0m, 0f, 25u
gpg: depth: 1 valid: 10 signed: 1 trust: 10-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2023-10-28
sec  rsa4096/AA41746B115C35E3
     created: 2023-10-13  expires: never       usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/B642FA3402DD7BFA
     created: 2023-10-13  expires: 2024-10-12  usage: S
[ultimate] (1). Your Name (Employee Cert Key) <[email protected]>

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
  (14) Existing key from card
RSA keys may be between 1024 and 4096 bits long.
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key expires at Sat 12 Oct 2024 01:00:35 PM CEST
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/AA41746B115C35E3
     created: 2023-10-13  expires: never       usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/B642FA3402DD7BFA
     created: 2023-10-13  expires: 2024-10-12  usage: S
ssb  rsa4096/00F397DEEBCC7649
     created: 2023-10-13  expires: 2024-10-12  usage: E
[ultimate] (1). Your Name (Employee Cert Key) <[email protected]>

+ '[' 0 -ne 0 ']'
+ gpg --armor --export 'Your Name (Employee Cert Key) <[email protected]>'
+ '[' 0 -ne 0 ']'
+ rm temp_batch_file.txt
+ echo 'Your KEY_ID: AA41746B115C35E3'
Your KEY_ID: AA41746B115C35E3
-----END

Signed-off-by: Piotr Król <[email protected]>
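The key policy described in the PR's first commit message (RSA 4096, a non-expiring certify-only primary key, signing and encryption subkeys valid for one year) can be checked mechanically against the listing of a freshly generated key, such as the one in the debug run above. The following is an added example, not code from the 3mdeb repository or its script: it parses `gpg --list-keys --with-colons` output and reports every deviation from that policy. The listing embedded below is a constructed sample that reuses the key IDs and fingerprint from the debug run; the e-mail address and UID hash are placeholders.

```python
from datetime import datetime, timezone

ONE_YEAR = 366 * 24 * 3600  # seconds; one day of slack for leap years

# Constructed sample of `gpg --list-keys --with-colons` output for a key made by the
# procedure: key IDs and fingerprint come from the debug run, the e-mail is a placeholder.
SAMPLE_LISTING = """\
pub:u:4096:1:AA41746B115C35E3:1697155200::::::cESC::::::23::0:
fpr:::::::::8A55685F330C97073856914BAA41746B115C35E3:
uid:u::::1697155200::0123456789ABCDEF0123456789ABCDEF01234567::Your Name (Employee Cert Key) <you@example.com>::::::::::0:
sub:u:4096:1:B642FA3402DD7BFA:1697155200:1728691200:::::s::::::23:
sub:u:4096:1:00F397DEEBCC7649:1697155200:1728691200:::::e::::::23:
"""

def _ts(field):
    """Date fields are epoch seconds (modern gpg) or YYYY-MM-DD (older); '' means never."""
    if not field:
        return None
    if field.isdigit():
        return int(field)
    return int(datetime.strptime(field, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp())

def check_employee_key(listing):
    """Return the list of policy violations; an empty list means the key is compliant."""
    problems, subkey_caps = [], set()
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sec", "sub", "ssb"):
            continue  # fpr/uid/tru records carry nothing the policy checks
        kind, bits, algo, keyid = f[0], f[2], f[3], f[4]
        created, expires = _ts(f[5]), _ts(f[6])
        own_caps = {c for c in f[11] if c.islower()}  # lowercase = this key's own usage flags
        if algo != "1" or bits != "4096":  # public-key algorithm 1 is RSA
            problems.append(f"{keyid}: expected RSA 4096, got algo {algo} / {bits} bits")
        if kind in ("pub", "sec"):
            if own_caps != {"c"}:
                problems.append(f"{keyid}: primary must be certify-only, has {''.join(sorted(own_caps))}")
            if expires is not None:
                problems.append(f"{keyid}: primary key must not expire")
        else:
            subkey_caps |= own_caps
            if expires is None:
                problems.append(f"{keyid}: subkey must have an expiration date")
            elif expires - created > ONE_YEAR:
                problems.append(f"{keyid}: subkey valid for longer than one year")
    for cap, name in (("s", "signing"), ("e", "encryption")):
        if cap not in subkey_caps:
            problems.append(f"missing {name} subkey")
    return problems
```

To check a real key, pass it the output of `gpg --list-keys --with-colons <KEY_ID>` before the key is uploaded or added to the repository.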
pietrushnic force-pushed the add_proce_for_revocation branch from 65a290c to b15bfdd on October 13, 2023 11:25
pietrushnic force-pushed the add_proce_for_revocation branch from b15bfdd to 282ec0a on October 13, 2023 11:26
Co-authored-by: Maciej Pijanowski <[email protected]>
Co-authored-by: Krystian Hebel <[email protected]>
--search-keys is better than --import because it shows a preview of the key before a decision is made, so we can confirm that it is the key we need by comparing the fingerprint, and we can also confirm that the key is not expired.

Signed-off-by: Piotr Król <[email protected]>
This commit implements an experimentally proven suggestion from review, which consists of using the last known safe date as the expiration date for the revoked key. This leads portals like GitHub to show that the key is both revoked and expired, while still keeping the green "verified signature" label for git commits.

Signed-off-by: Piotr Król <[email protected]>
As was pointed out during review, gpg has a hidden command which gives the ability to set an arbitrary date, down to the second: https://stackoverflow.com/a/55061328 So it is incorrect to claim that 1d is the minimal gpg granularity.

Signed-off-by: Piotr Król <[email protected]>
Not sure right now whether fixing the shellcheck error would break this.

Signed-off-by: Maciej Pijanowski <[email protected]>
This is already included in the pre-commit checks.

Signed-off-by: Maciej Pijanowski <[email protected]>
Pre commit
.pre-commit-config.yaml: disable shellcheck in pre-commit.ci
macpijan approved these changes on Nov 9, 2023