[Savannah-cvs] [439] Update documentation on using GnuPG.
From: ineiev
Subject: [Savannah-cvs] [439] Update documentation on using GnuPG.
Date: Mon, 1 Mar 2021 13:53:52 -0500 (EST)
Revision: 439
http://svn.savannah.gnu.org/viewvc/?view=rev&root=administration&revision=439
Author: ineiev
Date: 2021-03-01 13:53:51 -0500 (Mon, 01 Mar 2021)
Log Message:
-----------
Update documentation on using GnuPG.
Modified Paths:
--------------
trunk/sviki/DownloadArea.mdwn
trunk/sviki/UsingGpg.mdwn
Modified: trunk/sviki/DownloadArea.mdwn
===================================================================
--- trunk/sviki/DownloadArea.mdwn 2021-02-21 14:16:34 UTC (rev 438)
+++ trunk/sviki/DownloadArea.mdwn 2021-03-01 18:53:51 UTC (rev 439)
@@ -5,10 +5,8 @@
alpha.gnu.org, you currently need to follow the [maintainer
guide](http://www.gnu.org/prep/maintain/html_node/Automated-FTP-Uploads.html).
-On Savannah, you can use scp to upload your GPG
-signed files. To begin, please add your GPG key by logging in to
-Savannah using
-<https://savannah.gnu.org/my/admin/change.php?item=gpgkey>
+On Savannah, you can use scp to upload your GPG signed files. To begin,
+please add your GPG keys to the Public Information of your project.
For each upload destined for Savannah, two files need to be uploaded.
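Review bot: The new sentence "please add your GPG keys to the Public Information of your project" drops the direct URL without giving the reader another pointer, and it does not say who is allowed to do this. The UsingGpg.mdwn change in this same revision states that the keys are edited in the Public Information of the project and that "you need to be an admin of the group in order to edit it", so link [[UsingGpg]] here and mention the admin requirement, otherwise a non-admin committer will look for the setting and not find it.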
@@ -18,7 +16,7 @@
For example this will produce a file named `foo.tar.gz.sig`:
- gpg -b --use-agent foo.tar.gz
+ gpg -b foo.tar.gz
To verify it:
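Review bot: Style point on the changed `gpg -b foo.tar.gz` line: since the command is being edited anyway, the long form `gpg --detach-sign foo.tar.gz` would be easier for readers who do not know the short options. The per-distribution `gpg-agent` installation list that remains further down (visible as context in the next hunk) was the companion to `--use-agent`, so it is worth a sentence saying whether that list is still something the reader has to act on.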
@@ -37,6 +35,10 @@
`rpm`)
- Gentoo GNU/Linux: `gpg-agent` (install with `emerge`)
+If you have signatures from more people, you can join them:
+
+ cat foo.tar.gz.sig1 foo.tar.gz.sig2 ... foo.tar.gz.sigN > foo.tar.gz.sig
+
Then you can use scp to upload your file:
# Give read permissions to your files!
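Review bot: The added `cat foo.tar.gz.sig1 foo.tar.gz.sig2 ... foo.tar.gz.sigN > foo.tar.gz.sig` line does not say which format the joined signatures must be in. The `gpg -b` example earlier in this file produces binary signatures, and the UsingGpg.mdwn text added in this revision lists mixing ASCII-armored and binary data as a known import failure for keys, so state here that all inputs should be binary detached signatures of the same `foo.tar.gz`. It would also help to say that the literal `...` is a placeholder, and that every signer's key has to be among the registered release keys for a downloader to check the combined file.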
@@ -43,8 +45,11 @@
chmod 644 *
# Upload the files
- scp release.tar.gz you@dl.sv.nongnu.org:/releases/project/
+ scp release.tar.gz.sig release.tar.gz
you@dl.sv.nongnu.org:/releases/project/
+Note that unlike ftp.gnu.org, Savannah doesn't enforce using GPG signatures
+for releases, and doesn't verify them when they are used.
+
If you upload subdirectories, be sure to chmod a+rx them.
As of 2019-06-11, rsync for upload and sftp don't work. Use scp.
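Review bot: The added note that Savannah "doesn't enforce using GPG signatures for releases, and doesn't verify them when they are used" stops short of telling the reader what follows from it: verification is left entirely to whoever downloads the file. Add a sentence pointing downloaders at the registered release keys (the `release-gpgkeys.php?group=_project_` URL documented in UsingGpg.mdwn in this revision) and at the "To verify it:" step above, so the note reads as an instruction rather than only a caveat.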
Modified: trunk/sviki/UsingGpg.mdwn
===================================================================
--- trunk/sviki/UsingGpg.mdwn 2021-02-21 14:16:34 UTC (rev 438)
+++ trunk/sviki/UsingGpg.mdwn 2021-03-01 18:53:51 UTC (rev 439)
@@ -1,3 +1,75 @@
-Please see the tutorials on the [GnuPG](http://www.gnupg.org/) website.
+Using GnuPG on Savannah
+=======================
-See also [[DownloadArea]] for some basics.
+Savannah has two kinds of keys:
+
+* Personal keys.
+* Group release keys.
+
+Savannah provides a basic testing facility, you can use it when
+adding keys. The test button imports the entered keys to a temporary
+keyring, then lists them and (for personal keys) encrypts a sample
+text. Make sure that you only register the keys you intended,
+and that you can decrypt the generated message.
+
+Personal Keys
+-------------
+
+Personal GPG keys are used for encrypted communications
+with users and [[recovering their accounts|LostAccounts]].
+
+To begin, please add your GPG key by logging in to
+Savannah using
+<https://savannah.gnu.org/my/admin/change.php?item=gpgkey>
+
+Your GPG key should have at least one usable subkey with encryption
+capability.
+
+Now, you can enable encryption checking the "Encrypt emails when
+resetting password" in <https://savannah.gnu.org/my/admin/>.
+Please keep your key current: GnuPG won't encrypt messages to
+expired keys.
+
+Other people can get your key via the "Download GPG Key" link
+on https://savannah.gnu.org/users/_user_, where _user_ is your account name.
+
+Group Release Keys
+------------------
+
+Group release keys are used for verifying the integrity of files in the
Download
+Area. These keys are registered in the Public Information of each Savannah
+project; you need to be an admin of the group in order to edit it.
+
+The registered keys are available via
+https://savannah.gnu.org/project/release-gpgkeys.php?group=_project_, where
+_project_ is the "system name" of your group.
+
+[[How to upload a signed release|DownloadArea]].
+
+Group GPG Keyring
+-----------------
+
+Historically, the Main page of Savannah projects linked to concatenated
+GPG keys of all members as
+https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=_project_,
+and it was supposed to be used as the release keys for the group.
+This URL still works, but in March, 2021 the link on the Main page
+of the project was replaced with a link to Group Release Keys.
+
+The old approach had a number of shortcomings:
+
+* no way to register keys for personal contact separate
+ from the keys for releases;
+* no way to register separate keys for different groups;
+* GnuPG couldn't import keys when some members provided
+ ASCII-armored keys while other ones used the binary format;
+* for projects with many members, the visitors were offered
+ many more keys than needed; moreover, a mistake in the account
+ of any member (like exporting the whole local keyring) could
+ compromise the releases.
+
+More Info
+---------
+
+[GnuPG website](https://www.gnupg.org/) has more tutorials, manuals and other
+documentation.
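Review bot: The "Group Release Keys" section is missing the requirements that "Personal Keys" spells out. Personal keys get "should have at least one usable subkey with encryption capability" and "Please keep your key current", but the release section does not say that a release key needs a usable signing key or what project admins should do when a registered key expires. Since the last bullet of "Group GPG Keyring" names exporting the whole local keyring as a way to compromise releases, it is also worth repeating in this section that the test button output should be checked so that only the intended keys are registered. Minor: "Savannah provides a basic testing facility, you can use it when adding keys." is a comma splice; split it or use a semicolon.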