Google Git
Sign in
apache / infrastructure-website / refs/heads/create-pull-request/patch / . / output / openpgp.html
blob: 0d2576dcce250aff12fa0da58aaf10bc3d15abb1 [file] [log] [blame]
<!doctype html>
<html class="no-js" lang="en" dir="ltr">
<head>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Cryptography with OpenPGP - Apache Infrastructure Website</title>
<link href="/css/bootstrap.min.css" rel="stylesheet">
<link href="/css/fontawesome.all.min.css" rel="stylesheet">
<link href="/css/headerlink.css" rel="stylesheet">
<script src="/highlight/highlight.min.js"></script> </head>
<body class="d-flex flex-column h-100">
<main class="flex-shrink-0">
<div>
<!-- nav bar -->
<nav class="navbar navbar-expand-lg navbar-dark bg-dark" aria-label="Fifth navbar example">
<div class="container-fluid">
<a class="navbar-brand" href="/"><img src="/images/feather.png" style="height: 32px;"/> Apache Infrastructure</a>
<button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarADP" aria-controls="navbarADP" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarADP">
<ul class="navbar-nav me-auto mb-2 mb-lg-0">
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" data-bs-toggle="dropdown" aria-expanded="false">About</a>
<ul class="dropdown-menu">
<li><a class="dropdown-item" href="/team.html">About the team</a></li>
<li><a class="dropdown-item" href="/roundtable.html">The Infrastructure Roundtable</a></li>
<li><a class="dropdown-item" href="/blog/">The Infrastructure Blog</a></li>
</ul>
</li>
<li class="nav-item">
<a class="nav-link" href="/policies.html">Policies</a>
</li>
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" data-bs-toggle="dropdown" aria-expanded="false">Services and Tools</a>
<ul class="dropdown-menu">
<li><a class="dropdown-item" href="/services.html">Services and Tools</a></li>
<li><a class="dropdown-item" href="/machines.html">Machines and Fingerprints</a></li>
<li><a class="dropdown-item" href="https://blocky.apache.org/">Blocky</a></li>
<li><a class="dropdown-item" href="https://app.datadoghq.com/account/login?next=%2Finfrastructure">DataDog</a></li>
<li><a class="dropdown-item" href="https://whimsy.apache.org/roster/committer/" target="_blank">Committer Search</a></li>
</ul>
</li>
<li class="nav-item dropdown">
<a class="nav-link dropdown-toggle" href="#" data-bs-toggle="dropdown" aria-expanded="false">Documentation</a>
<ul class="dropdown-menu">
<li><a class="dropdown-item" href="/doc.html">Contribute</a></li>
<li><a class="dropdown-item" href="/infra-volunteer.html">Volunteer with Infra</a></li>
<li><a class="dropdown-item" href="/how-to-mirror.html">Become an ASF download mirror</a></li>
<li><a class="dropdown-item" href="/hosting-external-agent.html">Host a Jenkins or Buildbot agent</a></li>
</ul>
</li>
<li class="nav-item">
<a class="nav-link" href="/stats.html">Status</a>
</li>
<li class="nav-item">
<a class="nav-link" href="/contact.html">Contact Us</a>
</li>
</ul>
</div>
</div>
</nav>
<!-- page contents -->
<div id="contents">
<div class="bg-white p-5 rounded">
<div class="col-sm-8 mx-auto">
<h1>
Cryptography with OpenPGP
</h1>
<h3>Contents</h3>
<ul>
<li><a href="#introduction">Introduction</a></li>
<li><a href="#gnupg">Gnu Privacy Guard</a></li>
<li><a href="#generate-key">How to generate a strong key</a></li>
<li><a href="#private-keyring-management">Private keyring management</a></li>
</ul>
<p>How to...</p>
<ul>
<li><a href="#find-key-id">find a key ID</a></li>
<li><a href="#backup">back up keys</a></li>
<li><a href="#export-key">export a key</a></li>
<li><a href="#secret-key-transfer">transfer a secret key</a></li>
<li><a href="#transition">transition from an old to a new key</a></li>
<li><a href="#revocation-certs">use revocation certificates</a></li>
<li><a href="#symmetric">use symmetric encryption</a></li>
<li><a href="#update">update Apache documents with details of a new key</a></li>
<li><a href="#wot">use the Web of Trust</a></li>
</ul>
<h2 id="introduction">Introduction<a class="headerlink" href="#introduction" title="Permanent link">&para;</a></h2>
<p><a href="https://keys.openpgp.org/" target="_blank">OpenPGP</a> is encryption software. The program provides cryptographic privacy and authentication for data communication, covering signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and increasing the security of e-mail communications.</p>
<p>Reliable cryptography applications follow OpenPGP, an open standard of Pretty Good Privacy (PGP) encryption software, standard (RFC 4880), for encrypting and decrypting data.</p>
<h2 id="gnupg">Gnu Privacy Guard (GPG)<a class="headerlink" href="#gnupg" title="Permanent link">&para;</a></h2>
<p>The Apaches Software Foundation recommends using <a href="https://www.gnupg.org" target="_blank">Gnu Privacy Guard (GPG)</a>, a well-known open source cryptography tool with OpenPGP support. Always use the latest version.</p>
<p>GnuPG has a good set of <a href="https://www.gnupg.org/documentation" target="_blank">documentation</a>. This guide covers only some important points.</p>
<h3 id="home">GnuPG Home<a class="headerlink" href="#home" title="Permanent link">&para;</a></h3>
<p>GnuPG stores important files, including keyrings and configuration files, in a home directory. You can specify your project's home directory in an environmental variable or on the command line. This allows different configurations and keys to be used.</p>
<p>For example:</p>
<div class="highlight"><pre><span></span><code> ::console
$ gpg --homedir /home/alice/keys --list-keys
</code></pre></div>
<p>Projects generally rely on the default. For <code>\*nux</code> (linux, BSD, MacOSX, Solaris, AIX) this is:</p>
<div class="highlight"><pre><span></span><code> :::shell
$HOME/.gnupg
</code></pre></div>
<h4 id="switch-home">How to switch Home<a class="headerlink" href="#switch-home" title="Permanent link">&para;</a></h4>
<p>You can set Home using an environmental variable. This lets you select a specific configuration and keyring for the duration of a
command line session. This is useful when <a href="release-signing.html#safe-practice">practicing</a> and when using multiple keyrings.</p>
<p>For example, to set home directory to <code>alice</code> when using Linux:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="p">:::</span><span class="n">console</span>
<span class="w"> </span><span class="o">$</span><span class="w"> </span><span class="k">export</span><span class="w"> </span><span class="n">GNUPGHOME</span><span class="o">=</span><span class="n">alice</span>
</code></pre></div>
<p>When switching key rings, check that the required keyring has been selected by examining the secret keys. For example:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="o">::</span><span class="err">:</span><span class="n">console</span>
<span class="w"> </span><span class="err">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="n">list</span><span class="o">-</span><span class="n">secret</span><span class="o">-</span><span class="n">keys</span>
<span class="w"> </span><span class="n">alice</span><span class="o">/</span><span class="n">secring</span><span class="p">.</span><span class="n">gpg</span>
<span class="w"> </span><span class="o">-----------------</span>
<span class="w"> </span><span class="n">sec</span><span class="w"> </span><span class="mi">4096</span><span class="n">R</span><span class="o">/</span><span class="n">E2B054B8</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span>
<span class="w"> </span><span class="n">uid</span><span class="w"> </span><span class="n">Alice</span><span class="w"> </span><span class="n">Example</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">NEW</span><span class="w"> </span><span class="k">KEY</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">alice</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="n">ssb</span><span class="w"> </span><span class="mi">4096</span><span class="n">R</span><span class="o">/</span><span class="mi">4</span><span class="n">A6D5217</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span>
</code></pre></div>
<h3 id="configuration">Configuration<a class="headerlink" href="#configuration" title="Permanent link">&para;</a></h3>
<p>GnuPG supports a wide range of configuration options. You can specify them on the command line, but it is usually more convenient to set them in the <code>gpg.conf</code> file. By default, this is located in the <a href="#home">GnuPG Home</a> directory.</p>
<h3 id="sha1">Avoid SHA-1<a class="headerlink" href="#sha1" title="Permanent link">&para;</a></h3>
<p><a href="release-signing.html#sha1">Avoid</a> using <code>SHA-1</code>. Use <code>SHA512</code> or <code>SHA256</code> instead. <code>SHA512</code> is stronger than <code>SHA256</code>. Though some old
clients lack <code>SHA512</code> support, we recommend switching to <code>SHA512</code> if possible.</p>
<h3 id="sha-defaults">Setting defaults<a class="headerlink" href="#sha-defaults" title="Permanent link">&para;</a></h3>
<p>To configure <code>gpg</code> to avoid SHA-1, edit the options in <a href="#configuration"><code>gpg.conf</code></a>. Options need to be added or given the correct values for:</p>
<ul>
<li><code>cert-digest-algo</code> - the certificate digest used when linking into the <a href="release-signing.html#link-into-wot">web of trust</a> </li>
<li><code>personal-digest-preferences</code> - the digest used for <a href="release-signing.html#detach-sig">signing messages</a> </li>
<li><code>default-preference-list</code> - the default algorithm preferences for <a href="release-signing.html#generate">new keys</a> (this does not affect existing keys: see next paragraph)</li>
</ul>
<p>To use <code>SHA512</code> (recommended):</p>
<div class="highlight"><pre><span></span><code> :::text
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
</code></pre></div>
<p>To use SHA256:</p>
<div class="highlight"><pre><span></span><code> :::text
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
</code></pre></div>
<h3 id="key-prefs">Setting preferences for keys<a class="headerlink" href="#key-prefs" title="Permanent link">&para;</a></h3>
<p>The digest preferences for each key (from the <a href="#sha-defaults">configuration defaults</a> ) are set when the key is generated. Once the
configuration has been updated to avoid SHA-1, all new keys generated will use these defaults, but keys generated before the configuration won't be affected.</p>
<p>All existing private keys in the ring need to be updated to indicate that stronger hashes are preferred. For each public-private key pair (generated with the previous defaults):</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="o">::</span><span class="err">:</span><span class="n">console</span>
<span class="w"> </span><span class="err">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="n">edit</span><span class="o">-</span><span class="k">key</span><span class="w"> </span><span class="n">F8B7B4FD</span>
<span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="p">(</span><span class="n">GnuPG</span><span class="p">)</span><span class="w"> </span><span class="mf">1.4.9</span><span class="p">;</span><span class="w"> </span><span class="n">Copyright</span><span class="w"> </span><span class="p">(</span><span class="n">C</span><span class="p">)</span><span class="w"> </span><span class="mi">2008</span><span class="w"> </span><span class="k">Free</span><span class="w"> </span><span class="n">Software</span><span class="w"> </span><span class="n">Foundation</span><span class="p">,</span><span class="w"> </span><span class="n">Inc</span><span class="p">.</span>
<span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="n">program</span><span class="w"> </span><span class="n">comes</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">ABSOLUTELY</span><span class="w"> </span><span class="k">NO</span><span class="w"> </span><span class="n">WARRANTY</span><span class="p">.</span>
<span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="k">free</span><span class="w"> </span><span class="n">software</span><span class="p">,</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="k">are</span><span class="w"> </span><span class="n">welcome</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">redistribute</span><span class="w"> </span><span class="n">it</span>
<span class="w"> </span><span class="k">under</span><span class="w"> </span><span class="n">certain</span><span class="w"> </span><span class="n">conditions</span><span class="p">.</span><span class="w"> </span><span class="n">See</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="k">file</span><span class="w"> </span><span class="n">COPYING</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">details</span><span class="p">.</span>
<span class="w"> </span><span class="n">Secret</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">available</span><span class="p">.</span>
<span class="w"> </span><span class="n">pub</span><span class="w"> </span><span class="mi">1024</span><span class="n">D</span><span class="o">/</span><span class="n">F8B7B4FD</span><span class="w"> </span><span class="nl">created</span><span class="p">:</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">12</span><span class="w"> </span><span class="nl">expires</span><span class="p">:</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">09</span><span class="o">-</span><span class="mi">11</span><span class="w"> </span><span class="k">usage</span><span class="err">:</span><span class="w"> </span><span class="n">SC</span><span class="w"> </span>
<span class="w"> </span><span class="nl">trust</span><span class="p">:</span><span class="w"> </span><span class="n">ultimate</span><span class="w"> </span><span class="nl">validity</span><span class="p">:</span><span class="w"> </span><span class="n">ultimate</span>
<span class="w"> </span><span class="n">sub</span><span class="w"> </span><span class="mi">1024</span><span class="n">g</span><span class="o">/</span><span class="n">D55BD150</span><span class="w"> </span><span class="nl">created</span><span class="p">:</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">12</span><span class="w"> </span><span class="nl">expires</span><span class="p">:</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">09</span><span class="o">-</span><span class="mi">11</span><span class="w"> </span><span class="k">usage</span><span class="err">:</span><span class="w"> </span><span class="n">E</span><span class="w"> </span>
<span class="w"> </span><span class="o">[</span><span class="n">ultimate</span><span class="o">]</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="w"> </span><span class="n">Example</span><span class="w"> </span><span class="k">Key</span><span class="w"> </span><span class="p">(</span><span class="ow">NOT</span><span class="w"> </span><span class="k">FOR</span><span class="w"> </span><span class="n">DISTRIBUTION</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">bogus</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="n">Command</span><span class="o">&gt;</span><span class="w"> </span><span class="n">showpref</span>
<span class="w"> </span><span class="o">[</span><span class="n">ultimate</span><span class="o">]</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="w"> </span><span class="n">Example</span><span class="w"> </span><span class="k">Key</span><span class="w"> </span><span class="p">(</span><span class="ow">NOT</span><span class="w"> </span><span class="k">FOR</span><span class="w"> </span><span class="n">DISTRIBUTION</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">bogus</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="nl">Cipher</span><span class="p">:</span><span class="w"> </span><span class="n">AES256</span><span class="p">,</span><span class="w"> </span><span class="n">AES192</span><span class="p">,</span><span class="w"> </span><span class="n">AES</span><span class="p">,</span><span class="w"> </span><span class="n">CAST5</span><span class="p">,</span><span class="w"> </span><span class="mi">3</span><span class="n">DES</span>
<span class="w"> </span><span class="nl">Digest</span><span class="p">:</span><span class="w"> </span><span class="n">SHA1</span><span class="p">,</span><span class="w"> </span><span class="n">SHA256</span><span class="p">,</span><span class="w"> </span><span class="n">RIPEMD160</span>
<span class="w"> </span><span class="nl">Compression</span><span class="p">:</span><span class="w"> </span><span class="n">ZLIB</span><span class="p">,</span><span class="w"> </span><span class="n">BZIP2</span><span class="p">,</span><span class="w"> </span><span class="n">ZIP</span><span class="p">,</span><span class="w"> </span><span class="n">Uncompressed</span>
<span class="w"> </span><span class="nl">Features</span><span class="p">:</span><span class="w"> </span><span class="n">MDC</span><span class="p">,</span><span class="w"> </span><span class="n">Keyserver</span><span class="w"> </span><span class="k">no</span><span class="o">-</span><span class="k">modify</span>
<span class="w"> </span><span class="n">Command</span><span class="o">&gt;</span><span class="w"> </span><span class="n">setpref</span><span class="w"> </span><span class="n">SHA512</span><span class="w"> </span><span class="n">SHA384</span><span class="w"> </span><span class="n">SHA256</span><span class="w"> </span><span class="n">SHA224</span><span class="w"> </span><span class="n">AES256</span><span class="w"> </span><span class="n">AES192</span><span class="w"> </span><span class="n">AES</span><span class="w"> </span><span class="n">CAST5</span><span class="w"> </span><span class="n">ZLIB</span><span class="w"> </span><span class="n">BZIP2</span><span class="w"> </span><span class="n">ZIP</span><span class="w"> </span><span class="n">Uncompressed</span>
<span class="w"> </span><span class="k">Set</span><span class="w"> </span><span class="n">preference</span><span class="w"> </span><span class="n">list</span><span class="w"> </span><span class="k">to</span><span class="err">:</span>
<span class="w"> </span><span class="nl">Cipher</span><span class="p">:</span><span class="w"> </span><span class="n">AES256</span><span class="p">,</span><span class="w"> </span><span class="n">AES192</span><span class="p">,</span><span class="w"> </span><span class="n">AES</span><span class="p">,</span><span class="w"> </span><span class="n">CAST5</span><span class="p">,</span><span class="w"> </span><span class="mi">3</span><span class="n">DES</span>
<span class="w"> </span><span class="nl">Digest</span><span class="p">:</span><span class="w"> </span><span class="n">SHA512</span><span class="p">,</span><span class="w"> </span><span class="n">SHA384</span><span class="p">,</span><span class="w"> </span><span class="n">SHA256</span><span class="p">,</span><span class="w"> </span><span class="n">SHA224</span><span class="p">,</span><span class="w"> </span><span class="n">SHA1</span>
<span class="w"> </span><span class="nl">Compression</span><span class="p">:</span><span class="w"> </span><span class="n">ZLIB</span><span class="p">,</span><span class="w"> </span><span class="n">BZIP2</span><span class="p">,</span><span class="w"> </span><span class="n">ZIP</span><span class="p">,</span><span class="w"> </span><span class="n">Uncompressed</span>
<span class="w"> </span><span class="nl">Features</span><span class="p">:</span><span class="w"> </span><span class="n">MDC</span><span class="p">,</span><span class="w"> </span><span class="n">Keyserver</span><span class="w"> </span><span class="k">no</span><span class="o">-</span><span class="k">modify</span>
<span class="w"> </span><span class="n">Really</span><span class="w"> </span><span class="k">update</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">preferences</span><span class="vm">?</span><span class="w"> </span><span class="p">(</span><span class="n">y</span><span class="o">/</span><span class="n">N</span><span class="p">)</span><span class="w"> </span><span class="n">y</span>
<span class="w"> </span><span class="n">You</span><span class="w"> </span><span class="n">need</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">passphrase</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">unlock</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">secret</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="k">for</span>
<span class="w"> </span><span class="k">user</span><span class="err">:</span><span class="w"> </span><span class="ss">&quot;Example Key (NOT FOR DISTRIBUTION) &lt;bogus@example.org&gt;&quot;</span>
<span class="w"> </span><span class="mi">1024</span><span class="o">-</span><span class="nc">bit</span><span class="w"> </span><span class="n">DSA</span><span class="w"> </span><span class="k">key</span><span class="p">,</span><span class="w"> </span><span class="n">ID</span><span class="w"> </span><span class="n">F8B7B4FD</span><span class="p">,</span><span class="w"> </span><span class="n">created</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">12</span>
<span class="w"> </span><span class="n">pub</span><span class="w"> </span><span class="mi">1024</span><span class="n">D</span><span class="o">/</span><span class="n">F8B7B4FD</span><span class="w"> </span><span class="nl">created</span><span class="p">:</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">12</span><span class="w"> </span><span class="nl">expires</span><span class="p">:</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">09</span><span class="o">-</span><span class="mi">11</span><span class="w"> </span><span class="k">usage</span><span class="err">:</span><span class="w"> </span><span class="n">SC</span><span class="w"> </span>
<span class="w"> </span><span class="nl">trust</span><span class="p">:</span><span class="w"> </span><span class="n">ultimate</span><span class="w"> </span><span class="nl">validity</span><span class="p">:</span><span class="w"> </span><span class="n">ultimate</span>
<span class="w"> </span><span class="n">sub</span><span class="w"> </span><span class="mi">1024</span><span class="n">g</span><span class="o">/</span><span class="n">D55BD150</span><span class="w"> </span><span class="nl">created</span><span class="p">:</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">12</span><span class="w"> </span><span class="nl">expires</span><span class="p">:</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">09</span><span class="o">-</span><span class="mi">11</span><span class="w"> </span><span class="k">usage</span><span class="err">:</span><span class="w"> </span><span class="n">E</span><span class="w"> </span>
<span class="w"> </span><span class="o">[</span><span class="n">ultimate</span><span class="o">]</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="w"> </span><span class="n">Example</span><span class="w"> </span><span class="k">Key</span><span class="w"> </span><span class="p">(</span><span class="ow">NOT</span><span class="w"> </span><span class="k">FOR</span><span class="w"> </span><span class="n">DISTRIBUTION</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">bogus</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="n">Command</span><span class="o">&gt;</span><span class="w"> </span><span class="k">save</span>
</code></pre></div>
<p>Then upload the modified public key to a public keyserver. For example:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span>:::<span class="nv">console</span>
<span class="w"> </span>$<span class="w"> </span><span class="nv">gpg</span><span class="w"> </span><span class="o">--</span><span class="k">send</span><span class="o">-</span><span class="nv">keys</span><span class="w"> </span><span class="nv">F8B7B4FD</span>
</code></pre></div>
<h2 id="generate-key">How to generate a strong key<a class="headerlink" href="#generate-key" title="Permanent link">&para;</a></h2>
<p>The weaknesses found in <a href="release-signing.html#sha1">SHA-1</a> threaten all DSA keys and those RSA keys with length less than 2048 bits. Though no realistic attack against those keys have been made public and these keys continue to be useful (and do not need to be revoked), Projects should not generate new keys that are exposed to this weakness.</p>
<p>The next generation of <a href="release-signing.html#openpgp">OpenPGP</a> will use <a href="release-signing.html#sha3">SHA-3</a>. For now, the 2048 bit RSA keys with SHA256 hash should be strong enough. For those with 2048 bit RSA keys, the best advice is to <a href="#sha1">switch</a> to SHA256 or SHA512 as soon as possible. All new keys generated should be RSA with at least 4096 bits.</p>
<p>Though 8192 bit keys are stronger, they are slower and may be incompatible with some older clients. For the present, 4096 bit RSA should be strong enough for code signing at Apache. To generate RSA keys with length more
than 4096 bits, <a href="https://www.jroller.com/robertburrelldonkin/entry/gnupg_8192bit_rsa_keys" target="_blank">changes are needed</a>. Then you can follow the procedure for 4096 bits.</p>
<h3 id="key-gen-install-latest-gnupg">Install and configure GnuPG<a class="headerlink" href="#key-gen-install-latest-gnupg" title="Permanent link">&para;</a></h3>
<p><a href="https://www.gnupg.org" target="_blank">GnuPG</a> comes in two flavors. To easily generate a 4096 bit RSA signing and encryption key pair with strong digests, use either GnuPG version:</p>
<ul>
<li><code>2.0.12</code> or higher (well-known, portable version)</li>
<li><code>1.4.10</code> or higher (version with advanced features)</li>
</ul>
<p>Once you generate the key, you can use it with the widely available <code>1.4.9</code> and <code>2.x</code> releases. </p>
<p>If the right version of GnuPG is not currently distributed for your platform, you need to <a href="http://www.gnupg.org/download/index.en.html" target="_blank">install it</a>. You only need this version to generate keys, so you do not need to replace the version distributed with your platform. You can install the new version into a working directory.</p>
<p>Checking that the installation has worked and that the version is correct, using either</p>
<div class="highlight"><pre><span></span><code> :::console
$ gpg --version
gpg (GnuPG) 1.4.10
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
&lt;http://gnu.org/licenses/gpl.html&gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
</code></pre></div>
<p>or</p>
<div class="highlight"><pre><span></span><code> :::console
$ gpg2 --version
gpg (GnuPG) 2.0.12
libgcrypt 1.4.4
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
&lt;http://gnu.org/licenses/gpl.html&gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
</code></pre></div>
<p>Now confirm that the configuration file is <a href="#sha1">set up to avoid SHA-1</a>.</p>
<h3 id="key-gen-generate-key">Generate a new key<a class="headerlink" href="#key-gen-generate-key" title="Permanent link">&para;</a></h3>
<p>Versions <code>2.0.12</code>and <code>1.4.10</code> introduced a new default key generation option - <em>RSA and RSA</em>. <a href="release-signing.html#rsa">RSA</a>
keys are used for both encryption and signing. Longer key lengths are available. Select or accept this option when generating new keys.</p>
<p>Follow the recommendations about <a href="release-signing.html#user-id">user ID</a> and <a href="release-signing.html#key-comment">comment</a>. Use a strong
<a href="release-signing.html#passphrase">passphrase</a>.</p>
<p>Follow either</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="p">:::</span><span class="n">console</span>
<span class="w"> </span><span class="o">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="n">gen</span><span class="o">-</span><span class="n">key</span><span class="w"> </span>
<span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="p">(</span><span class="n">GnuPG</span><span class="p">)</span><span class="w"> </span><span class="mf">1.4</span><span class="o">.</span><span class="mi">10</span><span class="p">;</span><span class="w"> </span><span class="n">Copyright</span><span class="w"> </span><span class="p">(</span><span class="n">C</span><span class="p">)</span><span class="w"> </span><span class="mi">2008</span><span class="w"> </span><span class="n">Free</span><span class="w"> </span><span class="n">Software</span><span class="w"> </span><span class="n">Foundation</span><span class="p">,</span><span class="w"> </span><span class="n">Inc</span><span class="o">.</span>
<span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">free</span><span class="w"> </span><span class="n">software</span><span class="p">:</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">free</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">change</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">redistribute</span><span class="w"> </span><span class="n">it</span><span class="o">.</span>
<span class="w"> </span><span class="n">There</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">NO</span><span class="w"> </span><span class="n">WARRANTY</span><span class="p">,</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">extent</span><span class="w"> </span><span class="n">permitted</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="n">law</span><span class="o">.</span>
<span class="w"> </span><span class="n">Please</span><span class="w"> </span><span class="n">select</span><span class="w"> </span><span class="n">what</span><span class="w"> </span><span class="n">kind</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">want</span><span class="p">:</span>
<span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="n">RSA</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">RSA</span><span class="w"> </span><span class="p">(</span><span class="n">default</span><span class="p">)</span>
<span class="w"> </span><span class="p">(</span><span class="mi">2</span><span class="p">)</span><span class="w"> </span><span class="n">DSA</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">Elgamal</span>
<span class="w"> </span><span class="p">(</span><span class="mi">3</span><span class="p">)</span><span class="w"> </span><span class="n">DSA</span><span class="w"> </span><span class="p">(</span><span class="nb">sign</span><span class="w"> </span><span class="n">only</span><span class="p">)</span>
<span class="w"> </span><span class="p">(</span><span class="mi">4</span><span class="p">)</span><span class="w"> </span><span class="n">RSA</span><span class="w"> </span><span class="p">(</span><span class="nb">sign</span><span class="w"> </span><span class="n">only</span><span class="p">)</span>
<span class="w"> </span><span class="n">Your</span><span class="w"> </span><span class="n">selection</span><span class="err">?</span><span class="w"> </span><span class="mi">1</span>
<span class="w"> </span><span class="n">RSA</span><span class="w"> </span><span class="n">keys</span><span class="w"> </span><span class="n">may</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">between</span><span class="w"> </span><span class="mi">1024</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="mi">4096</span><span class="w"> </span><span class="n">bits</span><span class="w"> </span><span class="n">long</span><span class="o">.</span>
<span class="w"> </span><span class="n">What</span><span class="w"> </span><span class="n">keysize</span><span class="w"> </span><span class="n">do</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">want</span><span class="err">?</span><span class="w"> </span><span class="p">(</span><span class="mi">2048</span><span class="p">)</span><span class="w"> </span><span class="mi">4096</span>
<span class="w"> </span><span class="n">Requested</span><span class="w"> </span><span class="n">keysize</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="mi">4096</span><span class="w"> </span><span class="n">bits</span>
<span class="w"> </span><span class="n">Please</span><span class="w"> </span><span class="n">specify</span><span class="w"> </span><span class="n">how</span><span class="w"> </span><span class="n">long</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">should</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">valid</span><span class="o">.</span>
<span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">does</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">expire</span>
<span class="w"> </span><span class="o">&lt;</span><span class="n">n</span><span class="o">&gt;</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">expires</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">n</span><span class="w"> </span><span class="n">days</span>
<span class="w"> </span><span class="o">&lt;</span><span class="n">n</span><span class="o">&gt;</span><span class="n">w</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">expires</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">n</span><span class="w"> </span><span class="n">weeks</span>
<span class="w"> </span><span class="o">&lt;</span><span class="n">n</span><span class="o">&gt;</span><span class="n">m</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">expires</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">n</span><span class="w"> </span><span class="n">months</span>
<span class="w"> </span><span class="o">&lt;</span><span class="n">n</span><span class="o">&gt;</span><span class="n">y</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">expires</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">n</span><span class="w"> </span><span class="n">years</span>
<span class="w"> </span><span class="n">Key</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">valid</span><span class="w"> </span><span class="k">for</span><span class="err">?</span><span class="w"> </span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span>
<span class="w"> </span><span class="n">Key</span><span class="w"> </span><span class="n">does</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">expire</span><span class="w"> </span><span class="n">at</span><span class="w"> </span><span class="n">all</span>
<span class="w"> </span><span class="n">Is</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">correct</span><span class="err">?</span><span class="w"> </span><span class="p">(</span><span class="n">y</span><span class="o">/</span><span class="n">N</span><span class="p">)</span><span class="w"> </span><span class="n">y</span>
<span class="w"> </span><span class="n">You</span><span class="w"> </span><span class="n">need</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">user</span><span class="w"> </span><span class="n">ID</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">identify</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">key</span><span class="p">;</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">software</span><span class="w"> </span><span class="n">constructs</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">user</span>
<span class="w"> </span><span class="n">ID</span>
<span class="w"> </span><span class="n">from</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">Real</span><span class="w"> </span><span class="n">Name</span><span class="p">,</span><span class="w"> </span><span class="n">Comment</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">Email</span><span class="w"> </span><span class="n">Address</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">form</span><span class="p">:</span>
<span class="w"> </span><span class="s2">&quot;Heinrich Heine (Der Dichter) &lt;heinrichh@duesseldorf.de&gt;&quot;</span>
<span class="w"> </span><span class="n">Real</span><span class="w"> </span><span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="n">Robert</span><span class="w"> </span><span class="n">Burrell</span><span class="w"> </span><span class="n">Donkin</span><span class="w"> </span>
<span class="w"> </span><span class="n">Email</span><span class="w"> </span><span class="n">address</span><span class="p">:</span><span class="w"> </span><span class="n">rdonkin</span><span class="err">@</span><span class="n">apache</span><span class="o">.</span><span class="n">org</span>
<span class="w"> </span><span class="n">Comment</span><span class="p">:</span><span class="w"> </span><span class="n">CODE</span><span class="w"> </span><span class="n">SIGNING</span><span class="w"> </span><span class="n">KEY</span>
<span class="w"> </span><span class="n">You</span><span class="w"> </span><span class="n">selected</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">USER</span><span class="o">-</span><span class="n">ID</span><span class="p">:</span>
<span class="w"> </span><span class="s2">&quot;Robert Burrell Donkin (CODE SIGNING KEY) &lt;rdonkin@apache.org&gt;&quot;</span>
<span class="w"> </span><span class="n">Change</span><span class="w"> </span><span class="p">(</span><span class="n">N</span><span class="p">)</span><span class="n">ame</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">C</span><span class="p">)</span><span class="n">omment</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">E</span><span class="p">)</span><span class="n">mail</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="p">(</span><span class="n">O</span><span class="p">)</span><span class="n">kay</span><span class="o">/</span><span class="p">(</span><span class="n">Q</span><span class="p">)</span><span class="n">uit</span><span class="err">?</span><span class="w"> </span><span class="n">O</span>
<span class="w"> </span><span class="n">You</span><span class="w"> </span><span class="n">need</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">Passphrase</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">protect</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">secret</span><span class="w"> </span><span class="n">key</span><span class="o">.</span>
</code></pre></div>
<p>or</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="p">:::</span><span class="n">console</span>
<span class="w"> </span><span class="o">$</span><span class="w"> </span><span class="n">gpg2</span><span class="w"> </span><span class="o">--</span><span class="n">full</span><span class="o">-</span><span class="n">gen</span><span class="o">-</span><span class="n">key</span>
<span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="p">(</span><span class="n">GnuPG</span><span class="p">)</span><span class="w"> </span><span class="mf">2.0</span><span class="o">.</span><span class="mi">12</span><span class="p">;</span><span class="w"> </span><span class="n">Copyright</span><span class="w"> </span><span class="p">(</span><span class="n">C</span><span class="p">)</span><span class="w"> </span><span class="mi">2009</span><span class="w"> </span><span class="n">Free</span><span class="w"> </span><span class="n">Software</span><span class="w"> </span><span class="n">Foundation</span><span class="p">,</span><span class="w"> </span><span class="n">Inc</span><span class="o">.</span>
<span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">free</span><span class="w"> </span><span class="n">software</span><span class="p">:</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">are</span><span class="w"> </span><span class="n">free</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">change</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">redistribute</span><span class="w"> </span><span class="n">it</span><span class="o">.</span>
<span class="w"> </span><span class="n">There</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">NO</span><span class="w"> </span><span class="n">WARRANTY</span><span class="p">,</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">extent</span><span class="w"> </span><span class="n">permitted</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="n">law</span><span class="o">.</span>
<span class="w"> </span><span class="n">Please</span><span class="w"> </span><span class="n">select</span><span class="w"> </span><span class="n">what</span><span class="w"> </span><span class="n">kind</span><span class="w"> </span><span class="n">of</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">want</span><span class="p">:</span>
<span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">)</span><span class="w"> </span><span class="n">RSA</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">RSA</span><span class="w"> </span><span class="p">(</span><span class="n">default</span><span class="p">)</span>
<span class="w"> </span><span class="p">(</span><span class="mi">2</span><span class="p">)</span><span class="w"> </span><span class="n">DSA</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">Elgamal</span>
<span class="w"> </span><span class="p">(</span><span class="mi">3</span><span class="p">)</span><span class="w"> </span><span class="n">DSA</span><span class="w"> </span><span class="p">(</span><span class="nb">sign</span><span class="w"> </span><span class="n">only</span><span class="p">)</span>
<span class="w"> </span><span class="p">(</span><span class="mi">4</span><span class="p">)</span><span class="w"> </span><span class="n">RSA</span><span class="w"> </span><span class="p">(</span><span class="nb">sign</span><span class="w"> </span><span class="n">only</span><span class="p">)</span>
<span class="w"> </span><span class="n">Your</span><span class="w"> </span><span class="n">selection</span><span class="err">?</span><span class="w"> </span><span class="mi">1</span>
<span class="w"> </span><span class="n">RSA</span><span class="w"> </span><span class="n">keys</span><span class="w"> </span><span class="n">may</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">between</span><span class="w"> </span><span class="mi">1024</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="mi">4096</span><span class="w"> </span><span class="n">bits</span><span class="w"> </span><span class="n">long</span><span class="o">.</span>
<span class="w"> </span><span class="n">What</span><span class="w"> </span><span class="n">keysize</span><span class="w"> </span><span class="n">do</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">want</span><span class="err">?</span><span class="w"> </span><span class="p">(</span><span class="mi">2048</span><span class="p">)</span><span class="w"> </span><span class="mi">4096</span>
<span class="w"> </span><span class="n">Requested</span><span class="w"> </span><span class="n">keysize</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="mi">4096</span><span class="w"> </span><span class="n">bits</span>
<span class="w"> </span><span class="n">Please</span><span class="w"> </span><span class="n">specify</span><span class="w"> </span><span class="n">how</span><span class="w"> </span><span class="n">long</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">should</span><span class="w"> </span><span class="n">be</span><span class="w"> </span><span class="n">valid</span><span class="o">.</span>
<span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">does</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">expire</span>
<span class="w"> </span><span class="o">&lt;</span><span class="n">n</span><span class="o">&gt;</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">expires</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">n</span><span class="w"> </span><span class="n">days</span>
<span class="w"> </span><span class="o">&lt;</span><span class="n">n</span><span class="o">&gt;</span><span class="n">w</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">expires</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">n</span><span class="w"> </span><span class="n">weeks</span>
<span class="w"> </span><span class="o">&lt;</span><span class="n">n</span><span class="o">&gt;</span><span class="n">m</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">expires</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">n</span><span class="w"> </span><span class="n">months</span>
<span class="w"> </span><span class="o">&lt;</span><span class="n">n</span><span class="o">&gt;</span><span class="n">y</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">expires</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">n</span><span class="w"> </span><span class="n">years</span>
<span class="w"> </span><span class="n">Key</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">valid</span><span class="w"> </span><span class="k">for</span><span class="err">?</span><span class="w"> </span><span class="p">(</span><span class="mi">0</span><span class="p">)</span><span class="w"> </span>
<span class="w"> </span><span class="n">Key</span><span class="w"> </span><span class="n">does</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">expire</span><span class="w"> </span><span class="n">at</span><span class="w"> </span><span class="n">all</span>
<span class="w"> </span><span class="n">Is</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">correct</span><span class="err">?</span><span class="w"> </span><span class="p">(</span><span class="n">y</span><span class="o">/</span><span class="n">N</span><span class="p">)</span><span class="w"> </span><span class="n">y</span>
<span class="w"> </span><span class="n">GnuPG</span><span class="w"> </span><span class="n">needs</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">construct</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">user</span><span class="w"> </span><span class="n">ID</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">identify</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">key</span><span class="o">.</span>
<span class="w"> </span><span class="n">Real</span><span class="w"> </span><span class="n">name</span><span class="p">:</span><span class="w"> </span><span class="n">Robert</span><span class="w"> </span><span class="n">Burrell</span><span class="w"> </span><span class="n">Donkin</span>
<span class="w"> </span><span class="n">Email</span><span class="w"> </span><span class="n">address</span><span class="p">:</span><span class="w"> </span><span class="n">rdonkin</span><span class="err">@</span><span class="n">apache</span><span class="o">.</span><span class="n">org</span>
<span class="w"> </span><span class="n">Comment</span><span class="p">:</span><span class="w"> </span><span class="n">CODE</span><span class="w"> </span><span class="n">SIGNING</span><span class="w"> </span><span class="n">KEY</span>
<span class="w"> </span><span class="n">You</span><span class="w"> </span><span class="n">selected</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">USER</span><span class="o">-</span><span class="n">ID</span><span class="p">:</span>
<span class="w"> </span><span class="s2">&quot;Robert Burrell Donkin (CODE SIGNING KEY) &lt;rdonkin@apache.org&gt;&quot;</span>
<span class="w"> </span><span class="n">Change</span><span class="w"> </span><span class="p">(</span><span class="n">N</span><span class="p">)</span><span class="n">ame</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">C</span><span class="p">)</span><span class="n">omment</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="n">E</span><span class="p">)</span><span class="n">mail</span><span class="w"> </span><span class="ow">or</span><span class="w"> </span><span class="p">(</span><span class="n">O</span><span class="p">)</span><span class="n">kay</span><span class="o">/</span><span class="p">(</span><span class="n">Q</span><span class="p">)</span><span class="n">uit</span><span class="err">?</span><span class="w"> </span><span class="n">O</span>
<span class="w"> </span><span class="n">You</span><span class="w"> </span><span class="n">need</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">Passphrase</span><span class="w"> </span><span class="n">to</span><span class="w"> </span><span class="n">protect</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">secret</span><span class="w"> </span><span class="n">key</span><span class="o">.</span>
</code></pre></div>
<h3 id="key-gen-avoid-sha1">Check that the key avoids using SHA-1<a class="headerlink" href="#key-gen-avoid-sha1" title="Permanent link">&para;</a></h3>
<p>Check that the configuration has correctly set the key preferences to avoid SHA-1, using either:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="o">::</span><span class="err">:</span><span class="n">console</span>
<span class="w"> </span><span class="err">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="n">edit</span><span class="o">-</span><span class="k">key</span><span class="w"> </span><span class="mi">773447</span><span class="n">FD</span>
<span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="p">(</span><span class="n">GnuPG</span><span class="p">)</span><span class="w"> </span><span class="mf">1.4.10</span><span class="p">;</span><span class="w"> </span><span class="n">Copyright</span><span class="w"> </span><span class="p">(</span><span class="n">C</span><span class="p">)</span><span class="w"> </span><span class="mi">2008</span><span class="w"> </span><span class="k">Free</span><span class="w"> </span><span class="n">Software</span><span class="w"> </span><span class="n">Foundation</span><span class="p">,</span><span class="w"> </span><span class="n">Inc</span><span class="p">.</span>
<span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="k">free</span><span class="w"> </span><span class="nl">software</span><span class="p">:</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="k">are</span><span class="w"> </span><span class="k">free</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">change</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">redistribute</span><span class="w"> </span><span class="n">it</span><span class="p">.</span>
<span class="w"> </span><span class="n">There</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="k">NO</span><span class="w"> </span><span class="n">WARRANTY</span><span class="p">,</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">extent</span><span class="w"> </span><span class="n">permitted</span><span class="w"> </span><span class="k">by</span><span class="w"> </span><span class="n">law</span><span class="p">.</span>
<span class="w"> </span><span class="n">Secret</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">available</span><span class="p">.</span>
<span class="w"> </span><span class="n">pub</span><span class="w"> </span><span class="mi">4096</span><span class="n">R</span><span class="o">/</span><span class="mi">773447</span><span class="n">FD</span><span class="w"> </span><span class="nl">created</span><span class="p">:</span><span class="w"> </span><span class="mi">2010</span><span class="o">-</span><span class="mi">02</span><span class="o">-</span><span class="mi">16</span><span class="w"> </span><span class="nl">expires</span><span class="p">:</span><span class="w"> </span><span class="n">never</span><span class="w"> </span><span class="k">usage</span><span class="err">:</span><span class="w"> </span><span class="n">SC</span><span class="w"> </span>
<span class="w"> </span><span class="nl">trust</span><span class="p">:</span><span class="w"> </span><span class="n">ultimate</span><span class="w"> </span><span class="nl">validity</span><span class="p">:</span><span class="w"> </span><span class="n">ultimate</span>
<span class="w"> </span><span class="n">sub</span><span class="w"> </span><span class="mi">4096</span><span class="n">R</span><span class="o">/</span><span class="mf">436E0</span><span class="n">F7C</span><span class="w"> </span><span class="nl">created</span><span class="p">:</span><span class="w"> </span><span class="mi">2010</span><span class="o">-</span><span class="mi">02</span><span class="o">-</span><span class="mi">16</span><span class="w"> </span><span class="nl">expires</span><span class="p">:</span><span class="w"> </span><span class="n">never</span><span class="w"> </span><span class="k">usage</span><span class="err">:</span><span class="w"> </span><span class="n">E</span><span class="w"> </span>
<span class="w"> </span><span class="o">[</span><span class="n">ultimate</span><span class="o">]</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="w"> </span><span class="n">Robert</span><span class="w"> </span><span class="n">Burrell</span><span class="w"> </span><span class="n">Donkin</span><span class="w"> </span><span class="p">(</span><span class="n">CODE</span><span class="w"> </span><span class="n">SIGNING</span><span class="w"> </span><span class="k">KEY</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">rdonkin</span><span class="nv">@apache</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="n">Command</span><span class="o">&gt;</span><span class="w"> </span><span class="n">showpref</span>
<span class="w"> </span><span class="o">[</span><span class="n">ultimate</span><span class="o">]</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="w"> </span><span class="n">Robert</span><span class="w"> </span><span class="n">Burrell</span><span class="w"> </span><span class="n">Donkin</span><span class="w"> </span><span class="p">(</span><span class="n">CODE</span><span class="w"> </span><span class="n">SIGNING</span><span class="w"> </span><span class="k">KEY</span><span class="p">)</span>
<span class="w"> </span><span class="o">&lt;</span><span class="n">rdonkin</span><span class="nv">@apache</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="nl">Cipher</span><span class="p">:</span><span class="w"> </span><span class="n">AES256</span><span class="p">,</span><span class="w"> </span><span class="n">AES192</span><span class="p">,</span><span class="w"> </span><span class="n">AES</span><span class="p">,</span><span class="w"> </span><span class="n">CAST5</span><span class="p">,</span><span class="w"> </span><span class="mi">3</span><span class="n">DES</span>
<span class="w"> </span><span class="nl">Digest</span><span class="p">:</span><span class="w"> </span><span class="n">SHA512</span><span class="p">,</span><span class="w"> </span><span class="n">SHA384</span><span class="p">,</span><span class="w"> </span><span class="n">SHA256</span><span class="p">,</span><span class="w"> </span><span class="n">SHA224</span><span class="p">,</span><span class="w"> </span><span class="n">SHA1</span>
<span class="w"> </span><span class="nl">Compression</span><span class="p">:</span><span class="w"> </span><span class="n">ZLIB</span><span class="p">,</span><span class="w"> </span><span class="n">BZIP2</span><span class="p">,</span><span class="w"> </span><span class="n">ZIP</span><span class="p">,</span><span class="w"> </span><span class="n">Uncompressed</span>
<span class="w"> </span><span class="nl">Features</span><span class="p">:</span><span class="w"> </span><span class="n">MDC</span><span class="p">,</span><span class="w"> </span><span class="n">Keyserver</span><span class="w"> </span><span class="k">no</span><span class="o">-</span><span class="k">modify</span>
</code></pre></div>
<p>or</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="o">::</span><span class="err">:</span><span class="n">console</span>
<span class="w"> </span><span class="err">$</span><span class="w"> </span><span class="n">gpg2</span><span class="w"> </span><span class="o">--</span><span class="n">edit</span><span class="o">-</span><span class="k">key</span><span class="w"> </span><span class="n">A6EE6908</span>
<span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="p">(</span><span class="n">GnuPG</span><span class="p">)</span><span class="w"> </span><span class="mf">2.0.12</span><span class="p">;</span><span class="w"> </span><span class="n">Copyright</span><span class="w"> </span><span class="p">(</span><span class="n">C</span><span class="p">)</span><span class="w"> </span><span class="mi">2009</span><span class="w"> </span><span class="k">Free</span><span class="w"> </span><span class="n">Software</span><span class="w"> </span><span class="n">Foundation</span><span class="p">,</span><span class="w"> </span><span class="n">Inc</span><span class="p">.</span>
<span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="k">free</span><span class="w"> </span><span class="nl">software</span><span class="p">:</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="k">are</span><span class="w"> </span><span class="k">free</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">change</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">redistribute</span><span class="w"> </span><span class="n">it</span><span class="p">.</span>
<span class="w"> </span><span class="n">There</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="k">NO</span><span class="w"> </span><span class="n">WARRANTY</span><span class="p">,</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">extent</span><span class="w"> </span><span class="n">permitted</span><span class="w"> </span><span class="k">by</span><span class="w"> </span><span class="n">law</span><span class="p">.</span>
<span class="w"> </span><span class="n">Secret</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">available</span><span class="p">.</span>
<span class="w"> </span><span class="n">pub</span><span class="w"> </span><span class="mi">8192</span><span class="n">R</span><span class="o">/</span><span class="n">A6EE6908</span><span class="w"> </span><span class="nl">created</span><span class="p">:</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">07</span><span class="w"> </span><span class="nl">expires</span><span class="p">:</span><span class="w"> </span><span class="n">never</span><span class="w"> </span><span class="k">usage</span><span class="err">:</span><span class="w"> </span><span class="n">SC</span><span class="w"> </span>
<span class="w"> </span><span class="nl">trust</span><span class="p">:</span><span class="w"> </span><span class="n">ultimate</span><span class="w"> </span><span class="nl">validity</span><span class="p">:</span><span class="w"> </span><span class="n">ultimate</span>
<span class="w"> </span><span class="n">sub</span><span class="w"> </span><span class="mi">8192</span><span class="n">R</span><span class="o">/</span><span class="n">B800EFC1</span><span class="w"> </span><span class="nl">created</span><span class="p">:</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">07</span><span class="w"> </span><span class="nl">expires</span><span class="p">:</span><span class="w"> </span><span class="n">never</span><span class="w"> </span><span class="k">usage</span><span class="err">:</span><span class="w"> </span><span class="n">E</span><span class="w"> </span>
<span class="w"> </span><span class="o">[</span><span class="n">ultimate</span><span class="o">]</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="w"> </span><span class="n">Robert</span><span class="w"> </span><span class="n">Burrell</span><span class="w"> </span><span class="n">Donkin</span><span class="w"> </span><span class="p">(</span><span class="n">CODE</span><span class="w"> </span><span class="n">SIGNING</span><span class="w"> </span><span class="k">KEY</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">rdonkin</span><span class="nv">@apache</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="n">Command</span><span class="o">&gt;</span><span class="w"> </span><span class="n">showpref</span><span class="w"> </span>
<span class="w"> </span><span class="o">[</span><span class="n">ultimate</span><span class="o">]</span><span class="w"> </span><span class="p">(</span><span class="mi">1</span><span class="p">).</span><span class="w"> </span><span class="n">Robert</span><span class="w"> </span><span class="n">Burrell</span><span class="w"> </span><span class="n">Donkin</span><span class="w"> </span><span class="p">(</span><span class="n">CODE</span><span class="w"> </span><span class="n">SIGNING</span><span class="w"> </span><span class="k">KEY</span><span class="p">)</span>
<span class="w"> </span><span class="o">&lt;</span><span class="n">rdonkin</span><span class="nv">@apache</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="nl">Cipher</span><span class="p">:</span><span class="w"> </span><span class="n">AES256</span><span class="p">,</span><span class="w"> </span><span class="n">AES192</span><span class="p">,</span><span class="w"> </span><span class="n">AES</span><span class="p">,</span><span class="w"> </span><span class="n">CAST5</span><span class="p">,</span><span class="w"> </span><span class="mi">3</span><span class="n">DES</span>
<span class="w"> </span><span class="nl">Digest</span><span class="p">:</span><span class="w"> </span><span class="n">SHA512</span><span class="p">,</span><span class="w"> </span><span class="n">SHA384</span><span class="p">,</span><span class="w"> </span><span class="n">SHA256</span><span class="p">,</span><span class="w"> </span><span class="n">SHA224</span><span class="p">,</span><span class="w"> </span><span class="n">SHA1</span>
<span class="w"> </span><span class="nl">Compression</span><span class="p">:</span><span class="w"> </span><span class="n">ZLIB</span><span class="p">,</span><span class="w"> </span><span class="n">BZIP2</span><span class="p">,</span><span class="w"> </span><span class="n">ZIP</span><span class="p">,</span><span class="w"> </span><span class="n">Uncompressed</span>
<span class="w"> </span><span class="nl">Features</span><span class="p">:</span><span class="w"> </span><span class="n">MDC</span><span class="p">,</span><span class="w"> </span><span class="n">Keyserver</span><span class="w"> </span><span class="k">no</span><span class="o">-</span><span class="k">modify</span>
</code></pre></div>
<p>The <code>Digest</code> line should list SHA-512 first and SHA-1 last. Instructions for altering the preferences of a key are
<a href="#key-prefs">here</a>.</p>
<h3 id="final-steps">Final steps<a class="headerlink" href="#final-steps" title="Permanent link">&para;</a></h3>
<p>When you generate a new code signing key, you need to update a number of Apache documents and perform some other tasks.</p>
<h5 id="generation-final-steps-transition">Final transition steps<a class="headerlink" href="#generation-final-steps-transition" title="Permanent link">&para;</a></h5>
<p>If you are generating a key for use in a <a href="release-signing.html#transition">transition</a>, there is more you should do before updating these documents, so <a href="key-transition.html#ContinueAfterGeneration">go to the transition instructions now</a>.</p>
<h5 id="generation-final-steps-new-key">New key final steps<a class="headerlink" href="#generation-final-steps-new-key" title="Permanent link">&para;</a>Final steps for a new key</h5>
<p>If this is a new code signing key not involved with a transition:</p>
<ol>
<li>
<p><a href="release-signing.html#keyserver-upload">Upload</a> the new <a href="release-signing.html#public-private">public key</a> to a public
<a href="release-signing.html#keyserver">keyserver</a> </p>
</li>
<li>
<p>Create backups by following these <a href="#backup">instructions</a> </p>
</li>
<li>
<p>Follow these <a href="#revocation-certs">instructions</a> to create and securely store generic <a href="release-signing.html#revocation-cert">revocation
certificates</a> for the new key</p>
</li>
<li>
<p>Follow these <a href="#update">instructions</a> (ignoring the transition option) to create or update Apache documents</p>
</li>
<li>
<p>Read this <a href="#wot">guide</a> to the Apache use of the <a href="release-signing.html#web-of-trust">web of trust</a> and make arrangements for your
new key to be included at the earliest opportunity.</p>
</li>
</ol>
<h2 id="private-keyring-management">Private keyring management<a class="headerlink" href="#private-keyring-management" title="Permanent link">&para;</a></h2>
<ol>
<li>
<p>Never transmit your private keyring over the internet!</p>
</li>
<li>
<p>Store your keys on unshared local disk storage. If your employer only provides networked storage, ask for permission to use a USB fob (or CD) to store your .gnupg directory.</p>
</li>
<li>
<p>Destroy your retired disks appropriately using a disk wiping utility or similar tools to ensure your keyring is no longer available
on those disks once you are through with them. Failing that, drill through the disk platters so they are physically unusable.</p>
</li>
</ol>
<h2 id="find-key-id">Finding a key ID<a class="headerlink" href="#find-key-id" title="Permanent link">&para;</a></h2>
<p>There are a number of ways to identify a key. Only one is unique: the <a href="release-signing.html#fingerprint">key fingerprint</a>.</p>
<p>Attackers can easily create new keys similar to yours with identical user IDs and comments. Such a public key may be introduced to your keyring when you download keys from a <a href="release-signing.html#keyserver">public keyserver</a> or as part of an import. If this information is used to identify public keys then you may be misled into believing that another public key is yours. A cunning attacker may even introduce a matching secret key that lets you sign with that key.</p>
<p>Creating a different key with a matching identity is considered <a href="release-signing.html#infeasible">infeasible</a>. For all operations where
precise identity matters and that identity is specified on the command line, you should use the key ID to identify the key. Avoid using
user ID or other information.</p>
<h3 id="find-key-id-from-trusted-source">Find a key ID from a trusted source<a class="headerlink" href="#finbd-key-id-from-trusted-source" title="Permanent link">&para;</a></h3>
<p>The best way to find a key ID is to obtain it directly from a trusted source, for example, from a business card you obtain personally from the owner of the key.</p>
<h3 id="find-key-id-with-fingerprint">Find a key ID with its fingerprint<a class="headerlink" href="#find-key-ide-with-fingerprint" title="Permanent link">&para;</a></h3>
<p>If you have a <a href="release-signing.html#fingerprint">fingerprint</a>, the key ID should be the last 8 digits. For example, the ID of the key with this fingerprint:</p>
<div class="highlight"><pre><span></span><code> :::text
FF96 6261 C995 1DDE BF34 5150 D5D2 BDB5 E2B0 54B8
</code></pre></div>
<p>should be:</p>
<div class="highlight"><pre><span></span><code> :::text
E2B054B8
</code></pre></div>
<p>You can confirm this using:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="o">::</span><span class="err">:</span><span class="n">console</span>
<span class="w"> </span><span class="err">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="n">list</span><span class="o">-</span><span class="n">keys</span><span class="w"> </span><span class="o">--</span><span class="n">fingerprint</span><span class="w"> </span><span class="n">E2B054B8</span>
<span class="w"> </span><span class="n">pub</span><span class="w"> </span><span class="mi">4096</span><span class="n">R</span><span class="o">/</span><span class="n">E2B054B8</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span>
<span class="w"> </span><span class="k">Key</span><span class="w"> </span><span class="n">fingerprint</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">FF96</span><span class="w"> </span><span class="mi">6261</span><span class="w"> </span><span class="n">C995</span><span class="w"> </span><span class="mi">1</span><span class="n">DDE</span><span class="w"> </span><span class="n">BF34</span><span class="w"> </span><span class="mi">5150</span><span class="w"> </span><span class="n">D5D2</span><span class="w"> </span><span class="n">BDB5</span><span class="w"> </span><span class="n">E2B0</span><span class="w"> </span><span class="mi">54</span><span class="n">B8</span>
<span class="w"> </span><span class="n">uid</span><span class="w"> </span><span class="n">Alice</span><span class="w"> </span><span class="n">Example</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">NEW</span><span class="w"> </span><span class="k">KEY</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">alice</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="n">sub</span><span class="w"> </span><span class="mi">4096</span><span class="n">R</span><span class="o">/</span><span class="mi">4</span><span class="n">A6D5217</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span>
</code></pre></div>
<h3 id="find-key-id-with-secret-key">When you have the secret key<a class="headerlink" href="#find-key-id-with-secret-key" title="Permanent link">&para;</a></h3>
<p>When you have the secret key, listing the secret key details allows the key ID to be read from the <code>sec</code> lines in the output.</p>
<p><strong>Note</strong> that it is possible for an attacker to introduce a new secret key into your keyring (for example, as part of an import). It is vital that you know how many secret keys each keyring should hold. If any unexpected secret keys are present, this probably indicates an attack.</p>
<p>For example, Alice is <a href="key-transition.html">transitioning</a> and so expects two secret keys in her main keyring. (The case of a single key is similar but less complex.) She lists all secret keys on the keyring:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="o">::</span><span class="err">:</span><span class="n">console</span>
<span class="w"> </span><span class="err">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="n">list</span><span class="o">-</span><span class="n">secret</span><span class="o">-</span><span class="n">keys</span>
<span class="w"> </span><span class="n">alice</span><span class="o">/</span><span class="n">secring</span><span class="p">.</span><span class="n">gpg</span>
<span class="w"> </span><span class="o">-----------------</span>
<span class="w"> </span><span class="n">sec</span><span class="w"> </span><span class="mi">1024</span><span class="n">D</span><span class="o">/</span><span class="n">AD741727</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span>
<span class="w"> </span><span class="n">uid</span><span class="w"> </span><span class="n">Alice</span><span class="w"> </span><span class="n">Example</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">OF</span><span class="w"> </span><span class="k">OLD</span><span class="w"> </span><span class="k">KEY</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">alice</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="n">ssb</span><span class="w"> </span><span class="mi">1024</span><span class="n">g</span><span class="o">/</span><span class="mi">268883</span><span class="n">A9</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span>
<span class="w"> </span><span class="n">sec</span><span class="w"> </span><span class="mi">4096</span><span class="n">R</span><span class="o">/</span><span class="n">E2B054B8</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span>
<span class="w"> </span><span class="n">uid</span><span class="w"> </span><span class="n">Alice</span><span class="w"> </span><span class="n">Example</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">NEW</span><span class="w"> </span><span class="k">KEY</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">alice</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="n">ssb</span><span class="w"> </span><span class="mi">4096</span><span class="n">R</span><span class="o">/</span><span class="mi">4</span><span class="n">A6D5217</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span>
</code></pre></div>
<p>Alice verifies that details for only two keys are listed and that there are no unexpected additions.</p>
<p>The <code>sec</code> lines are:</p>
<div class="highlight"><pre><span></span><code> :::text
sec 1024D/AD741727 2009-08-20
</code></pre></div>
<p>and</p>
<div class="highlight"><pre><span></span><code> :::text
sec 4096R/E2B054B8 2009-08-20
</code></pre></div>
<p>The key ID forms part of the second column, to the right of the key length. In this case the key IDs are <code>AD741727</code> and <code>E2B054B8</code>. The
<a href="release-signing.html#key-comment">comments</a> help Alice identify each key.</p>
<h3 id="find-key-id-otherwise">When you do not have the secret key<a class="headerlink" href="#find-key-id-otherwise" title="Permanent link">&para;</a></h3>
<p>Unless you have the <a href="release-signing.html#public-private">private key</a> or a <a href="release-signing.html#fingerprint">fingerprint</a>, the only safe way to find the key ID is to ask the owner of the key, using a secure communication channel.</p>
<p>Trusting that an import contains only the owner's public key is <strong>not recommended</strong>. The import may contain additional public keys (intentionally or not). So, when using an import, always verify the key ID of interest from another source.</p>
<p>For example, a <a href="http://home.apache.org/~rdonkin/" target="_blank">web page with an embedded export</a> should also list the key IDs of interest. </p>
<h2 id="backup">How to back up keys<a class="headerlink" href="#backup" title="Permanent link">&para;</a></h2>
<h3 id="backup-public">Back up public information<a class="headerlink" href="#backup-public" title="Permanent link">&para;</a></h3>
<p>The <a href="release-signing.html#key-id">key ID</a> is not confidential but without access to this information from a trusted source, substitution attacks are <a href="release-signing.html#infeasible">feasible</a> (see this <a href="#find-key-id">discussion</a>).</p>
<p>So, for each <a href="release-signing.html#public-private">key pair</a> you generate, the <a href="release-signing.html#key-id">key ID</a> needs to recorded in a form that makes tampering difficult. Defense in depth is the best strategy. We recommend that you use a range of methods::</p>
<ul>
<li>Print a hard copy of the key ID and store it securely</li>
<li>Include the key ID on your business cards</li>
<li>ASF Members should include the key ID on their Apache business cards</li>
<li>Include a text document containing the key ID in your <a href="#backup-private">secure, tamperproof private backups</a></li>
</ul>
<h3 id="backup-private">Back up private information<a class="headerlink" href="#backup-private" title="Permanent link">&para;</a></h3>
<p>Keep your <a href="release-signing.html#public-private">private key</a> both safe and away from attackers. If a private key is destroyed or lost, it must be revoked and should no longer be used. Given the effort that's needed to build a strong <a href="release-signing.html#web-of-trust">web of trust</a>, it is important to back up the private key without compromising security.</p>
<p>The best way to back up a private key is to securely archive the entire <a href="#home">GnuPG home</a> by copying the contents into secure, encrypted storage. We recommended that you version each archived copy and store it permanently.</p>
<p>Full disk encryption is the best storage solution for disks containing the private key. How to encrypt a full disc is platform dependent and is beyond the scope of this guide, but many major platforms now support this.</p>
<p>Choose a strong passphrase. If this is not possible then use strong, <a href="#symmetric">symmetric</a> encryption to protect a compressed archive.</p>
<p>We recommend a removable medium type with good long term storage characteristics:</p>
<ul>
<li>A small capacity, high quality USB flash drive</li>
<li>A CDROM</li>
</ul>
<p>Make and securely store multiple copies.</p>
<h2 id="export-key">How to export a key<a class="headerlink" href="#export-key" title="Permanent link">&para;</a></h2>
<p>Exporting public keys is a common operation. It is rarely necessary to export a <a href="release-signing.html#public-private">private key</a> and use of that operation should be kept to a minimum (see <a href="#export-secret-key">below</a> ). So, the unqualified term <em>exporting a key</em>
almost always means <em>exporting a public key</em>.</p>
<p>GnuPG seeks to limit accidental private key exports by using different operations for each export. Both operations share common options.</p>
<h3 id="export-option-output">Output options<a class="headerlink" href="#export-option-output" title="Permanent link">&para;</a></h3>
<p>By default, operations print their results to the command line. For example, to export all public keys (with ASCII encoding) to the command line, do:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="p">:::</span><span class="n">console</span>
<span class="w"> </span><span class="o">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="k">export</span><span class="w"> </span><span class="o">--</span><span class="n">armor</span><span class="w"> </span>
</code></pre></div>
<p>The <code>--output</code> option followed by the name of a file creates that file and stores the output in it. To export all public keys (with ASCII encoding) into a newly created file named <code>export.asc</code>, use:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="p">:::</span><span class="n">console</span>
<span class="w"> </span><span class="o">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="k">export</span><span class="w"> </span><span class="o">--</span><span class="n">output</span><span class="w"> </span><span class="k">export</span><span class="o">.</span><span class="n">asc</span><span class="w"> </span><span class="o">--</span><span class="n">armor</span><span class="w"> </span>
</code></pre></div>
<p>Though most of the examples in this guide choose to output to a file, command line output is often useful (for example, the output can be piped into a second command) and is equally valid for most operations. The exception is <a href="#export-secret-key">secret key export</a>, which should always be to a secure temporary file.</p>
<h3 id="export-option-armor">The armor option<a class="headerlink" href="#export-option-armor" title="Permanent link">&para;</a></h3>
<p>The <em>--armor</em> option encodes the output using <a href="release-signing.html#ascii">ASCII characters only</a>. This permits embedding the output easily in documents and displaying it on the command line.</p>
<p>For example, to export all public keys (to the command line) encoded in ASCII, use:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="p">:::</span><span class="n">console</span>
<span class="w"> </span><span class="o">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="k">export</span><span class="w"> </span><span class="o">--</span><span class="n">armor</span><span class="w"> </span>
</code></pre></div>
<p>The binary format is shorter but has few other advantages. For all uses at Apache, use ASCII armor.</p>
<h3 id="export-public-key">How to export public keys<a class="headerlink" href="#export-public-key" title="Permanent link">&para;</a></h3>
<p>The <code>--export</code> operation exports public keys.</p>
<p>When you don't specify a key, the system exports all public keys in the keyring. For example, to export all public keys to the <a href="#export-option-output">command
line</a> with <a href="#export-option-armor">ASCII encoding</a>:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="p">:::</span><span class="n">console</span>
<span class="w"> </span><span class="o">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="k">export</span><span class="w"> </span><span class="o">--</span><span class="n">armor</span><span class="w"> </span>
</code></pre></div>
<p>To export specific keys, add identifiers for these keys to the end of the command. There are a number of ways to identify keys, but only the <a href="release-signing.html#key-id">key ID</a> will definitely select a single key. This <a href="#find-key-id">guide</a> discusses how to find the key ID when it is unknown.</p>
<p>For example, to export to the <a href="#export-option-output">command line</a> with <a href="#export-option-armor">ASCII encoding</a> the public key with ID <code>AD741727</code>, use:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="p">:::</span><span class="n">console</span>
<span class="w"> </span><span class="o">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="k">export</span><span class="w"> </span><span class="o">--</span><span class="n">armor</span><span class="w"> </span><span class="n">AD741727</span>
</code></pre></div>
<h3 id="export-all-or-some-public-keys">Should I export all or some public keys"<a class="headerlink" href="#export-all-or-some-puiblic-keys" title="Permanent link">&para;</a></h3>
<p>This is often a tricky question. An import should not be trusted for key identification (see <a href="#find-key-id">discussion</a>). So, for an import to be useful, usually the key ID of interest needs to be known.</p>
<p>Keys used at Apache should be available through the global <a href="release-signing.html#keyserver">public keyserver</a> network. Using this network, given the <a href="release-signing.html#key-id">key ID</a> the person who needs it can download the public key.</p>
<p>So an export is really only useful for someone who cannot use the global keyserver network. But in this case, the import really needs to include all the public keys on the ring to maximise the chances of a trusted path being found in the <a href="release-signing.html#web-of-trust">web of trust</a>.</p>
<p>The risk of exporting all keys is that users who don't understand that they should not use an export for key identification may be mislead by the other keys in the export. The risk with exporting just one public key is that users may mistakenly think that imports are trustworthy for key identification.</p>
<p>So neither is a very satisfactory solution. Now that global keyserver network works so well, Apache may move away from the use of exports in the future.</p>
<h3 id="export-secret-key">How to export secret keys<a class="headerlink" href="#export-secret-key" title="Permanent link">&para;</a></h3>
<p>This is a risky operation. The most vulnerable part of the system is the <a href="release-signing.html#passphrase">passphrase</a> that encrypts the private key. If an attacker obtains a copy of the encrypted private key file, an attack on the passphrase is likely to be
<a href="release-signing.html#infeasible">feasible</a>. So it is vital to store the <a href="release-signing.html#public-private">private key</a> securely at
all times.</p>
<p>There are very few occasions when this risk is justified. When people talk about exporting keys, this means the export of the <em>public</em> key only (unless the secret key is mentioned explicitly). Whenever a private key export is necessary for a task covered in this guide, we describe the process completely in the section. We do not recommend secret key export in other circumstances.</p>
<p>To ensure that you do not accidentally expose private keys, the GnuPG <code>--export</code> operation exports only public keys.</p>
<p><strong>Never</strong> export secret keys to the command line. Instead, use a secure temporary file that you can securely delete after use. Here is one way to do this:</p>
<h2 id="secret-key-transfer">How to transfer a secret key<a class="headerlink" href="#secret-key-transfer" title="Permanent link">&para;</a></h2>
<p>Start by <a href="#switch-home">switching</a> GnuPG <a href="#home">home</a> to the source. To export all secret keys to a temporary file such as <code>/tmp/new.sec</code>, do this:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="p">:::</span><span class="n">console</span>
<span class="w"> </span><span class="o">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="k">export</span><span class="o">-</span><span class="n">secret</span><span class="o">-</span><span class="n">keys</span><span class="w"> </span><span class="o">--</span><span class="n">armor</span><span class="w"> </span><span class="o">--</span><span class="n">output</span><span class="w"> </span><span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">new</span><span class="o">.</span><span class="n">sec</span>
</code></pre></div>
<p>Import this temporary file into the target keyring. Ensure that GnuPG <a href="#home">home</a> is set to the target keyring (by either
<a href="#switch-home">switching</a> the current session or opening a new terminal configured to use the target keyring). Then do this:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="p">:::</span><span class="n">console</span>
<span class="w"> </span><span class="err">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="kn">import</span><span class="w"> </span><span class="o">/</span><span class="n">tmp</span><span class="o">/</span><span class="n">new</span><span class="o">.</span><span class="n">sec</span><span class="w"> </span>
<span class="w"> </span><span class="n">gpg</span><span class="p">:</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">E2B054B8</span><span class="p">:</span><span class="w"> </span><span class="n">secret</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">imported</span>
<span class="w"> </span><span class="n">gpg</span><span class="p">:</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="n">E2B054B8</span><span class="p">:</span><span class="w"> </span><span class="n">public</span><span class="w"> </span><span class="n">key</span><span class="w"> </span><span class="s2">&quot;Alice Example (EXAMPLE NEW KEY)</span>
<span class="w"> </span><span class="o">&lt;</span><span class="n">alice</span><span class="nd">@example</span><span class="o">.</span><span class="n">org</span><span class="o">&gt;</span><span class="s2">&quot; imported</span>
<span class="w"> </span><span class="n">gpg</span><span class="p">:</span><span class="w"> </span><span class="n">Total</span><span class="w"> </span><span class="n">number</span><span class="w"> </span><span class="n">processed</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span>
<span class="w"> </span><span class="n">gpg</span><span class="p">:</span><span class="w"> </span><span class="n">imported</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="p">(</span><span class="n">RSA</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">)</span>
<span class="w"> </span><span class="n">gpg</span><span class="p">:</span><span class="w"> </span><span class="n">secret</span><span class="w"> </span><span class="n">keys</span><span class="w"> </span><span class="n">read</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span>
<span class="w"> </span><span class="n">gpg</span><span class="p">:</span><span class="w"> </span><span class="n">secret</span><span class="w"> </span><span class="n">keys</span><span class="w"> </span><span class="n">imported</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span>
</code></pre></div>
<p>Check for <em>secret keys imported</em> in the output. Listing secret keys for the target keyring should now show the existence of the secret key:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="o">::</span><span class="err">:</span><span class="n">console</span>
<span class="w"> </span><span class="err">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="n">list</span><span class="o">-</span><span class="n">secret</span><span class="o">-</span><span class="n">keys</span>
<span class="w"> </span><span class="n">alice</span><span class="o">/</span><span class="n">secring</span><span class="p">.</span><span class="n">gpg</span>
<span class="w"> </span><span class="o">-----------------</span>
<span class="w"> </span><span class="n">sec</span><span class="w"> </span><span class="mi">1024</span><span class="n">D</span><span class="o">/</span><span class="n">AD741727</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span>
<span class="w"> </span><span class="n">uid</span><span class="w"> </span><span class="n">Alice</span><span class="w"> </span><span class="n">Example</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">OF</span><span class="w"> </span><span class="k">OLD</span><span class="w"> </span><span class="k">KEY</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">alice</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="n">ssb</span><span class="w"> </span><span class="mi">1024</span><span class="n">g</span><span class="o">/</span><span class="mi">268883</span><span class="n">A9</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span>
<span class="w"> </span><span class="n">sec</span><span class="w"> </span><span class="mi">4096</span><span class="n">R</span><span class="o">/</span><span class="n">E2B054B8</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span>
<span class="w"> </span><span class="n">uid</span><span class="w"> </span><span class="n">Alice</span><span class="w"> </span><span class="n">Example</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">NEW</span><span class="w"> </span><span class="k">KEY</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">alice</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="n">ssb</span><span class="w"> </span><span class="mi">4096</span><span class="n">R</span><span class="o">/</span><span class="mi">4</span><span class="n">A6D5217</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span>
</code></pre></div>
<p>Finally make sure that the temporary file you used cannot be read. We recommend secure deletion. If you are working on Linux, for example, you can use the <a href="http://www.linfo.org/shred.html" target="_blank">shred</a> command:</p>
<div class="highlight"><pre><span></span><code> :::console
$ shred /tmp/new.sec
$ rm /tmp/new.sec
</code></pre></div>
<p>Those using encrypted <code>tmp</code> should now restart the machine.</p>
<h2 id="transition">How to transition from an old to a new key<a class="headerlink" href="#transition" title="Permanent link">&para;</a></h2>
<p>If you have a short but uncompromised key and would like to <a href="release-signing.html#transition">transition</a> to a longer one, follow these
<a href="key-transition.html">instructions</a>.</p>
<p>If your key has been compromised, you <strong>must not</strong> transition. Instead, <a href="release-signing.html#revoke-key">revoke</a> the old key and replace it with a new one immediately. <strong>Do not</strong> use a transition period.</p>
<h2 id="revocation-certs">How to use revocation certificates<a class="headerlink" href="#revocation-certs" title="Permanent link">&para;</a></h2>
<p>When a private key is lost or compromised, a <a href="release-signing.html#revocation-cert">revocation certificate</a> should be
<a href="release-signing.html#revoke-cert">distributed</a> to <a href="release-signing.html#keyserver">publicly</a> <a href="release-signing.html#delete-vs-revoke">revoke the key</a>. In the event of a compromise or loss of the key, it is best to create a new revocation certification including the particulars of the case. Since this may not always be possible, you can <a href="#generate-key">generate</a> and <a href="release-signing.html#revocation-certificate-storage">securely
store</a> generic revocation certificates for each new key pair.</p>
<h3 id="revocation-cert-generic">Generic revocation certificates<a class="headerlink" href="#revocation-cert-generic" title="Permanent link">&para;</a></h3>
<p>When you create a new <a href="release-signing.html#public-private">key pair</a>, also generate and store generic revocation certificates for that key pair. We recommend that you generate a certificate (following the instructions in the next section) for each appropriate
revocation reason type:</p>
<ul>
<li>No reason specified</li>
<li>Key has been compromised</li>
<li>Key is no longer used</li>
</ul>
<p>Note that <em>Key is superseded</em> is not appropriate for a new key since it is not possible to know which key will replace it.</p>
<p>Store your generic revocation certificates securely until you need to use them. If an attacker obtains a revocation certificate, they will be able to deny your use of the key by publishing it. The private key is not compromised by this act and this limits the harm they can do. However, you will need to generate a new key to replace the one that has been revoked, rebuild the <a href="release-signing.html#web-of-trust">web of trust</a> and follow the <a href="release-signing.html#revoke-cert">Apache revocation process</a>.</p>
<p>We recommend that you store these certificates directly onto secure media with good long term stability (for example, an encrypted file
system on a top end USB drive or a CDROM). Print and store hard copies of the certificates yourself, and with trusted third parties.</p>
<h3 id="revocation-cert-gen">How to generate a revocation certificate<a class="headerlink" href="#revocation-cert-gen" title="Permanent link">&para;</a></h3>
<p>Revocation certificates include a small amount of additional information"</p>
<p>One of four machine readable reason types:</p>
<ul>
<li>No reason specified - <em>a catch-all category</em> </li>
<li>Key has been compromised - <em>also use this if you believe that the key may have been compromised (for example, when a storage device containing the private key has been lost)</em> </li>
<li>Key is superseded - <em>the comment should suggest the replacement key</em> </li>
<li>Key is no longer used - <em>useful when the key has been destroyed and so a generic revocation prepared earlier must be used</em> </li>
</ul>
<p>The certificate also includes a human-readable <em>comment</em>. Explain here the reason why you are revoking the key. This lets those affected by the revocation to formulate an appropriate response.</p>
<p>When a key has been compromised, lost or superseded, when possible generate a new certificate containing a comment explaining the
situation. For example, generate an <a href="release-signing.html#ascii">ASCII armored</a> (for
ease of handling) revocation certificate for key <code>AD741727</code> like this:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="o">::</span><span class="err">:</span><span class="n">console</span>
<span class="w"> </span><span class="err">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="k">output</span><span class="w"> </span><span class="k">revoke</span><span class="o">-</span><span class="n">AD741727</span><span class="p">.</span><span class="k">asc</span><span class="w"> </span><span class="o">--</span><span class="n">armor</span><span class="w"> </span><span class="o">--</span><span class="n">gen</span><span class="o">-</span><span class="k">revoke</span><span class="w"> </span><span class="n">AD741727</span>
<span class="w"> </span><span class="n">sec</span><span class="w"> </span><span class="mi">1024</span><span class="n">D</span><span class="o">/</span><span class="n">AD741727</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span><span class="w"> </span><span class="n">Alice</span><span class="w"> </span><span class="n">Example</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">OF</span><span class="w"> </span><span class="k">OLD</span><span class="w"> </span><span class="k">KEY</span><span class="p">)</span>
<span class="w"> </span><span class="o">&lt;</span><span class="n">alice</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="k">Create</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">revocation</span><span class="w"> </span><span class="n">certificate</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="k">key</span><span class="vm">?</span><span class="w"> </span><span class="p">(</span><span class="n">y</span><span class="o">/</span><span class="n">N</span><span class="p">)</span><span class="w"> </span><span class="n">y</span>
<span class="w"> </span><span class="n">Please</span><span class="w"> </span><span class="k">select</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">reason</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="nl">revocation</span><span class="p">:</span>
<span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">No</span><span class="w"> </span><span class="n">reason</span><span class="w"> </span><span class="n">specified</span>
<span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">Key</span><span class="w"> </span><span class="n">has</span><span class="w"> </span><span class="n">been</span><span class="w"> </span><span class="n">compromised</span>
<span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">Key</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">superseded</span>
<span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">Key</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="k">no</span><span class="w"> </span><span class="n">longer</span><span class="w"> </span><span class="n">used</span>
<span class="w"> </span><span class="n">Q</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Cancel</span>
<span class="w"> </span><span class="p">(</span><span class="n">Probably</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">want</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">select</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">here</span><span class="p">)</span>
<span class="w"> </span><span class="n">Your</span><span class="w"> </span><span class="n">decision</span><span class="vm">?</span><span class="w"> </span><span class="mi">1</span>
<span class="w"> </span><span class="n">Enter</span><span class="w"> </span><span class="n">an</span><span class="w"> </span><span class="n">optional</span><span class="w"> </span><span class="n">description</span><span class="p">;</span><span class="w"> </span><span class="k">end</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">an</span><span class="w"> </span><span class="n">empty</span><span class="w"> </span><span class="nl">line</span><span class="p">:</span>
<span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="n">THIS</span><span class="w"> </span><span class="k">IS</span><span class="w"> </span><span class="n">AN</span><span class="w"> </span><span class="n">EXAMPLE</span><span class="w"> </span><span class="n">MESSAGE</span><span class="w"> </span><span class="n">DESCRIBING</span><span class="w"> </span><span class="n">THAT</span><span class="w"> </span><span class="n">THIS</span><span class="w"> </span><span class="k">KEY</span><span class="w"> </span><span class="n">WAS</span><span class="w"> </span><span class="n">COMPROMISED</span><span class="w"> </span>
<span class="w"> </span><span class="o">&gt;</span><span class="w"> </span>
<span class="w"> </span><span class="n">Reason</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nl">revocation</span><span class="p">:</span><span class="w"> </span><span class="k">Key</span><span class="w"> </span><span class="n">has</span><span class="w"> </span><span class="n">been</span><span class="w"> </span><span class="n">compromised</span>
<span class="w"> </span><span class="n">THIS</span><span class="w"> </span><span class="k">IS</span><span class="w"> </span><span class="n">AN</span><span class="w"> </span><span class="n">EXAMPLE</span><span class="w"> </span><span class="n">MESSAGE</span><span class="w"> </span><span class="n">DESCRIBING</span><span class="w"> </span><span class="n">THAT</span><span class="w"> </span><span class="n">THIS</span><span class="w"> </span><span class="k">KEY</span><span class="w"> </span><span class="n">WAS</span><span class="w"> </span><span class="n">COMPROMISED</span>
<span class="w"> </span><span class="k">Is</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">okay</span><span class="vm">?</span><span class="w"> </span><span class="p">(</span><span class="n">y</span><span class="o">/</span><span class="n">N</span><span class="p">)</span><span class="w"> </span><span class="n">y</span>
<span class="w"> </span><span class="n">You</span><span class="w"> </span><span class="n">need</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">passphrase</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">unlock</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">secret</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="k">for</span>
<span class="w"> </span><span class="k">user</span><span class="err">:</span><span class="w"> </span><span class="ss">&quot;Alice Example (EXAMPLE OF OLD KEY) &lt;alice@example.org&gt;&quot;</span>
<span class="w"> </span><span class="mi">1024</span><span class="o">-</span><span class="nc">bit</span><span class="w"> </span><span class="n">DSA</span><span class="w"> </span><span class="k">key</span><span class="p">,</span><span class="w"> </span><span class="n">ID</span><span class="w"> </span><span class="n">AD741727</span><span class="p">,</span><span class="w"> </span><span class="n">created</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span>
<span class="w"> </span><span class="n">Revocation</span><span class="w"> </span><span class="n">certificate</span><span class="w"> </span><span class="n">created</span><span class="p">.</span>
<span class="w"> </span><span class="n">Please</span><span class="w"> </span><span class="n">move</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">medium</span><span class="w"> </span><span class="n">which</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">hide</span><span class="w"> </span><span class="n">away</span><span class="p">;</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">Mallory</span><span class="w"> </span><span class="n">gets</span>
<span class="w"> </span><span class="n">access</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">certificate</span><span class="w"> </span><span class="n">he</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="k">use</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">make</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="n">unusable</span><span class="p">.</span>
<span class="w"> </span><span class="n">It</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">smart</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">print</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">certificate</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">store</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="n">away</span><span class="p">,</span><span class="w"> </span><span class="n">just</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="k">case</span>
<span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">media</span><span class="w"> </span><span class="n">become</span><span class="w"> </span><span class="n">unreadable</span><span class="p">.</span><span class="w"> </span><span class="n">But</span><span class="w"> </span><span class="n">have</span><span class="w"> </span><span class="ow">some</span><span class="w"> </span><span class="nl">caution</span><span class="p">:</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="k">print</span><span class="w"> </span><span class="k">system</span><span class="w"> </span><span class="k">of</span>
<span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">machine</span><span class="w"> </span><span class="n">might</span><span class="w"> </span><span class="n">store</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="k">data</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">make</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="n">available</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">others</span><span class="err">!</span>
</code></pre></div>
<p>When preparing generic certificates (for use if the <a href="release-signing.html#public-private">private key</a> is unavailable), the comment
cannot include the specifics and so should indicate this. </p>
<p>The process for generating a generic certificate is identical, but you should add a different comment. For example, generate an <a href="release-signing.html#ascii">ASCII armored</a> (for ease of handling) revocation certificate for key <code>AD741727</code> like this:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="o">::</span><span class="err">:</span><span class="n">console</span>
<span class="w"> </span><span class="err">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="k">output</span><span class="w"> </span><span class="k">revoke</span><span class="o">-</span><span class="n">AD741727</span><span class="p">.</span><span class="k">asc</span><span class="w"> </span><span class="o">--</span><span class="n">armor</span><span class="w"> </span><span class="o">--</span><span class="n">gen</span><span class="o">-</span><span class="k">revoke</span><span class="w"> </span><span class="n">AD741727</span>
<span class="w"> </span><span class="n">sec</span><span class="w"> </span><span class="mi">1024</span><span class="n">D</span><span class="o">/</span><span class="n">AD741727</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span><span class="w"> </span><span class="n">Alice</span><span class="w"> </span><span class="n">Example</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">OF</span><span class="w"> </span><span class="k">OLD</span><span class="w"> </span><span class="k">KEY</span><span class="p">)</span>
<span class="w"> </span><span class="o">&lt;</span><span class="n">alice</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="k">Create</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">revocation</span><span class="w"> </span><span class="n">certificate</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="k">key</span><span class="vm">?</span><span class="w"> </span><span class="p">(</span><span class="n">y</span><span class="o">/</span><span class="n">N</span><span class="p">)</span><span class="w"> </span><span class="n">y</span>
<span class="w"> </span><span class="n">Please</span><span class="w"> </span><span class="k">select</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">reason</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="nl">revocation</span><span class="p">:</span>
<span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">No</span><span class="w"> </span><span class="n">reason</span><span class="w"> </span><span class="n">specified</span>
<span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">Key</span><span class="w"> </span><span class="n">has</span><span class="w"> </span><span class="n">been</span><span class="w"> </span><span class="n">compromised</span>
<span class="w"> </span><span class="mi">2</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">Key</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">superseded</span>
<span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">Key</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="k">no</span><span class="w"> </span><span class="n">longer</span><span class="w"> </span><span class="n">used</span>
<span class="w"> </span><span class="n">Q</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Cancel</span>
<span class="w"> </span><span class="p">(</span><span class="n">Probably</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">want</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">select</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">here</span><span class="p">)</span>
<span class="w"> </span><span class="n">Your</span><span class="w"> </span><span class="n">decision</span><span class="vm">?</span><span class="w"> </span><span class="mi">1</span>
<span class="w"> </span><span class="n">Enter</span><span class="w"> </span><span class="n">an</span><span class="w"> </span><span class="n">optional</span><span class="w"> </span><span class="n">description</span><span class="p">;</span><span class="w"> </span><span class="k">end</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">an</span><span class="w"> </span><span class="n">empty</span><span class="w"> </span><span class="nl">line</span><span class="p">:</span>
<span class="w"> </span><span class="o">&gt;</span><span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="n">revocation</span><span class="w"> </span><span class="n">certificate</span><span class="w"> </span><span class="n">was</span><span class="w"> </span><span class="n">generate</span><span class="w"> </span><span class="k">when</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="n">was</span><span class="w"> </span><span class="n">created</span><span class="p">.</span><span class="w"> </span>
<span class="w"> </span><span class="o">&gt;</span><span class="w"> </span>
<span class="w"> </span><span class="n">Reason</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nl">revocation</span><span class="p">:</span><span class="w"> </span><span class="k">Key</span><span class="w"> </span><span class="n">has</span><span class="w"> </span><span class="n">been</span><span class="w"> </span><span class="n">compromised</span>
<span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="n">revocation</span><span class="w"> </span><span class="n">certificate</span><span class="w"> </span><span class="n">was</span><span class="w"> </span><span class="n">generate</span><span class="w"> </span><span class="k">when</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="n">was</span><span class="w"> </span><span class="n">created</span><span class="p">.</span><span class="w"> </span>
<span class="w"> </span><span class="k">Is</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">okay</span><span class="vm">?</span><span class="w"> </span><span class="p">(</span><span class="n">y</span><span class="o">/</span><span class="n">N</span><span class="p">)</span><span class="w"> </span><span class="n">y</span>
<span class="w"> </span><span class="n">You</span><span class="w"> </span><span class="n">need</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">passphrase</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">unlock</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">secret</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="k">for</span>
<span class="w"> </span><span class="k">user</span><span class="err">:</span><span class="w"> </span><span class="ss">&quot;Alice Example (EXAMPLE OF OLD KEY) &lt;alice@example.org&gt;&quot;</span>
<span class="w"> </span><span class="mi">1024</span><span class="o">-</span><span class="nc">bit</span><span class="w"> </span><span class="n">DSA</span><span class="w"> </span><span class="k">key</span><span class="p">,</span><span class="w"> </span><span class="n">ID</span><span class="w"> </span><span class="n">AD741727</span><span class="p">,</span><span class="w"> </span><span class="n">created</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">08</span><span class="o">-</span><span class="mi">20</span>
<span class="w"> </span><span class="n">Revocation</span><span class="w"> </span><span class="n">certificate</span><span class="w"> </span><span class="n">created</span><span class="p">.</span>
<span class="w"> </span><span class="n">Please</span><span class="w"> </span><span class="n">move</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">medium</span><span class="w"> </span><span class="n">which</span><span class="w"> </span><span class="n">you</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="n">hide</span><span class="w"> </span><span class="n">away</span><span class="p">;</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="n">Mallory</span><span class="w"> </span><span class="n">gets</span>
<span class="w"> </span><span class="n">access</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">certificate</span><span class="w"> </span><span class="n">he</span><span class="w"> </span><span class="n">can</span><span class="w"> </span><span class="k">use</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">make</span><span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="n">unusable</span><span class="p">.</span>
<span class="w"> </span><span class="n">It</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">smart</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="k">print</span><span class="w"> </span><span class="n">this</span><span class="w"> </span><span class="n">certificate</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">store</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="n">away</span><span class="p">,</span><span class="w"> </span><span class="n">just</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="k">case</span>
<span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">media</span><span class="w"> </span><span class="n">become</span><span class="w"> </span><span class="n">unreadable</span><span class="p">.</span><span class="w"> </span><span class="n">But</span><span class="w"> </span><span class="n">have</span><span class="w"> </span><span class="ow">some</span><span class="w"> </span><span class="nl">caution</span><span class="p">:</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="k">print</span><span class="w"> </span><span class="k">system</span><span class="w"> </span><span class="k">of</span>
<span class="w"> </span><span class="n">your</span><span class="w"> </span><span class="n">machine</span><span class="w"> </span><span class="n">might</span><span class="w"> </span><span class="n">store</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="k">data</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">make</span><span class="w"> </span><span class="n">it</span><span class="w"> </span><span class="n">available</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">others</span><span class="err">!</span>
</code></pre></div>
<h2 id="symmetric">How to use symmetric encryption<a class="headerlink" href="#symmetric" title="Permanent link">&para;</a></h2>
<p>GnuPG supports symmetric (in addition to public key) cryptography, but the ciphers available sometimes differ. Use <code>gpg --version</code> to discover which ciphers are available in the current installation:</p>
<div class="highlight"><pre><span></span><code> :::console
$ gpg --version
gpg (GnuPG) 1.4.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
&lt;http://gnu.org/licenses/gpl.html&gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: alice
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
</code></pre></div>
<p>In this case, the available ciphers are:</p>
<div class="highlight"><pre><span></span><code> :::text
3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
</code></pre></div>
<p>Note that most of the ciphers early on the list are weak. This is typical. We recommend that you specify a strong cipher on the command
line. For example, to encrypt a document <code>INPUT_FILENAME</code> using <code>AES256</code> (a strong cipher) and output it to file <code>ENCRYPTED_FILE</code>:</p>
<div class="highlight"><pre><span></span><code> :::console
$ gpg --cipher-algo AES256 --output ENCRYPTED_FILE --symmetric INPUT_FILENAME
</code></pre></div>
<p>When prompted for a <a href="release-signing.html#passphrase">passphrase</a>, choose a strong one.</p>
<p>The file format contains metadata, including the cipher used. So to decrypt <code>ENCRYPTED_FILE</code> into <code>OUTPUT_FILE</code> use:</p>
<div class="highlight"><pre><span></span><code> :::console
$ gpg --output OUTPUT_FILE --decrypt ENCRYPTED_FILE
</code></pre></div>
<h2 id="update">How to update Apache documents with details of a new key<a class="headerlink" href="#update" title="Permanent link">&para;</a></h2>
<p>For the new key, you will need to provide both the <a href="release-signing.html#fingerprint">fingerprint</a> and the <a href="release-signing.html#public-private">public key</a> export more than once. We repeat the creation instructions below for each case but you may find it more convenient to create, store then reuse the results.</p>
<h3 id="publish-in-web-space">Publish the new public key<a class="headerlink" href="#publish-in-web-space" title="Permanent link">&para;</a></h3>
<p><strong>Note</strong>: you must <a href="release-signing.html#keyserver-upload">upload signing keys to a public key server</a>. You must also add them to your LDAP record using the Apache <a href="https://id.apache.org" target="_blank">self-service app</a>.</p>
<p>A reliable, permanent URL for your new public key is useful. Your Apache web space is an ideal location for this. Copy an
<a href="release-signing.html#ascii">ASCII armored</a> <a href="release-signing.html#public-private">public key</a>
<a href="release-signing.html#export">export</a> (see instructions later, or use documents you created earlier) into the <code>public_html</code> subdirectory of your home on <a href="https://home.apache.org" target="_blank">home.apache.org</a>.</p>
<p>The suffix <code>.asc</code> is conventional for ASCII armored public key exports. So, for example, <code>A6EE6908.asc</code> is a reasonable choice for the export of key <code>A6EE6908</code>. Record the URL (for example <code>http://home.apache.org/~rdonkin/A6EE6908.asc</code> ) for use later in your
<a href="#foaf">FOAF</a>.</p>
<p>If your Apache home page contains details of your keys (recommended), update the <a href="release-signing.html#fingerprint">fingerprints</a> and the <a href="release-signing.html#ascii">ASCII armored</a> <a href="release-signing.html#public-private">public key</a> <a href="release-signing.html#export">export</a>. Any browser with a suitable <a href="release-signing.html#openpgp">OpenPGP</a> plugin (for example, <a href="https://www.mozilla.com/firefox/" target="_blank">Firefox</a> with the <a href="https://www.getfiregpg.org" target="_blank">FireGPG plugin</a>) will let you download the key into the local keyring.</p>
<p>For example, <a href="https://home.apache.org/~rdonkin/" target="_blank">this home page contains a section with fingerprints and a for exporting them. At the bottom, the export has been inlined so browsers with <a href="release-signing.html#opengpg">OpenPGP</a> support can import the keys.</p>
<p>To create an <a href="release-signing.html#ascii">ASCII armored</a> <a href="release-signing.html#public-private">public key</a> <a href="release-signing.html#export">export</a>:</p>
<ul>
<li>When using a <a href="release-signing.html#transition">transition</a>, follow these <a href="key-transition.html#transition-export">instructions</a>.</li>
<li>Otherwise this <a href="#export-key">discussion</a> describes how to export public keys.</li>
</ul>
<p>To find the <a href="release-signing.html#fingerprint">fingerprint</a> for a key:</p>
<ul>
<li>When using a <a href="release-signing.html#transition">transition</a>, follow these <a href="key-transition.html#transition-fingerprints">instructions</a>.</li>
<li>Otherwise use <code>gpg --fingerprint</code>.</li>
</ul>
<p>Ensure that each <code>pubkeyAddress</code> points to the new export <a href="#publish-in-web-space">uploaded into your Apache home web space</a>.</p>
<p>When <a href="release-signing.html#transition">transitioning</a>, include one entry for the old and one for the new key. Yu can use the same URL for both since the target should be the <a href="key-transition.html#transition-export">dual export</a> you <a href="#publish-in-web-space">uploadedearlier</a>. For example, for keys A6EE6908 (new) and B1313DE2 (old):</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span>:::xml
<span class="w"> </span><span class="nt">&lt;wot:hasKey&gt;</span>
<span class="w"> </span><span class="nt">&lt;wot:PubKey&gt;</span>
<span class="w"> </span><span class="nt">&lt;wot:hex_id&gt;</span>A6EE6908<span class="nt">&lt;/wot:hex_id&gt;</span>
<span class="w"> </span><span class="nt">&lt;wot:fingerprint&gt;</span>597C729B02371932E77CB9D5EDB8C082A6EE6908<span class="nt">&lt;/wot:fingerprint&gt;</span>
<span class="w"> </span><span class="nt">&lt;wot:pubkeyAddress</span>
<span class="w"> </span><span class="na">rdf:resource=</span><span class="s">&quot;http://home.apache.org/~rdonkin/A6EE6908.asc&quot;</span><span class="nt">/&gt;</span>
<span class="w"> </span><span class="nt">&lt;/wot:PubKey&gt;</span>
<span class="w"> </span><span class="nt">&lt;wot:PubKey&gt;</span>
<span class="w"> </span><span class="nt">&lt;wot:hex_id&gt;</span>B1313DE2<span class="nt">&lt;/wot:hex_id&gt;</span>
<span class="w"> </span><span class="nt">&lt;wot:fingerprint&gt;</span>EA6141E8E49E560C224B2F74D5334E75B1313DE2<span class="nt">&lt;/wot:fingerprint&gt;</span>
<span class="w"> </span><span class="nt">&lt;wot:pubkeyAddress</span>
<span class="w"> </span><span class="na">rdf:resource=</span><span class="s">&quot;http://home.apache.org/~rdonkin/A6EE6908.asc&quot;</span><span class="nt">/&gt;</span>
<span class="w"> </span><span class="nt">&lt;/wot:PubKey&gt;</span>
<span class="w"> </span><span class="nt">&lt;/wot:hasKey&gt;</span>
</code></pre></div>
<h3 id="update-KEYS">Update keys on the next release<a class="headerlink" href="#update-KEYS" title="Permanent link">&para;</a></h3>
<p>Projects maintain <a href="release-signing.html#keys-policy">KEYS</a> files containing the public keys used to sign Apache releases. These documents need not be updated immediately, but you <strong>must</strong> update your project's file with the new key, with an export, before publishing a release using the new key.</p>
<p>To create an <a href="release-signing.html#ascii">ASCII armored</a> <a href="release-signing.html#export">export</a>:</p>
<ul>
<li>When using a <a href="release-signing.html#transition">transition</a>, follow these <a href="key-transition.html#transition-export">instructions</a>.</li>
<li>Otherwise this <a href="#export-key">discussion</a> describes how to export public keys</li>
</ul>
<p>If there is an older export in the <code>KEYS</code> file, only remove it if it has not been used to sign a release. It is important
that the KEYS file can also be used to check archived releases.</p>
<h3 id="members-details">ASF Members only: update details<a class="headerlink" href="#members-details" title="Permanent link">&para;</a></h3>
<p><a href="https://www.apache.org/foundation/members.html" target="_blank">ASF Members</a> should add the new key to their details stored in Subversion.</p>
<p>Update your Apache business card with fingerprints (see <code>Cards</code> directory in the members area in Subversion) and place a new order for cards.</p>
<h2 id="wot">How to use the Web of Trust<a class="headerlink" href="#wot" title="Permanent link">&para;</a></h2>
<p>A link to a new key from a <a href="release-signing.html#web-of-trust">web of trust</a> is made when a key that is part of that network signs the new key.</p>
<p>Each link is only one way. By signing a key, you indicate that you have verified the identity of the owner of that key. Links are established in both directions once the owner of that key also signs your key. When the owner has suitable identification, expect the owner to ask you to sign their key in return.</p>
<p>You can use directional links to establish trust in the identity of a key whose owner you haven't met.</p>
<h3 id="wot-verifying-links">How to verify identity<a class="headerlink" href="#wot-verifying-links" title="Permanent link">&para;</a></h3>
<p>Verifying identities is usually automated, but here is an example to explain the process. If you already understand the process, feel free to <a href="#apache-wot">skip forward</a>.</p>
<h4 id="wot-manual-example">Example - the hard way<a class="headerlink" href="#wot-manual-example" title="Permanent link">&para;</a></h4>
<p>Take Alice, Bob and Charlie. Alice has verified Bob's identity in person. Bob has verified Charlie's identity in person. But Alice has
never met Charlie. So</p>
<ul>
<li>Bob's key has been signed by Alice's key</li>
<li>Charlie's key has been signed by Bob's key</li>
</ul>
<p>Alice has obtained a file ( <code>document</code> in this example) which Charlie may have created, and a detached signature for that file ( <code>document.asc</code> in this example). Alice wishes to discover whether Charlie signed this file.</p>
<p>The basic idea is easy. If Alice has verified Bob's identity and trusts Bob to verify the Charlie's identity before signing, then Alice should be able to work out whether Charlie owns the key which was used to sign the file.</p>
<p>Alice starts by verifying the signature:</p>
<div class="highlight"><pre><span></span><code> :::console
$ gpg --verify document.asc
gpg: Signature made Wed Sep 9 14:33:12 2009 BST using RSA key ID 8F8A2525
gpg: Can&#39;t check signature: public key not found
</code></pre></div>
<p>This indicates that the key used to create this signature is missing from Alice's keyring. This is not unexpected. Alice adds the public key, perhaps by using a public key server or by importing an export, and tries again:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="o">::</span><span class="err">:</span><span class="n">console</span>
<span class="w"> </span><span class="err">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="n">verify</span><span class="w"> </span><span class="n">document</span><span class="p">.</span><span class="k">asc</span><span class="w"> </span>
<span class="w"> </span><span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="n">Signature</span><span class="w"> </span><span class="n">made</span><span class="w"> </span><span class="n">Wed</span><span class="w"> </span><span class="n">Sep</span><span class="w"> </span><span class="mi">9</span><span class="w"> </span><span class="mi">14</span><span class="err">:</span><span class="mi">33</span><span class="err">:</span><span class="mi">12</span><span class="w"> </span><span class="mi">2009</span><span class="w"> </span><span class="n">BST</span><span class="w"> </span><span class="k">using</span><span class="w"> </span><span class="n">RSA</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="n">ID</span><span class="w"> </span><span class="mi">8</span><span class="n">F8A2525</span>
<span class="w"> </span><span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="n">checking</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">trustdb</span>
<span class="w"> </span><span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="n">marginal</span><span class="p">(</span><span class="n">s</span><span class="p">)</span><span class="w"> </span><span class="n">needed</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="n">complete</span><span class="p">(</span><span class="n">s</span><span class="p">)</span><span class="w"> </span><span class="n">needed</span><span class="p">,</span><span class="w"> </span><span class="n">PGP</span><span class="w"> </span><span class="n">trust</span><span class="w"> </span><span class="n">model</span>
<span class="w"> </span><span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="k">depth</span><span class="err">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="nl">valid</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="nl">signed</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="nl">trust</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="o">-</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="n">q</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="n">n</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="n">m</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="n">f</span><span class="p">,</span><span class="w"> </span><span class="mi">1</span><span class="n">u</span>
<span class="w"> </span><span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="k">depth</span><span class="err">:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="nl">valid</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="nl">signed</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="nl">trust</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="o">-</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="n">q</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="n">n</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="n">m</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="n">f</span><span class="p">,</span><span class="w"> </span><span class="mi">0</span><span class="n">u</span>
<span class="w"> </span><span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="n">Good</span><span class="w"> </span><span class="n">signature</span><span class="w"> </span><span class="k">from</span><span class="w"> </span><span class="ss">&quot;Charlie (EXAMPLE ONLY NOT FOR DISTRIBUTION)</span>
<span class="ss"> &lt;charlie@example.org&gt;&quot;</span>
<span class="w"> </span><span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="nl">WARNING</span><span class="p">:</span><span class="w"> </span><span class="n">This</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="ow">not</span><span class="w"> </span><span class="n">certified</span><span class="w"> </span><span class="k">with</span><span class="w"> </span><span class="n">a</span><span class="w"> </span><span class="n">trusted</span><span class="w"> </span><span class="n">signature</span><span class="err">!</span>
<span class="w"> </span><span class="nl">gpg</span><span class="p">:</span><span class="w"> </span><span class="n">There</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="k">no</span><span class="w"> </span><span class="n">indication</span><span class="w"> </span><span class="n">that</span><span class="w"> </span><span class="n">the</span><span class="w"> </span><span class="n">signature</span><span class="w"> </span><span class="n">belongs</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">the</span>
<span class="w"> </span><span class="n">owner</span><span class="p">.</span>
<span class="w"> </span><span class="k">Primary</span><span class="w"> </span><span class="k">key</span><span class="w"> </span><span class="nl">fingerprint</span><span class="p">:</span><span class="w"> </span><span class="n">B7F6</span><span class="w"> </span><span class="mi">17</span><span class="n">FA</span><span class="w"> </span><span class="mi">4</span><span class="n">DEF</span><span class="w"> </span><span class="n">E61F</span><span class="w"> </span><span class="mi">37</span><span class="n">A4</span><span class="w"> </span><span class="mi">7463</span><span class="w"> </span><span class="mi">41</span><span class="n">F4</span><span class="w"> </span><span class="mi">40</span><span class="n">D4</span><span class="w"> </span><span class="mi">8</span><span class="n">F8A</span><span class="w"> </span><span class="mi">2525</span>
</code></pre></div>
<p>This output indicates that this key says that Charlie created it. This is a reasonable start but is easily faked.</p>
<p>Alice examines the signatures on this key:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="o">::</span><span class="err">:</span><span class="n">console</span>
<span class="w"> </span><span class="err">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="n">list</span><span class="o">-</span><span class="n">sigs</span><span class="w"> </span><span class="mi">8</span><span class="n">F8A2525</span>
<span class="w"> </span><span class="n">pub</span><span class="w"> </span><span class="mi">2048</span><span class="n">R</span><span class="o">/</span><span class="mi">8</span><span class="n">F8A2525</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">09</span><span class="o">-</span><span class="mi">09</span>
<span class="w"> </span><span class="n">uid</span><span class="w"> </span><span class="n">Charlie</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">ONLY</span><span class="w"> </span><span class="ow">NOT</span><span class="w"> </span><span class="k">FOR</span><span class="w"> </span><span class="n">DISTRIBUTION</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">charlie</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="n">sig</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="mi">8</span><span class="n">F8A2525</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">09</span><span class="o">-</span><span class="mi">09</span><span class="w"> </span><span class="n">Charlie</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">ONLY</span><span class="w"> </span><span class="ow">NOT</span><span class="w"> </span><span class="k">FOR</span><span class="w"> </span><span class="n">DISTRIBUTION</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">charlie</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
</code></pre></div>
<p>This key is signed only by itself. This is not indicative. Unless all keys in the ring have been refreshed, it is possible that a signature has been made but is missing from the ring. Alice refreshes the keys on the ring then verifies once more:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="o">::</span><span class="err">:</span><span class="n">console</span>
<span class="w"> </span><span class="err">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="n">list</span><span class="o">-</span><span class="n">sigs</span><span class="w"> </span><span class="mi">8</span><span class="n">F8A2525</span>
<span class="w"> </span><span class="n">pub</span><span class="w"> </span><span class="mi">2048</span><span class="n">R</span><span class="o">/</span><span class="mi">8</span><span class="n">F8A2525</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">09</span><span class="o">-</span><span class="mi">09</span>
<span class="w"> </span><span class="n">uid</span><span class="w"> </span><span class="n">Charlie</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">ONLY</span><span class="w"> </span><span class="ow">NOT</span><span class="w"> </span><span class="k">FOR</span><span class="w"> </span><span class="n">DISTRIBUTION</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">charlie</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="n">sig</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="mi">8</span><span class="n">F8A2525</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">09</span><span class="o">-</span><span class="mi">09</span><span class="w"> </span><span class="n">Charlie</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">ONLY</span><span class="w"> </span><span class="ow">NOT</span><span class="w"> </span><span class="k">FOR</span><span class="w"> </span><span class="n">DISTRIBUTION</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">charlie</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="n">sig</span><span class="w"> </span><span class="mi">1</span><span class="n">B912854</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">09</span><span class="o">-</span><span class="mi">09</span><span class="w"> </span><span class="n">Bob___</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">ONLY</span><span class="w"> </span><span class="ow">NOT</span><span class="w"> </span><span class="k">FOR</span><span class="w"> </span><span class="n">DISTRIBUTION</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">bob</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
</code></pre></div>
<p>The key now has a signature from Bob's key - or so says the key. But Alice has met Bob. So, she lists the signatures for that key that may - or may not - be owned by Bob:</p>
<div class="highlight"><pre><span></span><code><span class="w"> </span><span class="o">::</span><span class="err">:</span><span class="n">console</span>
<span class="w"> </span><span class="err">$</span><span class="w"> </span><span class="n">gpg</span><span class="w"> </span><span class="o">--</span><span class="n">list</span><span class="o">-</span><span class="n">sigs</span><span class="w"> </span><span class="mi">1</span><span class="n">B912854</span>
<span class="w"> </span><span class="n">pub</span><span class="w"> </span><span class="mi">2048</span><span class="n">R</span><span class="o">/</span><span class="mi">1</span><span class="n">B912854</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">09</span><span class="o">-</span><span class="mi">09</span>
<span class="w"> </span><span class="n">uid</span><span class="w"> </span><span class="n">Bob___</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">ONLY</span><span class="w"> </span><span class="ow">NOT</span><span class="w"> </span><span class="k">FOR</span><span class="w"> </span><span class="n">DISTRIBUTION</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">bob</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="n">sig</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="mi">1</span><span class="n">B912854</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">09</span><span class="o">-</span><span class="mi">09</span><span class="w"> </span><span class="n">Bob___</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">ONLY</span><span class="w"> </span><span class="ow">NOT</span><span class="w"> </span><span class="k">FOR</span><span class="w"> </span><span class="n">DISTRIBUTION</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">bob</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
<span class="w"> </span><span class="n">sig</span><span class="w"> </span><span class="mi">81590910</span><span class="w"> </span><span class="mi">2009</span><span class="o">-</span><span class="mi">09</span><span class="o">-</span><span class="mi">09</span><span class="w"> </span><span class="n">Alice</span><span class="w"> </span><span class="p">(</span><span class="n">EXAMPLE</span><span class="w"> </span><span class="k">ONLY</span><span class="w"> </span><span class="ow">NOT</span><span class="w"> </span><span class="k">FOR</span><span class="w"> </span><span class="n">DISTRIBUTION</span><span class="p">)</span><span class="w"> </span><span class="o">&lt;</span><span class="n">alice</span><span class="nv">@example</span><span class="p">.</span><span class="n">org</span><span class="o">&gt;</span>
</code></pre></div>
<p>Alice finds it signed by <code>81590910</code> - the master key for this keyring. Alice can therefore trust that Charlie has signed the file provided so long as Alice trusts Bob to verify Charlie's identity.</p>
<h4 id="wot-automated">Automated trust<a class="headerlink" href="#wot-automated" title="Permanent link">&para;</a></h4>
<p>Most clients allow automation of this process of transitive trust resolution. This is easier and more convenient than by hand but clients differ in the amount of human control they provide. Some clients (including GnuPG) are highly configurable (allowing different trust models to be used) and allow finely grained control over trust placed in each signed key. For more details see <a href="https://www.gnupg.org/gph/en/manual.html" target="_blank">The GNU Privacy Handbook&lt;/a&lt;</p>
<p><h3 id="apache-wot">Code signing keys and the Web of Trust<a class="headerlink" href="#apache-wot" title="Permanent link">&para;</a></h3></p>
<p>It is vital that Apache code signing keys are linked into a strong <a href="release-signing.html#web-of-trust">web of trust</a>. This allows independent verification of the fidelity of Apache releases by anyone strongly linked to this web. In particular, this lets two important groups independently verify releases:</p>
<ul>
<li>The Apache Infrastructure Team</li>
<li>Downstream packagers</li>
</ul>
<p>The Apache web of trust is reasonably well connected to the wider-open source web of trust. Though every opportunity should be taken to link into wider networks, the most important action needs to be to plan to exchange signatures with other Apache committers.</p>
<h3 id="apache-wot-link">How to link into the Apache Web of Trust<a class="headerlink" href="#apache-wot-link" title="Permanent link">&para;</a></h3>
<p>The process (explained below) is the same but the people are different: this means arranging to meet in person with Apache committers. For a global distributed organisation like Apache, this is not always easy and usually takes some planning.</p>
<h4 id="wot-apachecon">Keysigning at ApacheCon<a class="headerlink" href="#wot-apachecon" title="Permanent link">&para;</a></h4>
<p>Apache organizes a major <a href="release-signing.html#key-signing-party">keysigning party</a> at every <a href="https://apachecon.com/" target="_blank">ApacheCon</a>. This is a great opportunity to collect dozens of signatures.</p>
<h4 id="wot-apache-other-events">Keysigning at other Apache events<a class="headerlink" href="#wot-apache-other-events" title="Permanent link">&para;</a></h4>
<p>Other Apache events may also hold keysigning parties (and most will if asked). Typically, these will be smaller and less informal.</p>
<h4 id="wot-apache-party">Informal Apache meetings<a class="headerlink" href="#wot-apache-party" title="Permanent link">&para;</a></h4>
<p>Smaller, informal Apache-sponsored meetings are also an opportunity to swap keys (as well as gossip) with other committers.</p>
<p>Subscribe to the party list (see committer documentation) to find out about informal meetings. When you travel, take advantage of this opportunity to meet up with other Apache committers by posting to the party list. The <a href="https://community.zones.apache.org/map.html" target="_blank>committer map</a> shows locations for many committers. If there are committers near you, you can organise an informal meetup.</p>
<p><h3 id="wot-link-in">How to link into a public web of trust<a class="headerlink" href="#wot-link-in" title="Permanent link">&para;</a></h3></p>
<p>In short, expect that:</p>
<ul>
<li>this will involve a face-to-face meeting</li>
<li>you will have to provide some sort of real-world identification, like a driver's license</li>
<li>you will be asked to verify their identity and sign their public key in
exchange</li>
</ul>
<p>Bring the key <a href="release-signing.html#fingerprint">fingerprint</a> but keep the private key safely at home.</p>
<h4 id="wot-public-preparations">Be prepared<a class="headerlink" href="#wot-public-preparations" title="Permanent link">&para;</a></h4>
<p>A small amount of preparation (before attending technical conferences or meetings) lets you exchange keys easily (if the other person is suitably prepared) or get your key signed if the opportunity presents itself. All that is required is suitable identification and the <a href="release-signing.html#fingerprint">public key fingerprint</a> (which can can be conveniently printed onto a small card).</p>
<h4 id="wot-public-keysigning">Keysigning parties<a class="headerlink" href="#wot-public-keysigning" title="Permanent link">&para;</a></h4>
<p>The most effective way to achieve this is to attend a <a href="release-signing.html#key-signing-party">key signing party</a>. Apache and many other open-source organisations organize parties at their conferences. It may also be possible to arrange such a party at other events.</p>
<p>Expect to:</p>
<ul>
<li>bring identification</li>
<li>bring a hard copy of your key's <a href="release-signing.html#fingerprint">fingerprint</a> </li>
<li>supply the key ID or public key to the organiser before the party</li>
<li>check that the <a href="release-signing.html#fingerprint">fingerprint</a> for your key supplied by the organiser matches your hard copy</li>
<li>confirm this to those present</li>
</ul>
<p>Do <strong>not</strong> bring your private key. This <strong>must</strong> stay safe and secure at all times. Wait until the conference has finished and you have returned home before signing keys.</p>
<p>For more information, see this <a href="https://www.cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html" target="_blank">guide</a>.</p>
</div>
</div>
</div>
<!-- footer -->
<div class="row">
<div class="large-12 medium-12 columns">
<p style="font-style: italic; font-size: 0.8rem; text-align: center;">
Copyright 2024, <a href="https://www.apache.org/">The Apache Software Foundation</a>, Licensed under the <a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.<br/>
Apache&reg; and the Apache feather logo are trademarks of The Apache Software Foundation...
</p>
</div>
</div>
<script type="application/ecmascript" src="/js/bootstrap.bundle.min.js" integrity="sha384-OERcA2EqjJCMA+/3y+gxIOqMEjwtxJY7qPCqsdltbNJuaOe923+mo//f6V8Qbsw3"></script> </div>
</main>
<script>hljs.initHighlightingOnLoad();</script>
</body>
</html>