maintainer-pgp-guide.rst 35 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913
  1. .. SPDX-License-Identifier: GPL-2.0
  2. .. _pgpguide:
  3. ===========================
  4. Kernel Maintainer PGP guide
  5. ===========================
  6. :Author: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
  7. This document is aimed at Linux kernel developers, and especially at
  8. subsystem maintainers. It contains a subset of information discussed in
  9. the more general "`Protecting Code Integrity`_" guide published by the
  10. Linux Foundation. Please read that document for more in-depth discussion
  11. on some of the topics mentioned in this guide.
  12. .. _`Protecting Code Integrity`: https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md
  13. The role of PGP in Linux Kernel development
  14. ===========================================
  15. PGP helps ensure the integrity of the code that is produced by the Linux
  16. kernel development community and, to a lesser degree, establish trusted
  17. communication channels between developers via PGP-signed email exchange.
  18. The Linux kernel source code is available in two main formats:
  19. - Distributed source repositories (git)
  20. - Periodic release snapshots (tarballs)
  21. Both git repositories and tarballs carry PGP signatures of the kernel
  22. developers who create official kernel releases. These signatures offer a
  23. cryptographic guarantee that downloadable versions made available via
  24. kernel.org or any other mirrors are identical to what these developers
  25. have on their workstations. To this end:
  26. - git repositories provide PGP signatures on all tags
  27. - tarballs provide detached PGP signatures with all downloads
  28. .. _devs_not_infra:
  29. Trusting the developers, not infrastructure
  30. -------------------------------------------
  31. Ever since the 2011 compromise of core kernel.org systems, the main
  32. operating principle of the Kernel Archives project has been to assume
  33. that any part of the infrastructure can be compromised at any time. For
  34. this reason, the administrators have taken deliberate steps to emphasize
  35. that trust must always be placed with developers and never with the code
  36. hosting infrastructure, regardless of how good the security practices
  37. for the latter may be.
  38. The above guiding principle is the reason why this guide is needed. We
  39. want to make sure that by placing trust into developers we do not merely
  40. shift the blame for potential future security incidents to someone else.
  41. The goal is to provide a set of guidelines developers can use to create
  42. a secure working environment and safeguard the PGP keys used to
  43. establish the integrity of the Linux kernel itself.
  44. .. _pgp_tools:
  45. PGP tools
  46. =========
  47. Use GnuPG 2.4 or later
  48. ----------------------
  49. Your distro should already have GnuPG installed by default, you just
  50. need to verify that you are using a reasonably recent version of it.
  51. To check, run::
  52. $ gpg --version | head -n1
  53. If you have version 2.4 or above, then you are good to go. If you have
  54. an earlier version, then you are using a release of GnuPG that is no
  55. longer maintained and some commands from this guide may not work.
  56. Configure gpg-agent options
  57. ~~~~~~~~~~~~~~~~~~~~~~~~~~~
  58. The GnuPG agent is a helper tool that will start automatically whenever
  59. you use the ``gpg`` command and run in the background with the purpose
  60. of caching the private key passphrase. There are two options you should
  61. know in order to tweak when the passphrase should be expired from cache:
  62. - ``default-cache-ttl`` (seconds): If you use the same key again before
  63. the time-to-live expires, the countdown will reset for another period.
  64. The default is 600 (10 minutes).
  65. - ``max-cache-ttl`` (seconds): Regardless of how recently you've used
  66. the key since initial passphrase entry, if the maximum time-to-live
  67. countdown expires, you'll have to enter the passphrase again. The
  68. default is 30 minutes.
  69. If you find either of these defaults too short (or too long), you can
  70. edit your ``~/.gnupg/gpg-agent.conf`` file to set your own values::
  71. # set to 30 minutes for regular ttl, and 2 hours for max ttl
  72. default-cache-ttl 1800
  73. max-cache-ttl 7200
  74. .. note::
  75. It is no longer necessary to start gpg-agent manually at the
  76. beginning of your shell session. You may want to check your rc files
  77. to remove anything you had in place for older versions of GnuPG, as
  78. it may not be doing the right thing any more.
  79. .. _protect_your_key:
  80. Protect your PGP key
  81. ====================
  82. This guide assumes that you already have a PGP key that you use for Linux
  83. kernel development purposes. If you do not yet have one, please see the
  84. "`Protecting Code Integrity`_" document mentioned earlier for guidance
  85. on how to create a new one.
  86. You should also make a new key if your current one is weaker than 2048
  87. bits (RSA).
  88. Understanding PGP Subkeys
  89. -------------------------
  90. A PGP key rarely consists of a single keypair -- usually it is a
  91. collection of independent subkeys that can be used for different
  92. purposes based on their capabilities, assigned at their creation time.
  93. PGP defines four capabilities that a key can have:
  94. - **[S]** keys can be used for signing
  95. - **[E]** keys can be used for encryption
  96. - **[A]** keys can be used for authentication
  97. - **[C]** keys can be used for certifying other keys
  98. The key with the **[C]** capability is often called the "master" key,
  99. but this terminology is misleading because it implies that the Certify
  100. key can be used in place of any of other subkey on the same chain (like
  101. a physical "master key" can be used to open locks made for other keys).
  102. Since this is not the case, this guide will refer to it as "the Certify
  103. key" to avoid any ambiguity.
  104. It is critical to fully understand the following:
  105. 1. All subkeys are fully independent from each other. If you lose a
  106. private subkey, it cannot be restored or recreated from any other
  107. private key on your chain.
  108. 2. With the exception of the Certify key, there can be multiple subkeys
  109. with identical capabilities (e.g. you can have 2 valid encryption
  110. subkeys, 3 valid signing subkeys, but only one valid certification
  111. subkey). All subkeys are fully independent -- a message encrypted to
  112. one **[E]** subkey cannot be decrypted with any other **[E]** subkey
  113. you may also have.
  114. 3. A single subkey may have multiple capabilities (e.g. your **[C]** key
  115. can also be your **[S]** key).
  116. The key carrying the **[C]** (certify) capability is the only key that
  117. can be used to indicate relationship with other keys. Only the **[C]**
  118. key can be used to:
  119. - add or revoke other keys (subkeys) with S/E/A capabilities
  120. - add, change or revoke identities (uids) associated with the key
  121. - add or change the expiration date on itself or any subkey
  122. - sign other people's keys for web of trust purposes
  123. By default, GnuPG creates the following when generating new keys:
  124. - One subkey carrying both Certify and Sign capabilities (**[SC]**)
  125. - A separate subkey with the Encryption capability (**[E]**)
  126. If you used the default parameters when generating your key, then that
  127. is what you will have. You can verify by running ``gpg --list-secret-keys``,
  128. for example::
  129. sec ed25519 2022-12-20 [SC] [expires: 2024-12-19]
  130. 000000000000000000000000AAAABBBBCCCCDDDD
  131. uid [ultimate] Alice Dev <adev@kernel.org>
  132. ssb cv25519 2022-12-20 [E] [expires: 2024-12-19]
  133. The long line under the ``sec`` entry is your key fingerprint --
  134. whenever you see ``[fpr]`` in the examples below, that 40-character
  135. string is what it refers to.
  136. Ensure your passphrase is strong
  137. --------------------------------
  138. GnuPG uses passphrases to encrypt your private keys before storing them on
  139. disk. This way, even if your ``.gnupg`` directory is leaked or stolen in
  140. its entirety, the attackers cannot use your private keys without first
  141. obtaining the passphrase to decrypt them.
  142. It is absolutely essential that your private keys are protected by a
  143. strong passphrase. To set it or change it, use::
  144. $ gpg --change-passphrase [fpr]
  145. Create a separate Signing subkey
  146. --------------------------------
  147. Our goal is to protect your Certify key by moving it to offline media,
  148. so if you only have a combined **[SC]** key, then you should create a
  149. separate signing subkey::
  150. $ gpg --quick-addkey [fpr] ed25519 sign
  151. Back up your Certify key for disaster recovery
  152. ----------------------------------------------
  153. The more signatures you have on your PGP key from other developers, the
  154. more reasons you have to create a backup version that lives on something
  155. other than digital media, for disaster recovery reasons.
  156. A good way to create a printable hardcopy of your private key is by
  157. using the ``paperkey`` software written for this very purpose. See ``man
  158. paperkey`` for more details on the output format and its benefits over
  159. other solutions. Paperkey should already be packaged for most
  160. distributions.
  161. Run the following command to create a hardcopy backup of your private
  162. key::
  163. $ gpg --export-secret-key [fpr] | paperkey -o /tmp/key-backup.txt
  164. Print out that file, then take a pen and write your passphrase on the
  165. margin of the paper. **This is strongly recommended** because the key
  166. printout is still encrypted with that passphrase, and if you ever change
  167. it you will not remember what it used to be when you had created the
  168. backup -- *guaranteed*.
  169. Put the resulting printout and the hand-written passphrase into an envelope
  170. and store in a secure and well-protected place, preferably away from your
  171. home, such as your bank vault.
  172. .. note::
  173. The key is still encrypted with your passphrase, so printing out
  174. even to "cloud-integrated" modern printers should remain a
  175. relatively safe operation.
  176. Back up your whole GnuPG directory
  177. ----------------------------------
  178. .. warning::
  179. **!!!Do not skip this step!!!**
  180. It is important to have a readily available backup of your PGP keys
  181. should you need to recover them. This is different from the
  182. disaster-level preparedness we did with ``paperkey``. You will also rely
  183. on these external copies whenever you need to use your Certify key --
  184. such as when making changes to your own key or signing other people's
  185. keys after conferences and summits.
  186. Start by getting an external media card (preferably two!) that you will
  187. use for backup purposes. You will need to create an encrypted partition
  188. on this device using LUKS -- refer to your distro's documentation on how
  189. to accomplish this.
  190. For the encryption passphrase, you can use the same one as on your
  191. PGP key.
  192. Once the encryption process is over, re-insert your device and make sure
  193. it gets properly mounted. Copy your entire ``.gnupg`` directory over to
  194. the encrypted storage::
  195. $ cp -a ~/.gnupg /media/disk/foo/gnupg-backup
  196. You should now test to make sure everything still works::
  197. $ gpg --homedir=/media/disk/foo/gnupg-backup --list-key [fpr]
  198. If you don't get any errors, then you should be good to go. Unmount the
  199. device, distinctly label it so you don't overwrite it by accident, and
  200. put in a safe place -- but not too far away, because you'll need to use
  201. it every now and again for things like editing identities, adding or
  202. revoking subkeys, or signing other people's keys.
  203. Remove the Certify key from your homedir
  204. ----------------------------------------
  205. The files in our home directory are not as well protected as we like to
  206. think. They can be leaked or stolen via many different means:
  207. - by accident when making quick homedir copies to set up a new workstation
  208. - by systems administrator negligence or malice
  209. - via poorly secured backups
  210. - via malware in desktop apps (browsers, pdf viewers, etc)
  211. - via coercion when crossing international borders
  212. Protecting your key with a good passphrase greatly helps reduce the risk
  213. of any of the above, but passphrases can be discovered via keyloggers,
  214. shoulder-surfing, or any number of other means. For this reason, the
  215. recommended setup is to remove your Certify key from your home directory
  216. and store it on offline storage.
  217. .. warning::
  218. Please see the previous section and make sure you have backed up
  219. your GnuPG directory in its entirety. What we are about to do will
  220. render your key useless if you do not have a usable backup!
  221. First, identify the "keygrip" of your Certify key::
  222. $ gpg --with-keygrip --list-key [fpr]
  223. The output will be something like this::
  224. pub ed25519 2022-12-20 [SC] [expires: 2022-12-19]
  225. 000000000000000000000000AAAABBBBCCCCDDDD
  226. Keygrip = 1111000000000000000000000000000000000000
  227. uid [ultimate] Alice Dev <adev@kernel.org>
  228. sub cv25519 2022-12-20 [E] [expires: 2022-12-19]
  229. Keygrip = 2222000000000000000000000000000000000000
  230. sub ed25519 2022-12-20 [S]
  231. Keygrip = 3333000000000000000000000000000000000000
  232. Find the keygrip entry that is beneath the ``pub`` line (right under the
  233. Certify key fingerprint). This will correspond directly to a file in your
  234. ``~/.gnupg`` directory::
  235. $ cd ~/.gnupg/private-keys-v1.d
  236. $ ls
  237. 1111000000000000000000000000000000000000.key
  238. 2222000000000000000000000000000000000000.key
  239. 3333000000000000000000000000000000000000.key
  240. It is sufficient to remove the .key file that corresponds to the Certify
  241. key keygrip::
  242. $ cd ~/.gnupg/private-keys-v1.d
  243. $ rm 1111000000000000000000000000000000000000.key
  244. Now, if you issue the ``--list-secret-keys`` command, it will show that
  245. the Certify key is missing (the ``#`` indicates it is not available)::
  246. $ gpg --list-secret-keys
  247. sec# ed25519 2022-12-20 [SC] [expires: 2024-12-19]
  248. 000000000000000000000000AAAABBBBCCCCDDDD
  249. uid [ultimate] Alice Dev <adev@kernel.org>
  250. ssb cv25519 2022-12-20 [E] [expires: 2024-12-19]
  251. ssb ed25519 2022-12-20 [S]
  252. You should also remove any ``secring.gpg`` files in the ``~/.gnupg``
  253. directory, which may be left over from previous versions of GnuPG.
  254. If you don't have the "private-keys-v1.d" directory
  255. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  256. If you do not have a ``~/.gnupg/private-keys-v1.d`` directory, then your
  257. secret keys are still stored in the legacy ``secring.gpg`` file used by
  258. GnuPG v1. Making any changes to your key, such as changing the
  259. passphrase or adding a subkey, should automatically convert the old
  260. ``secring.gpg`` format to use ``private-keys-v1.d`` instead.
  261. Once you get that done, make sure to delete the obsolete ``secring.gpg``
  262. file, which still contains your private keys.
  263. .. _smartcards:
  264. Move the subkeys to a dedicated crypto device
  265. =============================================
  266. Even though the Certify key is now safe from being leaked or stolen, the
  267. subkeys are still in your home directory. Anyone who manages to get
  268. their hands on those will be able to decrypt your communication or fake
  269. your signatures (if they know the passphrase). Furthermore, each time a
  270. GnuPG operation is performed, the keys are loaded into system memory and
  271. can be stolen from there by sufficiently advanced malware (think
  272. Meltdown and Spectre).
  273. A good way to completely protect your keys is to move them to a
  274. specialized hardware device that is capable of smartcard operations.
  275. The benefits of smartcards
  276. --------------------------
  277. A smartcard contains a cryptographic chip that is capable of storing
  278. private keys and performing crypto operations directly on the card
  279. itself. Because the key contents never leave the smartcard, the
  280. operating system of the computer into which you plug in the hardware
  281. device is not able to retrieve the private keys themselves. This is very
  282. different from the encrypted media storage device we used earlier for
  283. backup purposes -- while that device is plugged in and mounted, the
  284. operating system is able to access the private key contents.
  285. Using external encrypted media is not a substitute to having a
  286. smartcard-capable device.
  287. Available smartcard devices
  288. ---------------------------
  289. Unless all your laptops and workstations have smartcard readers, the
  290. easiest is to get a specialized USB device that implements smartcard
  291. functionality. There are several options available:
  292. - `Nitrokey Start`_: Open hardware and Free Software, based on FSI
  293. Japan's `Gnuk`_. One of the cheapest options, but offers fewest
  294. security features (such as resistance to tampering or some
  295. side-channel attacks).
  296. - `Nitrokey 3`_: Similar to the Nitrokey Start, but more
  297. tamper-resistant and offers more security features and USB
  298. form-factors. Supports ECC cryptography (ED25519 and NISTP).
  299. - `Yubikey 5`_: proprietary hardware and software, but cheaper than
  300. Nitrokey with a similar set of features. Supports ECC cryptography
  301. (ED25519 and NISTP).
  302. Your choice will depend on cost, shipping availability in your
  303. geographical region, and open/proprietary hardware considerations.
  304. .. note::
  305. If you are listed in an `M:` entry in MAINTAINERS or have an account at
  306. kernel.org, you `qualify for a free Nitrokey Start`_ courtesy of The Linux
  307. Foundation.
  308. .. _`Nitrokey Start`: https://www.nitrokey.com/products/nitrokeys
  309. .. _`Nitrokey 3`: https://www.nitrokey.com/products/nitrokeys
  310. .. _`Yubikey 5`: https://www.yubico.com/products/yubikey-5-overview/
  311. .. _Gnuk: https://www.fsij.org/doc-gnuk/
  312. .. _`qualify for a free Nitrokey Start`: https://www.kernel.org/nitrokey-digital-tokens-for-kernel-developers.html
  313. Configure your smartcard device
  314. -------------------------------
  315. Your smartcard device should Just Work (TM) the moment you plug it into
  316. any modern Linux workstation. You can verify it by running::
  317. $ gpg --card-status
  318. If you see full smartcard details, then you are good to go.
  319. Unfortunately, troubleshooting all possible reasons why things may not
  320. be working for you is way beyond the scope of this guide. If you are
  321. having trouble getting the card to work with GnuPG, please seek help via
  322. usual support channels.
  323. To configure your smartcard, you will need to use the GnuPG menu system, as
  324. there are no convenient command-line switches::
  325. $ gpg --card-edit
  326. [...omitted...]
  327. gpg/card> admin
  328. Admin commands are allowed
  329. gpg/card> passwd
  330. You should set the user PIN (1), Admin PIN (3), and the Reset Code (4).
  331. Please make sure to record and store these in a safe place -- especially
  332. the Admin PIN and the Reset Code (which allows you to completely wipe
  333. the smartcard). You so rarely need to use the Admin PIN, that you will
  334. inevitably forget what it is if you do not record it.
  335. Getting back to the main card menu, you can also set other values (such
  336. as name, gender, login data, etc), but it's not necessary and will
  337. additionally leak information about your smartcard should you lose it.
  338. .. note::
  339. Despite having the name "PIN", neither the user PIN nor the admin
  340. PIN on the card need to be numbers.
  341. .. warning::
  342. Some devices may require that you move the subkeys onto the device
  343. before you can change the passphrase. Please check the documentation
  344. provided by the device manufacturer.
  345. Move the subkeys to your smartcard
  346. ----------------------------------
  347. Exit the card menu (using "q") and save all changes. Next, let's move
  348. your subkeys onto the smartcard. You will need both your PGP key
  349. passphrase and the admin PIN of the card for most operations::
  350. $ gpg --edit-key [fpr]
  351. Secret subkeys are available.
  352. pub ed25519/AAAABBBBCCCCDDDD
  353. created: 2022-12-20 expires: 2024-12-19 usage: SC
  354. trust: ultimate validity: ultimate
  355. ssb cv25519/1111222233334444
  356. created: 2022-12-20 expires: never usage: E
  357. ssb ed25519/5555666677778888
  358. created: 2017-12-07 expires: never usage: S
  359. [ultimate] (1). Alice Dev <adev@kernel.org>
  360. gpg>
  361. Using ``--edit-key`` puts us into the menu mode again, and you will
  362. notice that the key listing is a little different. From here on, all
  363. commands are done from inside this menu mode, as indicated by ``gpg>``.
  364. First, let's select the key we'll be putting onto the card -- you do
  365. this by typing ``key 1`` (it's the first one in the listing, the **[E]**
  366. subkey)::
  367. gpg> key 1
  368. In the output, you should now see ``ssb*`` on the **[E]** key. The ``*``
  369. indicates which key is currently "selected." It works as a *toggle*,
  370. meaning that if you type ``key 1`` again, the ``*`` will disappear and
  371. the key will not be selected any more.
  372. Now, let's move that key onto the smartcard::
  373. gpg> keytocard
  374. Please select where to store the key:
  375. (2) Encryption key
  376. Your selection? 2
  377. Since it's our **[E]** key, it makes sense to put it into the Encryption
  378. slot. When you submit your selection, you will be prompted first for
  379. your PGP key passphrase, and then for the admin PIN. If the command
  380. returns without an error, your key has been moved.
  381. **Important**: Now type ``key 1`` again to unselect the first key, and
  382. ``key 2`` to select the **[S]** key::
  383. gpg> key 1
  384. gpg> key 2
  385. gpg> keytocard
  386. Please select where to store the key:
  387. (1) Signature key
  388. (3) Authentication key
  389. Your selection? 1
  390. You can use the **[S]** key both for Signature and Authentication, but
  391. we want to make sure it's in the Signature slot, so choose (1). Once
  392. again, if your command returns without an error, then the operation was
  393. successful::
  394. gpg> q
  395. Save changes? (y/N) y
  396. Saving the changes will delete the keys you moved to the card from your
  397. home directory (but it's okay, because we have them in our backups
  398. should we need to do this again for a replacement smartcard).
  399. Verifying that the keys were moved
  400. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  401. If you perform ``--list-secret-keys`` now, you will see a subtle
  402. difference in the output::
  403. $ gpg --list-secret-keys
  404. sec# ed25519 2022-12-20 [SC] [expires: 2024-12-19]
  405. 000000000000000000000000AAAABBBBCCCCDDDD
  406. uid [ultimate] Alice Dev <adev@kernel.org>
  407. ssb> cv25519 2022-12-20 [E] [expires: 2024-12-19]
  408. ssb> ed25519 2022-12-20 [S]
  409. The ``>`` in the ``ssb>`` output indicates that the subkey is only
  410. available on the smartcard. If you go back into your secret keys
  411. directory and look at the contents there, you will notice that the
  412. ``.key`` files there have been replaced with stubs::
  413. $ cd ~/.gnupg/private-keys-v1.d
  414. $ strings *.key | grep 'private-key'
  415. The output should contain ``shadowed-private-key`` to indicate that
  416. these files are only stubs and the actual content is on the smartcard.
  417. Verifying that the smartcard is functioning
  418. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  419. To verify that the smartcard is working as intended, you can create a
  420. signature::
  421. $ echo "Hello world" | gpg --clearsign > /tmp/test.asc
  422. $ gpg --verify /tmp/test.asc
  423. This should ask for your smartcard PIN on your first command, and then
  424. show "Good signature" after you run ``gpg --verify``.
  425. Congratulations, you have successfully made it extremely difficult to
  426. steal your digital developer identity!
  427. Other common GnuPG operations
  428. -----------------------------
  429. Here is a quick reference for some common operations you'll need to do
  430. with your PGP key.
  431. Mounting your safe offline storage
  432. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  433. You will need your Certify key for any of the operations below, so you
  434. will first need to mount your backup offline storage and tell GnuPG to
  435. use it::
  436. $ export GNUPGHOME=/media/disk/foo/gnupg-backup
  437. $ gpg --list-secret-keys
  438. You want to make sure that you see ``sec`` and not ``sec#`` in the
  439. output (the ``#`` means the key is not available and you're still using
  440. your regular home directory location).
  441. Extending key expiration date
  442. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  443. The Certify key has the default expiration date of 2 years from the date
  444. of creation. This is done both for security reasons and to make obsolete
  445. keys eventually disappear from keyservers.
  446. To extend the expiration on your key by a year from current date, just
  447. run::
  448. $ gpg --quick-set-expire [fpr] 1y
  449. You can also use a specific date if that is easier to remember (e.g.
  450. your birthday, January 1st, or Canada Day)::
  451. $ gpg --quick-set-expire [fpr] 2038-07-01
  452. Remember to send the updated key back to keyservers::
  453. $ gpg --send-key [fpr]
  454. Updating your work directory after any changes
  455. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  456. After you make any changes to your key using the offline storage, you will
  457. want to import these changes back into your regular working directory::
  458. $ gpg --export | gpg --homedir ~/.gnupg --import
  459. $ unset GNUPGHOME
  460. Using gpg-agent over ssh
  461. ~~~~~~~~~~~~~~~~~~~~~~~~
  462. You can forward your gpg-agent over ssh if you need to sign tags or
  463. commits on a remote system. Please refer to the instructions provided
  464. on the GnuPG wiki:
  465. - `Agent Forwarding over SSH`_
  466. It works more smoothly if you can modify the sshd server settings on the
  467. remote end.
  468. .. _`Agent Forwarding over SSH`: https://wiki.gnupg.org/AgentForwarding
  469. .. _pgp_with_git:
  470. Using PGP with Git
  471. ==================
  472. One of the core features of Git is its decentralized nature -- once a
  473. repository is cloned to your system, you have full history of the
  474. project, including all of its tags, commits and branches. However, with
  475. hundreds of cloned repositories floating around, how does anyone verify
  476. that their copy of linux.git has not been tampered with by a malicious
  477. third party?
  478. Or what happens if malicious code is discovered in the kernel and the
  479. "Author" line in the commit says it was done by you, while you're pretty
  480. sure you had `nothing to do with it`_?
  481. To address both of these issues, Git introduced PGP integration. Signed
  482. tags prove the repository integrity by assuring that its contents are
  483. exactly the same as on the workstation of the developer who created the
  484. tag, while signed commits make it nearly impossible for someone to
  485. impersonate you without having access to your PGP keys.
  486. .. _`nothing to do with it`: https://github.com/jayphelps/git-blame-someone-else
  487. Configure git to use your PGP key
  488. ---------------------------------
  489. If you only have one secret key in your keyring, then you don't really
  490. need to do anything extra, as it becomes your default key. However, if
  491. you happen to have multiple secret keys, you can tell git which key
  492. should be used (``[fpr]`` is the fingerprint of your key)::
  493. $ git config --global user.signingKey [fpr]
  494. How to work with signed tags
  495. ----------------------------
  496. To create a signed tag, pass the ``-s`` switch to the tag command::
  497. $ git tag -s [tagname]
  498. Our recommendation is to always sign git tags, as this allows other
  499. developers to ensure that the git repository they are pulling from has
  500. not been maliciously altered.
  501. How to verify signed tags
  502. ~~~~~~~~~~~~~~~~~~~~~~~~~
  503. To verify a signed tag, use the ``verify-tag`` command::
  504. $ git verify-tag [tagname]
  505. If you are pulling a tag from another fork of the project repository,
  506. git should automatically verify the signature at the tip you're pulling
  507. and show you the results during the merge operation::
  508. $ git pull [url] tags/sometag
  509. The merge message will contain something like this::
  510. Merge tag 'sometag' of [url]
  511. [Tag message]
  512. # gpg: Signature made [...]
  513. # gpg: Good signature from [...]
  514. If you are verifying someone else's git tag, you will first need to
  515. import their PGP key. Please refer to the ":ref:`verify_identities`"
  516. section below.
  517. Configure git to always sign annotated tags
  518. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  519. Chances are, if you're creating an annotated tag, you'll want to sign
  520. it. To force git to always sign annotated tags, you can set a global
  521. configuration option::
  522. $ git config --global tag.forceSignAnnotated true
  523. How to work with signed commits
  524. -------------------------------
  525. It is also possible to create signed commits, but they have limited
  526. usefulness in Linux kernel development. The kernel contribution workflow
  527. relies on sending in patches, and converting commits to patches does not
  528. preserve git commit signatures. Furthermore, when rebasing your own
  529. repository on a newer upstream, PGP commit signatures will end up
  530. discarded. For this reason, most kernel developers don't bother signing
  531. their commits and will ignore signed commits in any external
  532. repositories that they rely upon in their work.
  533. That said, if you have your working git tree publicly available at some
  534. git hosting service (kernel.org, infradead.org, ozlabs.org, or others),
  535. then the recommendation is that you sign all your git commits even if
  536. upstream developers do not directly benefit from this practice.
  537. We recommend this for the following reasons:
  538. 1. Should there ever be a need to perform code forensics or track code
  539. provenance, even externally maintained trees carrying PGP commit
  540. signatures will be valuable for such purposes.
  541. 2. If you ever need to re-clone your local repository (for example,
  542. after reinstalling your system), this lets you verify the repository
  543. integrity before resuming your work.
  544. 3. If someone needs to cherry-pick your commits, this allows them to
  545. quickly verify their integrity before applying them.
  546. Creating signed commits
  547. ~~~~~~~~~~~~~~~~~~~~~~~
  548. To create a signed commit, pass the ``-S`` flag to the ``git commit``
  549. command (it's capital ``-S`` due to collision with another flag)::
  550. $ git commit -S
  551. Configure git to always sign commits
  552. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  553. You can tell git to always sign commits::
  554. git config --global commit.gpgSign true
  555. .. note::
  556. Make sure you configure ``gpg-agent`` before you turn this on.
  557. .. _verify_identities:
  558. How to work with signed patches
  559. -------------------------------
  560. It is possible to use your PGP key to sign patches sent to kernel
  561. developer mailing lists. Since existing email signature mechanisms
  562. (PGP-Mime or PGP-inline) tend to cause problems with regular code
  563. review tasks, you should use the tool kernel.org created for this
  564. purpose that puts cryptographic attestation signatures into message
  565. headers (a-la DKIM):
  566. - `Patatt Patch Attestation`_
  567. .. _`Patatt Patch Attestation`: https://pypi.org/project/patatt/
  568. Installing and configuring patatt
  569. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  570. .. note::
  571. If you use B4 to send in your patches, patatt is already installed
  572. and integrated into your workflow.
  573. Patatt is packaged for many distributions already, so please check there
  574. first. You can also install it from pypi using "``pip install patatt``".
  575. If you already have your PGP key configured with git (via the
  576. ``user.signingKey`` configuration parameter), then patatt requires no
  577. further configuration. You can start signing your patches by installing
  578. the git-send-email hook in the repository you want::
  579. patatt install-hook
  580. Now any patches you send with ``git send-email`` will be automatically
  581. signed with your cryptographic signature.
  582. Checking patatt signatures
  583. ~~~~~~~~~~~~~~~~~~~~~~~~~~
  584. If you are using ``b4`` to retrieve and apply patches, then it will
  585. automatically attempt to verify all DKIM and patatt signatures it
  586. encounters, for example::
  587. $ b4 am 20220720205013.890942-1-broonie@kernel.org
  588. [...]
  589. Checking attestation on all messages, may take a moment...
  590. ---
  591. ✓ [PATCH v1 1/3] kselftest/arm64: Correct buffer allocation for SVE Z registers
  592. ✓ [PATCH v1 2/3] arm64/sve: Document our actual ABI for clearing registers on syscall
  593. ✓ [PATCH v1 3/3] kselftest/arm64: Enforce actual ABI for SVE syscalls
  594. ---
  595. ✓ Signed: openpgp/broonie@kernel.org
  596. ✓ Signed: DKIM/kernel.org
  597. .. note::
  598. Patatt and b4 are still in active development and you should check
  599. the latest documentation for these projects for any new or updated
  600. features.
  601. .. _kernel_identities:
  602. How to verify kernel developer identities
  603. =========================================
  604. Signing tags and commits is straightforward, but how does one go about
  605. verifying that the key used to sign something belongs to the actual
  606. kernel developer and not to a malicious imposter?
  607. Configure auto-key-retrieval using WKD and DANE
  608. -----------------------------------------------
  609. If you are not already someone with an extensive collection of other
  610. developers' public keys, then you can jumpstart your keyring by relying
  611. on key auto-discovery and auto-retrieval. GnuPG can piggyback on other
  612. delegated trust technologies, namely DNSSEC and TLS, to get you going if
  613. the prospect of starting your own Web of Trust from scratch is too
  614. daunting.
  615. Add the following to your ``~/.gnupg/gpg.conf``::
  616. auto-key-locate wkd,dane,local
  617. auto-key-retrieve
  618. DNS-Based Authentication of Named Entities ("DANE") is a method for
  619. publishing public keys in DNS and securing them using DNSSEC signed
  620. zones. Web Key Directory ("WKD") is the alternative method that uses
  621. https lookups for the same purpose. When using either DANE or WKD for
  622. looking up public keys, GnuPG will validate DNSSEC or TLS certificates,
  623. respectively, before adding auto-retrieved public keys to your local
  624. keyring.
  625. Kernel.org publishes the WKD for all developers who have kernel.org
  626. accounts. Once you have the above changes in your ``gpg.conf``, you can
  627. auto-retrieve the keys for Linus Torvalds and Greg Kroah-Hartman (if you
  628. don't already have them)::
  629. $ gpg --locate-keys torvalds@kernel.org gregkh@kernel.org
  630. If you have a kernel.org account, then you should `add the kernel.org
  631. UID to your key`_ to make WKD more useful to other kernel developers.
  632. .. _`add the kernel.org UID to your key`: https://korg.docs.kernel.org/mail.html#adding-a-kernel-org-uid-to-your-pgp-key
  633. Web of Trust (WOT) vs. Trust on First Use (TOFU)
  634. ------------------------------------------------
  635. PGP incorporates a trust delegation mechanism known as the "Web of
  636. Trust." At its core, this is an attempt to replace the need for
  637. centralized Certification Authorities of the HTTPS/TLS world. Instead of
  638. various software makers dictating who should be your trusted certifying
  639. entity, PGP leaves this responsibility to each user.
  640. Unfortunately, very few people understand how the Web of Trust works.
  641. While it is still an important part of the OpenPGP specification,
  642. recent versions of GnuPG (2.2 and above) have implemented an alternative
  643. mechanism called "Trust on First Use" (TOFU). You can think of TOFU as
  644. "the SSH-like approach to trust." With SSH, the first time you connect
  645. to a remote system, its key fingerprint is recorded and remembered. If
  646. the key changes in the future, the SSH client will alert you and refuse
  647. to connect, forcing you to make a decision on whether you choose to
  648. trust the changed key or not. Similarly, the first time you import
  649. someone's PGP key, it is assumed to be valid. If at any point in the
  650. future GnuPG comes across another key with the same identity, both the
  651. previously imported key and the new key will be marked for verification
  652. and you will need to manually figure out which one to keep.
  653. We recommend that you use the combined TOFU+PGP trust model (which is
  654. the new default in GnuPG v2). To set it, add (or modify) the
  655. ``trust-model`` setting in ``~/.gnupg/gpg.conf``::
  656. trust-model tofu+pgp
  657. Using the kernel.org web of trust repository
  658. --------------------------------------------
  659. Kernel.org maintains a git repository with developers' public keys as a
  660. replacement for replicating keyserver networks that have gone mostly
  661. dark in the past few years. The full documentation for how to set up
  662. that repository as your source of public keys can be found here:
  663. - `Kernel developer PGP Keyring`_
  664. If you are a kernel developer, please consider submitting your key for
  665. inclusion into that keyring.
  666. .. _`Kernel developer PGP Keyring`: https://korg.docs.kernel.org/pgpkeys.html