Note

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

Difference between revisions of "GPG Signatures"

From Funtoo
Jump to navigation Jump to search
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{Subpages|Metro Plaintext Keys}}
{{Subpages|Metro Plaintext Keys}}


Funtoo Linux stage tarballs are signed using GPG by the master build server. The following key is used to create detached binary signatures ending in {{c|.gpg}} of each stage tarball. The key is 4096 bit RSA with no expiry.
The Funtoo Linux master GPG signing key is the {{c|drobbins@funtoo.org}} key (the "BDFL key"), which has the following signature:


{{TableStart}}
{{TableStart}}
<tr><th>GPG key name/email</th><th>GPG comment</th><th>Fingerprint</th><th>Used for</th></tr>
<tr><th>GPG key name/email</th><th>GPG comment</th><th>Fingerprint</th></tr>
<tr><td>Daniel Robbins {{c|drobbins@funtoo.org}}</td><td>{{c|metro:node}}</td><td>{{c|3073 7D12 308C 9D0C 882F C34B 57CB 0A12 1BAE CB2E}} (Sign)<br>{{c|70AC BB6B FEE7 BC57 2A89  41D1 9266 C4FA 11FD 00FD}} (Primary)</td><td>All builds</td></tr>
<tr><td>Daniel Robbins {{c|drobbins@funtoo.org}}</td><td>{{c|BDFL}}</td><td>{{c|D3B9 48F8 2EE8 B402 0A04 1078 9A65 8306 E986 E8EE}}</td></tr>
{{TableEnd}}
{{TableEnd}}


In turn, these public keys are signed by the Funtoo Linux master signing key:
To verify the integrity of stage3 tarballs using GPG, download your preferred stage3 tarball from https://build.funtoo.org, along with the matching file with the additional {{c|.gpg}} extension in the same directory. Next, we will receive the public master key from a public keyserver (specifying the ''last 8 digits of the BDFL fingerprint'') and assign ultimate trust to it:


{{TableStart}}
{{console|body=
<tr><th>GPG key name/email</th><th>GPG comment</th><th>Fingerprint</th></tr>
$ ##i##gpg --keyserver pgp.mit.edu --recv-key D3B948F82EE8B4020A0410789A658306E986E8EE
<tr><td>Daniel Robbins {{c|drobbins@funtoo.org}}</td><td>{{c|BDFL}}</td><td>{{c|D3B9 48F8 2EE8 B402 0A04  1078 9A65 8306 E986 E8EE}}</td></tr>
}}
{{TableEnd}}


To verify the integrity of stage3 tarballs using GPG, first download your preferred stage3 taball, and the matching file with the additional {{c|.gpg}} extension in the same directory. Next, we will receive the public master key from a public keyserver (specifying the ''last 8 digits of the BDFL fingerprint'',) and assign ultimate trust to it:
{{Important|The above command must ''complete successfully'' for the following commands to work. {{c|pgp.mit.edu}} takes a while to respond, and it can timeout. You may need to make a few attempts to get this first key retrieval to complete successfully. Once this is done, the following steps can be performed:}}


{{console|body=
{{console|body=
$ ##i##gpg --keyserver pgp.mit.edu --recv-key E986E8EE
$ ##i##gpg --edit-key E986E8EE
$ ##i##gpg --edit-key E986E8EE
gpg> ##i##trust
gpg> ##i##trust
Line 25: Line 23:
gpg> ##i##quit
gpg> ##i##quit
}}
}}
Each build server key has been signed by the BDFL key, so by trusting the BDFL key ''ultimately'', you will automatically ''fully'' trust the build server keys.
Each build server key has been signed by the BDFL key, so by trusting the BDFL key ''ultimately'', you will automatically ''fully'' trust the build server key.


Then, you will want to use the {{c|gpg --recv-key}} command, now specifying the ''the last 8 digits of the build server's primary key fingerprint'' listed above for each build server for which you want to verify signatures. The following command will grab public keys for all of the Funtoo Linux build servers listed above:
Next, head to [[GPG Signatures/Metro Plaintext Keys]] and copy and paste the public key and associated signatures for the metro build server into a file called {{c|node.txt}}. Then, import this key into GPG:


{{console|body=
{{console|body=
$ ##i##gpg --keyserver pgp.mit.edu --recv-key 11FD00FD
$ ##i##gpg --import node.txt
}}
}}


Then, you can use the {{c|gpg --verify}} command to verify the stage3's GPG signature:
Then, you can use the {{c|gpg --verify}} command to verify the stage3's GPG signature. You should see output similar to this. The BDFL trusts this key, and if your stage file is not corrupted, you will see a message of a "Good signature" and an exit code of zero:
 
{{console|body=
$ ##i##gpg --verify stage3-latest.tar.xz.gpg stage3-latest.tar.xz
}}


You should see output similar to this, which will specify the ''last 8 digits of the signing GPG fingerprint'':
{{console|body=
{{console|body=
gpg: Signature made Sun 25 Dec 2016 03:57:27 PM MST using RSA key ID 613539CB
$ ##i##gpg --verify stage3-amd64-zen2-1.4-release-std-2021-11-23.tar.xz.gpg stage3-amd64-zen2-1.4-release-std-2021-11-23.tar.xz
gpg: checking the trustdb
gpg: Signature made Fri 03 Dec 2021 09:27:55 AM MST
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg:               using RSA key 30737D12308C9D0C882FC34B57CB0A121BAECB2E
gpg: depth: 0  valid:  1 signed:  4 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Good signature from "Daniel Robbins (metro:node) <drobbins@funtoo.org>" [full]
gpg: depth: 1  valid:   4  signed:   0  trust: 3-, 1q, 0n, 0m, 0f, 0u
$ ##i##echo $?
gpg: Good signature from "Daniel Robbins (metro:odroid-xu4) <drobbins@funtoo.org>" [full]
0
}}
}}



Latest revision as of 17:41, July 23, 2023

The Funtoo Linux master GPG signing key is the drobbins@funtoo.org key (the "BDFL key"), which has the following signature:

GPG key name/emailGPG commentFingerprint
Daniel Robbins drobbins@funtoo.orgBDFLD3B9 48F8 2EE8 B402 0A04 1078 9A65 8306 E986 E8EE

To verify the integrity of stage3 tarballs using GPG, download your preferred stage3 tarball from https://build.funtoo.org, along with the matching file with the additional .gpg extension in the same directory. Next, we will receive the public master key from a public keyserver (specifying the last 8 digits of the BDFL fingerprint) and assign ultimate trust to it:

user $ gpg --keyserver pgp.mit.edu --recv-key D3B948F82EE8B4020A0410789A658306E986E8EE
   Important

The above command must complete successfully for the following commands to work. pgp.mit.edu takes a while to respond, and it can timeout. You may need to make a few attempts to get this first key retrieval to complete successfully. Once this is done, the following steps can be performed:

user $ gpg --edit-key E986E8EE
gpg> trust
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
gpg> quit

Each build server key has been signed by the BDFL key, so by trusting the BDFL key ultimately, you will automatically fully trust the build server key.

Next, head to GPG Signatures/Metro Plaintext Keys and copy and paste the public key and associated signatures for the metro build server into a file called node.txt. Then, import this key into GPG:

user $ gpg --import node.txt

Then, you can use the gpg --verify command to verify the stage3's GPG signature. You should see output similar to this. The BDFL trusts this key, and if your stage file is not corrupted, you will see a message of a "Good signature" and an exit code of zero:

user $ gpg --verify stage3-amd64-zen2-1.4-release-std-2021-11-23.tar.xz.gpg stage3-amd64-zen2-1.4-release-std-2021-11-23.tar.xz
gpg: Signature made Fri 03 Dec 2021 09:27:55 AM MST
gpg:                using RSA key 30737D12308C9D0C882FC34B57CB0A121BAECB2E
gpg: Good signature from "Daniel Robbins (metro:node) <drobbins@funtoo.org>" [full]
user $ echo $?
0
   Note

For more details on the benefits of GPG, read https://gnupg.org/gph/en/manual.html