Note

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

Difference between revisions of "GPG Signatures"

From Funtoo
m (Protected "GPG Signatures": security-related ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite)))
Line 1: Line 1:
Funtoo Linux stage tarballs are signed using GPG by the build server they are built on. Each official Funtoo Linux build server has its own individual primary key and signing subkey. The following keys are used to create detached binary signatures ending in {{c|.gpg}} of each stage tarball. All keys are 4096 bit RSA with no expiry.
Funtoo Linux stage tarballs are signed using GPG by the master build server. The following key is used to create detached binary signatures ending in {{c|.gpg}} of each stage tarball. The key is 4096 bit RSA with no expiry.


{{TableStart}}
{{TableStart}}
<tr><th>GPG key name/email</th><th>GPG comment</th><th>Fingerprint</th><th>Used for</th></tr>
<tr><th>GPG key name/email</th><th>GPG comment</th><th>Fingerprint</th><th>Used for</th></tr>
<tr><td>Daniel Robbins {{c|drobbins@funtoo.org}}</td><td>{{c|metro:node}}</td><td>{{c|3073 7D12 308C 9D0C 882F  C34B 57CB 0A12 1BAE CB2E}} (Sign)<br>{{c|70AC BB6B FEE7 BC57 2A89  41D1 9266 C4FA 11FD 00FD}} (Primary)</td><td>Generic and Intel builds</td></tr>
<tr><td>Daniel Robbins {{c|drobbins@funtoo.org}}</td><td>{{c|metro:node}}</td><td>{{c|3073 7D12 308C 9D0C 882F  C34B 57CB 0A12 1BAE CB2E}} (Sign)<br>{{c|70AC BB6B FEE7 BC57 2A89  41D1 9266 C4FA 11FD 00FD}} (Primary)</td><td>All builds</td></tr>
<tr><td>Daniel Robbins {{c|drobbins@funtoo.org}}</td><td>{{c|metro:excavator}}</td><td>{{c|3C56 18FB C28A B2FE 90C8  B9EB E510 18CD 4FF3 47DD}} (Sign)<br>{{c|E8C5 7481 5DC1 74AF 5A9E  8385 3AA5 CA5E 683A 2F8A}} (Primary)</td><td>Most AMD builds</td></tr>
<tr><td>Daniel Robbins {{c|drobbins@funtoo.org}}</td><td>{{c|metro:jaguar}}</td><td>{{c|99AA ADED 1466 1BEF DC37  DE1B 7ABA 2235 4849 211D}} (Sign)<br>{{c|6DDA E857 2788 8A7C A50E  2122 A902 1CE4 BEA8 7CD2}} (Primary)</td><td>AMD Jaguar builds</td></tr>
<tr><td>Daniel Robbins {{c|drobbins@funtoo.org}}</td><td>{{c|metro:odroid-xu4}}</td><td>{{c|4279 FBF8 FACC 261A 4F34  A486 4F88 3A02 6135 39CB}} (Sign)<br>{{c|38E8 4AD5 3B01 590B A678  5E88 2A7B 0B2E EEE5 4A43}} (Primary)</td><td>ARM 32-bit builds</td></tr>
<tr><td>Daniel Robbins {{c|drobbins@funtoo.org}}</td><td>{{c|metro:odroid-c2}}</td><td>{{c|C727 34AD 132C 37CD 534B  71BF 03E9 162C 4D84 BAC4}} (Sign)<br>{{c|A9B7 AB05 6485 D1B0 671A  C936 4BE6 9BAE 62DD 6D47}} (Primary)</td><td>ARM 64-bit builds</td></tr>
<tr><td>Daniel Robbins {{c|drobbins@funtoo.org}}</td><td>{{c|metro:ryzen}}</td><td>{{c|DCDF 46B8 2B35 89AF 2488  086E D763 D3AB 4EFA 01DB}} (Sign)<br>{{c|D5D7 EDE3 38F8 D487 4690 2DB9 28CE 446E 6B36 5A89}} (Primary)</td><td>Ryzen builds</td></tr>
{{TableEnd}}
{{TableEnd}}


Line 21: Line 16:


{{console|body=
{{console|body=
# ##i##gpg --recv-key E986E8EE
$ ##i##gpg --recv-key E986E8EE
# ##i##gpg --edit-key E986E8EE
$ ##i##gpg --edit-key E986E8EE
gpg> ##i##trust
gpg> ##i##trust
Your decision? ##i##5
Your decision? ##i##5
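Review bot: gpg --recv-key E986E8EE fetches by 32-bit short key ID, which is not a unique identifier, so a keyserver can return a different key that happens to share that ID; since the very next step sets the fetched key to ultimate trust, the instructions should import by the full fingerprint listed in the BDFL table (D3B9 48F8 2EE8 B402 0A04 1078 9A65 8306 E986 E8EE) or at least have the reader run gpg --fingerprint E986E8EE and compare it against the table before answering 5.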
Line 33: Line 28:


{{console|body=
{{console|body=
# ##i##gpg --recv-key 11FD00FD 683A2F8A BEA87CD2 EEE54A43 62DD6D47 6B365A89
$ ##i##gpg --recv-key 11FD00FD
}}
}}
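Review bot: the command now imports only 11FD00FD, but the sentence introducing it (still visible in the revision text below: "for each build server for which you want to verify signatures. The following command will grab public keys for all of the Funtoo Linux build servers listed above") still describes several build servers; with a single key in the table the prose should say "the build server's primary key fingerprint listed above" and drop the "all of the build servers" wording.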


Line 39: Line 34:


{{console|body=
{{console|body=
# ##i##gpg --verify stage3-latest.tar.xz.gpg stage3-latest.tar.xz
$ ##i##gpg --verify stage3-latest.tar.xz.gpg stage3-latest.tar.xz
}}
}}


Line 51: Line 46:
gpg: Good signature from "Daniel Robbins (metro:odroid-xu4) <drobbins@funtoo.org>" [full]
gpg: Good signature from "Daniel Robbins (metro:odroid-xu4) <drobbins@funtoo.org>" [full]
}}
}}
{{Note|For more details on the benefits of GPG, read https://gnupg.org/gph/en/manual.html }}


[[Category:Official Documentation]]
[[Category:Official Documentation]]
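Review bot: the expected output kept as context in this hunk still ends with Good signature from "Daniel Robbins (metro:odroid-xu4)", and the revision text shows "RSA key ID 613539CB", which is the signing subkey of the metro:odroid-xu4 row that this revision removes from the key table; a reader who follows the new instructions imports only 11FD00FD and would see the metro:node subkey 1BAECB2E instead, so the sample output should be re-recorded against the metro:node key or captioned as having been made with an older key.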

Revision as of 02:57, October 1, 2021

Funtoo Linux stage tarballs are signed using GPG by the master build server. The following key is used to create detached binary signatures ending in .gpg of each stage tarball. The key is 4096 bit RSA with no expiry.

GPG key name/email: Daniel Robbins (drobbins@funtoo.org)
GPG comment: metro:node
Fingerprint (Sign): 3073 7D12 308C 9D0C 882F C34B 57CB 0A12 1BAE CB2E
Fingerprint (Primary): 70AC BB6B FEE7 BC57 2A89 41D1 9266 C4FA 11FD 00FD
Used for: All builds

In turn, these public keys are signed by the Funtoo Linux master signing key:

GPG key name/email: Daniel Robbins (drobbins@funtoo.org)
GPG comment: BDFL
Fingerprint: D3B9 48F8 2EE8 B402 0A04 1078 9A65 8306 E986 E8EE

To verify the integrity and origin of a stage3 tarball using GPG, first download your preferred stage3 tarball and the matching file with the additional .gpg extension into the same directory. Next, receive the public master key from a public keyserver (specifying the last 8 hex digits of the BDFL fingerprint) and assign ultimate trust to it. A short key ID is not unique, so before answering 5 at the trust prompt run gpg --fingerprint E986E8EE and check that the full fingerprint printed matches the BDFL fingerprint listed above; if it does not, delete the key and do not trust it:

user $ gpg --recv-key E986E8EE
user $ gpg --edit-key E986E8EE
gpg> trust
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
gpg> quit

Each build server key has been signed by the BDFL key, so once the BDFL key is ultimately trusted, gpg treats the build server keys it has signed as fully valid (shown as [full] in the verification output below) without any further trust settings on your part.

Then use the gpg --recv-key command again, this time specifying the last 8 hex digits of the build server's primary key fingerprint listed above. Fetching the primary key retrieves its signing subkey with it, so this single command imports everything needed to check stage3 signatures:

user $ gpg --recv-key 11FD00FD

Then, you can use the gpg --verify command to verify the stage3's GPG signature:

user $ gpg --verify stage3-latest.tar.xz.gpg stage3-latest.tar.xz

You should see output similar to this. The key ID shown is the last 8 hex digits of the signing subkey fingerprint; for the metro:node key listed above that is 1BAECB2E. The sample below was recorded against the earlier metro:odroid-xu4 key 613539CB (shown in the previous revision of the table), so the key ID and comment in your output will differ from the sample:

gpg: Signature made Sun 25 Dec 2016 03:57:27 PM MST using RSA key ID 613539CB
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   4  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   4  signed:   0  trust: 3-, 1q, 0n, 0m, 0f, 0u
gpg: Good signature from "Daniel Robbins (metro:odroid-xu4) <drobbins@funtoo.org>" [full]
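The procedure above ends at reading gpg's human-readable "Good signature" line, which is easy to misread and depends on the trust database you just edited. As an added example, not code from the Funtoo page or project, the Python below drives gpg with --status-fd and accepts a signature only if the machine-readable VALIDSIG record names the metro:node signing subkey and primary key from the table above. It assumes gpg is installed for verify_detached; the status lines embedded in the block are constructed for this example, not captured from a real run, and the retired-key sample reuses the metro:odroid-xu4 fingerprints from the earlier revision of the table shown on this page.

```python
"""Pin the Funtoo signing key instead of trusting "Good signature" text.

Added example; not code from the Funtoo page or project.  gpg is driven
with --status-fd, whose VALIDSIG record names the key that actually made
the signature (first field) and its primary key (last field).  Those are
compared byte-for-byte with the fingerprints published in the table
above, so a signature from any other key is rejected regardless of what
the local trust database says.  All status lines below are constructed
for this example, not captured from a real run.
"""
import subprocess
from typing import Iterable, Tuple

# Fingerprints from the page, spaces removed: metro:node signing subkey -> primary key.
PINNED_KEYS = {
    "30737D12308C9D0C882FC34B57CB0A121BAECB2E": "70ACBB6BFEE7BC572A8941D19266C4FA11FD00FD",
}

# Any of these status tags means the signature must not be accepted.
FATAL_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def normalize_fpr(fpr: str) -> str:
    """Strip the display spacing gpg --fingerprint prints (e.g. '3073 7D12 ...')."""
    return fpr.replace(" ", "").upper()


def check_status(lines: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether one gpg --status-fd run proves a signature by a pinned key."""
    validsig = None
    for raw in lines:
        line = raw.strip()
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable chatter on the same stream; ignore it
        fields = line.split()
        tag = fields[1]
        if tag in FATAL_TAGS:
            return False, f"gpg reported {tag}"
        if tag == "VALIDSIG":
            validsig = fields[2:]
        # TRUST_* records are deliberately ignored: pinning replaces the trust db.
    if validsig is None:
        # No VALIDSIG means the signature was not cryptographically verified,
        # even if some line happens to contain the words "Good signature".
        return False, "no VALIDSIG record"
    signer = normalize_fpr(validsig[0])
    # Field 10 (index 9) is the primary key fingerprint; older gpg may omit it.
    primary = normalize_fpr(validsig[9]) if len(validsig) > 9 else signer
    expected_primary = PINNED_KEYS.get(signer)
    if expected_primary is None:
        return False, f"signed by unpinned key {signer}"
    if expected_primary != primary:
        return False, f"subkey {signer} reported under unexpected primary {primary}"
    return True, f"signed by pinned key {signer}"


def verify_detached(signature_path: str, data_path: str) -> Tuple[bool, str]:
    """Run gpg on a real stage tarball and its .gpg file (key must already be imported)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--status-fd", "1",
         "--verify", signature_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return check_status(proc.stdout.splitlines())


# --- constructed sample status output (not captured from a real gpg run) ---
# A valid signature by the metro:node subkey; the timestamp matches the page's sample date.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 57CB0A121BAECB2E Daniel Robbins (metro:node) <drobbins@funtoo.org>
[GNUPG:] VALIDSIG 30737D12308C9D0C882FC34B57CB0A121BAECB2E 2016-12-25 1482706647 0 4 0 1 8 00 70ACBB6BFEE7BC572A8941D19266C4FA11FD00FD
[GNUPG:] TRUST_FULLY 0 pgp
"""
# A tampered or corrupted tarball.
BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 57CB0A121BAECB2E Daniel Robbins (metro:node) <drobbins@funtoo.org>
"""
# A valid signature from the retired metro:odroid-xu4 key (613539CB) that the
# page's sample output shows; with only metro:node pinned it is rejected.
RETIRED_KEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 4F883A02613539CB Daniel Robbins (metro:odroid-xu4) <drobbins@funtoo.org>
[GNUPG:] VALIDSIG 4279FBF8FACC261A4F34A4864F883A02613539CB 2016-12-25 1482706647 0 4 0 1 8 00 38E84AD53B01590BA6785E882A7B0B2EEEE54A43
[GNUPG:] TRUST_FULLY 0 pgp
"""

if __name__ == "__main__":
    for name, status in [("good", GOOD_STATUS), ("bad", BAD_STATUS), ("retired", RETIRED_KEY_STATUS)]:
        print(name, check_status(status.splitlines()))
```

With fingerprints pinned this way the ultimate-trust step on the BDFL key is no longer what decides acceptance, and a signature that gpg reports as good but from a key not in PINNED_KEYS (for example one of the build server keys dropped from the table) fails closed. To verify a real download, call verify_detached("stage3-latest.tar.xz.gpg", "stage3-latest.tar.xz") after importing 11FD00FD as described above.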
Note

For more details on the benefits of GPG, read https://gnupg.org/gph/en/manual.html