... | ... | @@ -3,4 +3,54 @@ |
|
|
- Meet all [best practices for key holders](best-practices#key-holder)
|
|
|
- Meet all [best practices for generating a new key pair](best-practices#generating-a-new-key-pair)
|
|
|
- The key pair is generated for a valid `<username>@master-key.archlinux.org` mail address
|
|
|
- The key pair comment is set to `Arch Linux Master Key` |
|
|
\ No newline at end of file |
|
|
- The key pair comment is set to `Arch Linux Master Key`
|
|
|
|
|
|
## Workflow
|
|
|
1. Make sure to read the respective requirements and reach out to fellow team members if something is unclear
|
|
|
2. Request the master-key mail address by opening a ticket in the [infrastructure repository](https://gitlab.archlinux.org/archlinux/infrastructure/)
|
|
|
- Validate you can send and receive mails
|
|
|
3. Generate the keypair
|
|
|
- Boot into a live medium
|
|
|
- Generate a keypair (and revocation certificate) according to the requirements
|
|
|
- `gpg --full-gen-key --expert`
|
|
|
- ECC Curve25519
|
|
|
- Select "ECC and ECC"
|
|
|
- Select "Curve 25519"
|
|
|
- RSA
|
|
|
- Select "RSA and RSA"
|
|
|
- Set keysize to `4096`
|
|
|
- Set subkey keysize to `4096`
|
|
|
- Select "0 = key does not expire" and acknowledge
|
|
|
- Enter real name: `<first name> <last name>`
|
|
|
- Enter email address: `<user name>@master-key.archlinux.org`
|
|
|
- Enter comment: `Arch Linux Master Key`
|
|
|
- Acknowledge with `O`
|
|
|
- Enter strong password for keypair
|
|
|
- Backup the keypair and automatically generated revocation certificate according to the requirements
|
|
|
- `gpg --output /mnt/encrypted_backup/secret.key --armor --export-secret-keys`
|
|
|
- `gpg --output /mnt/encrypted_backup/public.asc --armor --export`
|
|
|
- `cp /root/.gnupg/openpgp-revocs.d/*.rev /mnt/encrypted_backup/`
|
|
|
- Move the keypair to the hardware token (deletes key from local keychain!)
|
|
|
- `gpg --edit-key --expert <key ID>`
|
|
|
- Enter `keytocard` and acknowledge with `y`
|
|
|
- Select "Signature key"
|
|
|
- Move optional subkeys
|
|
|
- Select an optional encryption key (subkey): `key <subkey number>`
|
|
|
- Enter `keytocard` and acknowledge with `y`
|
|
|
- Select "Encryption key"
|
|
|
- Select an optional authentication key (subkey): `key <subkey number>`
|
|
|
- Enter `keytocard` and acknowledge with `y`
|
|
|
- Select "Authentication key"
|
|
|
- Enter `quit` and acknowledge with `y`
|
|
|
4. Send the revocation certificate and the generated public key over an end-to-end encrypted channel to the revocation certificate holder
|
|
|
- To increase security, it can be feasible to send only a part of the revocation certificate in the encrypted mail and the rest using another (also end-to-end encrypted) side-channel
|
|
|
- Wait for the revocation certificate holder to verify, that the revocation certificate works
|
|
|
5. Upload public key to keyserver infrastructure
|
|
|
- `gpg --keyserver search.keyserver.net --send-key <key ID>`
|
|
|
6. Add the public key to the distribution keyring
|
|
|
- Open an issue in the [archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring) repository using the "New Main Key" template
|
|
|
- Release new version of the keyring
|
|
|
7. Publish public key via WKD
|
|
|
- Trigger a new deployment of the public keys via [WKD](https://gitlab.archlinux.org/archlinux/wkd/)
|
|
|
8. Publish the new key on the website
|
|
|
- Login as Django Admin on [archweb](https://archlinux.org/admin/) and add a new 'Master key' with the fingerprint, owner and revoker. |
|
|
\ No newline at end of file |