... | ... | @@ -9,9 +9,9 @@ |
|
|
1. Make sure to read the respective requirements and reach out to fellow team members if something is unclear
|
|
|
2. Request the master-key mail address by opening a ticket in the [infrastructure repository](https://gitlab.archlinux.org/archlinux/infrastructure/)
|
|
|
- Validate you can send and receive mails
|
|
|
3. Generate the keypair
|
|
|
3. Generate the key pair
|
|
|
- Boot into a live medium
|
|
|
- Generate a keypair (and revocation certificate) according to the requirements
|
|
|
- Generate a key pair (and revocation certificate) according to the requirements
|
|
|
- `gpg --full-gen-key --expert`
|
|
|
- ECC Curve25519
|
|
|
- Select "ECC and ECC"
|
... | ... | @@ -25,13 +25,13 @@ |
|
|
- Enter email address: `<user name>@master-key.archlinux.org`
|
|
|
- Enter comment: `Arch Linux Master Key`
|
|
|
- Acknowledge with `O`
|
|
|
- Enter strong password for keypair
|
|
|
- Validate the key pair according to the [best practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair) and ensure all requirements are met.
|
|
|
4. Backup the keypair and automatically generated revocation certificate according to the requirements
|
|
|
- Enter strong password for key pair
|
|
|
- Validate the key pair according to the [best practices](https://gitlab.archlinux.org/archlinux/archlinux-keyring/-/wikis/best-practices#validating-a-key-pair) and ensure all requirements are met
|
|
|
4. Backup the key pair and automatically generated revocation certificate according to the requirements
|
|
|
- `gpg --output /mnt/encrypted_backup/secret.key --armor --export-secret-keys`
|
|
|
- `gpg --output /mnt/encrypted_backup/public.asc --armor --export`
|
|
|
- `cp /root/.gnupg/openpgp-revocs.d/*.rev /mnt/encrypted_backup/`
|
|
|
5. Move the keypair to the hardware token (deletes key from local keychain!)
|
|
|
5. Move the key pair to the hardware token (deletes key from local keychain!)
|
|
|
- `gpg --edit-key --expert <key ID>`
|
|
|
- Enter `keytocard` and acknowledge with `y`
|
|
|
- Select "Signature key"
|
... | ... | |