... | ... | @@ -26,31 +26,31 @@ |
- Enter comment: `Arch Linux Master Key`
- Acknowledge with `O`
- Enter strong password for keypair
- Backup the keypair and automatically generated revocation certificate according to the requirements
- `gpg --output /mnt/encrypted_backup/secret.key --armor --export-secret-keys`
- `gpg --output /mnt/encrypted_backup/public.asc --armor --export`
- `cp /root/.gnupg/openpgp-revocs.d/*.rev /mnt/encrypted_backup/`
- Move the keypair to the hardware token (deletes key from local keychain!)
- `gpg --edit-key --expert <key ID>`
4. Backup the keypair and automatically generated revocation certificate according to the requirements
- `gpg --output /mnt/encrypted_backup/secret.key --armor --export-secret-keys`
- `gpg --output /mnt/encrypted_backup/public.asc --armor --export`
- `cp /root/.gnupg/openpgp-revocs.d/*.rev /mnt/encrypted_backup/`
5. Move the keypair to the hardware token (deletes key from local keychain!)
- `gpg --edit-key --expert <key ID>`
- Enter `keytocard` and acknowledge with `y`
- Select "Signature key"
- Move optional subkeys
- Select an optional encryption key (subkey): `key <subkey number>`
- Enter `keytocard` and acknowledge with `y`
- Select "Signature key"
- Move optional subkeys
- Select an optional encryption key (subkey): `key <subkey number>`
- Enter `keytocard` and acknowledge with `y`
- Select "Encryption key"
- Select an optional authentication key (subkey): `key <subkey number>`
- Enter `keytocard` and acknowledge with `y`
- Select "Authentication key"
- Enter `quit` and acknowledge with `y`
4. Send the revocation certificate and the generated public key over an end-to-end encrypted channel to the revocation certificate holder
- Select "Encryption key"
- Select an optional authentication key (subkey): `key <subkey number>`
- Enter `keytocard` and acknowledge with `y`
- Select "Authentication key"
- Enter `quit` and acknowledge with `y`
6. Send the revocation certificate and the generated public key over an end-to-end encrypted channel to the revocation certificate holder
- To increase security, it can be feasible to send only a part of the revocation certificate in the encrypted mail and the rest using another (also end-to-end encrypted) side-channel
- Wait for the revocation certificate holder to verify, that the revocation certificate works
5. Upload public key to keyserver infrastructure
7. Upload public key to keyserver infrastructure
- `gpg --keyserver search.keyserver.net --send-key <key ID>`
6. Add the public key to the distribution keyring
8. Add the public key to the distribution keyring
- Open an issue in the [archlinux-keyring](https://gitlab.archlinux.org/archlinux/archlinux-keyring) repository using the "New Main Key" template
- Release new version of the keyring
7. Publish public key via WKD
9. Publish public key via WKD
- Trigger a new deployment of the public keys via [WKD](https://gitlab.archlinux.org/archlinux/wkd/)
8. Publish the new key on the website
10. Publish the new key on the website
- Login as Django Admin on [archweb](https://archlinux.org/admin/) and add a new 'Master key' with the fingerprint, owner and revoker. |
\ No newline at end of file |
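Review bot: the two export commands that the new step 4 promotes to a top-level step, `gpg --output /mnt/encrypted_backup/secret.key --armor --export-secret-keys` and `gpg --output /mnt/encrypted_backup/public.asc --armor --export`, carry no key ID, so they export every secret and public key present in the root keyring rather than only the newly generated master key; scope both to `<key ID>`, as step 5's `gpg --edit-key --expert <key ID>` already does, so that unrelated secret keys never land on the backup medium. The reordering itself is sound: step 5's `keytocard` removes the key from the local keychain, as that step's own warning says, so the backup has to be its own step placed before it, and the renumbering of steps 6 through 10 follows through consistently. Minor: step 6's sub-bullet "Wait for the revocation certificate holder to verify, that the revocation certificate works" has a stray comma before "that".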