Closed Bug 673281 Opened 13 years ago Closed 13 years ago

Generate new public GPG key, existing one expired today

Categories

(Release Engineering :: General, defect, P1)

x86
All
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: joduinn, Assigned: joduinn)

Attachments

(1 file)

...in the middle of the FF6.0b3 respin. :-(
Attachment #547609 - Flags: review? → review?(nrthomas)
Comment on attachment 547609 [details] [diff] [review]
public key

Checking in PUBLIC-KEY;
/mofo/release/keys/pgp/PUBLIC-KEY,v  <--  PUBLIC-KEY
new revision: 1.9; previous revision: 1.8
done
Attachment #547609 - Flags: review?(nrthomas) → checked-in+
This is my third time renewing GPG keys, but unlike the Authenticode renewals, for some reason I neglected to write notes on GPG renewals. This sequence of steps should make future renewals faster/easier.


0) login to signing machine


1) Verify you are in a clean working directory and have a good gpg install.
$ cd
$ mv ~/.gnupg ~/.gnupg.backup
$ mkdir ~/.gnupg
$ cd ~/.gnupg
$ gpg --version
gpg (GnuPG) 1.4.7



2) Create new key, and two sub keys.
$ gpg --gen-key
gpg (GnuPG) 1.4.7; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: keyring `/Users/john/.gnupg/secring.gpg' created
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 2
DSA keypair will have 1024 bits.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Sat Jul 20 20:06:32 2013 PDT
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Mozilla Software Releases
Email address: releases@mozilla.org 
Comment:                           
You selected this USER-ID:
    "Mozilla Software Releases <releases@mozilla.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.    
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...
gpg: key 1797CA3D marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2013-07-21
pub   1024D/1797CA3D 2011-07-22 [expires: 2013-07-21]
      Key fingerprint = C60B CDD2 9B91 A82F B837  A467 C0F5 550C 1797 CA3D
uid                  Mozilla Software Releases <releases@mozilla.org>
Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.
Command>
Command> quit
$
$ gpg --list-keys
/Users/john/.gnupg/pubring.gpg
------------------------------
pub   1024D/1797CA3D 2011-07-22 [expires: 2013-07-21]
uid                  Mozilla Software Releases <releases@mozilla.org>
$ 
$ echo "so far so good"
$ 
$ gpg --edit-key releases@mozilla.org
gpg (GnuPG) 1.4.7; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Secret key is available.
pub  1024D/1797CA3D  created: 2011-07-22  expires: 2013-07-21  usage: SC  
                     trust: ultimate      validity: ultimate
[ultimate] (1). Mozilla Software Releases <releases@mozilla.org>
Command> 
Command> 
Command> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Mozilla Software Releases <releases@mozilla.org>"
1024-bit DSA key, ID 1797CA3D, created 2011-07-22
Please select what kind of key you want:
   (2) DSA (sign only)
   (4) Elgamal (encrypt only)
   (5) RSA (sign only)
   (6) RSA (encrypt only)
Your selection? 2
DSA keypair will have 1024 bits.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Sat Jul 20 20:14:05 2013 PDT
Is this correct? (y/N) y
Really create? (y/N) y  
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.....
pub 1024D/1797CA3D created: 2011-07-22 expires: 2013-07-21 usage: SC  
                     trust: ultimate      validity: ultimate
sub 1024D/B7D648C4 created: 2011-07-22 expires: 2013-07-21 usage: S   
[ultimate] (1). Mozilla Software Releases <releases@mozilla.org>
Command> 
Command> 
Command> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Mozilla Software Releases <releases@mozilla.org>"
1024-bit DSA key, ID 1797CA3D, created 2011-07-22
Please select what kind of key you want:
   (2) DSA (sign only)
   (4) Elgamal (encrypt only)
   (5) RSA (sign only)
   (6) RSA (encrypt only)
Your selection? 4
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits   
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Sat Jul 20 20:14:53 2013 PDT
Is this correct? (y/N) y
Really create? (y/N) y  
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...
pub 1024D/1797CA3D created: 2011-07-22 expires: 2013-07-21 usage: SC  
                     trust: ultimate      validity: ultimate
sub 1024D/B7D648C4 created: 2011-07-22 expires: 2013-07-21 usage: S   
sub 2048g/46784661 created: 2011-07-22 expires: 2013-07-21 usage: E   
[ultimate] (1). Mozilla Software Releases <releases@mozilla.org>
Command> 
Command> list
pub 1024D/1797CA3D created: 2011-07-22 expires: 2013-07-21 usage: SC  
                     trust: ultimate      validity: ultimate
sub 1024D/B7D648C4 created: 2011-07-22 expires: 2013-07-21 usage: S   
sub 2048g/46784661 created: 2011-07-22 expires: 2013-07-21 usage: E   
[ultimate] (1). Mozilla Software Releases <releases@mozilla.org>
Command> 
Command> quit
Save changes? (y/N) y
$



3) create the public key file. 
[snip]
Create a new text file "KEY" containing the following boilerplate text:

This file contains the PGP keys of various developers that work on
Mozilla and its subprojects (such as Firefox and Thunderbird).

Please don't use these keys for email unless you have asked the owner
because some keys are only used for code signing.

Please realize that this file itself or the public key servers may be
compromised.  You are encouraged to validate the authenticity of these keys in an out-of-band manner.

[snip]
3a) Append the following to "KEY" text file:
$ gpg --fingerprint --list-sigs releases@mozilla.org >> KEY
$ gpg --armor --export releases@mozilla.org >> KEY




4) Verify the private key / public key pair work
4a) on signing machine:
*) create a small helloworld.txt file
*) $ gpg --armor --detach-sig readme.txt
*) transfer KEY, readme.txt, readme.txt.asc to another machine

4b) on another machine
$ gpg --import KEY 
$ gpg --verify readme.txt.asc readme.txt
gpg: Signature made Thu Jul 21 22:08:21 2011 PDT using DSA key ID C52175E2
gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:  There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9D03 193D 6BDC 541B D796  C4E4 7F4D 6645 1EBC AB3A
Subkey fingerprint: 247C A658 AA95 F617 1EB0  F13E A7D7 5CC7 C521 75E2




5) Post the template public keyfile "KEY" as patch for review, and checkin. This checked in file will later be posted by the automation alongside the signed builds.



6) Post the template public keyfile to http://pgp.mit.edu/, http://wwwkeys.pgp.net/ and other keymasters.

7) all done - declare victory!
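The renewal above was forced by the key expiring unannounced in the middle of a respin. As an added example (not from the bug or Mozilla's own tooling), a small check that parses `gpg --list-keys --with-colons` output and flags the primary key and each subkey that is expired or within 30 days of expiry; the colon-format sample is constructed from the key IDs shown above, with zero-padded placeholder long IDs for the subkeys.

```python
"""Flag a release-signing GPG key (and its subkeys) before they expire.
Added example, not from the bug: parses `gpg --list-keys --with-colons`
output; field 6 is the expiry (gpg 1.4: YYYY-MM-DD, gpg 2.x: epoch secs)."""
from datetime import date, datetime, timezone

WARN_DAYS = 30

# Constructed sample modelled on the bug's key: primary 1797CA3D, signing
# subkey B7D648C4, encryption subkey 46784661, all expiring 2013-07-21.
# The subkeys' 16-hex long IDs are zero-padded placeholders.
SAMPLE_COLONS = """\
pub:u:1024:17:C0F5550C1797CA3D:2011-07-22:2013-07-21::u:::scESC:
fpr:::::::::C60BCDD29B91A82FB837A467C0F5550C1797CA3D:
uid:u::::2011-07-22::0000000000000000::Mozilla Software Releases <releases@mozilla.org>:
sub:u:1024:17:00000000B7D648C4:2011-07-22:2013-07-21:::::s:
sub:u:2048:16:0000000046784661:2011-07-22:2013-07-21:::::e:
"""

def parse_date(field):
    """Expiry field -> date, or None when the key never expires."""
    if not field:
        return None
    if field.isdigit():  # gpg 2.x prints epoch seconds
        return datetime.fromtimestamp(int(field), tz=timezone.utc).date()
    return date.fromisoformat(field)  # gpg 1.4 prints YYYY-MM-DD

def parse_keys(colons):
    """Yield (record, keyid, capabilities, expiry) for each pub/sub record."""
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            yield f[0], f[4], f[11] if len(f) > 11 else "", parse_date(f[6])

def keys_needing_renewal(colons, today, warn_days=WARN_DAYS):
    """Return [(record, keyid, caps, status)] for expired or soon-expiring keys."""
    findings = []
    for rec, keyid, caps, expiry in parse_keys(colons):
        if expiry is None:
            continue
        days = (expiry - today).days
        if days < 0:
            findings.append((rec, keyid, caps, "EXPIRED"))
        elif days <= warn_days:
            findings.append((rec, keyid, caps, f"expires in {days} days"))
    return findings

if __name__ == "__main__":  # real use: feed in gpg --list-keys --with-colons output
    for finding in keys_needing_renewal(SAMPLE_COLONS, date.today()):
        print(*finding)
```

Run against the live keyring on the signing machine, a non-empty result is the signal to start the renewal steps above before a release is blocked.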
OS: Mac OS X → All
FF6.0beta3 was done with this new GPG key. All done here.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering