Closed Bug 673281 Opened 14 years ago Closed 14 years ago

Generate new public GPG key, existing one expired today

Categories

(Release Engineering :: General, defect, P1)

x86
All
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: joduinn, Assigned: joduinn)

References

Details

Attachments

(1 file)

...in the middle of the FF6.0b3 respin. :-(
Attachment #547609 - Flags: review? → review?(nrthomas)
Comment on attachment 547609 (public key)
Checking in PUBLIC-KEY;
/mofo/release/keys/pgp/PUBLIC-KEY,v <-- PUBLIC-KEY
new revision: 1.9; previous revision: 1.8
done
Attachment #547609 - Flags: review?(nrthomas) → checked-in+
This is my third time renewing GPG keys, but unlike the Authenticode renewals, for some reason I neglected to write notes on GPG renewals. This sequence of steps should make future renewals faster/easier.

0) login to signing machine

1) Verify you are in a clean working directory and have a good gpg install.

$ cd
$ mv ~/.gnupg ~/.gnupg.backup
$ mkdir ~/.gnupg
$ cd ~/.gnupg
$ gpg --version
gpg (GnuPG) 1.4.7

2) Create new key, and two sub keys.

$ gpg --gen-key
gpg (GnuPG) 1.4.7; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: keyring `/Users/john/.gnupg/secring.gpg' created
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 2
DSA keypair will have 1024 bits.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Sat Jul 20 20:06:32 2013 PDT
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Mozilla Software Releases
Email address: releases@mozilla.org
Comment:
You selected this USER-ID:
    "Mozilla Software Releases <releases@mozilla.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...
gpg: key 1797CA3D marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2013-07-21
pub   1024D/1797CA3D 2011-07-22 [expires: 2013-07-21]
      Key fingerprint = C60B CDD2 9B91 A82F B837 A467 C0F5 550C 1797 CA3D
uid                  Mozilla Software Releases <releases@mozilla.org>

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.

Command>
Command> quit
$
$ gpg --list-keys
/Users/john/.gnupg/pubring.gpg
------------------------------
pub   1024D/1797CA3D 2011-07-22 [expires: 2013-07-21]
uid                  Mozilla Software Releases <releases@mozilla.org>

$
$ echo "so far so good"
$
$ gpg --edit-key releases@mozilla.org
gpg (GnuPG) 1.4.7; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Secret key is available.

pub  1024D/1797CA3D  created: 2011-07-22  expires: 2013-07-21  usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1). Mozilla Software Releases <releases@mozilla.org>

Command>
Command>
Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Mozilla Software Releases <releases@mozilla.org>"
1024-bit DSA key, ID 1797CA3D, created 2011-07-22

Please select what kind of key you want:
   (2) DSA (sign only)
   (4) Elgamal (encrypt only)
   (5) RSA (sign only)
   (6) RSA (encrypt only)
Your selection? 2
DSA keypair will have 1024 bits.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Sat Jul 20 20:14:05 2013 PDT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.....

pub  1024D/1797CA3D  created: 2011-07-22  expires: 2013-07-21  usage: SC
                     trust: ultimate      validity: ultimate
sub  1024D/B7D648C4  created: 2011-07-22  expires: 2013-07-21  usage: S
[ultimate] (1). Mozilla Software Releases <releases@mozilla.org>

Command>
Command>
Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Mozilla Software Releases <releases@mozilla.org>"
1024-bit DSA key, ID 1797CA3D, created 2011-07-22

Please select what kind of key you want:
   (2) DSA (sign only)
   (4) Elgamal (encrypt only)
   (5) RSA (sign only)
   (6) RSA (encrypt only)
Your selection? 4
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Sat Jul 20 20:14:53 2013 PDT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...

pub  1024D/1797CA3D  created: 2011-07-22  expires: 2013-07-21  usage: SC
                     trust: ultimate      validity: ultimate
sub  1024D/B7D648C4  created: 2011-07-22  expires: 2013-07-21  usage: S
sub  2048g/46784661  created: 2011-07-22  expires: 2013-07-21  usage: E
[ultimate] (1). Mozilla Software Releases <releases@mozilla.org>

Command>
Command> list

pub  1024D/1797CA3D  created: 2011-07-22  expires: 2013-07-21  usage: SC
                     trust: ultimate      validity: ultimate
sub  1024D/B7D648C4  created: 2011-07-22  expires: 2013-07-21  usage: S
sub  2048g/46784661  created: 2011-07-22  expires: 2013-07-21  usage: E
[ultimate] (1). Mozilla Software Releases <releases@mozilla.org>

Command>
Command> quit
Save changes? (y/N) y
$

3) create the public key file.
[snip]
Create a new text file "KEY" containing the following boilerplate text:

This file contains the PGP keys of various developers that work on
Mozilla and its subprojects (such as Firefox and Thunderbird).

Please don't use these keys for email unless you have asked the owner
because some keys are only used for code signing.

Please realize that this file itself or the public key servers may be
compromised. You are encouraged to validate the authenticity of these
keys in an out-of-band manner.
[snip]

3a) Append the following to "KEY" text file:

$ gpg --fingerprint --list-sigs releases@mozilla.org >> KEY
$ gpg --armor --export releases@mozilla.org >> KEY

4) Verify the private key / public key pair work

4a) on signing machine:
*) create a small helloworld.txt file
*) $ gpg --armor --detach-sig readme.txt
*) transfer KEY, readme.txt, readme.txt.asc to another machine

4b) on another machine

$ gpg --import KEY
$ gpg --verify readme.txt.asc readme.txt
gpg: Signature made Thu Jul 21 22:08:21 2011 PDT using DSA key ID C52175E2
gpg: Good signature from "Mozilla Software Releases <releases@mozilla.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9D03 193D 6BDC 541B D796 C4E4 7F4D 6645 1EBC AB3A
     Subkey fingerprint: 247C A658 AA95 F617 1EB0 F13E A7D7 5CC7 C521 75E2

5) Post the template public keyfile "KEY" as patch for review, and checkin. This checked in file will later be posted by the automation alongside the signed builds.

6) Post the template public keyfile to http://pgp.mit.edu/, http://wwwkeys.pgp.net/ and other keymasters.

7) all done - declare victory!
OS: Mac OS X → All
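The renewal above was triggered by a key that expired in the middle of a release. The following check, added here and not part of the bug or of Mozilla's release tooling, parses `gpg --with-colons --list-keys` output and flags primary keys and subkeys that are expired or close to expiry, so the renewal can be scheduled ahead of time. The listing is constructed: the primary key ID and fingerprint are taken from the comment above, the subkey IDs are made up.

```python
"""Added example (not from the bug): flag GPG keys that are expired or about to
expire by parsing `gpg --with-colons --list-keys`, so a renewal gets scheduled
before an expiry blocks a release, which is what happened in this bug."""
from datetime import datetime, timezone

# Constructed sample listing (not captured from a real keyring). Field 1 is
# the record type, field 5 the long key ID, field 7 the expiry: gpg 2.x prints
# epoch seconds, gpg 1.4 prints YYYY-MM-DD, and an empty field means no expiry.
# Primary key ID and fingerprint follow the bug; the subkey IDs are made up.
SAMPLE_LISTING = """\
pub:u:1024:17:C0F5550C1797CA3D:1311292800:1374364800::u:::scESC::::::::
fpr:::::::::C60BCDD29B91A82FB837A467C0F5550C1797CA3D:
sub:u:1024:17:00000000B7D648C4:1311292800:1374364800:::::s::::::23:
sub:u:2048:16:0000000046784661:1311292800::::::e::::::23:
"""


def parse_date(field: str):
    """Convert a colon-format date field to an aware UTC datetime (None if empty)."""
    if not field:
        return None
    if field.isdigit():  # seconds since the epoch
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    return datetime.strptime(field[:10], "%Y-%m-%d").replace(tzinfo=timezone.utc)


def expiring_keys(listing: str, today: str, warn_days: int = 30):
    """Return (record type, key ID, capabilities, days left) for every pub/sub
    record expiring within warn_days of `today` (YYYY-MM-DD). A negative
    days-left value means the key has already expired."""
    now = parse_date(today)
    flagged = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        expiry = parse_date(f[6])
        if expiry is None:  # never expires: nothing to renew
            continue
        days_left = (expiry - now).days
        if days_left <= warn_days:
            flagged.append((f[0], f[4], f[11], days_left))
    return flagged


if __name__ == "__main__":
    # Feed the output of `gpg --with-colons --list-keys` in place of the sample.
    for rec, keyid, caps, days in expiring_keys(SAMPLE_LISTING, "2013-07-01"):
        state = "EXPIRED" if days < 0 else f"expires in {days} days"
        print(f"{rec} {keyid} [{caps}] {state}")
```

Run it from a cron job on the signing host with the live listing piped in; the encryption subkey with no expiry is intentionally not reported, since there is nothing to renew.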
FF6.0beta3 was done with this new GPG key. All done here.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering