Open Bug 817383 Opened 7 years ago Updated 2 years ago

SeaMonkey needs new (public) GPG key, in order to support signing releases properly

Categories

(SeaMonkey :: Release Engineering, defect, P1, critical)

x86
All
defect

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: Callek, Assigned: ewong)

References

(Blocks 4 open bugs)

Details

Attachments

(1 file, 2 obsolete files)

KEY
6.24 KB, text/plain
dveditz
: review+
Details
This will enable us to upload with detached sig's on our servers, and ensure that other OS's (e.g. Linux) can trust our binaries as well.

From what I can tell our expiration on gpg keys is 2 years, we create our own, and we need to publicize the pubkey well.

The most-recent instructions seem to be in Bug 673281 c#3

though there is lots of prior-relevant conversation/bugs around the gpg key in Bug 797690 Bug 377781 and Bug 499709 just for a good start ;-)

CC'ing joduinn for the shear "He is caring that SeaMonkey's signing stuff he got us works", and in that he can likely help me if I get stuck here
Done locally, though I have a different ver of gpg

# Because gpg on windows doesn't use .gnupg -- and I have local keys.
mv /c/Users/Justin/AppData/Roaming/gnupg{,-bak}

$ gpg --version
gpg (GnuPG) 2.0.17 (Gpg4win 2.1.0)
libgcrypt 1.4.6
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:/Users/Justin/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

================================================
=== 2) Create new key, and two sub keys.
================================================

$ gpg --gen-key
gpg (GnuPG) 2.0.17; Copyright (C) 2011 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at 12/02/14 09:12:17 Eastern Standard Time
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: SeaMonkey Software Releases
Email address: seamonkey-release@mozilla.org
Comment:
You selected this USER-ID:
    "SeaMonkey Software Releases <seamonkey-release@mozilla.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 447CC9FE marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2014-12-02
pub   1024D/447CC9FE 2012-12-02 [expires: 2014-12-02]
      Key fingerprint = 30BE C2BE BF4F 8052 F2F2  067C 3A56 EC34 447C C9FE
uid                  SeaMonkey Software Releases <seamonkey-release@mozilla.org>

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.

$ 
$ gpg --list-keys
C:/Users/Justin/AppData/Roaming/gnupg/pubring.gpg
-------------------------------------------------
pub   1024D/447CC9FE 2012-12-02 [expires: 2014-12-02]
uid                  SeaMonkey Software Releases <seamonkey-release@mozilla.org>

$ 
$ echo "so far so good"
$ 
$ gpg --edit-key seamonkey-release@mozilla.org
gpg (GnuPG) 2.0.17; Copyright (C) 2011 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  1024D/447CC9FE  created: 2012-12-02  expires: 2014-12-02  usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1). SeaMonkey Software Releases <seamonkey-release@mozilla.org>

gpg> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "SeaMonkey Software Releases <seamonkey-release@mozilla.org>"
1024-bit DSA key, ID 447CC9FE, created 2012-12-02

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at 12/02/14 09:15:49 Eastern Standard Time
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

pub  1024D/447CC9FE  created: 2012-12-02  expires: 2014-12-02  usage: SC
                     trust: ultimate      validity: ultimate
sub  1024D/62F1E309  created: 2012-12-02  expires: 2014-12-02  usage: S
[ultimate] (1). SeaMonkey Software Releases <seamonkey-release@mozilla.org>

gpg> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "SeaMonkey Software Releases <seamonkey-release@mozilla.org>"
1024-bit DSA key, ID 447CC9FE, created 2012-12-02

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 5
ELG keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at 12/02/14 09:16:18 Eastern Standard Time
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

pub  1024D/447CC9FE  created: 2012-12-02  expires: 2014-12-02  usage: SC
                     trust: ultimate      validity: ultimate
sub  1024D/62F1E309  created: 2012-12-02  expires: 2014-12-02  usage: S
sub  2048g/F22D828B  created: 2012-12-02  expires: 2014-12-02  usage: E
[ultimate] (1). SeaMonkey Software Releases <seamonkey-release@mozilla.org>

gpg> list

pub  1024D/447CC9FE  created: 2012-12-02  expires: 2014-12-02  usage: SC
                     trust: ultimate      validity: ultimate
sub  1024D/62F1E309  created: 2012-12-02  expires: 2014-12-02  usage: S
sub  2048g/F22D828B  created: 2012-12-02  expires: 2014-12-02  usage: E
[ultimate] (1). SeaMonkey Software Releases <seamonkey-release@mozilla.org>

gpg> quit
Save changes? (y/N) y


================================================
=== 3) create the public key file.
================================================
Create a new text file "KEY" containing the following boilerplate text:
[snip]
This file contains the PGP keys of various developers that work on
Mozilla and its subprojects (such as SeaMonkey).

Please don't use these keys for email unless you have asked the owner
because some keys are only used for code signing.

Please realize that this file itself or the public key servers may be
compromised.  You are encouraged to validate the authenticity of these keys in an out-of-band manner.

[snip]
3a) Append the following to "KEY" text file:
$ gpg --fingerprint --list-sigs releases@mozilla.org >> KEY
$ gpg --armor --export releases@mozilla.org >> KEY

4) Verify the private key / public key pair work
4a) on signing machine:
*) create a small helloworld.txt file
*) $ gpg --armor --detach-sig helloworld.txt
*) transfer KEY, helloworld.txt, helloworld.txt.asc to another machine

4b) on another machine
$ gpg --import KEY
$ gpg --verify helloworld.txt helloworld.txt.asc
gpg: Signature made Sun Dec  2 15:22:40 2012 CET using DSA key ID 62F1E309
gpg: Good signature from "SeaMonkey Software Releases <seamonkey-release@mozilla.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 30BE C2BE BF4F 8052 F2F2  067C 3A56 EC34 447C C9FE
     Subkey fingerprint: 3B17 A7FB CF46 98D5 35F9  AAD6 68F7 A8D1 62F1 E309

=================================
=== STILL TODO (the following)
=================================

5) Post the template public keyfile "KEY" as patch for review, and checkin. This checked in file will later be posted by the automation alongside the signed builds.

6) Post the template public keyfile to http://pgp.mit.edu/, http://wwwkeys.pgp.net/ and other keymasters.

7) all done - declare victory!
Attached file KEY (obsolete) —
The idea here is to get it checked in somewhere.

I'm not sure if there is a better place in revision control than hg atm, MoCo key is stored in svn[?] at 
/mofo/release/keys/pgp/PUBLIC-KEY

Mozilla Messaging's Key was stored in
c-c/mail/build/KEY
(and later removed -- c.f. Bug 499709, Bug 637629 and Bug 761028)

So I propose we store ours in:
c-c/suite/build/KEY  (with additional landings on c-a c-b and c-r)
Attachment #687513 - Flags: review?(ewong)
Attachment #687513 - Flags: review?(dveditz)
FWIW KaiRo verified this, as the "other computer"
Attachment #687513 - Flags: review?(ewong) → review+
Blocks: 830032
Blocks: 866049
Attachment #687513 - Flags: review?(dveditz) → review+
Anything new here?
See Also: → 830032
Duplicate of this bug: 1262904
Attached file KEY (obsolete) —
the previous key has expired (by quite some time), so thought I'd
move this along.

:KaiRo, any time to verify as the 'other computer'? :)
Attachment #687513 - Attachment is obsolete: true
Flags: needinfo?(kairo)
Attachment #8949649 - Flags: review?(dveditz)
Attachment #8949649 - Flags: review?(bugspam.Callek)
(In reply to Edmund Wong (:ewong) from comment #6)
> :KaiRo, any time to verify as the 'other computer'? :)

Where do I get the .asc file to check against the key (assuming the same helloworld.txt was signed, which I still have)?
Flags: needinfo?(kairo) → needinfo?(ewong)
(In reply to Robert Kaiser from comment #7)
> (In reply to Edmund Wong (:ewong) from comment #6)
> > :KaiRo, any time to verify as the 'other computer'? :)
> 
> Where do I get the .asc file to check against the key (assuming the same
> helloworld.txt was signed, which I still have)?

Ah sorry.  See email.
Flags: needinfo?(ewong)
(In reply to Edmund Wong (:ewong) from comment #8)
> Ah sorry.  See email.

> gpg --verify helloworld.txt.asc helloworld.txt
gpg: Signature made Fre 09 Feb 2018 09:09:05 CET
gpg:                using DSA key 0E823F8410C6CB76
gpg: Good signature from "SeaMonkey Software Releases <seamonkey-release@mozilla.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF66 D5EA D3CA 440F 4BC5  3A41 9122 E30B 12D9 2A42
     Subkey fingerprint: 35B6 57CF 64BC 754E B2B7  CA4C 0E82 3F84 10C6 CB76

I believe that means it's fine :)
(In reply to Robert Kaiser from comment #9)
> (In reply to Edmund Wong (:ewong) from comment #8)
> > Ah sorry.  See email.
> 
> > gpg --verify helloworld.txt.asc helloworld.txt
> gpg: Signature made Fre 09 Feb 2018 09:09:05 CET
> gpg:                using DSA key 0E823F8410C6CB76
> gpg: Good signature from "SeaMonkey Software Releases
> <seamonkey-release@mozilla.org>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: EF66 D5EA D3CA 440F 4BC5  3A41 9122 E30B 12D9 2A42
>      Subkey fingerprint: 35B6 57CF 64BC 754E B2B7  CA4C 0E82 3F84 10C6 CB76
> 
> I believe that means it's fine :)

Yay!

Next step:

> 5) Post the template public keyfile "KEY" as patch for review, and checkin. This checked in file will 
> later be posted by the automation alongside the signed builds.

Though I don't know  how relevant this is since our automation don't having signing capabilities.
Do we submit it to Moco's automation or do we stand up our own?


>6) Post the template public keyfile to http://pgp.mit.edu/, http://wwwkeys.pgp.net/ and other keymasters.

This can easily be done.  Just need clarification about point #5.
Blocks: signSM
Not sure what I'm reviewing -- do you need a review to update a key? It's a fine looking key, r+ ?
Flags: needinfo?(ewong)
(In reply to Daniel Veditz [:dveditz] from comment #11)
> Not sure what I'm reviewing -- do you need a review to update a key? It's a
> fine looking key, r+ ?

The person that came to mind was you when it came to Moco security, so I figured having you
look over the key whether it's ok would be appropriate.  So yes, I'm seeking a r+.

After reading the original bug, just realized the original key wasn't put anywhere else.  
But at least this part of the 'bring-up-SeaMonkey-to-speed-with-signing' is done.

Thanks!
Flags: needinfo?(ewong)
Comment on attachment 8949649 [details]
KEY

The 2K key gives me pause, but it expires in 2020 so it should be OK unless crypto research gets a breakthrough. Next time use a 3K or 4K key.
Attachment #8949649 - Flags: review?(dveditz) → review+
(In reply to Daniel Veditz [:dveditz] from comment #13)
> Comment on attachment 8949649 [details]
> KEY
> 
> The 2K key gives me pause, but it expires in 2020 so it should be OK unless
> crypto research gets a breakthrough. Next time use a 3K or 4K key.

Ah.  thanks dveditz.  Since you have reservations about 2k, I've done a 3k key.
(don't have the 4k available).  Sent the result to KaiRo..  waiting confirmation
before I post here.
Attached file KEY
Assignee: bugspam.Callek → ewong
Attachment #8949649 - Attachment is obsolete: true
Attachment #8949649 - Flags: review?(bugspam.Callek)
Comment on attachment 8955965 [details]
KEY

:dveditz, is this better?
Attachment #8955965 - Flags: review?(dveditz)
Attachment #8955965 - Flags: review?(dveditz) → review+
Thanks dveditz!
Ok, I have added the KEY to the following servers:

gpg.mozilla.org
http://pgp.mit.edu/
and  http://wwwkeys.pgp.net/
Status: NEW → ASSIGNED
Blocks: 1443390
> http://wwwkeys.pgp.net/

couldn't add anything to the this one.
You need to log in before you can comment on or make changes to this bug.