Open
Bug 817383
Opened 12 years ago
Updated 3 years ago
SeaMonkey needs new (public) GPG key, in order to support signing releases properly
Categories
(SeaMonkey :: Release Engineering, defect, P1)
Tracking
(Not tracked)
ASSIGNED
People
(Reporter: Callek, Assigned: ewong)
References
(Blocks 2 open bugs)
Details
Attachments
(1 file, 2 obsolete files)
This will enable us to upload with detached sig's on our servers, and ensure that other OS's (e.g. Linux) can trust our binaries as well. From what I can tell our expiration on gpg keys is 2 years, we create our own, and we need to publicize the pubkey well. The most-recent instructions seem to be in Bug 673281 c#3 though there is lots of prior-relevant conversation/bugs around the gpg key in Bug 797690 Bug 377781 and Bug 499709 just for a good start ;-) CC'ing joduinn for the shear "He is caring that SeaMonkey's signing stuff he got us works", and in that he can likely help me if I get stuck here
Reporter | ||
Comment 1•12 years ago
|
||
Done locally, though I have a different ver of gpg # Because gpg on windows doesn't use .gnupg -- and I have local keys. mv /c/Users/Justin/AppData/Roaming/gnupg{,-bak} $ gpg --version gpg (GnuPG) 2.0.17 (Gpg4win 2.1.0) libgcrypt 1.4.6 Copyright (C) 2011 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: C:/Users/Justin/AppData/Roaming/gnupg Supported algorithms: Pubkey: RSA, ELG, DSA Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 ================================================ === 2) Create new key, and two sub keys. ================================================ $ gpg --gen-key gpg (GnuPG) 2.0.17; Copyright (C) 2011 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 3 DSA keys may be between 1024 and 3072 bits long. What keysize do you want? (2048) 1024 Requested keysize is 1024 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 2y Key expires at 12/02/14 09:12:17 Eastern Standard Time Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: SeaMonkey Software Releases Email address: seamonkey-release@mozilla.org Comment: You selected this USER-ID: "SeaMonkey Software Releases <seamonkey-release@mozilla.org>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key 447CC9FE marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2014-12-02 pub 1024D/447CC9FE 2012-12-02 [expires: 2014-12-02] Key fingerprint = 30BE C2BE BF4F 8052 F2F2 067C 3A56 EC34 447C C9FE uid SeaMonkey Software Releases <seamonkey-release@mozilla.org> Note that this key cannot be used for encryption. You may want to use the command "--edit-key" to generate a subkey for this purpose. $ $ gpg --list-keys C:/Users/Justin/AppData/Roaming/gnupg/pubring.gpg ------------------------------------------------- pub 1024D/447CC9FE 2012-12-02 [expires: 2014-12-02] uid SeaMonkey Software Releases <seamonkey-release@mozilla.org> $ $ echo "so far so good" $ $ gpg --edit-key seamonkey-release@mozilla.org gpg (GnuPG) 2.0.17; Copyright (C) 2011 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Secret key is available. pub 1024D/447CC9FE created: 2012-12-02 expires: 2014-12-02 usage: SC trust: ultimate validity: ultimate [ultimate] (1). SeaMonkey Software Releases <seamonkey-release@mozilla.org> gpg> addkey Key is protected. You need a passphrase to unlock the secret key for user: "SeaMonkey Software Releases <seamonkey-release@mozilla.org>" 1024-bit DSA key, ID 447CC9FE, created 2012-12-02 Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) Your selection? 3 DSA keys may be between 1024 and 3072 bits long. What keysize do you want? (2048) 1024 Requested keysize is 1024 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 2y Key expires at 12/02/14 09:15:49 Eastern Standard Time Is this correct? (y/N) y Really create? (y/N) y We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. pub 1024D/447CC9FE created: 2012-12-02 expires: 2014-12-02 usage: SC trust: ultimate validity: ultimate sub 1024D/62F1E309 created: 2012-12-02 expires: 2014-12-02 usage: S [ultimate] (1). SeaMonkey Software Releases <seamonkey-release@mozilla.org> gpg> addkey Key is protected. You need a passphrase to unlock the secret key for user: "SeaMonkey Software Releases <seamonkey-release@mozilla.org>" 1024-bit DSA key, ID 447CC9FE, created 2012-12-02 Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) Your selection? 5 ELG keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 2048 Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 2y Key expires at 12/02/14 09:16:18 Eastern Standard Time Is this correct? (y/N) y Really create? (y/N) y We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. pub 1024D/447CC9FE created: 2012-12-02 expires: 2014-12-02 usage: SC trust: ultimate validity: ultimate sub 1024D/62F1E309 created: 2012-12-02 expires: 2014-12-02 usage: S sub 2048g/F22D828B created: 2012-12-02 expires: 2014-12-02 usage: E [ultimate] (1). SeaMonkey Software Releases <seamonkey-release@mozilla.org> gpg> list pub 1024D/447CC9FE created: 2012-12-02 expires: 2014-12-02 usage: SC trust: ultimate validity: ultimate sub 1024D/62F1E309 created: 2012-12-02 expires: 2014-12-02 usage: S sub 2048g/F22D828B created: 2012-12-02 expires: 2014-12-02 usage: E [ultimate] (1). SeaMonkey Software Releases <seamonkey-release@mozilla.org> gpg> quit Save changes? (y/N) y ================================================ === 3) create the public key file. ================================================ Create a new text file "KEY" containing the following boilerplate text: [snip] This file contains the PGP keys of various developers that work on Mozilla and its subprojects (such as SeaMonkey). Please don't use these keys for email unless you have asked the owner because some keys are only used for code signing. Please realize that this file itself or the public key servers may be compromised. You are encouraged to validate the authenticity of these keys in an out-of-band manner. [snip] 3a) Append the following to "KEY" text file: $ gpg --fingerprint --list-sigs releases@mozilla.org >> KEY $ gpg --armor --export releases@mozilla.org >> KEY 4) Verify the private key / public key pair work 4a) on signing machine: *) create a small helloworld.txt file *) $ gpg --armor --detach-sig helloworld.txt *) transfer KEY, helloworld.txt, helloworld.txt.asc to another machine 4b) on another machine $ gpg --import KEY $ gpg --verify helloworld.txt helloworld.txt.asc gpg: Signature made Sun Dec 2 15:22:40 2012 CET using DSA key ID 62F1E309 gpg: Good signature from "SeaMonkey Software Releases <seamonkey-release@mozilla.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 30BE C2BE BF4F 8052 F2F2 067C 3A56 EC34 447C C9FE Subkey fingerprint: 3B17 A7FB CF46 98D5 35F9 AAD6 68F7 A8D1 62F1 E309 ================================= === STILL TODO (the following) ================================= 5) Post the template public keyfile "KEY" as patch for review, and checkin. This checked in file will later be posted by the automation alongside the signed builds. 6) Post the template public keyfile to http://pgp.mit.edu/, http://wwwkeys.pgp.net/ and other keymasters. 7) all done - declare victory!
Reporter | ||
Comment 2•12 years ago
|
||
The idea here is to get it checked in somewhere. I'm not sure if there is a better place in revision control than hg atm, MoCo key is stored in svn[?] at /mofo/release/keys/pgp/PUBLIC-KEY Mozilla Messaging's Key was stored in c-c/mail/build/KEY (and later removed -- c.f. Bug 499709, Bug 637629 and Bug 761028) So I propose we store ours in: c-c/suite/build/KEY (with additional landings on c-a c-b and c-r)
Attachment #687513 -
Flags: review?(ewong)
Attachment #687513 -
Flags: review?(dveditz)
Reporter | ||
Comment 3•12 years ago
|
||
FWIW KaiRo verified this, as the "other computer"
Assignee | ||
Updated•12 years ago
|
Attachment #687513 -
Flags: review?(ewong) → review+
Updated•12 years ago
|
Attachment #687513 -
Flags: review?(dveditz) → review+
Comment 4•9 years ago
|
||
Anything new here?
Assignee | ||
Comment 6•7 years ago
|
||
the previous key has expired (by quite some time), so thought I'd move this along. :KaiRo, any time to verify as the 'other computer'? :)
Attachment #687513 -
Attachment is obsolete: true
Flags: needinfo?(kairo)
Attachment #8949649 -
Flags: review?(dveditz)
Attachment #8949649 -
Flags: review?(bugspam.Callek)
Comment 7•7 years ago
|
||
(In reply to Edmund Wong (:ewong) from comment #6) > :KaiRo, any time to verify as the 'other computer'? :) Where do I get the .asc file to check against the key (assuming the same helloworld.txt was signed, which I still have)?
Flags: needinfo?(kairo) → needinfo?(ewong)
Assignee | ||
Comment 8•7 years ago
|
||
(In reply to Robert Kaiser from comment #7) > (In reply to Edmund Wong (:ewong) from comment #6) > > :KaiRo, any time to verify as the 'other computer'? :) > > Where do I get the .asc file to check against the key (assuming the same > helloworld.txt was signed, which I still have)? Ah sorry. See email.
Flags: needinfo?(ewong)
Comment 9•7 years ago
|
||
(In reply to Edmund Wong (:ewong) from comment #8) > Ah sorry. See email. > gpg --verify helloworld.txt.asc helloworld.txt gpg: Signature made Fre 09 Feb 2018 09:09:05 CET gpg: using DSA key 0E823F8410C6CB76 gpg: Good signature from "SeaMonkey Software Releases <seamonkey-release@mozilla.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: EF66 D5EA D3CA 440F 4BC5 3A41 9122 E30B 12D9 2A42 Subkey fingerprint: 35B6 57CF 64BC 754E B2B7 CA4C 0E82 3F84 10C6 CB76 I believe that means it's fine :)
Assignee | ||
Comment 10•7 years ago
|
||
(In reply to Robert Kaiser from comment #9) > (In reply to Edmund Wong (:ewong) from comment #8) > > Ah sorry. See email. > > > gpg --verify helloworld.txt.asc helloworld.txt > gpg: Signature made Fre 09 Feb 2018 09:09:05 CET > gpg: using DSA key 0E823F8410C6CB76 > gpg: Good signature from "SeaMonkey Software Releases > <seamonkey-release@mozilla.org>" [unknown] > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the owner. > Primary key fingerprint: EF66 D5EA D3CA 440F 4BC5 3A41 9122 E30B 12D9 2A42 > Subkey fingerprint: 35B6 57CF 64BC 754E B2B7 CA4C 0E82 3F84 10C6 CB76 > > I believe that means it's fine :) Yay! Next step: > 5) Post the template public keyfile "KEY" as patch for review, and checkin. This checked in file will > later be posted by the automation alongside the signed builds. Though I don't know how relevant this is since our automation don't having signing capabilities. Do we submit it to Moco's automation or do we stand up our own? >6) Post the template public keyfile to http://pgp.mit.edu/, http://wwwkeys.pgp.net/ and other keymasters. This can easily be done. Just need clarification about point #5.
Comment 11•7 years ago
|
||
Not sure what I'm reviewing -- do you need a review to update a key? It's a fine looking key, r+ ?
Flags: needinfo?(ewong)
Assignee | ||
Comment 12•7 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #11) > Not sure what I'm reviewing -- do you need a review to update a key? It's a > fine looking key, r+ ? The person that came to mind was you when it came to Moco security, so I figured having you look over the key whether it's ok would be appropriate. So yes, I'm seeking a r+. After reading the original bug, just realized the original key wasn't put anywhere else. But at least this part of the 'bring-up-SeaMonkey-to-speed-with-signing' is done. Thanks!
Flags: needinfo?(ewong)
Comment 13•7 years ago
|
||
Comment on attachment 8949649 [details]
KEY
The 2K key gives me pause, but it expires in 2020 so it should be OK unless crypto research gets a breakthrough. Next time use a 3K or 4K key.
Attachment #8949649 -
Flags: review?(dveditz) → review+
Assignee | ||
Comment 14•7 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #13) > Comment on attachment 8949649 [details] > KEY > > The 2K key gives me pause, but it expires in 2020 so it should be OK unless > crypto research gets a breakthrough. Next time use a 3K or 4K key. Ah. thanks dveditz. Since you have reservations about 2k, I've done a 3k key. (don't have the 4k available). Sent the result to KaiRo.. waiting confirmation before I post here.
Assignee | ||
Comment 15•7 years ago
|
||
Assignee: bugspam.Callek → ewong
Attachment #8949649 -
Attachment is obsolete: true
Attachment #8949649 -
Flags: review?(bugspam.Callek)
Assignee | ||
Comment 16•7 years ago
|
||
Comment on attachment 8955965 [details]
KEY
:dveditz, is this better?
Attachment #8955965 -
Flags: review?(dveditz)
Updated•7 years ago
|
Attachment #8955965 -
Flags: review?(dveditz) → review+
Assignee | ||
Comment 17•7 years ago
|
||
Thanks dveditz!
Assignee | ||
Comment 18•7 years ago
|
||
Ok, I have added the KEY to the following servers: gpg.mozilla.org http://pgp.mit.edu/ and http://wwwkeys.pgp.net/
Assignee | ||
Updated•7 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Comment 19•7 years ago
|
||
> http://wwwkeys.pgp.net/
couldn't add anything to the this one.
You need to log in
before you can comment on or make changes to this bug.
Description
•