Difference between revisions of "GPG Signatures"

From Funtoo
(19 intermediate revisions by the same user not shown)
Line 1: Line 1:
Funtoo Linux stage tarballs are signed using GPG by the build server they are built on. Each official Funtoo Linux build server has its own individual key, which can be identified by the GPG comment field. The following keys are used to create detached binary signatures ending in {{c|.gpg}} of each stage tarball:
{{Subpages|Metro Plaintext Keys}}
 
The Funtoo Linux master GPG signing key is the {{c|drobbins@funtoo.org}} key (the "BDFL key"), which has the following signature:


{{TableStart}}
{{TableStart}}
<tr><th>GPG key name/email</th><th>GPG comment</th><th>GPG Key ID</th><th>Fingerprint</th><th>GPG Key Type</th><th>Used for</th></tr>
<tr><th>GPG key name/email</th><th>GPG comment</th><th>Fingerprint</th></tr>
<tr><td>Daniel Robbins {{c|drobbins@funtoo.org}}</td><td>{{c|metro:node}}</td><td>{{c|11FD00FD}}</td><td>{{c|70AC BB6B FEE7 BC57 2A89  41D1 9266 C4FA 11FD 00FD}}</td><td>4096-bit RSA (no expiry)</td><td>Generic and Intel builds</td></tr>
<tr><td>Daniel Robbins {{c|drobbins@funtoo.org}}</td><td>{{c|BDFL}}</td><td>{{c|D3B9 48F8 2EE8 B402 0A04 1078 9A65 8306 E986 E8EE}}</td></tr>
<tr><td>Daniel Robbins {{c|drobbins@funtoo.org}}</td><td>{{c|metro:excavator}}</td><td>{{c|4FF347DD}} (Sign)<br>{{c|683A2F8A}} (Primary)</td><td>{{c|3C56 18FB C28A B2FE 90C8  B9EB E510 18CD 4FF3 47DD}} (Sign)<br>{{c|E8C5 7481 5DC1 74AF 5A9E 8385 3AA5 CA5E 683A 2F8A}} (Primary)</td><td>4096-bit RSA (no expiry)</td><td>Most AMD builds</td></tr>
<tr><td>Daniel Robbins {{c|drobbins@funtoo.org}}</td><td>{{c|metro:jaguar}}</td><td>{{c|BEA87CD2}}</td><td>{{c|6DDA E857 2788 8A7C A50E  2122 A902 1CE4 BEA8 7CD2}}</td><td>4096-bit RSA (no expiry)</td><td>AMD Jaguar builds</td></tr>
<tr><td>Daniel Robbins {{c|drobbins@funtoo.org}}</td><td>{{c|metro:odroid-xu4}}</td><td>{{c|EEE54A43}}</td><td>{{c|38E8 4AD5 3B01 590B A678  5E88 2A7B 0B2E EEE5 4A43}}</td><td>4096-bit RSA (no expiry)</td><td>ARM 32-bit builds</td></tr>
{{TableEnd}}
{{TableEnd}}


In turn, these public keys are signed by the Funtoo Linux master signing key:
To verify the integrity of stage3 tarballs using GPG, download your preferred stage3 tarball from https://build.funtoo.org, along with the matching file with the additional {{c|.gpg}} extension in the same directory. Next, we will receive the public master key from a public keyserver (specifying the ''last 8 digits of the BDFL fingerprint'') and assign ultimate trust to it:


{{TableStart}}
{{console|body=
<tr><th>GPG key name/email</th><th>GPG comment</th><th>GPG Key ID</th><th>Fingerprint</th><th>GPG Key Type</th></tr>
$ ##i##gpg --keyserver pgp.mit.edu --recv-key E986E8EE
<tr><td>Daniel Robbins {{c|drobbins@funtoo.org}}</td><td>{{c|BDFL}}</td><td>{{c|E986E8EE}}</td><td>{{c|D3B9 48F8 2EE8 B402 0A04  1078 9A65 8306 E986 E8EE}}</td><td>4096-bit RSA (no expiry)</td></tr>
$ ##i##gpg --edit-key E986E8EE
{{TableEnd}}
gpg> ##i##trust
Your decision? ##i##5
Do you really want to set this key to ultimate trust? (y/N) ##i##y
gpg> ##i##quit
}}
Each build server key has been signed by the BDFL key, so by trusting the BDFL key ''ultimately'', you will automatically ''fully'' trust the build server key.


To verify the integrity of stage3 tarballs using GPG, first download your preferred stage3 taball, and the matching file with the additional {{c|.gpg}} extension in the same directory. Then, you will want to use the {{c|gpg --recv-key}} command, specifying the ''primary key id'' listed above that is necessary for verification:
Next, head to [[GPG Signatures/Metro Plaintext Keys]] and copy and paste the public key and associated signatures for the metro build server into a file called {{c|node.txt}}. Then, import this key into GPG:


{{console|body=
{{console|body=
# ##i##gpg --recv-key 11FD00FD
$ ##i##gpg --import node.txt
# ##i##gpg --recv-key 683A2F8A
# ##i##gpg --recv-key BEA87CD2
# ##i##gpg --verify stage3-latest.tar.xz.gpg stage3-latest.tar.xz
}}
}}


You should see output similar to this, which will specify the ''signing'' GPG key ID:
Then, you can use the {{c|gpg --verify}} command to verify the stage3's GPG signature. You should see output similar to this. The BDFL trusts this key, and if your stage file is not corrupted, you will see a message of a "Good signature" and an exit code of zero:
 
{{console|body=
{{console|body=
gpg: Signature made Sat 10 Dec 2016 08:46:41 PM MST using RSA key ID 4FF347DD
$ ##i##gpg --verify stage3-amd64-zen2-1.4-release-std-2021-11-23.tar.xz.gpg stage3-amd64-zen2-1.4-release-std-2021-11-23.tar.xz
gpg: Good signature from "Daniel Robbins (metro:excavator) <drobbins@funtoo.org>" [ultimate]
gpg: Signature made Fri 03 Dec 2021 09:27:55 AM MST
gpg:                using RSA key 30737D12308C9D0C882FC34B57CB0A121BAECB2E
gpg: Good signature from "Daniel Robbins (metro:node) <drobbins@funtoo.org>" [full]
$ ##i##echo $?
0
}}
 
{{Note|For more details on the benefits of GPG, read https://gnupg.org/gph/en/manual.html }}


}}
[[Category:Official Documentation]]
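Review bot: the new `gpg --keyserver pgp.mit.edu --recv-key E986E8EE` step fetches the BDFL key by its 32-bit short key ID and the page then assigns it ultimate trust without comparing it against anything; short IDs can be made to collide, so the command should take the full fingerprint from the table (`gpg --recv-key D3B948F82EE8B4020A0410789A658306E986E8EE`) and the text should tell the reader to compare `gpg --fingerprint` output with the table row before running `trust`. The same hunk drops the per-build-server rows (metro:node 11FD00FD, metro:excavator, metro:jaguar, metro:odroid-xu4) and keeps only the BDFL row, so nothing left on the page lets a reader confirm that the `using RSA key 30737D12308C9D0C882FC34B57CB0A121BAECB2E` line in the new sample output names a Funtoo build key; a row for the current metro:node key with its fingerprint should stay in the table. Lastly, the new closing sentence ties a correct download to "Good signature" and exit code zero, but gpg prints those for a valid signature by any key in the keyring; the text should also say to check that the key shown in the `using RSA key` line is the listed build server key.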

Revision as of 04:59, December 5, 2021

The Funtoo Linux master GPG signing key is the drobbins@funtoo.org key (the "BDFL key"), which has the following fingerprint:

GPG key name/email                    GPG comment   Fingerprint
Daniel Robbins drobbins@funtoo.org    BDFL          D3B9 48F8 2EE8 B402 0A04 1078 9A65 8306 E986 E8EE

To verify the integrity of stage3 tarballs using GPG, download your preferred stage3 tarball from https://build.funtoo.org, along with the matching file with the additional .gpg extension (the detached signature) from the same directory. Next, fetch the public master key from a public keyserver, specifying the last 8 hex digits of the BDFL fingerprint (its short key ID), and assign ultimate trust to it:

user $ gpg --keyserver pgp.mit.edu --recv-key E986E8EE
user $ gpg --edit-key E986E8EE
gpg> trust
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
gpg> quit

Each build server key has been signed by the BDFL key, so by trusting the BDFL key ultimately, you will automatically fully trust the build server key.

Next, head to GPG Signatures/Metro Plaintext Keys and copy and paste the public key and associated signatures for the metro:node build server into a file called node.txt. Then, import this key into GPG:

user $ gpg --import node.txt

Then use the gpg --verify command to check the stage3's detached signature, passing the .gpg file first and the tarball second. You should see output similar to this: the build server key is signed by the BDFL key (hence the [full] trust marker), and if your stage file is intact you will see a "Good signature" message and an exit code of zero:

user $ gpg --verify stage3-amd64-zen2-1.4-release-std-2021-11-23.tar.xz.gpg stage3-amd64-zen2-1.4-release-std-2021-11-23.tar.xz
gpg: Signature made Fri 03 Dec 2021 09:27:55 AM MST
gpg:                using RSA key 30737D12308C9D0C882FC34B57CB0A121BAECB2E
gpg: Good signature from "Daniel Robbins (metro:node) <drobbins@funtoo.org>" [full]
user $ echo $?
0
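The script below is an added example, not part of Funtoo's documentation or tooling. It wraps the procedure above with two checks the bare commands do not make: the BDFL key is fetched and pinned by its full 40-hex-digit fingerprint rather than the 8-digit short ID (a 32-bit value that other keys can be generated to share), and a "Good signature" from gpg --verify is only accepted when the signing key is on an allow list, because gpg prints "Good signature" for a valid signature by any key in the keyring. Fingerprints are copied from this page; the function names, the KEYSERVER variable and all sample gpg output are assumptions, with the samples constructed to follow GnuPG's documented --status-fd and --with-colons record formats. Whether the 3073...CB2E key in the page's output is a primary key or a signing subkey is not stated, so the signature check accepts a match on either the signing key or its primary key fingerprint.

```shell
#!/bin/sh
# Added example (not Funtoo's code): pins the keyserver fetch to a full
# fingerprint and accepts a stage3 signature only from an allow-listed key.
# Fingerprints are from the page; sample gpg outputs below are constructed.

BDFL_FPR="D3B948F82EE8B4020A0410789A658306E986E8EE"   # BDFL key, from the page's table
# Key shown in the page's example output ("using RSA key ..."). Assumed to be
# the metro:node build key; space-separated list so more keys can be added.
STAGE_SIGNERS="30737D12308C9D0C882FC34B57CB0A121BAECB2E"
KEYSERVER="${KEYSERVER:-pgp.mit.edu}"                 # keyserver the page uses

# norm_fpr FPR: drop the spaces the wiki prints inside fingerprints, upper-case.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# list_fprs: read `gpg --with-colons --fingerprint` output on stdin and print
# every fingerprint (primary and subkeys): field 10 of each "fpr" record.
list_fprs() { awk -F: '$1 == "fpr" { print $10 }'; }

# has_fpr FPR: succeed if FPR is among the fingerprints on stdin (see list_fprs).
has_fpr() { list_fprs | grep -qx "$(norm_fpr "$1")"; }

# sig_ok FPR...: read `gpg --status-fd 1 --verify` output on stdin and succeed
# only if (a) a VALIDSIG record is present, (b) the key is fully or ultimately
# trusted, and (c) the signing key or its primary key is one of FPR....
# VALIDSIG fields: signing-key fpr, date, timestamp, ..., primary-key fpr (last).
sig_ok() {
    status=$(cat)
    signers=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; print $NF }')
    [ -n "$signers" ] || return 1
    printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)' || return 1
    for fpr in "$@"; do
        printf '%s\n' "$signers" | grep -qx "$(norm_fpr "$fpr")" && return 0
    done
    return 1
}

# fetch_bdfl: fetch the BDFL key by full fingerprint (gpg accepts a 40-hex-digit
# fingerprint wherever it takes a key ID) and confirm the imported key really
# carries that fingerprint before `gpg --edit-key ... trust` is run.
fetch_bdfl() {
    gpg --keyserver "$KEYSERVER" --recv-key "$BDFL_FPR" || return 1
    gpg --with-colons --fingerprint "$BDFL_FPR" | has_fpr "$BDFL_FPR"
}

# verify_stage SIG TARBALL: same argument order as the page (detached .gpg
# file first, data file second); the pipeline's exit status is sig_ok's.
verify_stage() {
    # shellcheck disable=SC2086  # STAGE_SIGNERS is word-split on purpose
    gpg --batch --status-fd 1 --verify "$1" "$2" | sig_ok $STAGE_SIGNERS
}

# Constructed status-fd output matching the page's example verification.
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 57CB0A121BAECB2E Daniel Robbins (metro:node) <drobbins@funtoo.org>
[GNUPG:] VALIDSIG 30737D12308C9D0C882FC34B57CB0A121BAECB2E 2021-12-03 1638548875 0 4 0 1 8 00 30737D12308C9D0C882FC34B57CB0A121BAECB2E
[GNUPG:] TRUST_FULLY 0 pgp'
# Constructed: a valid signature by an unrelated key that is in the keyring.
SAMPLE_WRONG_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2021-12-03 1638548875 0 4 0 1 8 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_ULTIMATE 0 pgp'
# Constructed: the tarball was modified after signing.
SAMPLE_BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 57CB0A121BAECB2E Daniel Robbins (metro:node) <drobbins@funtoo.org>'
# Constructed `gpg --with-colons --fingerprint` listing of the BDFL key.
SAMPLE_COLONS='pub:u:4096:1:9A658306E986E8EE:1234567890:::u:::scESC::::::23::0:
fpr:::::::::D3B948F82EE8B4020A0410789A658306E986E8EE:
uid:u::::1234567890::0000000000000000000000000000000000000000::Daniel Robbins (BDFL) <drobbins@funtoo.org>::::::::::0:'

if [ "$#" -eq 2 ]; then
    verify_stage "$1" "$2" && echo "OK: stage signed by an expected Funtoo build key" || { echo "REJECTED"; exit 1; }
else
    # No arguments: exercise the checks on the constructed samples (no gpg needed).
    printf '%s\n' "$SAMPLE_GOOD_STATUS"      | sig_ok $STAGE_SIGNERS && echo "good status: accepted"
    printf '%s\n' "$SAMPLE_WRONG_KEY_STATUS" | sig_ok $STAGE_SIGNERS || echo "unexpected signer: rejected"
    printf '%s\n' "$SAMPLE_BAD_STATUS"       | sig_ok $STAGE_SIGNERS || echo "bad signature: rejected"
    printf '%s\n' "$SAMPLE_COLONS" | has_fpr "D3B9 48F8 2EE8 B402 0A04 1078 9A65 8306 E986 E8EE" && echo "BDFL fingerprint present"
fi
```

Run it as `sh verify-stage.sh stage3-....tar.xz.gpg stage3-....tar.xz` after `fetch_bdfl` and the page's trust and import steps; with no arguments it only runs the checks over the constructed samples. The status-fd records are parsed instead of the human-readable "Good signature" line because their format is stable and the VALIDSIG record carries the full fingerprint, which the short key ID in the page's older output does not.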
Note: For more details on the benefits of GPG, read https://gnupg.org/gph/en/manual.html