Document signing key cross-signing transition

When replacing an old signing key with a new one, sign the new key
with the old key for improved proof of provenance.

Change-Id: Ic7b863565c8f264bede1ec4f49c4e00161920152
Jeremy Stanley 2017-03-24 16:43:44 +00:00
parent 0e4bcbe0b0
commit 18ed16c1ec
1 changed files with 34 additions and 0 deletions


@ -326,6 +326,40 @@ be valid only for as long as its associated master key is valid:
gpg> save gpg> save
Next, sign the new master key with the key from the previous cycle
(specified with the ``--default-key`` option). This proves that the
new key was created by a party with access to its predecessor, so
provides some added assurance of its validity:
.. code-block:: shell-session
root@puppetmaster:~# gpg --homedir signing.gnupg --default-key 0x70CA2E45DF30B1B8 --sign-key 0x120D3C23C6D5584D
pub 2048R/0x120D3C23C6D5584D created: 2016-07-07 expires: 2017-02-02 usage:SC
trust: ultimate validity: ultimate
sub 2048R/0x1F215B56867C5D9A created: 2016-07-07 expires: 2017-02-02 usage:E
sub 2048R/0xC0224DB5F541FB68 created: 2016-07-07 expires: never usage:S
[ultimate] (1). OpenStack Infra (Pike Cycle) <infra-root@openstack.org>
pub 2048R/0x120D3C23C6D5584D created: 2016-07-07 expires: 2017-02-02 usage:SC
trust: ultimate validity: ultimate
Primary key fingerprint: 120D 3C23 C6D5 584D 6FC2 4646 64DB B05A CC5E 7C28
OpenStack Infra (Some Cycle) <infra-root@openstack.org>
This key is due to expire on 2017-02-02.
Are you sure that you want to sign this key with your
key "OpenStack Infra (Previous Cycle) <infra-root@openstack.org>" (0x70CA2E45DF30B1B8)
Really sign? (y/N) y
You need a passphrase to unlock the secret key for
user: "OpenStack Infra (Previous Cycle) <infra-root@openstack.org>"
2048-bit RSA key, ID 0x70CA2E45DF30B1B8, created 2016-11-03
Enter passphrase: ********************************
Now send the master key to the keyserver network. The subkeys are Now send the master key to the keyserver network. The subkeys are
all submitted along with it, so do not need to be specified all submitted along with it, so do not need to be specified
separately: separately:
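Review bot: the sample output in the new ``code-block`` is internally inconsistent and will confuse readers of the walkthrough: the key being signed, 0x120D3C23C6D5584D, is shown with the user ID "OpenStack Infra (Pike Cycle)" on one line and "OpenStack Infra (Some Cycle)" on the next, and the certifying "Previous Cycle" key is listed as created 2016-11-03, later than the 2016-07-07 creation date of the key it is meant to predecede. Pick one placeholder cycle name for the new key and give the old key an earlier creation date so the example matches the "key from the previous cycle" explanation. Minor wording in the added paragraph: "so provides some added assurance" reads better as "and so provides some added assurance".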