• Home
• Resume
• Software
• Memoranda
• Resources

Keys

Preliminary

The below write-up assumes some familiarity with GNUPG and git. The use of git pull --verify-signatures requires git version at least 1.8. When GNUPG gpg commands are listed below, they are only meant as hints or starting points.

Step 1: Have you imported my keys before?

Have you imported my public keys before?
☐ Yes. Then Go to Step 6.
☐ No. Then Go to Step 2.

Step 2: Download my public keys

Download the keyID.txt files linked in the table below and listed as valid.

Step3: Import my public keys

gpg --import keyID.txt

where keyID.txt has to be replaced with the files you downloaded in the previous step.

Step 4: Verify my master key

You MUST verify the fingerprint of my master key, and if it matches then you SHOULD sign my master key with your key.

gpg --edit-key C3744A1F30DE79AABF1B7A33CBB8FD57167A6E04 
fpr
(check fingerprint here against table below)
sign

As an alternative, you can trust my key after checking the fingerprint

gpg --edit-key C3744A1F30DE79AABF1B7A33CBB8FD57167A6E04 
fpr
(check fingerprint here against table below)
trust
(ultimate trust)

Step 5: Verify my other keys

You MUST make sure that all my keys other than my master key are signed by my master key.

gpg --check-sigs

Step 6: Using keys to verify my commits

• Make sure keys are still valid. See table below.
• Re-import expired but valid keys if needed.
• Adhere to key usage, as described below.
• When pulling do git pull --verify-signatures instead of just git pull.
• To verify a given commit git log --show-signature -1

Appendix A: Table of keys

File	Valid	Fingerprint	Usage
167A6E04	2019-06-19	C374 4A1F 30DE 79AA BF1B 7A33 CBB8 FD57 167A 6E04	Certification
805ABC35	2019-06-19	CEA3 9A64 7EC9 6419 C80E 30D8 83AC 8189 805A BC35	Code Signing
F1D9361B	NO, REVOKED		DO NOT USE
41D44F5D	NO, REVOKED		DO NOT USE

Back to step 3 above

Appendix B: Key Usage

• Do not trust signatures made with expired keys. If the key is expired but shown as valid in the table above, please re-import it by going to step 6 above.
• If a key is marked invalid, the revoked key will be linked in the table above with the revoked date. If so, please import the revoked key immediately.
• Do not trust signatures made with revoked keys.
• The master key may only be used to verify the other keys
• The code signing key may only be used to verify my commits to the codes listed here.
• Do not trust usage of keys for purposes not indicated in the above.
• I only make commits to codes listed here.