Keys
Preliminary
The write-up below assumes some familiarity with GNUPG and git. Using git pull --verify-signatures requires git version 1.8 or later. The GNUPG gpg commands listed below are only meant as hints or starting points.
Step 1: Have you imported my keys before?
Have you imported my public keys before?
☐ Yes. Then go to Step 6.
☐ No. Then go to Step 2.
Step 2: Download my public keys
Download the keyID.txt files linked in the table below and listed as valid.
gpg --import keyID.txt
where keyID.txt has to be replaced with the files you downloaded in the previous step.
Step 4: Verify my master key
You MUST verify the fingerprint of my master key, and if it matches then you SHOULD sign my master key with your key.
gpg --edit-key C3744A1F30DE79AABF1B7A33CBB8FD57167A6E04
fpr
(check fingerprint here against table below)
sign
As an alternative, you can trust my key after checking the fingerprint:
gpg --edit-key C3744A1F30DE79AABF1B7A33CBB8FD57167A6E04
fpr
(check fingerprint here against table below)
trust
(ultimate trust)
Step 5: Verify my other keys
You MUST make sure that all my keys other than my master key are signed by my master key.
gpg --check-sigs
- Make sure keys are still valid. See table below.
- Re-import expired but valid keys if needed.
- Adhere to key usage, as described below.
- When pulling, do git pull --verify-signatures instead of just git pull.
- To verify a given commit: git log --show-signature -1
File | Valid | Fingerprint | Usage |
167A6E04 | 2019-06-19 | C374 4A1F 30DE 79AA BF1B 7A33 CBB8 FD57 167A 6E04 | Certification |
805ABC35 | 2019-06-19 | CEA3 9A64 7EC9 6419 C80E 30D8 83AC 8189 805A BC35 | Code Signing |
F1D9361B | NO, REVOKED | | DO NOT USE |
41D44F5D | NO, REVOKED | | DO NOT USE |
Back to step 3 above
Appendix B: Key Usage
- Do not trust signatures made with expired keys. If the key is expired but shown as valid in the table above, please re-import it by going to step 6 above.
- If a key is marked invalid, the revoked key will be linked in the table above with the revoked date. If so, please import the revoked key immediately.
- Do not trust signatures made with revoked keys.
- The master key may only be used to verify the other keys.
- The code signing key may only be used to verify my commits to the codes listed here.
- Do not trust usage of keys for purposes not indicated in the above.
- I only make commits to codes listed here.
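An added example, not part of the original page: a shell function that applies the key usage rules above to the raw GnuPG status lines that git verify-commit --raw prints to stderr, accepting a commit only when the signature is valid and its primary key is the code signing key from the table. The names check_sig_status and sample_status and the sample status lines are constructed for illustration; git verify-commit --raw needs a newer git than the 1.8 minimum named in the Preliminary section.

```shell
#!/bin/sh
# Added example, not from the original page. Fingerprints are the ones in the
# table above with the spaces removed.
MASTER_FPR=C3744A1F30DE79AABF1B7A33CBB8FD57167A6E04
CODE_SIGNING_FPR=CEA39A647EC96419C80E30D883AC8189805ABC35

# check_sig_status (hypothetical name): reads GnuPG status lines on stdin,
# prints a verdict, and returns 0 only when there is exactly one valid
# signature whose primary key is the code signing key.
check_sig_status() {
    awk -v want="$CODE_SIGNING_FPR" -v master="$MASTER_FPR" '
        $1 != "[GNUPG:]" { next }
        # Any of these disqualifies the commit, even next to a VALIDSIG line.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = $2 }
        # Field 12 of a VALIDSIG line is the primary key fingerprint; if it is
        # missing (very old GnuPG output) the check fails closed.
        $2 == "VALIDSIG" { n++; fpr = (NF >= 12) ? toupper($12) : "" }
        END {
            if (bad != "")     { print "REJECT " bad; exit 1 }
            if (n != 1)        { print "REJECT no single valid signature"; exit 1 }
            if (fpr == master) { print "REJECT master key is certification only"; exit 1 }
            if (fpr != want)   { print "REJECT unexpected key " fpr; exit 1 }
            print "ACCEPT " fpr
        }'
}

# Constructed sample status output: key ID, user ID and dates are made up.
# $1 = primary key fingerprint, $2 = signature status keyword (default GOODSIG)
sample_status() {
    echo "[GNUPG:] NEWSIG"
    echo "[GNUPG:] ${2:-GOODSIG} 0000000000000000 Example Author"
    echo "[GNUPG:] VALIDSIG $1 2019-01-01 1546300800 0 4 0 1 8 00 $1"
}

# Real use (status goes to stderr, so swap it onto the pipe):
#   git verify-commit --raw HEAD 2>&1 >/dev/null | check_sig_status
sample_status "$CODE_SIGNING_FPR" | check_sig_status
sample_status "$CODE_SIGNING_FPR" REVKEYSIG | check_sig_status || true
sample_status "$MASTER_FPR" | check_sig_status || true
```

The function rejects on an expired or revoked key status even when a VALIDSIG line is present, which is the case a check on VALIDSIG alone would miss.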