GPG Signing Party

Eclipse IoT F2F meeting

GPG?

  • GPG is the GNU implementation of the OpenPGP standard
  • It lets you encrypt and decrypt documents, as well as sign them.
  • Used by Maven Central, Debian, and Ubuntu to sign artifacts and package repositories.

GPG?

  • Public-key cryptography
  • Encryption
    • public key: used to encrypt data,
    • private key: decrypt
  • Signing
    • private key: sign an electronic document (email, JAR, …)
    • public key: validate the document’s authenticity

GnuPG

GnuPG is a GPL-licensed tool available on all the major platforms (Linux, Windows, Mac OS X)

Create your GPG keypair

gpg --gen-key

Best practices

  • Use RSA/RSA algorithm
  • Adopt a key-length of 4096 bits
  • Avoid setting a "comment" field
  • Set a reasonable expiration date (e.g. 5 years)
  • Generate a revocation certificate

More: https://alexcabal.com/creating-the-perfect-gpg-keypair/

Turning your self-signed certificate into a more trustworthy one

Signing a key

Provide your key information (fingerprint) and a proof of identity to the person you want to have sign your key

  • Make sure to upload your key to a keyserver so that the other party can download the complete and up-to-date version of your key

Note: the actual signing does not need to happen live!

Signing a key

Once you have someone’s key fingerprint and have checked their ID:

  • Download the key from the keyserver and check that the key details (fingerprint, user IDs) match the person
  • Sign it!
  • Re-upload it to the keyserver
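The three steps above as an added POSIX sh example (not part of the slides): the fingerprint written down at the party is compared, after normalization, against the one GnuPG reports for the downloaded key, and signing is refused on a mismatch. It assumes GnuPG 2.x on PATH and a keyserver that keeps third-party signatures (hkps://keyserver.ubuntu.com is assumed); the helper names are mine.

```shell
#!/bin/sh
# Added example: verify-then-sign for a key signing party.
# Assumed keyserver; override with KEYSERVER=... in the environment.
KEYSERVER="${KEYSERVER:-hkps://keyserver.ubuntu.com}"

# Strip spaces/colons and uppercase, so "ab cd" and "ABCD" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n\t' | tr '[:lower:]' '[:upper:]'
}

# A v4 OpenPGP fingerprint is 40 hex digits; reject anything shorter
# (a short key ID is not enough to identify a key).
valid_fpr() {
    fpr=$(normalize_fpr "$1")
    [ "${#fpr}" -eq 40 ] && printf '%s' "$fpr" | grep -Eq '^[0-9A-F]{40}$'
}

# True when the handed-over fingerprint equals the one gpg reports.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Step 1: download the key by its full fingerprint.
fetch_key() {
    gpg --keyserver "$KEYSERVER" --recv-keys "$(normalize_fpr "$1")"
}

# Step 1b: show fingerprint and user IDs to compare with the ID you checked.
# In --with-colons output, field 10 of "fpr" and "uid" records holds the value.
show_key() {
    gpg --with-colons --fingerprint "$(normalize_fpr "$1")" |
        awk -F: '$1=="fpr"||$1=="uid"{print $1": "$10}'
}

# Step 2: sign only if gpg's fingerprint equals the one received in person.
sign_key() {
    expected=$(normalize_fpr "$1")
    valid_fpr "$expected" || { echo "not a full fingerprint" >&2; return 1; }
    actual=$(gpg --with-colons --fingerprint "$expected" |
        awk -F: '$1=="fpr"{print $10; exit}')
    fpr_matches "$expected" "$actual" ||
        { echo "fingerprint mismatch, refusing to sign" >&2; return 1; }
    gpg --sign-key "$expected"
}

# Step 3: re-upload so the owner and everyone else receive the new signature.
upload_key() {
    gpg --keyserver "$KEYSERVER" --send-keys "$(normalize_fpr "$1")"
}
```

Run `fetch_key FPR; show_key FPR; sign_key FPR; upload_key FPR` from a terminal, since `gpg --sign-key` asks for confirmation interactively.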