| 1 | +# SDK GPG Keys |
| 2 | + |
| 3 | +## Current *key*pers |
| 4 | + |
| 5 | +The keys are currently in the hands of [Joe Lanford](https://github.com/joelanford/). |
| 6 | + |
| 7 | +## Transferring keys |
| 8 | + |
| 9 | +In order to transfer the keys to other members of the Operator SDK admins, following the following: |
| 10 | + |
| 11 | +1. get public GPG key from the person(s) you will transfer to |
| 12 | +2. import their key into your keyring |
| 13 | + |
| 14 | +``` |
| 15 | +gpg --import KEY |
| 16 | +``` |
| 17 | + |
| 18 | +3. verify their identity, is this really their key. Video call can be useful for this. |
| 19 | +4. sign their key |
| 20 | + |
| 21 | +``` |
| 22 | +gpg --sign-key EMAIL-OF-USERS-KEY |
| 23 | +``` |
| 24 | + |
| 25 | +5. export the SDK public key |
| 26 | + |
| 27 | +``` |
| 28 | +gpg --export --armor -o 3B2F1481D146238080B346BB052996E2A20B5C7E.pub .asc 3B2F1481D146238080B346BB052996E2A20B5C7 |
| 29 | +``` |
| 30 | +6. export the SDK private key |
| 31 | + |
| 32 | +``` |
| 33 | +gpg --export-secret-key --armor -o 3B2F1481D146238080B346BB052996E2A2 0B5C7E.priv.asc 3B2F1481D146238080B346BB052996E2A20B5C7E |
| 34 | +``` |
| 35 | +7. export the SDK sub key |
| 36 | + |
| 37 | +``` |
| 38 | +gpg --export-secret-subkeys --armor -o 3B2F1481D146238080B346BB052996 E2A20B5C7E.sub_priv.asc 3B2F1481D146238080B346BB052996E2A20B5C7E |
| 39 | +``` |
| 40 | + |
| 41 | +8. encrypt each key for the person |
| 42 | + |
| 43 | +``` |
| 44 | +gpg --encrypt --sign --armor -r EMAIL-OF-USERS-KEY --output 052996E2A20B5C7E.subkey.private.asc.enc 052996E2A20B5C7E.subkey.private.asc |
| 45 | +``` |
| 46 | + |
| 47 | +9. send them the encrypted key to the user |
| 48 | + |
| 49 | +10. user should be able to decrypt with their key. |
| 50 | + |
| 51 | +## Updating expiration date |
| 52 | + |
| 53 | +There will be a few people that have the keys. Those people should be able to update the expiration date. This won't have to be done until November 8, 2025. |
| 54 | + |
| 55 | +You will want to update the date of the key: |
| 56 | + |
| 57 | +``` |
| 58 | +gpg --edit-key (key id) |
| 59 | +``` |
| 60 | + |
| 61 | +Once you're in the gpg console select the key , there are 2, you need to update both. I just pick a 3 year term. |
| 62 | + |
| 63 | +``` |
| 64 | +gpg> expire |
| 65 | +(follow prompts) |
| 66 | +3y |
| 67 | +gpg> save |
| 68 | +``` |
| 69 | + |
| 70 | +You can use whatever term the team wants. |
| 71 | + |
| 72 | +One of the resources I used: [How to change the expiration date of a GPG key](https://www.g-loaded.eu/2010/11/01/change-expiration-date-gpg-key/) |
| 73 | + |
| 74 | +## Sending keys to keyserver |
| 75 | + |
| 76 | +Once you have the keys updated, you should send them to a keyserver. I have a couple examples, not sure if both are needed. |
| 77 | + |
| 78 | +``` |
| 79 | +gpg --keyserver keyserver.ubuntu.com --send-key 3B2F1481D146238080B346BB052996E2A20B5C7E |
| 80 | +gpg --keyserver pgp.mit.edu --send-key 3B2F1481D146238080B346BB052996E2A20B5C7E |
| 81 | +``` |
| 82 | + |
| 83 | +I *think* you only need to send it to one server, most of the commands in my shell history use `pgp.mit.edu` |
| 84 | + |
| 85 | +## Updating secring.auto.gpg |
| 86 | + |
| 87 | +Once you have the keys updated, you need to regenerate the keyrings that are stored in the [SDK repo](https://github.com/operator-framework/operator-sdk/tree/master/.ci/gpg). |
| 88 | + |
| 89 | +Use the SDK key to sign and encrypt it. You need to use `--local-user` to avoid GPG from using your own key. |
| 90 | + |
| 91 | +``` |
| 92 | +gpg --cipher-algo AES256 --output secring.auto.gpg --local-user "cncf-operator-sdk@cncf.io" --sign --symmetric 3B2F1481D146238080B346BB052996E2A20B5C7E.sub_priv.asc |
| 93 | +``` |
| 94 | + |
| 95 | +## Updating pubring.auto |
| 96 | + |
| 97 | +This is the public keyring. It's simply the public key. Export the public key then rename it as `pubring.auto` |
| 98 | + |
| 99 | +``` |
| 100 | +gpg --export --armor -o 3B2F1481D146238080B346BB052996E2A20B5C7E.pub.asc 3B2F1481D146238080B346BB052996E2A20B5C7E |
| 101 | +cp 3B2F1481D146238080B346BB052996E2A20B5C7E.pub.asc pubring.auto |
| 102 | +``` |
| 103 | + |
| 104 | +## CI usage of keys |
| 105 | + |
| 106 | +The GPG keys are stored in [.ci/gpg](https://github.com/operator-framework/operator-sdk/tree/master/.ci/gpg) of the Operator SDK repo. |
| 107 | + |
| 108 | +In Github settings, there is a `GPG_PASSWORD` environment variable. It is set here in the [Environments](https://github.com/operator-framework/operator-sdk/settings/environments/172302554/edit) tab. You need to be admin. |
| 109 | + |
| 110 | +The `GPG_PASSWORD` has been encrypted and handed to a few people. These people are the keepers of the password. |
| 111 | + |
| 112 | +## Original process |
| 113 | + |
| 114 | +The original keys were setup using the following article. |
| 115 | + |
| 116 | +https://blogs.itemis.com/en/secure-your-travis-ci-releases-part-2-signature-with-openpgp |
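Review bot: the export and encrypt commands in steps 5 through 8 (lines 28, 33, 38 and 44) cannot be copy-pasted as written and do not agree with each other, so please fix them before this lands. Line 28 has a space inside the output name (`...052996E2A20B5C7E.pub .asc`) and the trailing fingerprint is missing its last character (`...E2A20B5C7` instead of `...E2A20B5C7E`), so `gpg --export` would receive two output names and an incomplete key id; lines 33 and 38 likewise have a space inside the output filename (`E2A2 0B5C7E.priv.asc`, `052996 E2A20B5C7E.sub_priv.asc`). Step 8 then encrypts `052996E2A20B5C7E.subkey.private.asc`, a file that none of the previous steps produced (they write `.priv.asc` and `.sub_priv.asc` under the full fingerprint), and although the step says "encrypt each key" only one command is shown; either show the command once per exported file or state which of the three exports is actually handed over. Since the CI keyring in the "Updating secring.auto.gpg" section is built only from the `.sub_priv.asc` file, it would also help to say explicitly whether the primary secret key from step 6 needs to travel at all, or whether the subkey alone is sufficient for the new keeper. Smaller wording fixes while you are in here: "Current *key*pers" (line 3) should read "keepers", "following the following" (line 9) should be "do the following", "(key id)" (line 58) should use the fingerprint used everywhere else, and "avoid GPG from using" (line 89) should be "stop GPG from using".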