Re: Migrating to GPG - A mini-HOWTO
Ok, this is a real Mini-HOWTO, please edit and distribute.
Debian GnuPG Mini-Howto
-----------------------
Copyright
Freely redistributable
Authors
People from debian-devel, Martin Schulze.
Todo
Proper format (SGML), proper location (web, ftp)
Scope
This Mini-HOWTO is intended to help Debian people convert from
using PGP to GnuPG for their work within the Debian Project.
Where is signing done?
. .dsc files are signed
. .changes files are signed
. Mutt is used to read and write mails, partially signed
. Votes are signed
Setting up GnuPG
Here is a sample ~/.gnupg/options file.
# Options for GnuPG
#
# Unless you specify which option file to use (with the
# commandline option "--options filename"), GnuPG uses the
# file ~/.gnupg/options by default.
#
# An option file can contain all long options which are
# available in GnuPG. If the first non white space character of
# a line is a '#', this line is ignored. Empty lines are also
# ignored.
#
# See the man page for a list of options.
# If you have more than 1 secret key in your keyring, you may want
# to uncomment the following option and set your preferred keyid
#
# default-key 621CC013
## Compatibility options
# PGPv2/5 compatibility
# force-v3-sigs
# rfc1991
# digest-algo md5
# Screw PGP, let's be RFC compatible =>
openpgp
## These extensions have patents or other issues, these are only
# required if you want to use pgp signatures and keys as well. If
# you're only using the free and patent-less GnuPG you don't need
# them.
#
#load-extension rsaref
# Not for use in the States
#load-extension rsa
# Patented in much of Europe
load-extension idea
## Other fun options
escape-from-lines
lock-once
no-verbose
no-greeting
## Keyrings
secret-keyring secring.gpg
#secret-keyring secring.pgp
keyring pubring.gpg
#keyring pubring.pgp
keyring /usr/share/keyrings/debian-keyring.gpg
#keyring /usr/share/keyrings/debian-keyring.pgp
Setting up Mutt
The following configuration will switch from PGP to GnuPG as
default signing method. There are ways both can coexist, though.
# Adjust the PGP method
#
set pgp_default_version="gpg"
#set pgp_gpg="/usr/bin/gpg"
#set pgp_receive_version="gpg"
#set pgp_key_version="gpg"
#set pgp_send_version="gpg"
# Some detailed adjustments
#set pgp_sign_as=0xDCF9DAB3
#set pgp_sign_micalg=sha1
#set pgp_strict_enc # use Q-P encoding when needed for PGP
# Adjust highlighting of good and bad signatures
#
color body brightyellow black "^(gpg: )?Good signature"
mono body bold "^(gpg: )?Good signature"
color body brightwhite red "^(gpg: )?(Bad|BAD) signature from.*"
mono body bold "^(gpg: )?(Bad|BAD) signature from.*"
Signing .dsc and .changes files
The Debian Installation routine (dinstall) is already prepared to
accept GnuPG keys. Your key has to be included in the keyring.gpg,
though. If this isn't done yet, send it to the keyring maintainer
at keyring-maint@debian.org. If your GnuPG key doesn't have a
proper signature, you should sign that mail using your old PGP key,
so the keyring maintainer can ensure that he's not adding an
intruder's key.
Since GnuPG behaves differently to PGP you need to add a newline to
a .dsc file before signing it with GnuPG. The command to sign is
»gpg --clearsign foo.dsc«.
Voting in Debian
Is our UseVote already prepared to accept GnuPG keys?
Regards,
Joey
--
GNU GPL: "The source will be with you... always."
Please always Cc to me when replying to me on the lists.