Bug 757524 - GPG docs suggest to keep private keys on a device.
Status: RESOLVED FIXED
Product: ostree
Classification: Infrastructure
Component: general
Version: unspecified
OS: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: OSTree maintainer(s)
Depends on:
Blocks:
Reported: 2015-11-03 13:49 UTC by Gatis Paeglis
Modified: 2015-11-08 02:29 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Gatis Paeglis 2015-11-03 13:49:12 UTC
From "man ostree":

"GPG VERIFICATION
OSTree supports signing commits with GPG. The set of trusted keys is stored as keyring files in /usr/share/ostree/trusted.gpg.d.
*Any key in any keyring in that directory may be used to sign commits.*"

GPG docs suggest keeping private keys on a device. This sounds like a bad idea, since a private key should be kept private. To verify a signature of updates on a device it is sufficient to keep only the pubring.gpg in /usr/share/ostree/trusted.gpg.d on a device.

The confusing line is:
"*Any key in any keyring in that directory may be used to sign commits.*"

It doesn't really matter where you keep the key on the server when signing the commits.
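A defender-side check that follows from the report's point (a device only needs public keys in /usr/share/ostree/trusted.gpg.d), written here as an added example that is not part of the bug report or of ostree itself: it walks the OpenPGP packet headers (RFC 4880 section 4.2) of each keyring file in a directory and flags any file containing a Secret-Key (tag 5) or Secret-Subkey (tag 7) packet. The directory, the file names and the keyring bytes are constructed for the example; a real audit would point it at the device's trusted.gpg.d.

```python
"""Audit a trusted keyring directory for private-key material.

Added example, not code from the ostree project. It parses OpenPGP packet
framing (RFC 4880 section 4.2) just far enough to read each packet's tag,
so a keyring that accidentally carries secret-key packets is reported.
"""
import os
import tempfile

# OpenPGP packet tags relevant to keyrings (RFC 4880 section 4.3).
SECRET_KEY, PUBLIC_KEY, SECRET_SUBKEY, USER_ID, PUBLIC_SUBKEY = 5, 6, 7, 13, 14
SECRET_TAGS = {SECRET_KEY, SECRET_SUBKEY}


def iter_packet_tags(data: bytes):
    """Yield the tag of every top-level packet in an OpenPGP binary blob.

    Both old-format and new-format headers are handled. Partial body
    lengths (new format, 224..254) and indeterminate lengths (old format,
    length type 3) do not occur in keyring files; we refuse them rather
    than guess at packet boundaries.
    """
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x80 == 0:
            raise ValueError(f"byte {i}: not an OpenPGP packet header")
        if ctb & 0x40:  # new-format header: tag in the low 6 bits
            tag = ctb & 0x3F
            first = data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length = ((first - 192) << 8) + data[i + 2] + 192
                hdr = 3
            elif first == 255:
                length = int.from_bytes(data[i + 2:i + 6], "big")
                hdr = 6
            else:
                raise ValueError(f"byte {i}: partial body length unsupported")
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError(f"byte {i}: indeterminate length unsupported")
            hdr = 1 + (1 << ltype)  # one, two or four length octets
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        yield tag
        i += hdr + length


def keyring_has_secret_material(data: bytes) -> bool:
    """True if any Secret-Key or Secret-Subkey packet is present."""
    return any(tag in SECRET_TAGS for tag in iter_packet_tags(data))


def audit_trusted_dir(path: str) -> dict:
    """Map each .gpg file under `path` to True if it contains secret packets."""
    results = {}
    for name in sorted(os.listdir(path)):
        if not name.endswith(".gpg"):
            continue
        with open(os.path.join(path, name), "rb") as f:
            results[name] = keyring_has_secret_material(f.read())
    return results


# Constructed sample keyrings: packet bodies are dummy bytes, since only
# the headers matter for this check. Real keyrings carry full key material.
def _new_pkt(tag: int, body: bytes) -> bytes:
    """New-format packet with a one-octet length (body shorter than 192)."""
    return bytes([0xC0 | tag, len(body)]) + body


def _old_pkt(tag: int, body: bytes, ltype: int = 0) -> bytes:
    """Old-format packet; ltype 0/1/2 selects 1/2/4 length octets."""
    n = 1 << ltype
    return bytes([0x80 | (tag << 2) | ltype]) + len(body).to_bytes(n, "big") + body


PUBLIC_ONLY = (_new_pkt(PUBLIC_KEY, b"\x04" * 20) + _new_pkt(USER_ID, b"dev@example")
               + _new_pkt(PUBLIC_SUBKEY, b"\x04" * 20))
WITH_SECRET = (_new_pkt(SECRET_KEY, b"\x04" * 20) + _new_pkt(USER_ID, b"dev@example")
               + _new_pkt(SECRET_SUBKEY, b"\x04" * 20))
OLD_FORMAT = _old_pkt(PUBLIC_KEY, b"\x04" * 20, ltype=1) + _old_pkt(USER_ID, b"dev@example")


def demo() -> dict:
    """Write the constructed keyrings into a scratch directory and audit it."""
    d = tempfile.mkdtemp(prefix="trusted.gpg.d-")
    for name, blob in (("vendor.gpg", PUBLIC_ONLY), ("leaked.gpg", WITH_SECRET), ("README", b"x")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(blob)
    return audit_trusted_dir(d)


if __name__ == "__main__":
    for name, leaked in demo().items():
        print(f"{name}: {'SECRET KEY MATERIAL FOUND' if leaked else 'public keys only'}")
```

The check only inspects packet tags, so it says nothing about whether the public keys present are the right ones; it answers the narrower question the report raises, namely whether a device's trusted keyring directory contains anything that should have stayed on the signing host.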
Comment 1 Colin Walters 2015-11-08 02:16:48 UTC
Ok, I tried to reword this in:

https://git.gnome.org/browse/ostree/commit/?id=efdb4d8f443768e59529c299290bee8b1f8f93c3
Comment 2 Matthew Barnes 2015-11-08 02:29:28 UTC
Should it mention something about importing keys for a particular remote? I thought we had deprecated the global /usr/share/ostree/trusted.gpg.d location.