Skip to content
Taras Drozdovskyi edited this page Oct 30, 2021 · 11 revisions

Contents

How to sign a release using GPG?
How to use GPG to verify signed release?
Where can I create a ticket issue concerning the LF Edge infrastructure?

How to sign a release using GPG? (for maintainers)

A good example of a release signature can be found on the link. However, 5 and 6 items are described separately.

Creating a key pair

gpg --full-generate-key

During the execution of this command, you will need to enter additional data:

  • Please select what kind of key you want: 1
  • What keysize do you want? (3072): 4096
  • Please specify how long the key should be valid: 0
  • Key is valid for? (0): 0
  • Is this correct? (y/N): y
  • Real name: LF Home Edge
  • Email address: [email protected]
  • Comment: Keys for edge-home-orchestration-go

In this case, the result will be the next

gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: LF Home Edge
Email address: [email protected]
Comment: Keys for edge-home-orchestration-go
You selected this USER-ID:
    "LF Home Edge (Keys for edge-home-orchestration-go) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key BE13B1D440E813F0 marked as ultimately trusted
gpg: revocation certificate stored as '/home/virtual-pc/.gnupg/openpgp-revocs.d/D3C7C06AC34BDA9A41388E76BE13B1D440E813F0.rev'
public and secret key created and signed.

pub   rsa4096 2021-10-15 [SC]
      D3C7C06AC34BDA9A41388E76BE13B1D440E813F0
uid                      LF Home Edge (Keys for edge-home-orchestration-go) <[email protected]>
sub   rsa4096 2021-10-15 [E]

Create and sign a tag with your created key

Set your GPG signing key in Git

git config --global user.signingkey <key-ID>

Create and sign the tag

git tag -s <tag>

Sign the release tarball with your created key

gpg --armor --detach-sign edge-home-orchestration-go-vx.x.x.tar.gz

If you have multiple keys, you must specify the key that will be used by adding the option -u <key-ID>

Extraction a copy of a key pair from local gpg keyring

gpg --output edge-home-orchestration-go-public.pgp --armor --export [email protected] 
gpg --output edge-home-orchestration-go-private.pgp --armor --export-secret-key [email protected]

It should be noted that only the signature file (edge-home-orchestration-go-vx.x.x.tar.gz.asc) and the public key (edge-home-orchestration-go-public.pgp) must be loaded as an artifact to release.

To sign the release using another computer

For this need to download the private key (edge-home-orchestration-go-private.pgp) by the next command:

gpg --import edge-home-orchestration-go-private.pgp

How to use GPG to verify signed release?

To perform the verification, you need the following:

  • signed file – for example edge-home-orchestration-go-vx.x.x.tar.gz
  • signature file – accompanying file with “.asc” extension (Ex. edge-home-orchestration-go-vx.x.x.tar.gz.asc)
  • public key – for example edge-home-orchestration-go-public.pgp

Import the public key to your keystore

gpg --import <public key>

Verification signed file

gpg --verify <signature file> <signed file>

If you have multiple keys, you must specify the key that will be used by adding the option -u <key-ID>


Where can I create a ticket issue concerning the LF Edge infrastructure?

Get IT Support for LF Projects