
[debian-devel:10550] GPG migration



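This is Sano in Hamamatsu.

From the GPG migration thread that went around on devel@Org a while ago,
I have pulled out the "steps for migrating to GPG".

 (I have gnupg, gpg-rsa and gpg-idea rebuilt on slink here; were they
  also in Debian itself? If they are not available anywhere else and
  there is demand, I might send them to experimental-jp.)

So, here it goes.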

  ---  ---  ---  ---  ---  ---  ---  ---  ---  ---  ---  ---  ---
 By bma@debian.org (Brian Almeida), compiled from devel@Org
 "How to switch to GnuPG for developers ... a very simple mini-HOWTO"

  ---
 # Install the required packages
 # (developers inside the US should use gpg-rsaref instead of gpg-rsa)
 apt-get install gnupg gpg-rsa gpg-idea 

 # For now, create the ~/.gnupg directory and populate it with the skel files
 gpg --list-keys 

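### <Translator's note>
  Some said that if a ~/.pgp directory already exists, this alone does not
  create ~/.gnupg, but as far as I remember this was enough in my environment.
  Which is it really? :)

 By the way, a new key is created in gpg with gpg --gen-key.
### </Translator's note>
 
 # Add the following lines to ~/.gnupg/options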

  ----- insert ~/.gnupg/options -----
 load-extension rsa
 load-extension idea

 # 
 # gpg's keyrings
 keyring ~/.gnupg/pubring.gpg
 secret-keyring ~/.gnupg/secring.gpg
 #
 # your old pgp keyrings
 keyring ~/.pgp/pubring.pgp
 secret-keyring ~/.pgp/secring.pgp

 # if you use the debian-keyring package
 keyring /usr/share/keyrings/debian-keyring.pgp
 keyring /usr/share/keyrings/debian-keyring.gpg
  ----- insert ~/.gnupg/options -----
 
 When building packages, use '[dpkg-buildpackage|debuild] -sgpg -pgpg'.

 If you use mutt as your mail client, it is a good idea to put the
 following settings in ~/.muttrc:

 set pgp_gpg="/usr/bin/gpg"
 set pgp_default_version="gpg"
 set pgp_receive_version="gpg"
 set pgp_key_version="gpg"
 set pgp_send_version="gpg"

 However, some asked whether

 set pgp_default_version="gpg"

 alone would be enough, and others pointed out that settings such as

 set pgp_autosign
 set pgp_default_version=gpg
 set pgp_replyencrypt
 # set pgp_sign_as=0x50BDA0ED
 # set pgp_sign_micalg=md5
 set pgp_sign_as=0xDCF9DAB3
 set pgp_sign_micalg=sha1
 set pgp_strict_enc		# use Q-P encoding when needed for PGP

 are also possible. I would like someone who uses mutt to explain
 this part.

 Also, for using GPG with mailcrypt, it was suggested to look at

 <URL:http://www.lothar.com/tech/crypto>

 and there was a follow-up saying that mailcrypt 3.5.4 and a patch for GPG
 are available there, but can also be found here:

 http://www.nb.net/~lbudney/linux/software/mailcrypt.html
 ftp://ftp.lothar.com/linux/mailcrypt-3.5.4-gpg1.mc-gpg.el.gz

 and that 3.5.4-gpg1.mc-gpg.el can be used together with GPG.

# Below are the original mails I used as reference.

In article <19990912174321.A3655@debian.org>
 bma@debian.org (Brian Almeida) writes:

> How to switch to GnuPG for developers..a very brief mini-HOWTO
> --------------------------------------------------------------
> 
> # gpg-rsa instead of rsaref for non-us developers
> apt-get install gnupg gpg-rsaref gpg-idea 
> # whips up a ~/.gnupg directory and populates with skel files
> gpg --list-keys 
> 
> # add these lines to ~/.gnupg/options
> # -------------------
> load-extension rsaref
> load-extension idea
> # if you use the debian-keyring package
> keyring /usr/share/keyrings/debian-keyring.pgp
> keyring /usr/share/keyrings/debian-keyring.gpg
> # gpg's keyrings
> keyring ~/.gnupg/pubring.gpg
> secret-keyring ~/.gnupg/secring.gpg
> # your old pgp keyrings
> keyring ~/.pgp/pubring.pgp
> secret-keyring ~/.pgp/secring.pgp
> # -------------------
> 
> Build your packages with '[dpkg-buildpackage|debuild] -sgpg -pgpg', change
> your .muttrc (or whatever) to use gpg, and you're set!

In article <19990912144731.R25749@xxxxxxxxxxx>
 joey@xxxxxxxxxxx (Joey Hess) writes:

> Brian Almeida wrote:
> > # if you use the debian-keyring package
> > keyring /usr/share/keyrings/debian-keyring.pgp
> > keyring /usr/share/keyrings/debian-keyring.gpg
> > # gpg's keyrings
> > keyring ~/.gnupg/pubring.gpg
> > secret-keyring ~/.gnupg/secring.gpg
> > # your old pgp keyrings
> > keyring ~/.pgp/pubring.pgp
> > secret-keyring ~/.pgp/secring.pgp
> > # -------------------
> 
> I've found that you should list your own keyrings first. When I had the
> debian-keyrings listed first and tried to sign a key, gpg tried to write to
> those files. Changing the order around let it write to my personal keyring
> instead.
> 
> -- 
> see shy jo

In article <19990912182043.A4125@debian.org>
 bma@debian.org (Brian Almeida) writes:

> On Sun, Sep 12, 1999 at 03:18:19PM -0700, Aaron Van Couwenberghe wrote:
> > On Sun, Sep 12, 1999 at 05:43:21PM -0400, Brian Almeida wrote:
> > [snip]
> > > Build your packages with '[dpkg-buildpackage|debuild] -sgpg -pgpg', change
> > > your .muttrc (or whatever) to use gpg, and you're set!
> > 
> > It might stifle additional inquiries if you were to add exactly how
> > to make mutt use gpg.
> Put in ~/.muttrc
> 
> set pgp_gpg="/usr/bin/gpg"
> set pgp_default_version="gpg"
> set pgp_receive_version="gpg"
> set pgp_key_version="gpg"
> set pgp_send_version="gpg"

In article <19990912162843.D17319@xxxxxxxxxxxxxxxx>
 knghtbrd@debian.org (Joseph Carter) writes:

> On Sun, Sep 12, 1999 at 06:35:45PM -0400, Daniel Burrows wrote:
> > On Sun, Sep 12, 1999 at 06:20:43PM -0400, Brian Almeida was heard to say:
> > > set pgp_gpg="/usr/bin/gpg"
> > > set pgp_default_version="gpg"
> > > set pgp_receive_version="gpg"
> > > set pgp_key_version="gpg"
> > > set pgp_send_version="gpg"
> > 
> >   Shouldn't just
> > set pgp_default_version="gpg"
> >   be sufficient?
> 
> set pgp_autosign
> set pgp_default_version=gpg
> set pgp_replyencrypt
> # set pgp_sign_as=0x50BDA0ED
> # set pgp_sign_micalg=md5
> set pgp_sign_as=0xDCF9DAB3
> set pgp_sign_micalg=sha1
> set pgp_strict_enc		# use Q-P encoding when needed for PGP
> 
> That more what you were expecting?
> 
> -- 
> Joseph Carter <knghtbrd@debian.org>             Debian GNU/Linux developer
> GnuPG: 2048g/3F9C2A43 - 20F6 2261 F185 7A3E 79FC  44F9 8FF7 D7A3 DCF9 DAB3
> PGP 2.6: 2048R/50BDA0ED - E8 D6 84 81 E3 A8 BB 77  8E E2 29 96 C9 44 5F BE
> --------------------------------------------------------------------------
> <Apple_IIe> anyone seen my 80 column card?

che@debian.org (Ben Gertzfield) writes:

> >>>>> "Brian" == Brian Almeida <bma@debian.org> writes:
> 
>     Brian> # whips up a ~/.gnupg directory and populates with skel files 
>     Brian> gpg --list-keys
> 
> Note that if you have a ~/.pgp directory already, this will not create
> a ~/.gnupg directory..
> 
> -- 
> Brought to you by the letters T and Z and the number 2.
> "Hoosh is a kind of soup."
> Debian GNU/Linux maintainer of Gimp and GTK+ -- http://www.debian.org/

In article <19990912172006.E17319@xxxxxxxxxxxxxxxx>
 knghtbrd@debian.org (Joseph Carter) writes:

> On Sun, Sep 12, 1999 at 05:43:21PM -0400, Brian Almeida wrote:
> > How to switch to GnuPG for developers..a very brief mini-HOWTO
> 
> Thank you very much for this bma, I'm working on a much more comprehensive
> HOWTO but then again it should have been done weeks ago and the
> information at least needs to get out there.
> 
> To help give another example of settings, here's what I have in my
> ~/.gnupg/options:
> 
> # Options for GnuPG
> #
> # Unless you specify which option file to use (with the
> # commandline option "--options filename"), GnuPG uses the
> # file ~/.gnupg/options by default.
> #
> # An option file can contain all long options which are
> # available in GnuPG. If the first non white space character of
> # a line is a '#', this line is ignored.  Empty lines are also
> # ignored.
> #
> # See the man page for a list of options.
> 
> ## Default keyid selection
> # default-key 0x3F9C2A43	# ElGamal encrypt
> default-key 0xDCF9DAB3		# DSA sign
> # default-key 0x50BDA0ED	# RSA sign/encrypt
> 
> 				# Anyone know how to set default to
> 				# 0x3F9C2A43 _and_ 0xDCF9DAB3 depending
> 				# on what I'm doing?
> 
> ## Compatibility options
> 				# PGPv2/5 compatibility
> # force-v3-sigs
> # rfc1991
> # digest-algo md5
> 				# Screw PGP, let's be RFC compatible  =>
> openpgp
> 
> ## These extensions have patents or other issues
> load-extension rsaref
> 				# Not for use in the States
> #load-extension rsa
> 				# Patented in much of Europe
> load-extension idea
> 
> ## Other fun options
> escape-from-lines
> lock-once
> no-verbose
> no-greeting
> comment The default gpg comment sucks!  ;>
> 				# Well it does!
> 
> 
> ## Keyrings
> secret-keyring secring.gpg
> secret-keyring secring.pgp
> keyring pubring.gpg
> keyring pubring.pgp
> keyring /usr/share/keyrings/debian-keyring.pgp
> keyring /usr/share/keyrings/debian-keyring.gpg
> 
> 
> and the relevant part of my .muttrc (which I just edited a little to
> explain a few things):
> 
> set pgp_autosign
> set pgp_default_version=gpg
> set pgp_replyencrypt
> # set pgp_sign_as=0x50BDA0ED    # old RSA key
> # set pgp_sign_micalg=md5
> set pgp_sign_as=0xDCF9DAB3      # DSA key
> set pgp_sign_micalg=sha1
> set pgp_strict_enc              # use Q-P encoding when needed for PGP
> 
> -- 
> Joseph Carter <knghtbrd@debian.org>             Debian GNU/Linux developer
> GnuPG: 2048g/3F9C2A43 - 20F6 2261 F185 7A3E 79FC  44F9 8FF7 D7A3 DCF9 DAB3
> PGP 2.6: 2048R/50BDA0ED - E8 D6 84 81 E3 A8 BB 77  8E E2 29 96 C9 44 5F BE
> --------------------------------------------------------------------------
> <Mercury> alexsh: Be /VERY/ cairful, you could, if your unlucky, fry your
>           motherboards..
> 
> <Knghtbrd> Mercury - sounds like fun

In article <19990914083841L.1000@xxxxxxxxxxx>
 sen_ml@xxxxxxxxxxx writes:

> james> Ben Gertzfield <che@debian.org> writes:
> 
> james> > As a followup to the GPG thread, does GPG work with Mailcrypt as-is?
> james> > What do I need to do to get Mailcrypt and GPG to work together?
> 
> james> <URL:http://www.lothar.com/tech/crypto>
> 
> i have found that 3.5.4 works better w/ gpg when a patch is applied
> to it -- both 3.5.4 and the patch are mentioned at the url mentioned
> above, but here they are anyway:
> 
> http://www.nb.net/~lbudney/linux/software/mailcrypt.html
> ftp://ftp.lothar.com/linux/mailcrypt-3.5.4-gpg1.mc-gpg.el.gz

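P.S.

 I would like to collect all this and put it on the Debian web site
 (somewhere under devel/). Could someone send it to debian-www
 (the @Org one, of course)?

--
     # Something happening on 11/13? > "http://www.szlug.factory.to";
     # (My home is in Hamamatsu, famous for the "night-time sweet".)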
    <xlj06203@xxxxxxxxxxx> : Taketoshi Sano (佐野 武俊)
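
Joey Hess's point in the quoted thread (list your own keyrings first, because with the debian-keyring files first gpg tried to write to them when he signed a key) can be checked mechanically. The script below is an added example, not part of the original mails; the function names and sample option files are constructed, and it assumes that any keyring under /usr/share/keyrings is a system keyring.

```shell
#!/bin/sh
# Added example: function names and sample files are constructed.

# Print the path of every "keyring" line in an options file, in file order.
# Comment lines and "secret-keyring" lines are skipped.
list_keyrings() {
    awk '$1 == "keyring" { print $2 }' "$1"
}

# Return 0 if the first keyring is a personal one, 1 if it lies under
# /usr/share/keyrings (assumed here to mean "system keyring"), 2 if none.
personal_keyring_first() {
    first=$(list_keyrings "$1" | head -n 1)
    case "$first" in
        "") echo "no keyring lines in $1"; return 2 ;;
        /usr/share/keyrings/*) echo "system keyring listed first: $first"; return 1 ;;
        *) echo "ok, first keyring is $first"; return 0 ;;
    esac
}

# Constructed samples: debian-keyring listed first, and personal keyring first.
write_samples() {
    printf '%s\n' \
        'load-extension idea' \
        '# if you use the debian-keyring package' \
        'keyring /usr/share/keyrings/debian-keyring.gpg' \
        'keyring ~/.gnupg/pubring.gpg' \
        'secret-keyring ~/.gnupg/secring.gpg' > "$1/system-first"
    printf '%s\n' \
        'load-extension idea' \
        'keyring ~/.gnupg/pubring.gpg' \
        'secret-keyring ~/.gnupg/secring.gpg' \
        'keyring /usr/share/keyrings/debian-keyring.gpg' > "$1/personal-first"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
personal_keyring_first "$demo_dir/system-first" || true
personal_keyring_first "$demo_dir/personal-first"
rm -r "$demo_dir"
```

To check a real configuration, call personal_keyring_first with the path of the options file, for example ~/.gnupg/options.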