[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[debian-devel:10550] GPG migration
佐野@浜松です。
以前、devel@Org に流れていた GPG migration 関連から、
「GPG への移行手順」を抜き出してみました。
(手元に slink 上で rebuild した gnupg, gpg-rsa, gpg-idea が
あるんですが、Debian のほうにもありましたっけ ? もし他に
無くて、かつ需要があれば、 experimental-jp に送ろうかな、とか)
では、いきます。
--- --- --- --- --- --- --- --- --- --- --- --- ---
bma@debian.org (Brian Almeida) 著、devel@Org 編
「開発者向け GnuPG への移行手順 ... とっても簡単なミニ HOWTO」
---
# 必要なパッケージをインストール
# (US 国内の開発者は gpg-rsaref を gpg-rsa の代わりに使うこと)
apt-get install gnupg gpg-rsa gpg-idea
# とりあえず ~/.gnupg ディレクトリを作って skel ファイルを入れる
gpg --list-keys
### <訳者注>
既に ~/.pgp ディレクトリがあると、これだけでは ~/.gnupg が作られない、
という意見もあったが、私の環境ではこれだけで良かったような気が。
真相はどっちだ ? :)
ところで、gpg で新しいキーを作るのは gpg --gen-key ですね。
### </訳者注>
# 以下の行を ~/.gnupg/options に追加せよ
----- insert ~/.gnupg/options -----
load-extension rsa
load-extension idea
#
# gpg's keyrings
keyring ~/.gnupg/pubring.gpg
secret-keyring ~/.gnupg/secring.gpg
#
# your old pgp keyrings
keyring ~/.pgp/pubring.pgp
secret-keyring ~/.pgp/secring.pgp
# if you use the debian-keyring package
keyring /usr/share/keyrings/debian-keyring.pgp
keyring /usr/share/keyrings/debian-keyring.gpg
----- insert ~/.gnupg/options -----
パッケージを build する時は '[dpkg-buildpackage|debuild] -sgpg -pgpg' を
使うこと。
メールソフトに mutt を使っている場合、以下の設定を ~/.muttrc に入れると良い
set pgp_gpg="/usr/bin/gpg"
set pgp_default_version="gpg"
set pgp_receive_version="gpg"
set pgp_key_version="gpg"
set pgp_send_version="gpg"
ただし
set pgp_default_version="gpg"
だけで十分では ? という意見や
set pgp_autosign
set pgp_default_version=gpg
set pgp_replyencrypt
# set pgp_sign_as=0x50BDA0ED
# set pgp_sign_micalg=md5
set pgp_sign_as=0xDCF9DAB3
set pgp_sign_micalg=sha1
set pgp_strict_enc # use Q-P encoding when needed for PGP
という設定もあるよ、という意見もあった。このへんは mutt 使いの人に
解説をお願いしたいところ。
あと、mailcrypt で GPG を使うには
<URL:http://www.lothar.com/tech/crypto>
と見るといいとか、ここに mailcrypt の 3.5.4 と GPG 用の patch があるけど
http://www.nb.net/~lbudney/linux/software/mailcrypt.html
ftp://ftp.lothar.com/linux/mailcrypt-3.5.4-gpg1.mc-gpg.el.gz
ここにもあるよ、3.5.4-gpg1.mc-gpg.el は GPG と組み合わせて使えるよ、
といったフォローもありました。
# 以下、参考にした元メールです。
In article <19990912174321.A3655@debian.org>
bma@debian.org (Brian Almeida) writes:
> [1 <text/plain; us-ascii (quoted-printable)>]
> How to switch to GnuPG for developers..a very brief mini-HOWTO
> --------------------------------------------------------------
>
> # gpg-rsa instead of rsareffor non-us developers
> apt-get install gnupg gpg-rsaref gpg-idea
> # whips up a ~/.gnupg directory and populates with skel files
> gpg --list-keys
>
> # add these lines to ~/.gnupg/options
> # -------------------
> load-extension rsaref
> load-extension idea
> # if you use the debian-keyring package
> keyring /usr/share/keyrings/debian-keyring.pgp
> keyring /usr/share/keyrings/debian-keyring.gpg
> # gpg's keyrings
> keyring ~/.gnupg/pubring.gpg
> secret-keyring ~/.gnupg/secring.gpg
> # your old pgp keyrings
> keyring ~/.pgp/pubring.pgp
> secret-keyring ~/.pgp/secring.pgp
> # -------------------
>
> Build your packages with '[dpkg-buildpackage|debuild] -sgpg -pgpg', change
> your .muttrc (or whatever) to use gpg, and you're set!
In article <19990912144731.R25749@xxxxxxxxxxx>
joey@xxxxxxxxxxx (Joey Hess) writes:
> Brian Almeida wrote:
> > # if you use the debian-keyring package
> > keyring /usr/share/keyrings/debian-keyring.pgp
> > keyring /usr/share/keyrings/debian-keyring.gpg
> > # gpg's keyrings
> > keyring ~/.gnupg/pubring.gpg
> > secret-keyring ~/.gnupg/secring.gpg
> > # your old pgp keyrings
> > keyring ~/.pgp/pubring.pgp
> > secret-keyring ~/.pgp/secring.pgp
> > # -------------------
>
> I've found that you should list your own keyrings first. When I had the
> debian-keyrings listed first and tried to sign a key, gpg tried to write to
> those files. Changing the order around let it write to my personal keyring
> instead.
>
> --
> see shy jo
In article <19990912182043.A4125@debian.org>
bma@debian.org (Brian Almeida) writes:
> On Sun, Sep 12, 1999 at 03:18:19PM -0700, Aaron Van Couwenberghe wrote:
> > On Sun, Sep 12, 1999 at 05:43:21PM -0400, Brian Almeida wrote:
> > [snip]
> > > Build your packages with '[dpkg-buildpackage|debuild] -sgpg -pgpg', change
> > > your .muttrc (or whatever) to use gpg, and you're set!
> >
> > It might stifle additional inquiries if you were to add exactly how exactly
> > to make mutt use gpg.
> Put in ~/.muttrc
>
> set pgp_gpg="/usr/bin/gpg"
> set pgp_default_version="gpg"
> set pgp_receive_version="gpg"
> set pgp_key_version="gpg"
> set pgp_send_version="gpg"
In article <19990912162843.D17319@xxxxxxxxxxxxxxxx>
knghtbrd@debian.org (Joseph Carter) writes:
> [1 <text/plain; us-ascii (quoted-printable)>]
> On Sun, Sep 12, 1999 at 06:35:45PM -0400, Daniel Burrows wrote:
> > On Sun, Sep 12, 1999 at 06:20:43PM -0400, Brian Almeida was heard to say:
> > > set pgp_gpg="/usr/bin/gpg"
> > > set pgp_default_version="gpg"
> > > set pgp_receive_version="gpg"
> > > set pgp_key_version="gpg"
> > > set pgp_send_version="gpg"
> >
> > Shouldn't just
> > set pgp_default_version="gpg"
> > be sufficient?
>
> set pgp_autosign
> set pgp_default_version=gpg
> set pgp_replyencrypt
> # set pgp_sign_as=0x50BDA0ED
> # set pgp_sign_micalg=md5
> set pgp_sign_as=0xDCF9DAB3
> set pgp_sign_micalg=sha1
> set pgp_strict_enc # use Q-P encoding when needed for PGP
>
> That more what you were expecting?
>
> --
> Joseph Carter <knghtbrd@debian.org> Debian GNU/Linux developer
> GnuPG: 2048g/3F9C2A43 - 20F6 2261 F185 7A3E 79FC 44F9 8FF7 D7A3 DCF9 DAB3
> PGP 2.6: 2048R/50BDA0ED - E8 D6 84 81 E3 A8 BB 77 8E E2 29 96 C9 44 5F BE
> --------------------------------------------------------------------------
> <Apple_IIe> anyone seen my 80 column card?
che@debian.org (Ben Gertzfield) writes:
> >>>>> "Brian" == Brian Almeida <bma@debian.org> writes:
>
> Brian> # whips up a ~/.gnupg directory and populates with skel files
> Brian> gpg --list-keys
>
> Note that if you have a ~/.pgp directory already, this will not create
> a ~/.gnupg directory..
>
> --
> Brought to you by the letters T and Z and the number 2.
> "Hoosh is a kind of soup."
> Debian GNU/Linux maintainer of Gimp and GTK+ -- http://www.debian.org/
In article <19990912172006.E17319@xxxxxxxxxxxxxxxx>
knghtbrd@debian.org (Joseph Carter) writes:
> [1 <text/plain; us-ascii (quoted-printable)>]
> On Sun, Sep 12, 1999 at 05:43:21PM -0400, Brian Almeida wrote:
> > How to switch to GnuPG for developers..a very brief mini-HOWTO
>
> Thank you very much for this bma, I'm working on a much more comprehensive
> HOWTO but then again it should have been done weeks ago and the
> information at least needs to get out there.
>
> To help give another example of settings, here's what I have in my
> ~/.gnupg/options:
>
> # Options for GnuPG
> #
> # Unless you you specify which option file to use (with the
> # commandline option "--options filename"), GnuPG uses the
> # file ~/.gnupg/options by default.
> #
> # An option file can contain all long options which are
> # available in GnuPG. If the first non white space character of
> # a line is a '#', this line is ignored. Empty lines are also
> # ignored.
> #
> # See the man page for a list of options.
>
> ## Default keyid selection
> # default-key 0x3F9C2A43 # ElGammal encrypt
> default-key 0xDCF9DAB3 # DSA sign
> # default-key 0x50BDA0ED # RSA sign/encrypt
>
> # Anyone know how to set default to
> # 0x3F9C2A43 _and_ 0xDCF9DAB3 depending
> # on what I'm doing?
>
> ## Compatibility options
> # PGPv2/5 compatibility
> # force-v3-sigs
> # rfc1991
> # digest-algo md5
> # Screw PGP, let's be RFC compatible =>
> openpgp
>
> ## These extensions have patents or other issues
> load-extension rsaref
> # Not for use in the States
> #load-extension rsa
> # Patented in much of Europe
> load-extension idea
>
> ## Other fun options
> escape-from-lines
> lock-once
> no-verbose
> no-greeting
> comment The default gpg comment sucks! ;>
> # Well it does!
>
>
> ## Keyrings
> secret-keyring secring.gpg
> secret-keyring secring.pgp
> keyring pubring.gpg
> keyring pubring.pgp
> keyring /usr/share/keyrings/debian-keyring.pgp
> keyring /usr/share/keyrings/debian-keyring.gpg
>
>
> and the relevant part of my .muttrc (which I just edited a little to
> explain a few things):
>
> set pgp_autosign
> set pgp_default_version=gpg
> set pgp_replyencrypt
> # set pgp_sign_as=0x50BDA0ED # old RSA key
> # set pgp_sign_micalg=md5
> set pgp_sign_as=0xDCF9DAB3 # DSA key
> set pgp_sign_micalg=sha1
> set pgp_strict_enc # use Q-P encoding when needed for PGP
>
> --
> Joseph Carter <knghtbrd@debian.org> Debian GNU/Linux developer
> GnuPG: 2048g/3F9C2A43 - 20F6 2261 F185 7A3E 79FC 44F9 8FF7 D7A3 DCF9 DAB3
> PGP 2.6: 2048R/50BDA0ED - E8 D6 84 81 E3 A8 BB 77 8E E2 29 96 C9 44 5F BE
> --------------------------------------------------------------------------
> <Mercury> alexsh: Be /VERY/ cairful, you could, if your unlucky, fry your
> motherboards..
>
> <Knghtbrd> Mercury - sounds like fun
In article <19990914083841L.1000@xxxxxxxxxxx>
sen_ml@xxxxxxxxxxx writes:
> james> Ben Gertzfield <che@debian.org> writes:
>
> james> > As a followup to the GPG thread, does GPG work with Mailcrypt as-is?
> james> > What do I need to do to get Mailcrypt and GPG to work together?
>
> james> <URL:http://www.lothar.com/tech/crypto>
>
> i have found that 3.5.4 works better w/ gpg when a patch is applied
> to it -- both 3.5.4 and the patch are mentioned at the url mentioned
> above, but here they are anyway:
>
> http://www.nb.net/~lbudney/linux/software/mailcrypt.html
> ftp://ftp.lothar.com/linux/mailcrypt-3.5.4-gpg1.mc-gpg.el.gz
P.S.
これ、まとめて Debian の Web (devel/ 以下あたり) に置きたいですね。
誰か debian-www (もちろん @Org) に投げてくれないかな。
--
# 11/13 に何かが起きる? > "http://www.szlug.factory.to";
# (わたしのおうちは浜松市、「夜のお菓子」で有名さ。)
<xlj06203@xxxxxxxxxxx> : Taketoshi Sano (佐野 武俊)