Mainly, just reverse the steps in https://unix.stackexchange.com/questions/650225/step-by-step-instructions-to-abandon-a-debian-package-and-no-longer-be-its-maint.
https://arnaudr.io/2016/10/01/publishing-a-debian-package-mentors-sponsorship/
is also a good article.
Most of this page is compiled from https://juejin.cn/post/7075615737015959566#heading-4.
If you communicate in an open-source community, GPG-encrypted files are a necessity; otherwise you risk a huge mix-up. See the concrete usage scenario at the end of this chapter.
vimer@debian-local:~$ gpg --list-keys [email protected]
pub rsa4096 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2 # Fingerprint keys
uid [ 绝对 ] Bo YU <[email protected]>
sub rsa4096 2022-04-09 [E]
This fingerprint is the keyid used below.
vimer@debian-local:~$ gpg --keyid-format LONG -k 0xE2521CB8175736A97052B2F8954E6A70100598A2
pub rsa4096/954E6A70100598A2 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ 绝对 ] Bo YU <[email protected]>
sub rsa4096/66681FECEFF9AC75 2022-04-09 [E]
The value after pub that begins with 0x95 (954E6A70100598A2) is the LONG keyid.
The SHORT form is as follows:
vimer@debian-local:~$ gpg --keyid-format SHORT -k 0xE2521CB8175736A97052B2F8954E6A70100598A2
pub rsa4096/100598A2 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ 绝对 ] Bo YU <[email protected]>
sub rsa4096/EFF9AC75 2022-04-09 [E]
We generally use the LONG keyid.
Keys are stored in the ~/.gnupg/pubring.kbx file:
vimer@debian-local:~$ gpg --list-keys
/home/vimer/.gnupg/pubring.kbx
------------------------------
pub rsa4096 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ 绝对 ] Bo YU <[email protected]>
sub rsa4096 2022-04-09 [E]
~/.gnupg/gpg.conf can be used as gpg's configuration file.
vimer@debian-local:~$ gpg -k --with-keygrip
/home/vimer/.gnupg/pubring.kbx
------------------------------
pub rsa4096 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
Keygrip = DBE2A5E6810C9C3E58E34C385107C9EB6CDDC43B
uid [ 绝对 ] Bo YU <[email protected]>
sub rsa4096 2022-04-09 [E]
Keygrip = DBFC45BC6B077D5A7A5A3A58E7BF7F0965C8B058
The difference between the keygrip and the fingerprint is that the keygrip uniquely identifies the key material itself. When a user deletes the master key with gpg --delete-secret-keys [master-keyid], gpg asks whether to delete the subkeys together with the master key; if you decline, the deletion fails. If you only want to delete the master key, you can delete just its keygrip.
Master and sub keys: master keys were introduced above. The relationship between the two is that, through a binding signature, the master key signs the subkey to declare ownership of the subkey; at the same time, the subkey also signs the master key to declare its membership of that master key.
--sign signs data; for keys, use --sign-key.
Because we need to upload Debian packages, a GPG key is unavoidable.
Refer to GitHub's guide on generating a GPG key.
vimer@debian-local:~/git/git-multimail$ gpg --full-generate-key
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
请选择您要使用的密钥类型:
(1) RSA 和 RSA (默认)
(2) DSA 和 Elgamal
(3) DSA(仅用于签名)
(4) RSA(仅用于签名)
(14) Existing key from card
您的选择是?
RSA 密钥的长度应在 1024 位与 4096 位之间。
您想要使用的密钥长度?(3072) 4096 # choose 4096
vimer@debian:~/build_test/jimtcl$ gpg --list-secret-keys --keyid-format=long
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/vimer/.gnupg/pubring.kbx
------------------------------
sec rsa4096/42A2928E26E21C2 2022-03-04 [SC]
DD7E8C65E3F5992F52AAA07A452A2928E26E21C2
uid [ultimate] vimer <[email protected]>
ssb rsa4096/3338B86BD4FCE12A 2022-03-04 [E]
What we need to note here is 42A2928E26E21C2, which is the id required below:
gpg --armor --export id
Currently there is one PC (one development environment, one key), which is a bit clumsy.
See here for how to solve this problem.
vimer@dev:~/gpg_key/home-lod$ gpg -ao primary-secret-key.gpg --export-secret-keys 954E6A70100598A2!
vimer@dev:~/gpg_key/home-lod$ gpg -ao subkey-sign-key-secret-key.gpg --export-secret-keys F9154FDE143E4BAF!
vimer@dev:~/gpg_key/home-lod$ ls
primary-keys-revoke.gpg primary-public-key.txt primary-secret-key.gpg subkey-sign-key-secret-key.gpg vimer
Simply import the subkey's secret key onto the other PCs.
tar -czvf - secret-keys | openssl des3 -salt -k ${passwd} -out gpg-backup.tar.gz
# note: -k puts the passphrase on the command line, where shell history and process listings can see it
To extract the file:
openssl des3 -d -k ${passwd} -salt -in gpg-backup.tar.gz | tar xzvf -
This password must be protected carefully.
gpg --delete-secret-keys linus # delete the secret key; the UID can be replaced with a subkey ID or the master key ID
gpg --delete-keys linus # delete the public key
In Debian, subkeys (https://wiki.debian.org/Subkeys) are used separately. By default the master key itself has both a signing and an encryption capability; subkeys let us split these two functions apart.
Suppose we place all responsibility and hope on the master key; the consequences are very serious: the chain of trust built on the GPG key, if abused by someone else, can cause great harm to the Debian community, and if someone poisons a package, all of your reputation is destroyed. So we must find a way to prevent our key from being stolen. This is the scenario where subkeys shine.
With subkeys, things become simpler: create an encryption key and a signing key, upload the subkeys to the keyserver, and others can then encrypt messages to you and verify your signatures just as they would with the master (primary) key; conversely, you use the subkeys to decrypt and to sign.
When do you use your master key, or primary key, again?
Once you work this way, you will find that in this model the original primary key becomes even more valuable. Your subkeys can be lost or stolen, and you then use your primary key to renew or revoke them. Because the primary key binds and signs the subkeys, the reputation accumulated on the primary key is not reset to zero: even though you use subkeys, the reputation accrues to the primary key.
umask 077; tar -cf $HOME/gnupg-backup.tar -C $HOME .gnupg # back up the whole ~/.gnupg directory, readable only by you
vimer@debian-local:~$ gpg --list-keys [email protected]
pub rsa4096 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ 绝对 ] Bo YU <[email protected]>
sub rsa4096 2022-04-09 [E]
gpg --edit-key YOURPRIMARYKEYID
Add a subkey:
gpg> addkey
请选择您要使用的密钥类型:
(3) DSA(仅用于签名)
(4) RSA(仅用于签名)
(5) ElGamal(仅用于加密)
(6) RSA(仅用于加密)
(14) Existing key from card
您的选择是? 4
RSA 密钥的长度应在 1024 位与 4096 位之间。
您想要使用的密钥长度?(3072) 4096
请求的密钥长度是 4096 位
请设定这个密钥的有效期限。
0 = 密钥永不过期
<n> = 密钥在 n 天后过期
<n>w = 密钥在 n 周后过期
<n>m = 密钥在 n 月后过期
<n>y = 密钥在 n 年后过期
密钥的有效期限是?(0) 20220414T120000 # specify the expiry time in yyyymmddThhmmss form
密钥于 2022年04月14日 星期四 20时00分00秒 HKT 过期
这些内容正确吗? (y/N) y
真的要创建吗?(y/N) y
我们需要生成大量的随机字节。在质数生成期间做些其他操作(敲打键盘
、移动鼠标、读写硬盘之类的)将会是一个不错的主意;这会让随机数
发生器有更好的机会获得足够的熵。
^[[A sd # random keystrokes to feed the entropy pool
sec rsa4096/954E6A70100598A2
创建于:2022-04-09 有效至:永不 可用于:SC
信任度:绝对 有效性:绝对
ssb rsa4096/66681FECEFF9AC75
创建于:2022-04-09 有效至:永不 可用于:E
ssb rsa4096/656717DFA59353D0
创建于:2022-04-13 有效至:2022-04-14 可用于:S
[ 绝对 ] (1). Bo YU <[email protected]>
gpg> save # save and exit
You can repeat this and create an "RSA (encrypt only)" subkey as well; for Debian, a signing subkey is enough.
Save the current .gnupg directory: tar -zcvf gnugpg-primary-2022-04-13.tar.gz ~/.gnupg
Be sure to keep this tarball on an offline USB stick, or do these operations while offline; real caution is needed here.
On the other PC, i.e. the one onto which you want to bring the subkey:
vimer@debian-local:~$ gpg --with-keygrip --list-keys [email protected]
pub rsa4096 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
Keygrip = DBE2A5E6810C9C3E58E34C385107C9EB6CDDC43B
uid [ 绝对 ] Bo YU <[email protected]>
sub rsa4096 2022-04-09 [E]
Keygrip = DBFC45BC6B077D5A7A5A3A58E7BF7F0965C8B058
sub rsa4096 2022-04-13 [S] [有效至:2022-04-14]
Keygrip = DD49743E6A71BD63CF91387B2E998722F1CA8C01
The keygrip under pub above is the primary key's keygrip; it can now be deleted with the command shown earlier. Alternatively, it can be force-deleted with the following command:
rm .gnupg/private-keys-v1.d/DBE2A5E6810C9C3E58E34C385107C9EB6CDDC43B.key
So how do we verify that the keygrip was deleted successfully?
vimer@debian-local:~$ gpg -K
/home/vimer/.gnupg/pubring.kbx
------------------------------
sec# rsa4096 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ 绝对 ] Bo YU <[email protected]>
ssb rsa4096 2022-04-09 [E]
ssb rsa4096 2022-04-13 [S] [有效至:2022-04-14]
At this point sec has been replaced by sec#, which means the keygrip really was deleted.
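The check above relies on reading the listing by eye. As an added example (my own, not from the original page or from GnuPG), the POSIX shell functions below automate it: check_primary_offline inspects the text of a gpg -K listing for a sec# primary plus at least one remaining secret subkey, and keygrip_file_present checks whether the primary's keygrip file still exists under private-keys-v1.d. The function names are mine, and the sample listings are constructed from this page's own output.

```shell
#!/bin/sh
# Added example: automate the "is the primary key really offline?" check.
# check_primary_offline takes the text of a `gpg -K` listing and succeeds
# only when every primary key shows as "sec#" (secret material absent)
# and at least one secret subkey ("ssb") is still present.
check_primary_offline() {
    printf '%s\n' "$1" | awk '
        $1 == "sec"  { online++ }
        $1 == "sec#" { offline++ }
        $1 == "ssb"  { subkeys++ }
        END {
            if (online > 0)   { print "FAIL: primary secret key still present"; exit 1 }
            if (offline == 0) { print "FAIL: no primary key found in listing"; exit 1 }
            if (subkeys == 0) { print "FAIL: primary offline but no secret subkeys left"; exit 1 }
            print "OK: primary offline, " subkeys " secret subkey(s) remain"
        }'
}

# Second, independent check on disk: gpg-agent keeps each secret key as
# <gnupghome>/private-keys-v1.d/<KEYGRIP>.key, so after deleting the
# primary's keygrip that file must no longer exist.
# usage: keygrip_file_present <keygrip> [gnupghome]; succeeds if the file exists
keygrip_file_present() {
    home="${2:-${GNUPGHOME:-$HOME/.gnupg}}"
    [ -f "$home/private-keys-v1.d/$1.key" ]
}

# Constructed sample listings, modelled on the output shown above
# (the e-mail address is a placeholder).
SAMPLE_OFFLINE='sec#  rsa4096 2022-04-09 [SC]
      E2521CB8175736A97052B2F8954E6A70100598A2
uid           [ultimate] Bo YU <bo@example.invalid>
ssb   rsa4096 2022-04-09 [E]
ssb   rsa4096 2022-04-13 [S] [expires: 2022-04-14]'

SAMPLE_ONLINE='sec   rsa4096 2022-04-09 [SC]
      E2521CB8175736A97052B2F8954E6A70100598A2
uid           [ultimate] Bo YU <bo@example.invalid>
ssb   rsa4096 2022-04-09 [E]'

# Real use on this machine would be:
#   check_primary_offline "$(gpg -K 2>/dev/null)" && \
#     ! keygrip_file_present DBE2A5E6810C9C3E58E34C385107C9EB6CDDC43B
check_primary_offline "$SAMPLE_OFFLINE"
```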
gpg --edit-key 954E6A70100598A2 passwd
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
私密子密钥可用。
pub rsa4096/954E6A70100598A2
创建于:2022-04-09 有效至:永不 可用于:SC
信任度:绝对 有效性:绝对
ssb rsa4096/66681FECEFF9AC75
创建于:2022-04-09 有效至:永不 可用于:E
ssb rsa4096/656717DFA59353D0
创建于:2022-04-13 有效至:2022-04-14 可用于:S
[ 绝对 ] (1). Bo YU <[email protected]>
gpg: 密钥 954E6A70100598A2/954E6A70100598A2:修改密码时出现错误:No secret key
Here you first enter the primary key's passphrase, i.e. the one set earlier; once authentication succeeds, the passphrase you confirm next is the new subkey passphrase.
gpg --keyid-format SHORT -k 0xE2521CB8175736A97052B2F8954E6A70100598A2
pub rsa4096/100598A2 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ 绝对 ] Bo YU <[email protected]>
sub rsa4096/EFF9AC75 2022-04-09 [E]
sub rsa4096/A59353D0 2022-04-13 [S] [有效至:2022-04-14]
vimer@debian-local:~$ gpg -ao subkey-siging-EFF9AC75-private.gpg --export-secret-subkeys EFF9AC75
# enter the passphrase you just set; this exports the secret subkey
gpg -ao subkey-siging-EFF9AC75-pub.asc --export EFF9AC75
# export the public key
Note that what was exported above is the encryption subkey, not the signing key. Once more: in the Debian community, the signing key alone is enough.
Taking Debian as the example: first export the subkey (my default is to delete the keygrip under the primary and then export the subkey).
gpg -ao subkey-siging-A59353D0-private.gpg --export-secret-subkeys A59353D0
# 0xA59353D0 is the subkey id; you need to enter the subkey's passphrase here
gpg -ao subkey-siging-A59353D0-pub.asc --export A59353D0
# export the public key of 0xA59353D0 (the subkey)
Then send the exported secret subkey gpg file to the other PC. According to this article:
You can’t. GnuPG does not currently support merging secret subkeys. To do it, you need to delete the secret key on the second machine and re-import the whole key.
So next, delete all the secret keys (on the second PC):
vimer@debian:~/git/jimtcl$ gpg -k --with-keygrip [email protected]
# find the secret keys
pub rsa4096 2022-03-04 [SC]
DD7E8C65E3F5992F52AAA07A452A2928E26E21C2
Keygrip = 6E45478330550567D65B4E4A2F44A25BD643F8B7
uid [ultimate] vimer <[email protected]>
sub rsa4096 2022-03-04 [E]
Keygrip = 8427BBA3FAC38FA9C6FCC29116CAECCCCFCCA048
vimer@debian:~/git/jimtcl$ gpg-connect-agent "DELETE_KEY 6E45478330550567D65B4E4A2F44A25BD643F8B7" /bye
# delete
OK
vimer@debian:~/git/jimtcl$ gpg-connect-agent "DELETE_KEY 8427BBA3FAC38FA9C6FCC29116CAECCCCFCCA048" /bye
OK
The key files under the .gnupg directory can also be deleted directly. Next, import the subkey's secret key on the second PC:
vimer@debian:~$ gpg --import subkey-siging-A59353D0-private.gpg
gpg: key 954E6A70100598A2: public key "Bo YU <[email protected]>" imported
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key 954E6A70100598A2: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
From the log above we know the primary key still exists on this PC even though its secret part does not. After importing a subkey belonging to another primary key, the listing is as follows:
vimer@debian:~$ gpg -k
/home/vimer/.gnupg/pubring.kbx
------------------------------
pub rsa4096 2022-03-04 [SC]
DD7E8C65E3F5992F52AAA07A452A2928E26E21C2
uid [ultimate] vimer <[email protected]>
sub rsa4096 2022-03-04 [E]
pub rsa4096 2022-04-09 [SC] # actually the first PC's primary
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ unknown] Bo YU <[email protected]>
sub rsa4096 2022-04-09 [E]
sub rsa4096 2022-04-13 [S] [expires: 2022-04-14]
Suppose we exported the subkey's public key on machine A and imported the secret part of A's subkey on machine B; on B we can then use the subkey id just imported, for example to sign a file. This has been tested and verified.
As stated earlier, the main reason we separate master and subkey is security (security, security: important things are said three times). Below I record how to generate subkeys again using the backed-up primary key; only then is the whole GPG loop closed.
First extract the original primary key tarball. This tarball must be protected well; encrypting it several times over is not excessive. Most tutorials tell you to use an offline USB stick or a smartcard, or to disconnect the computer from the network while doing the following.
vimer@dev:~/gpg_key$ tar zxvf gnugpg-primary-2022-04-13.tar.gz
home/vimer/.gnupg/
home/vimer/.gnupg/random_seed
home/vimer/.gnupg/trustdb.gpg
home/vimer/.gnupg/openpgp-revocs.d/
home/vimer/.gnupg/openpgp-revocs.d/E2521CB8175736A97052B2F8954E6A70100598A2.rev
home/vimer/.gnupg/.#lk0x0000564a3684e210.debian-local.12373
home/vimer/.gnupg/private-keys-v1.d/
home/vimer/.gnupg/private-keys-v1.d/DBFC45BC6B077D5A7A5A3A58E7BF7F0965C8B058.key
home/vimer/.gnupg/private-keys-v1.d/DBE2A5E6810C9C3E58E34C385107C9EB6CDDC43B.key
home/vimer/.gnupg/private-keys-v1.d/DD49743E6A71BD63CF91387B2E998722F1CA8C01.key
home/vimer/.gnupg/tofu.db
home/vimer/.gnupg/pubring.kbx~
home/vimer/.gnupg/.#lk0x0000558544ab6210.debian-local.8206
home/vimer/.gnupg/pubring.kbx
vimer@dev:~/gpg_key$ ls
gnugpg-primary-2022-04-13.tar.gz home
vimer@dev:~/gpg_key$ export GNUPGHOME=./home/vimer/.gnupg/
vimer@dev:~/gpg_key$ gpg -K
/home/vimer/gpg_key/./home/vimer/.gnupg/pubring.kbx
---------------------------------------------------
sec rsa4096 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ultimate] Bo YU <[email protected]>
ssb rsa4096 2022-04-09 [E]
See the sec tag? It means the primary key here is live. Next, we just add a signing subkey as shown above. For convenience I record it again anyway.
vimer@dev:~/gpg_key$ gpg --edit-key E2521CB8175736A97052B2F8954E6A70100598A2
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
ssb rsa4096/656717DFA59353D0
created: 2022-04-13 expired: 2022-04-14 usage: S
[ultimate] (1). Bo YU <[email protected]>
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(14) Existing key from card
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2m
Key expires at Sat 18 Jun 2022 11:44:56 AM +08
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
ssb rsa4096/656717DFA59353D0
created: 2022-04-13 expired: 2022-04-14 usage: S
ssb rsa4096/F9154FDE143E4BAF
created: 2022-04-19 expires: 2022-06-18 usage: S
[ultimate] (1). Bo YU <[email protected]>
gpg> save
Note that here I registered another signing subkey valid for two months. Looking at the log, although we were told that there is a subkey that expired on 04-14, I was wondering at the time whether, in the current situation, I needed to tell the backed-up primary to revoke it. There is no need, because if you go on to print with -K:
vimer@dev:~/gpg_key$ gpg -K
/home/vimer/gpg_key/./home/vimer/.gnupg/pubring.kbx
---------------------------------------------------
sec rsa4096 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ultimate] Bo YU <[email protected]>
ssb rsa4096 2022-04-09 [E]
ssb rsa4096 2022-04-19 [S] [expires: 2022-06-18]
See? That solves it (this section is based on 04/19).
This one is less common, but you will definitely need it. First find the subkey's keyid (with --keyid-format); see here.
vimer@dev:~/gpg_key/home-lod$ gpg --edit-key F9154FDE143E4BAF
gpg (GnuPG) 2.2.35; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
ssb rsa4096/656717DFA59353D0
created: 2022-04-13 expired: 2022-04-14 usage: S
ssb rsa4096/F9154FDE143E4BAF
created: 2022-04-19 expires: 2022-06-18 usage: S
[ultimate] (1). Bo YU <[email protected]>
gpg> list
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
ssb rsa4096/656717DFA59353D0
created: 2022-04-13 expired: 2022-04-14 usage: S
ssb rsa4096/F9154FDE143E4BAF
created: 2022-04-19 expires: 2022-06-18 usage: S
[ultimate] (1). Bo YU <[email protected]>
First enter the edit-key interactive interface, then use list to see all the keys. The key part follows:
Entering nothing and just pressing Enter edits the primary; key n selects the subkey whose expiry you want to change. Here the primary key is 0 and the subkeys are numbered 1, 2, 3 and so on in order.
The selected key is marked with a * in the listing.
gpg> key 3
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
ssb rsa4096/656717DFA59353D0
created: 2022-04-13 expired: 2022-04-14 usage: S
ssb* rsa4096/F9154FDE143E4BAF
created: 2022-04-19 expires: 2022-06-18 usage: S
[ultimate] (1). Bo YU <[email protected]>
gpg> expire
Changing expiration time for a subkey.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon 22 May 2023 10:25:49 PM +08
Is this correct? (y/N) y
gpg> save
Then upload this change to the keyserver (confirmed: KEY_ID here is the subkey's KEY_ID):
gpg --keyserver keyserver.ubuntu.com --send-keys KEY_ID
Note: for this keyserver, it is best to upload the latest primary key when exporting GPG.
vimer@dev:~/gpg_key/home-lod$ gpg --edit-key [email protected]
gpg (GnuPG) 2.2.35; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
ssb rsa4096/656717DFA59353D0
created: 2022-04-13 expired: 2022-04-14 usage: S
ssb rsa4096/F9154FDE143E4BAF
created: 2022-04-19 expires: 2023-05-22 usage: S
[ultimate] (1). Bo YU <[email protected]>
gpg> list
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
ssb rsa4096/656717DFA59353D0
created: 2022-04-13 expired: 2022-04-14 usage: S
ssb rsa4096/F9154FDE143E4BAF
created: 2022-04-19 expires: 2023-05-22 usage: S
[ultimate] (1). Bo YU <[email protected]>
gpg> key 2
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
ssb* rsa4096/656717DFA59353D0
created: 2022-04-13 expired: 2022-04-14 usage: S
ssb rsa4096/F9154FDE143E4BAF
created: 2022-04-19 expires: 2023-05-22 usage: S
[ultimate] (1). Bo YU <[email protected]>
gpg> revkey
Do you really want to revoke this subkey? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
Your decision? 3
Enter an optional description; end it with an empty line:
> revoke the key
>
Reason for revocation: Key is no longer used
revoke the key
Is this okay? (y/N) y
sec rsa4096/954E6A70100598A2
created: 2022-04-09 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/66681FECEFF9AC75
created: 2022-04-09 expires: never usage: E
The following key was revoked on 2022-05-23 by RSA key 954E6A70100598A2 Bo YU <[email protected]>
ssb rsa4096/656717DFA59353D0
created: 2022-04-13 revoked: 2022-05-23 usage: S
ssb rsa4096/F9154FDE143E4BAF
created: 2022-04-19 expires: 2023-05-22 usage: S
[ultimate] (1). Bo YU <[email protected]>
gpg> save
Select the subkey with key {n}.
echo "hello gpg" > hello.txt
vimer@debian-local:~$ gpg -o hello.txt.asc --encrypt --recipient [email protected] hello.txt
vimer@debian-local:~$ gpg -o decrypted-hello.txt --decrypt --recipient [email protected] hello.txt.asc
gpg: 由 4096 位的 RSA 密钥加密,标识为 66681FECEFF9AC75,生成于 2022-04-09
“Bo YU <[email protected]>”
vimer@debian-local:~$ cat decrypted-hello.txt
hello gpg
debsign jimtcl_0.81+dfsg0-1_amd64.changes # there is also a source.changes
Then you need to enter the passphrase; never forget your GPG passphrase.
For debsign's setup, look at how the tool uses gpg. debsign's configuration lives in the ~/.devscripts file, with the following settings:
vimer@debian:~$ cat .devscripts
DEBSIGN_KEYID=SUBKEY_ID # replace with your signing subkey's id
Taking reprepro as an example: first generate a public key for external users:
gpg --export --armor ${keyID} > ${DEB_PATH}/gpg-public.key
Here ${keyID} can actually be a subkey's id.
The distributions configuration file must name your subkey:
Origin: ubuntu
Suite: xenial
Label: ubuntu
Codename: xenial
Architectures: i386 amd64
# multiple components can be added, separated by spaces; client systems add what they need
# see the syntax used in sources.list
Components: main multiverse universe
Description: Apt repository for project x
# which gpg key to sign with; see the GPG key section above for how to get the ID
SignWith: ${keyID}
Then reprepro export makes the release come with a Release.gpg file.
Users then need to add it with apt-key add gpg-public.key.
Ideally without --global:
1. git config --global user.signingkey "GPG key ID"
2. git config --global commit.gpgsign true
3. git config gpg.program gpg
It is best to set this environment variable every time:
export GPG_TTY=$(tty)
error: gpg failed to sign the data
fatal: failed to write commit object
https://gist.github.com/paolocarrasco/18ca8fe6e63490ae1be23e84a7039374?permalink_comment_id=3976510
If it still does not work, run this command to restart the agent:
gpgconf --kill gpg-agent
A more detailed tutorial (including how to sign others' keys): https://viccuad.me/blog/Revisited-secure-yourself-part-1-airgapped-computer-and-gpg-smartcards
There are many Debian resources to draw on here: https://lists.debian.org/debian-project/2017/08/msg00022.html
The following is also excerpted from the mailing list:
I see no reason why the master key should ever be used for signatures in such a scenario, so it seems sensible to indicate that it is purely for certification.
Well, it can be useful. A SC master key (Sign and Certify) can be used to sign messages explaining to someone else the need for a new subkey when you had to revoke every subkey, when just adding the subkey itself is not enough, or when adding subkeys is subject to a delay.
Suppose you forget to renew/upload a new subkey in your Debian key set, and the current subkeys expire: it takes time for a new subkey upload to clear keyring maint. During that time, an SC master key can be used in an emergency to sign a vote or an upload.
I see this as a failure to manage the signing subkey correctly, and a certification only master key as helping to prevent the temptation to just make use of the master for signing (and potentially avoid jumping through all of the hoops required to use it securely).
(That said, I’m very conscious that a lot of crypto comes down to a set of tradeoffs and I’m all in favour of people who have strong informed opinions about how to do things differently doing those things if they want. But if you ask me for a base line set of advice to J. Random DD I’d still go with the certification only master.)
J.
pub rsa4096 2022-04-09 [SC]
E252 1CB8 1757 36A9 7052 B2F8 954E 6A70 1005 98A2
uid [ unknown] Bo YU <[email protected]>
sub rsa4096 2022-04-09 [E]
sub rsa4096 2022-04-19 [S] [expires: 2022-06-18]
First bring in the whole GPG environment (that is, the one containing the primary keys). If you have freshly created a primary key, you can use the method below directly.
vimer@dev:~/gpg_key/home-lod$ gpg --gen-revoke -ao primary-keys-revoke.gpg [email protected]
sec rsa4096/954E6A70100598A2 2022-04-09 Bo YU <[email protected]>
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 3
Enter an optional description; end it with an empty line:
> simple revoke primary key
>
Reason for revocation: Key is no longer used
simple revoke primary key
Is this okay? (y/N) y
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
vimer@dev:~/gpg_key/home-lod$ ls
primary-keys-revoke.gpg vimer
This primary-keys-revoke.gpg is the revocation certificate; it must be stored somewhere far away, away from any network.
The generated revoke.pgp is the revocation certificate. With it you can invalidate a public key without the passphrase, so keep it safe, ideally with one more copy than the master key.
For now I will not experiment with my own primary keys; I quote directly from the article linked above, as the principle should be much the same.
gpg --import gpg-linus.asc # import your public key on a new computer
gpg: key 99F583599B7E31F1: "linus <[email protected]>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg --import revoke # import your backed-up revocation certificate; this immediately makes the key unusable
gpg: key 99F583599B7E31F1: "linus <[email protected]>" revocation certificate imported
gpg: Total number processed: 1
gpg: new key revocations: 1
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2021-09-29
gpg -k # list keys: already revoked
pub rsa3072 2021-01-11 [SC] [revoked: 2021-01-11]
705358AB85366CAB05C0220F99F583599B7E31F1
uid [ revoked] linus <[email protected]>
https://keys.openpgp.org/upload
You can upload the exported text directly, i.e. the signed pub, by dragging it into the browser.
gpg --keyserver https://keys.openpgp.org --send-keys F9154FDE143E4BAF
gpg: sending key 954E6A70100598A2 to https://keys.openpgp.org
The command line for publishing a public key looks like this:
gpg --keyserver hkps://keyserver.ubuntu.com --send-keys 17AFB9B1
How do I get notified when my subkey expires?
For now I am leaving this compilation here; once it looks about right I will organise it into a separate page.
This method only lists the primary key's keyid (fingerprint):
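For the expiry question just raised, and for the expired-subkey handling in the renewal section above, here is an added example (mine, not from the original page or from GnuPG) in POSIX shell: signing_subkey_status reads a gpg -k --keyid-format LONG listing and reports each signing subkey as OK, EXPIRING, EXPIRED or REVOKED against a date and a warning deadline you supply, exiting non-zero when no signing subkey stays valid past the deadline. The function name is mine, and the sample listing is constructed from this page's output.

```shell
#!/bin/sh
# Added example: flag signing subkeys that are about to expire, so you can
# run addkey/expire with the offline primary before uploads start failing.
# signing_subkey_status "<listing>" TODAY DEADLINE
#   listing  : text of `gpg -k --keyid-format LONG <key>`
#   TODAY    : current date, YYYY-MM-DD
#   DEADLINE : last date by which a subkey still counts as "OK"
# Prints one line per signing subkey; returns 0 if at least one signing
# subkey is valid beyond DEADLINE, 1 if you should renew or add one now.
# ISO dates compare correctly as plain strings, so no date arithmetic is needed.
signing_subkey_status() {
    printf '%s\n' "$1" | awk -v today="$2" -v deadline="$3" '
        ($1 == "sub" || $1 == "ssb") && $4 ~ /S/ {
            status = "OK"; expiry = "never"
            if ($0 ~ /\[revoked:/) status = "REVOKED"
            for (i = 5; i <= NF; i++)
                if ($i ~ /^\[?(expires|expired):$/) {
                    expiry = $(i + 1); sub(/\]$/, "", expiry)
                }
            if (status == "OK" && expiry != "never") {
                if (expiry < today)          status = "EXPIRED"
                else if (expiry <= deadline) status = "EXPIRING"
            }
            printf "%-8s %s created=%s expires=%s\n", status, $2, $3, expiry
            if (status == "OK") good++
        }
        END { exit (good > 0) ? 0 : 1 }'
}

# Constructed sample, modelled on the listings above: an expired signing
# subkey, the current one, and the encryption subkey (which is ignored).
# The e-mail address is a placeholder.
SAMPLE_LISTING='pub   rsa4096/954E6A70100598A2 2022-04-09 [SC]
      E2521CB8175736A97052B2F8954E6A70100598A2
uid                 [ultimate] Bo YU <bo@example.invalid>
sub   rsa4096/66681FECEFF9AC75 2022-04-09 [E]
sub   rsa4096/656717DFA59353D0 2022-04-13 [S] [expired: 2022-04-14]
sub   rsa4096/F9154FDE143E4BAF 2022-04-19 [S] [expires: 2022-06-18]'

# For a cron job, use the live listing and a 30-day window (GNU date), e.g.:
#   signing_subkey_status "$(gpg -k --keyid-format LONG 954E6A70100598A2)" \
#       "$(date +%F)" "$(date -d '+30 days' +%F)" || notify_yourself
signing_subkey_status "$SAMPLE_LISTING" 2022-04-19 2022-05-19
```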
vimer@dev:~/gpg_key/home-lod$ gpg -k [email protected]
pub rsa4096 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ultimate] Bo YU <[email protected]>
sub rsa4096 2022-04-09 [E]
sub rsa4096 2022-04-19 [S] [expires: 2022-06-18]
To list the keyids of all keys, do the following:
vimer@dev:~/gpg_key/home-lod$ gpg --keyid-format LONG -k 100598A2
pub rsa4096/954E6A70100598A2 2022-04-09 [SC]
E2521CB8175736A97052B2F8954E6A70100598A2
uid [ultimate] Bo YU <[email protected]>
sub rsa4096/66681FECEFF9AC75 2022-04-09 [E]
sub rsa4096/F9154FDE143E4BAF 2022-04-19 [S] [expires: 2022-06-18]
Debian has a huge number of packages, and inevitably some end up unmaintained. The WNPP project was born for this purpose: to help maintain these orphaned packages.
Here is another resource:
To adopt, you don't submit a new report, but retitle the existing one. Use "bts" from the devscripts package: bts retitle 993599 'RFA: jimtcl -- small-footprint implementation of Tcl named Jim' , owner it '!'
From the text above we can see that to adopt a package under WNPP, we need to use bts to announce it. I also found another useful resource.
Let us first look at four concepts:
RFP Request for a package
RFA Request for adoption of a package
ITP Intent to package
ITA Intent to adopt a package
bts retitle bug-number ITA
This is a package used to report bugs; install it directly with apt install reportbug.
First use requires configuration.
vimer@debian:~/maintain_packages/neomutt$ reportbug --email [email protected] wnpp
Warning: no reportbug configuration found. Proceeding in novice mode.
The MTA /usr/sbin/sendmail is not available; exiting.
Please run 'reportbug --configure' or specify a submission method on the command line.
Initial configuration:
vimer@debian:~/maintain_packages/neomutt$ reportbug --configure
Please choose the default operating mode for reportbug.
1 novice Offer simple prompts, bypassing technical questions.
2 standard Offer more extensive prompts, including asking about things that a moderately sophisticated user would be expected to know
about Debian.
3 advanced Like standard, but assumes you know a bit more about Debian, including "incoming".
4 expert Bypass most handholding measures and preliminary triage routines. This mode should not be used by people unfamiliar with
Debian's policies and operating procedures.
Select mode: [novice]
Then continue with the configuration, step 2:
Will reportbug often have direct Internet access? (You should answer yes to this question unless you know what you are doing and plan to
check whether duplicate reports have been filed via some other channel.) [Y|n|q|?]? y
What real name should be used for sending bug reports?
> neomutt
Which of your email addresses should be used when sending bug reports? (Note that this address will be visible in the bug tracking
system, so you may want to use a webmail address or another address with good spam filtering capabilities.)
[vimer@debian]> [email protected]
Do you have a "mail transport agent" (MTA) like Exim, Postfix or SSMTP configured on this computer to send mail to the Internet
[y|N|q|?]? N
Please enter the name of your SMTP host. Usually it's called something like "mail.example.org" or "smtp.example.org". If you need to use
a different port than default, use the <host>:<port> alternative format. Just press ENTER if you don't have one or don't know, and so a
Debian SMTP host will be used.
> smtp.gmail.com:587
If you need to use a user name to send email via "smtp.gmail.com:587" on your computer, please enter that user name. Just press ENTER if
you don't need a user name.
>
Do you want to encrypt the SMTP connection with TLS (only available if the SMTP host supports STARTTLS) [y|N|q|?]? y
Please enter the name of your proxy server. It should only use this parameter if you are behind a firewall. The PROXY argument should be
formatted as a valid HTTP URL, including (if necessary) a port number; for example, http://192.168.1.1:3128/. Just press ENTER if you
don't have one or don't know.
>
Default preferences file written. To reconfigure, re-run reportbug with the "--configure" option.
This is in fact what the documentation says:
Run reportbug –configure as your normal user. This creates a ~/.reportbugrc file that stores all the configurations.
Follow the instructions and when asked Do you have a ‘mail transport agent’ (MTA) configured, choose No
Then enter the SMTP host for gmail: smtp.gmail.com:587
For the user name enter:
For the question Does your SMTP host require TLS authentication?, choose Yes
Here you can simply edit the ~/.reportbugrc file yourself to suit your configuration.
Let us try again:
Entry point:
reportbug --email [email protected] wnpp
The log is as follows:
vimer@debian:~/maintain_packages/neomutt$ reportbug --email [email protected] wnpp
*** Welcome to reportbug. Use ? for help at prompts. ***
Note: bug reports are publicly archived (including the email address of the submitter).
Detected character set: UTF-8
Please change your locale if this is incorrect.
Using 'vimer <[email protected]>' as your from address.
Will send report to Debian (per lsb_release).
What sort of request is this? (If none of these things mean anything to you, or you are trying to report a bug in an existing package,
please press Enter to exit reportbug.)
1 ITP This is an `Intent To Package'. Please submit a package description along with copyright and URL in such a report.
2 O The package has been `Orphaned'. It needs a new maintainer as soon as possible.
3 RFA This is a `Request for Adoption'. Due to lack of time, resources, interest or something similar, the current maintainer is asking
for someone else to maintain this package. They will maintain it in the meantime, but perhaps not in the best possible way. In
short: the package needs a new maintainer.
4 RFH This is a `Request For Help'. The current maintainer wants to continue to maintain this package, but they need some help to do
this because their time is limited or the package is quite big and needs several maintainers.
5 RFP This is a `Request For Package'. You have found an interesting piece of software and would like someone else to maintain it for
Debian. Please submit a package description along with copyright and URL in such a report.
There is a simple tutorial.
There is too much material here to reference.
For historical reasons, Debian itself has many different packaging commands and tools. To simplify our work, or to follow the trend, we first consider continuing with the git way of doing things.
This mainly follows this article.
sudo apt install git-buildpackage
When we use the apt command for related operations, the first thing that comes to mind is that what sits on the FTP server is a deb package. By the same token, what is the origin of the deb package we build, i.e. in what form does upstream exist? One form is a tarball; the other is naturally git (for instance on GitHub).
Today we will not experiment with the tarball form; we first explore the git (upstream) way.
Reference: The debmake command is the helper script for the Debian packaging.
* It always sets most of the obvious option states and values to reasonable defaults.
* It generates the upstream tarball and its required symlink if they are missing.
* It doesn't overwrite the existing configuration files in the debian/ directory.
* It supports the multiarch package.
* It creates good template files such as the debian/copyright file compliant with DEP-5.
vimer@debian:~/maintain_packages/yubo_port/spa-1.0$ debmake -T
I: set parameters
I: sanity check of parameters
I: pkg="spa", ver="1.0", rev="1"
I: *** start packaging in "spa-1.0". ***
I: provide spa_1.0.orig.tar.gz for non-native Debian package
I: pwd = "/home/vimer/maintain_packages/yubo_port"
I: $ ln -sf spa-1.0.tar.gz spa_1.0.orig.tar.gz
I: pwd = "/home/vimer/maintain_packages/yubo_port/spa-1.0"
I: parse binary package settings:
I: binary package=spa Type=bin / Arch=any M-A=foreign
I: analyze the source tree
I: build_type = QMake
I: scan source for copyright+license text and file extensions
I: 44 %, ext = media
I: 11 %, ext = c
I: 7 %, ext = sh
I: 7 %, ext = text
I: 6 %, ext = md
I: 6 %, ext = ts
I: 4 %, ext = yml
I: 3 %, ext = qss
I: 2 %, ext = pro
I: 2 %, ext = qrc
I: 1 %, ext = gitignore
I: 1 %, ext = keystore
I: 1 %, ext = desktop
I: 1 %, ext = Debian
I: 1 %, ext = source
I: 1 %, ext = bak
I: 1 %, ext = ui
I: 1 %, ext = rc
I: 1 %, ext = nsi
I: make debian/* template files
I: found "debian/control"
I: debmake -x "0" ...
I: skipping :: debian/control (file exists)
I: skipping :: debian/copyright (file exists)
I: substituting => /usr/share/debmake/extra0/rules
I: skipping :: debian/rules (file exists)
I: substituting => /usr/share/debmake/extra0/changelog
I: creating => debian/changelog
I: run "debmake -x1" to get more template files
I: $ wrap-and-sort
As said before, debmake is a helper command that saves you the trouble of hand-writing many of the files under the debian directory. The "skipping" entries in the log above appear because the GitHub project I chose already had the corresponding files; keep this in mind.
https://unix.stackexchange.com/questions/650225/step-by-step-instructions-to-abandon-a-debian-package-and-no-longer-be-its-maint
Reversing these steps is how to take on maintaining a package.
One thing worth noting here: dch -i is used to change the changelog file.
https://wiki.debian.org/BuildingTutorial
Resolve conflicting values in Debian package
dpkg-source: error: can't build with source format '3.0 (native)': native package version may not have a revision
The most authoritative source is this page.
You can also refer to this: control-server
In short, when emailing [email protected] you can use the various tags directly; when sending commands for a specific bug, you need Control:
When we find a build failure, say in FTBFS (https://udd.debian.org/cgi-bin/ftbfs.cgi?arch=riscv64), and want to follow up on the fix, first look at the issue number (taking yubiserver as the example):
After clicking the link, on the Debian Package Auto-Building page we see these links at the top:
Tracker: a complete overview of the pkg (package), covering every aspect of it: maintainer, actions, bugs, links and so on. To learn the basics of another package, search in the top right corner of that page.
Changelog: this data comes from the changelog file in the package's debian directory and gives a fairly clear picture of the package's complete life.
bugs: here we can see the package's current bugs. Here we can also see that a developer has already made a patch for the build failure, so we just test it or push the patch forward. #1002079 yubiserver fails to port with riscv
There are many unexpected situations here. Unexpected because in a typical community, after we submit a patch a maintainer merges it or reviews it, but in a non-profit OS distribution like Debian with no commercial interest, there are bound to be many packages nobody maintains; some packages become orphaned. For that situation, I have also seen the option of an NMU (non-maintainer upload), which we will discuss later.
Another case is MIA; today's text does not focus on it, so I note it here and will add a new article later.
packages.d.o
When we use the apt source command to download source code, you will notice that its first step is downloading the .dsc file. So where is this dsc file?
The answer is here: clicking in, we find a dsc file, an orig source tarball and a debian tar file. Later we will explain where these files come from and how they are used.
source: lets you view the code on debian.org.
These are the package resources we commonly encounter.
Through the analysis above, has anyone noticed a phenomenon? Many current Debian bugs are not advanced promptly, very likely because they have fallen into the MIA (Missing In Action) situation mentioned in the third point above, which is a thorny problem. If you want to rescue a package, you first have to become a DM, so the fastest route is to upload the packages you maintain yourself and let the community start accepting you.