Subject: Re: Sign 0.7.14, PLEASE
rms@greymalkin.yi.org
Date: Fri Mar 30 2001 - 20:18:45 CST
Hello,
This is a revision of my instructions, since Vlad pointed me to a bug in them. Only part 3 has been changed. Sorry for the inconvenience, rms.
Here are some instructions for package builders to sign their builds for release 0.7.14 (take them with a grain of salt, especially if you're not on a unix box).
You may use a valid personal certificate from a valid, well known and safe Certification Authority (Verisign is too lax in security but is usually ok), or a pgp signature.
I'll dwell only on pgp (and, in particular, gpg) software for the instructions:
1 create a signature (if you have one already jump to 2)
1.1 gpg --gen-key (twice, since the first time it creates some config)
1.2 choose your favorite cipher
1.3 choose your keysize (the bigger the better)
1.4 define a validity period
1.5 type your real name as in: Full Name
1.6 type your email as in: fname@names.tld
1.7 type a comment, if it pleases you
1.8 type O if ok, otherwise, check options provided
1.9 type your passphrase (do not forget this phrase)
1.10 type it again! (do not forget this phrase, I MEAN IT)
1.11 it should be complete now :)
2 make the package (.tar.gz, x86.rpm, sun package, whatever)
3 sign the package:
3.1 md5sum package.ext > package.ext.md5
3.1 (opt) if you use rpm, you can do: rpm --sign --rebuild, but just gpg is fine by me :)
3.2 gpg --sign package.ext.md5
Announce your build to the list, along with your public key, so everyone else can verify it.
You can get your key with:
gpg --armor --export stringThatMatchesYou
For instance, on my computer, the result of 'gpg --armor --export rms' is my public key, which you can import into your public keyring with: gpg --import filenamewithapublickey
btw, this is a 2048-bit key; it took some time to make, which I had since I lost my secret key file :(
hugs, rms
ps: my problem (I don't know if Vlad's done his key the same way I did, ie, 2048 bits) may be related to my key size, I don't know. It should only sign a hash of the package, and not the full package. Weird.
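The recipe in part 3 signs the md5sum output, not the package itself, so whoever downloads a build has two separate things to check: that the signature over package.ext.md5 is good and comes from the key announced on the list, and that the digest inside that file matches the bytes they actually got. The following is an added example of the receiving side, not code from rms's message or from the project; it assumes gpg is on PATH for the signature half, and that the key was already imported with gpg --import as described above.

```python
import hashlib
import hmac
import re
import shutil
import subprocess
from typing import Optional

# md5sum(1) writes "<32 hex digits>  <filename>"; a "*" before the name means binary mode.
MD5_LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")


def md5_manifest_line(data: bytes, name: str) -> str:
    """The line `md5sum package.ext > package.ext.md5` produces (used to build test input)."""
    return f"{hashlib.md5(data).hexdigest()}  {name}\n"


def check_md5_manifest(manifest: str, data: bytes, name: str) -> bool:
    """Check 2: the digest the signer recorded for `name` must match the downloaded bytes.
    An entry for some other file name vouches for nothing about this package."""
    for line in manifest.splitlines():
        m = MD5_LINE.match(line.strip())
        if m and m.group(2) == name:
            return hmac.compare_digest(m.group(1).lower(), hashlib.md5(data).hexdigest())
    return False


def gpg_verify(signed_manifest: str) -> Optional[str]:
    """Check 1: `gpg --sign package.ext.md5` yields package.ext.md5.gpg. Unwrap it and return
    the manifest text only if gpg reports GOODSIG from an imported key; None otherwise.
    Assumption: gpg is installed and the announced key was imported beforehand."""
    if shutil.which("gpg") is None:
        return None
    res = subprocess.run(
        ["gpg", "--batch", "--status-fd", "2", "--output", "-", "--decrypt", signed_manifest],
        capture_output=True, text=True,
    )
    if res.returncode != 0 or "[GNUPG:] GOODSIG " not in res.stderr:
        return None
    return res.stdout


def verify_build(package_path: str, package_name: str, signed_manifest: str) -> bool:
    """Both checks must pass: a good signature over the wrong digest, or a matching digest in
    an unsigned file, each leaves the package unverified."""
    manifest = gpg_verify(signed_manifest)
    if manifest is None:
        return False
    with open(package_path, "rb") as f:
        return check_md5_manifest(manifest, f.read(), package_name)
```

Compare the fingerprint of the imported key against the one posted to the list before trusting GOODSIG; gpg only confirms that some imported key made the signature.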
This archive was generated by hypermail 2b25 : Fri Mar 30 2001 - 21:14:07 CST