Re: bug#67790: New signing key
On Fri, Dec 15, 2023 at 06:06:26AM +, John Kehayias wrote: > I suppose I should have been more specific than "something bad" :) I > merely meant this wasn't an actual security issue of losing control of > a private key, but merely moving to a new one for other reasons. The old key "expired" last summer. I had been faking the date for months to work around that. I did not feel motivated to change the expiration date or to remove the expiration date either :) It was easier to make a new key.
Re: bug#67790: New signing key
On Thu, Dec 14, 2023 at 11:16 AM, Leo Famulari wrote: > On Wed, Dec 13, 2023, at 22:17, John Kehayias wrote: >> And I assume all this was just to use a new key (did I see some >> mention of subkeys on #guix? that's what I use) and not because of >> something bad happening to the old one right? > > I don't know if anything bad happened to the old key. That's > fundamentally unknowable. But I decided to start using a new key. I suppose I should have been more specific than "something bad" :) I merely meant this wasn't an actual security issue of losing control of a private key, but merely moving to a new one for other reasons. In any event, this is a good reminder (to myself) to have backups of private keys somewhere safe!
Re: bug#67790: New signing key
On Wed, Dec 13, 2023, at 22:17, John Kehayias wrote: > And I assume all this was just to use a new key (did I see some > mention of subkeys on #guix? that's what I use) and not because of > something bad happening to the old one right? I don't know if anything bad happened to the old key. That's fundamentally unknowable. But I decided to start using a new key.
Re: bug#67790: New signing key
On Wed, Dec 13, 2023 at 09:10 PM, Leo Famulari wrote: > On Tue, Dec 12, 2023 at 12:02:33PM -0500, Maxim Cournoyer wrote: >> Note that I believe you can simply update to your new key yourself. >> You'll want to add your new key to the keyring branch, then adjust the >> .guix-authorizations file with its new keygrip. > > Thanks, I pushed to 'keyring' as > 935e3c9e93548a566cf3b3039b0822d4179974e4, and to 'master' as > 4c4222f32a2906b7bcab74fab70ff2c2f152e8eb. > Just saw, thanks for the update. And I assume all this was just to use a new key (did I see some mention of subkeys on #guix? that's what I use) and not because of something bad happening to the old one right? John
Re: bug#67790: New signing key
On Tue, Dec 12, 2023 at 12:02:33PM -0500, Maxim Cournoyer wrote: > Note that I believe you can simply update to your new key yourself. > You'll want to add your new key to the keyring branch, then adjust the > .guix-authorizations file with its new keygrip. Thanks, I pushed to 'keyring' as 935e3c9e93548a566cf3b3039b0822d4179974e4, and to 'master' as 4c4222f32a2906b7bcab74fab70ff2c2f152e8eb. signature.asc Description: PGP signature
Re: bug#67790: New signing key
Hi, Maxim Cournoyer writes: > Hi, > > Leo Famulari writes: > >> Hello, >> >> I'm changing my Guix signing key from >> B0515948F1E7D3C1B98038A02646FA30BACA7F08 to >> 68407224D3A64EE53EAC6AAC1963757F47FF. >> >> Patches to follow. Testing is appreciated! > > Thanks for the heads-up! Note that I believe you can simply update to your new key yourself. You'll want to add your new key to the keyring branch, then adjust the .guix-authorizations file with its new keygrip. Your new key will become mandated after your .guix-authorizations change is pushed. -- Thanks, Maxim
Re: New signing key
Hi, Leo Famulari writes: > Hello, > > I'm changing my Guix signing key from > B0515948F1E7D3C1B98038A02646FA30BACA7F08 to > 68407224D3A64EE53EAC6AAC1963757F47FF. > > Patches to follow. Testing is appreciated! Thanks for the heads-up! -- Thanks, Maxim
New signing key
Hello, I'm changing my Guix signing key from B0515948F1E7D3C1B98038A02646FA30BACA7F08 to 68407224D3A64EE53EAC6AAC1963757F47FF. Patches to follow. Testing is appreciated! Leo signature.asc Description: PGP signature
Re: New signing key
Hi Tobias, On Tue, 29 Jun 2021 at 16:40, Tobias Geerinckx-Rice wrote: > Question: I think committers should be trusted with discretion in > how they prefer to manage their keys, but how about briefly > documenting a suggested sane key-management strategy to new > committers, like we already describe some rando's editor set-up? > :-) Yes, it will be really helpful, I guess. :-) Cheers, simon
Re: New signing key
Hello, Tobias Geerinckx-Rice skribis: > Question: I think committers should be trusted with discretion in how > they prefer to manage their keys, but how about briefly documenting a > suggested sane key-management strategy to new committers, like we > already describe some rando's editor set-up? :-) I had missed this message, but I think it’s a good idea! Your message is already a good start at that. Thanks, Ludo’.
Re: New signing key
Hi Tobias, On Tue, 2021-06-29 at 16:40 +0200, Tobias Geerinckx-Rice wrote: > Question: I think committers should be trusted with discretion in > how they prefer to manage their keys, but how about briefly > documenting a suggested sane key-management strategy to new > committers, like we already describe some rando's editor set-up? > :-) I think this would be very nice. Especially if it laid out some of the trade-offs as you did here. > > I don't think most people *insist* on their current one, it's just > what they know; and GPG is complex and gnarly. > ... > > I'm not aware of any authority on best practices that would claim > the opposite, but if you are, I'd be grateful to hear about it! > No, I definitely fall into the group who don't insist on a strategy and are just doing what they know :). I appreciate your feedback! And I'll probably be making some adjustments to my workflow. Thanks, `~Eric signature.asc Description: This is a digitally signed message part
Re: New signing key
Question: I think committers should be trusted with discretion in how they prefer to manage their keys, but how about briefly documenting a suggested sane key-management strategy to new committers, like we already describe some rando's editor set-up? :-) I don't think most people *insist* on their current one, it's just what they know; and GPG is complex and gnarly. Eric Bavier skribis: In this case, the old key had already expired. I think others here have reset the expiry date on their keys before? Limiting validity to 1…2y is considered good hygiene, as is simply extending the date whenever it's about to expire. It proves you still control the private key. It doesn't matter if you miss the deadline. It's what I'd suggest for Guix because it gives committers full control over renewal without the inherent risk of updating the keyring & .guix-authorizations each time. It also makes such commits less routine, which I think is good… I like the idea of honoring the expiration dates I set Excellent, but ^ this… and creating a new key. …doesn't imply ^ this. Signing your existing key with a new expiry date is just as honourable^Wsecure, and much less hassle. You would have avoided the delay you encountered here. Others would get a better error message (‘expired’ vs. now ‘unknown’). Etc. I'm not aware of any authority on best practices that would claim the opposite, but if you are, I'd be grateful to hear about it! Kind regards, T G-R signature.asc Description: PGP signature
Re: New signing key
Hi, Eric Bavier skribis: > On Wed, 2021-06-23 at 15:48 +0200, Ludovic Courtès wrote: [...] >> In >> d1d2bf3eb6ba74b058969756a97a30aec7e0c4d1 I added your new key and >> renamed the old one, but perhaps we can just remove the old one, if the >> old sub-key is still in the new one? > > I think the old key is still there, yes. I didn't remove it, just > added the new key. OK. I removed the former key file from the ‘keyring’ branch in commit 359ca340273213f7bafda455c9f89db55d69849c; I checked with ‘guix git authenticate’ that we can still authenticate former commits. >> In the future, unless you lose control of the key, it’s even better if >> you do it yourself: push a commit signed with the old key that >> introduces the new key. Otherwise we have to trust that you really are >> the one who uploaded the new key on Savannah. > > In this case, the old key had already expired. I think others here > have reset the expiry date on their keys before? I like the idea of > honoring the expiration dates I set, and creating a new key. But I'm > also willing to adopt whatever we decide is a best practice. I think either way is fine. I set an expiry date a few months in the future, and I change it a few weeks before it expires, the idea being that if I lose control of the key (e.g., laptop stolen) it’ll expire not too longer after that. Thanks, Ludo’.
Re: New signing key
On Wed, 2021-06-23 at 15:48 +0200, Ludovic Courtès wrote: > Hi, > > Apologies for the delay! > > Eric Bavier skribis: > > > I've updated my GPG key on Savannah with a new signing subkey and uid. > > Done in 3694c0d4fee0f7faf130ecd9386ea45932a19543. Thank you Thank you! > In > d1d2bf3eb6ba74b058969756a97a30aec7e0c4d1 I added your new key and > renamed the old one, but perhaps we can just remove the old one, if the > old sub-key is still in the new one? I think the old key is still there, yes. I didn't remove it, just added the new key. > > Anyway, you should be able to push to ‘master’ now. Please double-check > with ‘guix git authenticate’ (and the pre-push hook) that everything’s > fine. Will do. > > > Could a maintainer do the necessary repo updates? > > Note that any committer who’s checked that all is fine can do this, but > I guess everyone was busy hacking (or reviewing!). ;-) I completely understand. I didn't trust myself to know how to check that all is fine. :) > > In the future, unless you lose control of the key, it’s even better if > you do it yourself: push a commit signed with the old key that > introduces the new key. Otherwise we have to trust that you really are > the one who uploaded the new key on Savannah. In this case, the old key had already expired. I think others here have reset the expiry date on their keys before? I like the idea of honoring the expiration dates I set, and creating a new key. But I'm also willing to adopt whatever we decide is a best practice. Thanks again, `~Eric signature.asc Description: This is a digitally signed message part
Re: New signing key
Hi, Apologies for the delay! Eric Bavier skribis: > I've updated my GPG key on Savannah with a new signing subkey and uid. Done in 3694c0d4fee0f7faf130ecd9386ea45932a19543. In d1d2bf3eb6ba74b058969756a97a30aec7e0c4d1 I added your new key and renamed the old one, but perhaps we can just remove the old one, if the old sub-key is still in the new one? Anyway, you should be able to push to ‘master’ now. Please double-check with ‘guix git authenticate’ (and the pre-push hook) that everything’s fine. > Could a maintainer do the necessary repo updates? Note that any committer who’s checked that all is fine can do this, but I guess everyone was busy hacking (or reviewing!). ;-) In the future, unless you lose control of the key, it’s even better if you do it yourself: push a commit signed with the old key that introduces the new key. Otherwise we have to trust that you really are the one who uploaded the new key on Savannah. Thanks, Ludo’. signature.asc Description: PGP signature
Re: New signing key
On Tue, 2021-06-15 at 03:05 +, Eric Bavier wrote: > Hello Guix, > > I've updated my GPG key on Savannah with a new signing subkey and uid. > Could a maintainer do the necessary repo updates? Ping? > > Thanks, > `~Eric signature.asc Description: This is a digitally signed message part
New signing key
Hello Guix, I've updated my GPG key on Savannah with a new signing subkey and uid. Could a maintainer do the necessary repo updates? Thanks, `~Eric signature.asc Description: This is a digitally signed message part
Re: New Signing Key
Guix, Brett Gilio 写道: As per my email a few days ago, I have lost control of my signing key. I have, as per instructions, refreshed the key on Savannah and am signing this email. I've authorised Brett in commit ba1d9680d61d3b06d9b81a81863448f494d654a7. Kind regards, T G-R signature.asc Description: PGP signature
New Signing Key
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hey all, As per my email a few days ago, I have lost control of my signing key. I have, as per instructions, refreshed the key on Savannah and am signing this email. I have familiarized myself with the changes to the contribution process, and am looking forward to getting back into the groove! Thanks a bunch for those who reached out, and those who kept in touch with me during my hiatus. Brett Gilio -BEGIN PGP SIGNATURE- iQEzBAEBCAAdFiEE6CrAJpXW/wJDyh5c9sUt0bony4cFAl8Q5rIACgkQ9sUt0bon y4c4aggAr0/x2mhwJRRljrDmO0UC/jEV0VwH8TKBMZz60w8MLiJJYwiFyTSL4cJx sE/Eo/b5B7kEw+nyPNvuw7qXAy8ie80S6frZ9/QrI3Q6ViEV274qex5YeCQfdnbf oM+1ALAQsbG2wGh6TutdKFEx7vtbCefx/0QxHfj2dYD8nZ+SwoBma8jvogDcubxy 4mGhTqjEuoucJgGN5FwUFf2IimwgSN7O708rIPpcf3QTV0QM3t3bxIGQDnHJr8pb xQTDsFySBzmZnGyHJVtDSUr+3TE1w11ZMVHd0dcX78STjJkEV3BcGcICOLVszJ2m bBrUt82L6JU/Dgwjl6KYr3ZezRrHCQ== =CU3q -END PGP SIGNATURE-
Re: New signing key
Roel, Roel Janssen 写道: I am trying to find the revocation key (printed) to revoke the old key as reassurance that I am still me, and no malice is going on. As I moved twice since printing and securely storing the revocation key, this will take some time. Thanks for taking the time to do that! It is appreciated. Is there perhaps a key-signing party for GNU Guix maintainers to build a better trust in the future? We should do something like that at FOSDEM next year. I hope you'll be able to attend. Kind regards, T G-R signature.asc Description: PGP signature
Re: New signing key
Hello Ludo’ and Guix, I lost the password of the old key. I updated my OpenPGP key on Savannah to the new one (F556FD94FB8F8B8779E36832CBD0CD5138C19AFC). I am trying to find the revocation key (printed) to revoke the old key as reassurance that I am still me, and no malice is going on. As I moved twice since printing and securely storing the revocation key, this will take some time. Is there perhaps a key-signing party for GNU Guix maintainers to build a better trust in the future? Kind regards, Roel Janssen On Thu, 2020-03-05 at 18:13 +0100, Ludovic Courtès wrote: > Hello Roel, > > You signed commit cc51c03ff867d4633505354819c6d88af88bf919 and its > parent with OpenPGP key F556FD94FB8F8B8779E36832CBD0CD5138C19AFC, > which > differs from the one registered in ‘build-aux/git-authenticate.scm’ > (17CB 2812 EB63 3DFF 2C7F 0452 C3EC 1DCA 8430 72E1) that you used > previously. > > Could you please reply to this message signed with the old key, > stating > that the new key is the right one? > > As a last resort, if you lost control of the old key, could you > ensure > your Savannah account contains the new key and send a reply signed > with > the new key? > > Thanks in advance, > Ludo’. signature.asc Description: This is a digitally signed message part
New signing key
Hello Roel, You signed commit cc51c03ff867d4633505354819c6d88af88bf919 and its parent with OpenPGP key F556FD94FB8F8B8779E36832CBD0CD5138C19AFC, which differs from the one registered in ‘build-aux/git-authenticate.scm’ (17CB 2812 EB63 3DFF 2C7F 0452 C3EC 1DCA 8430 72E1) that you used previously. Could you please reply to this message signed with the old key, stating that the new key is the right one? As a last resort, if you lost control of the old key, could you ensure your Savannah account contains the new key and send a reply signed with the new key? Thanks in advance, Ludo’. signature.asc Description: PGP signature
Re: My new signing key
On Wed, Dec 05, 2018 at 03:49:42AM +0300, Oleg Pykhalov wrote: > Hello Guix, > > Recently I've changed my signing subkey, here is it: > > 7238 7123 8EAC EB63 4548 5857 167F 8EA5 001A FA9C Thanks for letting us know. Please remember to update the key on your Savannah user page: https://savannah.gnu.org/users/wigust signature.asc Description: PGP signature
My new signing key
Hello Guix, Recently I've changed my signing subkey, here is it: 7238 7123 8EAC EB63 4548 5857 167F 8EA5 001A FA9C Oleg. signature.asc Description: PGP signature
New signing key
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Hi! Just to clarify that I lost the key I've been using to sign commits the past year and didn't have a backup: pub rsa4096 2017-06-09 [SC] DB34 CB51 D25C 9408 156F CDD6 A12F 8797 8D70 1B99 uid [ full ] Jan Nieuwenhuizen (janneke) sub rsa4096 2017-06-09 [E] So I created a new key pub rsa4096 2018-04-08 [SC] 1A85 8392 E331 EAFD B8C2 7FFB F3C1 A0D9 C1D6 5273 uid [ultimate] Jan (janneke) Nieuwenhuizen sub rsa4096 2018-04-08 [E] and uploaded its armour to savannah. Greetings, janneke - -- Jan Nieuwenhuizen | GNU LilyPond http://lilypond.org Freelance IT http://JoyofSource.com | Avatar® http://AvatarAcademy.com -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEGoWDkuMx6v24wn/788Gg2cHWUnMFAlreI/MACgkQ88Gg2cHW UnNW0w//f63ct1LigPfphei7JyT1I7aa513K0Xb4Wp+T8D6FCpvGg/jjcTR4jpFc l/fv72ExDtqmamE9jDGFiwWbL2a5m99hIRhEuTV6VtonTD1CJUZOfV1ReCyH32rh NOUPIzZ4L57DL5OVNrKTbrMI3z9TzLmuwzLw5z13SaabSTW/ZO4yEv+9RauOB1GJ cV8ic1qiRpNqiG6xu0BGZp16D0teaqUDko1MLd/mxxJXp3PvKrIIDa4fu0YNuoSj rLXy2aoXwfjttt8cLS303Co0YM0Si6FcVlumqdAROBnJue2QpwQvSAv8RHKgpqPP 8h0sZeibdmIpKolnmFR9iq84TwDrj8Bx6fDHPlMRmGZdSZgZO9AhfKwPef83ThZw cs4gvcldy0fEnT0JwQmEmde5gHUFr2rKEjA2NxbQO8NcpEFQAvsiGPSZiLnJZ5lU 2WNVy6kNLhkDEQZeDMfNBI4XpGg3LzjtEZIB7TAjNODPVT9GXEzCAUDvMc4Dn4Bu zQQxaZVgPGodIx+r49ZtKObzxX2/MQWI1bLxKpiuxTQebfgTq0PVm+4IfsXd4lrt ZXqt15VHT5wBSVUdvhp0+Xs1RaSMmCNWVu9Div6Rs8G+LODTx4svLA6gd1ohye7e G1paCcDQil5PKXmizX3nmUbPzdHkrq2PZ5zqk1BF4jEcGj0Ovrk= =TgAQ -END PGP SIGNATURE-