Add walkthrough for setting up gpg keys

This commit is contained in:
Charlie O'Keefe 2018-03-22 09:38:15 -06:00
parent 2bd40ddd3c
commit c79381aae2
1 changed files with 55 additions and 0 deletions

View File

@ -43,6 +43,61 @@ Make sure GNU privacy guard is installed.
Also make sure it is callable using the command 'gpg2' (not just 'gpg'). You may need a workaround Also make sure it is callable using the command 'gpg2' (not just 'gpg'). You may need a workaround
here, e.g. creating a symlink from gpg2 to gpg. here, e.g. creating a symlink from gpg2 to gpg.
## Decide on a gpg keypair to use for gitian
You'll be asked to (optionally) refer to a gpg key in gitian.yml.
You can generate a keypair specifically for zcash gitian builds with a command like the one below.
$ gpg2 --quick-generate-key --batch --passphrase '' "Harry Potter (zcash gitian) <hpotter@hogwarts.wiz>"
gpg: directory '/Users/hpotter/.gnupg' created
gpg: keybox '/Users/hpotter/.gnupg/pubring.kbx' created
gpg: /Users/hpotter/.gnupg/trustdb.gpg: trustdb created
gpg: key 5B52696EF083A700 marked as ultimately trusted
gpg: directory '/Users/hpotter/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/Users/hpotter/.gnupg/openpgp-revocs.d/564CDA5C132B8CAB54B7BDE65B52696EF083A700.rev'
This will generate a primary key and subkey without passphrases, and set default values for
algorithm, key length, usage, and expiration time which should be fine.
Some explanation of the arguments used in the above example:
--quick-generate-key --batch This combination of options allows options to be given on the command
line. Other key generation options use interative prompts.
--passphrase '' Passphrase for the generated key. An empty string as shown here means
save the private key unencrypted.
"Name (Comment) <Email>" The user id (also called uid) to associate with the generated keys.
Concatenating a name, an optional comment, and an email address using
this format is a gpg convention.
You can check that the key was generated and added to your local gpg key database, and see its
fingerprint value, like this:
$ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2020-03-13
/Users/hpotter/.gnupg/pubring.kbx
-----------------------------------
pub rsa2048 2018-03-14 [SC] [expires: 2020-03-13]
564CDA5C132B8CAB54B7BDE65B52696EF083A700
uid [ultimate] Harry Potter (zcash gitian) <hpotter@hogwarts.wiz>
sub rsa2048 2018-03-14 [E]
We'll use two values from the above output in our gitian.yml file:
- For gpg_key_id we'll use the fingerprint for the 'pub' key.
- For gpg_key_name we'll use the the part before the @ symbol of the associated email address.
Continuing the above example, we would set the two fields in gitian.yml as follows:
gpg_key_id: 564CDA5C132B8CAB54B7BDE65B52696EF083A700
gpg_key_name: hpotter
How to get started How to get started
------------------ ------------------