Eric Rostetter wrote:
> * how do you know what packages to test (only with slocate was it
> announced on the list, before that you had to know where to look,
> remember to look, etc)

[Jesse and others more in the know will hopefully chime in here, but since I'm replying to answer some of the gpg questions you have, I might as well take a stab at some of the others. If it saves someone else from having to type it up, that'll be great.]

The Legacy Devel Tracker link on the home page points you where you want to start:

http://www.fedora.us/LEGACY

There you'll find the wonders of bugzilla and a list of all the current issues that need attention.

> * If you don't know how to use the package, how do you know if it
> works? (so I can't help test apt if I don't have any docs on how to
> use it, etc)

It's certainly difficult if you haven't a clue about an app. Usually though, you can take a peek at the man page and figure out the basic operations and test those. Ideally, someone that uses a package or is familiar with it will be more likely to get on doing QA for that package than you will. At least, that's the idea. So far, the apt package is proving that's not always how it works. :)

> * Once I see it works, how do I report that it works?

Follow along on some of the other bug reports and see how those are done. That helps. It's a new process for me; I'm trying to keep my eyes open and learn as much as possible from watching and reading. If you end up with a specific question, like, "I was looking at package fubar-1.1-1.legacy.src.rpm and it doesn't build right for me without package baz-devel, what should I do?" just ask and someone will help out.

> * How do I verify I'm testing the correct package (gnupg signature
> checks, etc)

The gpg check is the one I prefer to use.

The Fedora.us wiki suggests gpg signed md5 hash files to go along with the uploaded packages, and most of the packages submitted so far for FL have done this, though I have to wonder what the point is. If you check the gpg signature of the md5 file and then use the md5 file to check the packages, you might as well just use gpg to check the packages directly. (Hope that didn't leave you more confused than you were before.)

For example, say you're going to QA apt (cause everyone wants to), you'd find it in bugzilla and look at the entries there. You see that in Jason's latest comment there he's linked these two files:

https://mail.codegrinder.com/www/apt4/md5sum.asc
https://mail.codegrinder.com/www/apt4/apt-0.5.15cnc5-0.fdr.7.rh73.legacy.src.rpm

Download them both. Then run rpm --checksig -v (or just -Kv if you're lazy like me) on the rpm file. Assuming you already have Jason's key (and you probably don't yet, but we'll get to that later), you should get output like this:

$ rpm --checksig -v apt-0.5.15cnc5-0.fdr.7.rh73.legacy.src.rpm
apt-0.5.15cnc5-0.fdr.7.rh73.legacy.src.rpm:
MD5 sum OK: bbb702d9ed7f07f26be25f1f4099146c
gpg: Signature made Thu 29 Jan 2004 12:49:32 AM EST using DSA key ID 9B643F0D
gpg: Good signature from "Jason Rohwedder <rohwedde@xxxxxxxxxxxxxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0AA1 6522 AD40 FB05 EFB3 2344 C364 0463 9B64 3F0D

You could also use the md5sum file. To do that you'd check the gpg signature on it first:

$ gpg --verify md5sum.asc
gpg: Signature made Thu 29 Jan 2004 12:56:44 AM EST using DSA key ID 9B643F0D
gpg: Good signature from "Jason Rohwedder <rohwedde@xxxxxxxxxxxxxxx>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0AA1 6522 AD40 FB05 EFB3 2344 C364 0463 9B64 3F0D

If the gpg sig checks out, use the md5sum program to verify the md5 hash of the rpm you downloaded against the hash stored in the md5sum file:

$ md5sum -c md5sum.asc
apt-0.5.15cnc5-0.fdr.7.rh73.legacy.src.rpm: OK

> * How do I get a gnupg signature? Do I need to register it
> somewhere? how? Where?

The signatures are what you'll find in the text of the bugzilla entries and in .asc files. These signatures are also embedded in rpm packages as well. Don't worry too much more about this part at the moment.

> * How do I sign a message? What does cleartext sign mean? etc.

To sign a message, you would save it as a file, say you call it slocate-QA. Then run:

$ gpg --clearsign slocate-QA
[you'll be prompted for your passphrase and then the file will be signed]

You will now have another file, slocate-QA.asc. You would then copy the contents of that file and paste them into bugzilla.

When you clearsign a message, it means that the message is still readable to others even without using the gpg software to decode it. That's what you see when a message has BEGIN PGP SIGNED MESSAGE, BEGIN PGP SIGNATURE, and END PGP SIGNATURE.

[One thing to be careful of here: bugzilla's text entry box will wrap text (I don't know at what width exactly) and if it does this, your gpg signature will be broken. That's one of the things about signatures, they really work. Any change to a message, no matter how slight, will invalidate the signature. So just wrap the text you plan to clearsign before you post it to bugzilla. Keeping it under 80 characters is sufficient as far as I can tell.]

> But I don't have a gpg key. How do I get one?

Simple enough. Use gpg to create one:

$ gpg --gen-key

and follow the prompts. The defaults should all be fine. Just put in your name and your email address and pick a good passphrase.

At the end of the process, there will be some lines that look similar to this:

pub  1024D/86182970 2004-02-06 Just A. Test <justa@xxxxxxxx>
     Key fingerprint = E467 045D 0180 8726 F917 74A7 CA78 2901 8618 2970
sub  1024g/76AC068B 2004-02-06

Take note of the string of letters and numbers after the pub 1024D. This is your keyid. In this case, that's 86182970.

> Is there anything I need to know about getting a key (size, type,
> content, etc)?

You could spend a long time studying the OpenPGP spec and the pros and cons of the various algorithms, but you don't need to. The defaults will work just fine.

> How should I protect it once I have it?

The two main methods of protecting your key are your file system security and the passphrase. You want to keep anyone from stealing a copy of your secret key. If someone does manage such a thing, they still have to guess your passphrase in order to use the key to do anything nasty. So keep your system secure and choose a strong passphrase.

Also, it's best to generate a revocation certificate. This is something that can be used in case you ever lose your key, forget your passphrase, or find that someone has compromised your system and stolen your key. That's done by running:

$ gpg --gen-revoke $USERID

replacing $USERID with the keyid from when you generated your key. Follow the prompts, enter your passphrase, and save the output someplace safe, like on a CD. (Note that you can also specify $USERID using your email address; see the section titled "How to specify a user ID" in the gpg man page for more details about this if you're curious.)

Finally, you should upload your key to a keyserver. The Fedora.us docs suggest pgp.mit.edu, so we'll stick with that one:

$ gpg --keyserver pgp.mit.edu --send-key $USERID

To download the keys of other users, you can use:

$ gpg --keyserver pgp.mit.edu --recv-keys $THEIR_KEYID

When people post a self introduction to the list, it should include some information about their gpg key. The output of this command is what you want to send:

$ gpg --fingerprint $USERID

It looks like this:

$ gpg --fingerprint 86182970
pub  1024D/86182970 2004-02-06 Just A. Test <justa@xxxxxxxx>
     Key fingerprint = E467 045D 0180 8726 F917 74A7 CA78 2901 8618 2970
sub  1024g/76AC068B 2004-02-06

Other sources of information that might prove useful to you are the gnupg.org website, the fine manual that comes with gpg, the Fedora.us Self Introduction wiki and the Fedora GPG mini-HOWTO, which is just a post Warren made to the fedora-devel list a while back trying to get some documentation started. You'll notice since there isn't a handy HOWTO to send you to that this documentation has yet to be written, AFAIK.

Sorry for the verbosity. It seems hard to even begin to cover gpg in such a short amount of space. I did a slightly more detailed, though still pretty minimal presentation for a local LUG a while back. That was mainly focused on using gpg for securing email, but a lot of it should be somewhat relevant to anyone just starting with gpg. A copy of that presentation is available at:

http://pobox.com/~tmz/cplug/encryption-howto/siframes.html

I hope this helps a little. I know that gpg can seem like a lot to take in at once. It's been an interest of mine for a long time, so that was at least one thing I didn't have to learn in order to get started trying to help out here.

--
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Those who have been intoxicated with power... can never willingly
abandon it.
    -- Edmund Burke
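As an added example (not part of Todd's message or of the Fedora.us tooling), here is a Python version of the second half of the md5sum.asc procedure above: it pulls out the hash lines that a clearsign signature covers and checks them against the downloaded file the way `md5sum -c md5sum.asc` does, so it also shows why a single changed byte, which is what a bugzilla line-wrap does to a clearsigned comment, turns OK into FAILED. The package name is the one from Jason's comment; the file contents and the armor body are constructed placeholders, and `gpg --verify` on the .asc is still a separate, prior step that this code does not replace.

```python
import hashlib
import re

CLEARSIGN_HDR = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_HDR = "-----BEGIN PGP SIGNATURE-----"
# "<md5>  <file>" as md5sum writes it; " *" instead of two spaces marks binary mode.
MD5_LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")

def signed_body(clearsigned):
    """Text the clearsign signature covers: after the 'Hash:' header block, up
    to the signature armor, with RFC 4880 dash-escaping ('- ' prefix) undone.
    The signature is NOT verified here; 'gpg --verify' does that, and first."""
    lines = clearsigned.splitlines()
    if not lines or lines[0] != CLEARSIGN_HDR:
        raise ValueError("not a clearsigned message")
    body = lines[lines.index("") + 1:]     # headers end at the first blank line
    body = body[:body.index(SIG_HDR)]      # stop at the signature armor
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body)

def parse_md5sum(body):
    """Map filename -> expected md5 hex digest.  Non-hash lines are skipped,
    which is why 'md5sum -c' can be pointed at the .asc file directly."""
    found = {}
    for line in body.splitlines():
        m = MD5_LINE.match(line)
        if m:
            found[m.group(2)] = m.group(1).lower()
    return found

def check_files(clearsigned, files):
    """Compare each file (name -> bytes) against the signed digests and return
    name -> 'OK' | 'FAILED' | 'MISSING', mirroring md5sum -c's verdicts."""
    verdicts = {}
    for name, digest in parse_md5sum(signed_body(clearsigned)).items():
        if name not in files:
            verdicts[name] = "MISSING"
        else:
            actual = hashlib.md5(files[name]).hexdigest()
            verdicts[name] = "OK" if actual == digest else "FAILED"
    return verdicts

# Constructed sample: stand-in bytes for the src.rpm and a clearsigned
# md5sum.asc over them.  The armor body is a placeholder, not a real signature.
RPM_NAME = "apt-0.5.15cnc5-0.fdr.7.rh73.legacy.src.rpm"
SAMPLE_RPM = b"constructed stand-in for the src.rpm contents"
SAMPLE_ASC = "\n".join([
    CLEARSIGN_HDR, "Hash: SHA1", "",
    hashlib.md5(SAMPLE_RPM).hexdigest() + "  " + RPM_NAME,
    SIG_HDR, "Version: GnuPG v1.2.4 (GNU/Linux)", "", "PLACEHOLDER-SIGNATURE",
    "-----END PGP SIGNATURE-----",
])
```

Running `check_files(SAMPLE_ASC, {RPM_NAME: SAMPLE_RPM})` reports OK, and the same call with one byte appended to the file reports FAILED.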