-
Notifications
You must be signed in to change notification settings - Fork 51
FAQ
How to sign a release using GPG?
How to use GPG to verify signed release?
Where can I create a ticket issue concerning the LF Edge infrastructure?
A good example of a release signature can be found on the link. However, 5 and 6 items are described separately.
gpg --full-generate-key
During the execution of this command, you will need to enter additional data:
- Please select what kind of key you want: 1
- What keysize do you want? (3072): 4096
- Please specify how long the key should be valid: 0
- Key is valid for? (0): 0
- Is this correct? (y/N): y
- Real name: LF Home Edge
- Email address: [email protected]
- Comment: Keys for edge-home-orchestration-go
In this case, the result will be the next
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: LF Home Edge
Email address: [email protected]
Comment: Keys for edge-home-orchestration-go
You selected this USER-ID:
"LF Home Edge (Keys for edge-home-orchestration-go) <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key BE13B1D440E813F0 marked as ultimately trusted
gpg: revocation certificate stored as '/home/virtual-pc/.gnupg/openpgp-revocs.d/D3C7C06AC34BDA9A41388E76BE13B1D440E813F0.rev'
public and secret key created and signed.
pub rsa4096 2021-10-15 [SC]
D3C7C06AC34BDA9A41388E76BE13B1D440E813F0
uid LF Home Edge (Keys for edge-home-orchestration-go) <[email protected]>
sub rsa4096 2021-10-15 [E]
gpg --armor --detach-sign edge-home-orchestration-go-vx.x.x.tar.gz
If the gpg stores more than one key, you must specify the key that will be used by adding the option
-u <key-ID>
gpg --output edge-home-orchestration-go-public.pgp --armor --export [email protected]
gpg --output edge-home-orchestration-go-private.pgp --armor --export-secret-key [email protected]
It should be noted that only the signature file (
edge-home-orchestration-go-vx.x.x.tar.gz.asc
) and the public key (edge-home-orchestration-go-public.pgp
) must be loaded as an artifact to release.
For this need to download the private key (edge-home-orchestration-go-private.pgp
) by the next command:
gpg --import edge-home-orchestration-go-private.pgp
To perform the verification, you need the following:
- signed file – for example
edge-home-orchestration-go-vx.x.x.tar.gz
- signature file – accompanying file with “.asc” extension (Ex.
edge-home-orchestration-go-vx.x.x.tar.gz.asc
) - public key – for example
edge-home-orchestration-go-public.pgp
gpg --import <public key>
gpg --verify <signature file> <signed file>