2022-08-08 21:54:01

by Konstantin Ryabitsev

Subject: [PATCH v2 0/5] Update the maintainer PGP guide

This series updates the guide to match terminology used in the upstream
"protecting code integrity" guide and brings the documentation in line
with the latest developments in the GnuPG world:

- uses "Certify key" instead of "master key" terms to remove common
confusion that the "Certify key" is somehow able to restore lost
private subkeys
- removes keyserver instructions because keyservers have largely gone
semi-extinct due to GDPR enforcement and just general neglect
- adds a link to the kernel.org PGP keyring documentation
- updates information about ECC curve support among the devices the
guide talks about (Yubikeys are able to use ED25519 curves with the
latest firmware updates)
- adds a section on using PGP-signed patches with b4 and patatt

Link: https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md
Signed-off-by: Konstantin Ryabitsev <[email protected]>

---
Changes in v2:
- Rebase on v5.19.
- Small wording changes based on feedback.
- Link to v1: https://lore.kernel.org/r/[email protected]

---
Konstantin Ryabitsev (5):
maintainer-pgp-guide: use key terminology consistent with upstream
maintainer-pgp-guide: remove keyserver instructions
maintainer-pgp-guide: update ECC support information
maintainer-pgp-guide: add a section on PGP-signed patches
maintainer-pgp-guide: minor wording tweaks

Documentation/process/maintainer-pgp-guide.rst | 286 ++++++++++++-------------
1 file changed, 142 insertions(+), 144 deletions(-)
---
base-commit: 3d7cb6b04c3f3115719235cc6866b10326de34cd
change-id: 20220727-docs-pgp-guide-1dfc91614c0f

Best regards,
--
Konstantin Ryabitsev <[email protected]>


2022-08-08 21:56:33

by Konstantin Ryabitsev

Subject: [PATCH v2 3/5] maintainer-pgp-guide: update ECC support information

Update ECC sections with the latest details, now that Yubikeys are able
to support ED25519 curves. Tweak a few links to smartcard devices to
reflect the latest URL changes.

Signed-off-by: Konstantin Ryabitsev <[email protected]>

diff --git a/Documentation/process/maintainer-pgp-guide.rst b/Documentation/process/maintainer-pgp-guide.rst
index ead5bc815017..bf288925973e 100644
--- a/Documentation/process/maintainer-pgp-guide.rst
+++ b/Documentation/process/maintainer-pgp-guide.rst
@@ -228,11 +228,9 @@ separate signing subkey::
recommend that you create an ECC signing subkey for your kernel
work.

- If for some reason you prefer to stay with RSA subkeys, just replace
- "ed25519" with "rsa2048" in the above command. Additionally, if you
- plan to use a hardware device that does not support ED25519 ECC
- keys, like Nitrokey Pro or a Yubikey, then you should use
- "nistp256" instead or "ed25519."
+ Note, that if you plan to use a hardware device that does not
+ support ED25519 ECC keys, you should choose "nistp256" instead or
+ "ed25519."


Back up your Certify key for disaster recovery
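Review bot: the rewritten note carries over the typo "instead or" from the removed text; the last two added lines should read `you should choose "nistp256" instead of "ed25519".` (with the period outside the quotes, matching the curve name exactly), and "Note, that if" should be "Note that if". The hunk also drops the only sentence telling readers how to stay on RSA subkeys (replace "ed25519" with "rsa2048" in the command above); if that is still a supported choice, keeping one sentence for it would avoid leaving RSA-only users without guidance.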
@@ -438,7 +436,8 @@ functionality. There are several options available:
- `Yubikey 5`_: proprietary hardware and software, but cheaper than
Nitrokey Pro and comes available in the USB-C form that is more useful
with newer laptops. Offers additional security features such as FIDO
- U2F, among others, and now finally supports ECC keys (NISTP).
+ U2F, among others, and now finally supports NISTP and ED25519 ECC
+ keys.

`LWN has a good review`_ of some of the above models, as well as several
others. Your choice will depend on cost, shipping availability in your
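Review bot: "now finally supports NISTP and ED25519 ECC keys" states the capability without the condition the cover letter attaches to it ("with the latest firmware updates"), so a reader with an older Yubikey 5 would take it as supporting ed25519 unconditionally. Suggest qualifying the added text, e.g. "supports NISTP and, with recent firmware, ED25519 ECC keys", so it stays consistent with the nistp256 fallback the guide still gives a few sections earlier for devices that cannot do ED25519.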
@@ -451,7 +450,7 @@ geographical region, and open/proprietary hardware considerations.
Foundation.

.. _`Nitrokey Start`: https://shop.nitrokey.com/shop/product/nitrokey-start-6
-.. _`Nitrokey Pro 2`: https://shop.nitrokey.com/shop/product/nitrokey-pro-2-3
+.. _`Nitrokey Pro 2`: https://shop.nitrokey.com/shop/product/nkpr2-nitrokey-pro-2-3
.. _`Yubikey 5`: https://www.yubico.com/products/yubikey-5-overview/
.. _Gnuk: https://www.fsij.org/doc-gnuk/
.. _`LWN has a good review`: https://lwn.net/Articles/736231/
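Review bot: only the Nitrokey Pro 2 link is moved to the new "nkpr2-" prefixed product slug, while the Nitrokey Start link on the same shop keeps the old "nitrokey-start-6" form; since the commit message says the links are being brought in line with the latest URL changes, it is worth checking that the Start URL still resolves and updating it in the same hunk if it has moved too.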

--
b4 0.10.0-dev-fe10a

2022-08-18 17:21:08

by Jonathan Corbet

Subject: Re: [PATCH v2 0/5] Update the maintainer PGP guide

Konstantin Ryabitsev <[email protected]> writes:

> This series updates the guide to match terminology used in the upstream
> "protecting code integrity" guide and brings the documentation in line
> with the latest developments in the GnuPG world:
>
> - uses "Certify key" instead of "master key" terms to remove common
> confusion that the "Certify key" is somehow able to restore lost
> private subkeys
> - removes keyserver instructions because keyservers have largely gone
> semi-extinct due to GDPR enforcement and just general neglect
> - adds a link to the kernel.org PGP keyring documentation
> - updates information about ECC curve support among the devices the
> guide talks about (Yubikeys are able to use ED25519 curves with the
> latest firmware updates)
> - adds a section on using PGP-signed patches with b4 and patatt
>
> Link: https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md
> Signed-off-by: Konstantin Ryabitsev <[email protected]>
>
> ---
> Changes in v2:
> - Rebase on v5.19.
> - Small wording changes based on feedback.
> - Link to v1: https://lore.kernel.org/r/[email protected]

I've applied the set, thanks.

jon