[ClusterLabs Developers] [HA/ClusterLabs Summit] Key-Signing Party, 2017 Edition

Kristoffer Grönlund kgronlund at suse.com
Mon Jul 24 10:18:20 CEST 2017


Jan Pokorný <jpokorny at redhat.com> writes:

> Hello cluster masters :-)
>
> as there's a little less than 7 weeks left to "The Summit" meetup
> (<http://plan.alteeve.ca/>), it's about time to get the ball
> rolling so we can voluntarily augment the digital trust amongst
> us the attendees, on an OpenPGP basis.
>
> Doing that, we'll actually establish a tradition since this will
> be the second time such an event is being kicked off (unlike the birds
> of a feather gathering itself, was edu-feathered back then):
>
>   <https://people.redhat.com/jpokorny/keysigning/2015-ha/>
>   <http://lists.linux-ha.org/pipermail/linux-ha/2015-January/048507.html>
>
> If there are no objections, yours truly will conduct this undertaking.
> (As an aside, I am toying with an idea of optimizing the process
> a bit now that many keys are cross-signed already; I doubt there's
> any value in adding identical signatures just with different timestamps,
> unless, of course, the inscribed level of trust is going to change,
> presumably elevate -- any comments?)

Hi Jan,

No objections from me, thank you for taking charge of this!

Cheers,
Kristoffer


>
> * * *
>
> So, going to attend the summit and want your key signed while reciprocally
> spreading the web of trust?
> Awesome, let's reuse the steps from the last time:
>
> Once you have a key pair (and provided that you are using GnuPG),
> please run the following sequence:
>
>     # figure out the key ID for the identity to be verified;
>     # IDENTITY is either your associated email address/your name
>     # if only a single key ID matches, or the specific key ID otherwise
>     # (you can use "gpg -K" to select the desired ID at the "sec" line)
>     KEY=$(gpg --list-keys --with-colons 'IDENTITY' | grep '^pub' | cut -d: -f5)
>
>     # export the public key to a file that is suitable for exchange
>     gpg --export -a -- "$KEY" > "$KEY"
>
>     # verify that you have the expected data to share
>     gpg --with-fingerprint -- "$KEY"
>
> with IDENTITY adjusted as per the instruction above, and send me the
> resulting $KEY file, preferably in a signed (or even encrypted[*]) email
> from an address associated with that very public key of yours.
>
> Timeline?
> Please, send me your public keys *by 2017-09-05*, off-list and
> best with [key-2017-ha] prefix in the subject.  I will then compile
> a list of the attendees together with their keys and publish it at
> <https://people.redhat.com/jpokorny/keysigning/2017-ha/>
> so it can be printed beforehand.
>
> [*] You can find my public key at public keyservers:
> <http://pool.sks-keyservers.net/pks/lookup?op=vindex&search=0x60BCBB4F5CD7F9EF>
> Indeed, the trust in this key should be ephemeral/one-off
> (e.g. using a temporary keyring, not a universal one before we
> proceed with the signing :)
>
> * * *
>
> Thanks for your cooperation, looking forward to this side stage
> (but nonetheless important if release or commit[1] signing is to get
> traction) happening and hope this will be beneficial to all involved.
>
> See you there!
>
>
> [1] for instance, see:
>     <https://github.com/blog/2144-gpg-signature-verification>
>     <https://pagure.io/pagure/issue/885>
>
> -- 
> Jan (Poki)

-- 
// Kristoffer Grönlund
// kgronlund at suse.com
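
Added example (not part of the thread, and not code from either author): before signing a key file received for the party, its primary fingerprint can be compared with the one checked on the printed list, inside a throw-away keyring of the kind the [*] note mentions. The function names and the sample listing are constructed for illustration; the code assumes GnuPG's colon-delimited listing format and v4 fingerprints (40 hex digits).

```shell
# Added example, not from the thread; function names are hypothetical.

# Constructed, trimmed sample of `gpg --with-colons --fingerprint` output.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::::Constructed Attendee <attendee@example.org>:
sub:-:4096:1:76543210FEDCBA98:1500000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}

# Print primary-key fingerprints only: the "fpr" record right after "pub".
# A plain grep '^fpr' would also return subkey fingerprints.
primary_fpr() {
    awk -F: '$1 == "pub" { p = 1; next }
             $1 == "sub" { p = 0; next }
             $1 == "fpr" && p { print $10; p = 0 }'
}

# Normalise a fingerprint typed from the printed list (spaces, 0x, lower case).
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# check_listing EXPECTED_FPR < colon-listing
# True only for exactly one primary key whose full fingerprint matches.
check_listing() {
    exp=$(norm_fpr "$1")
    case $exp in ''|*[!0-9A-F]*) echo "not hex: $1" >&2; return 2 ;; esac
    # A key ID is just the fingerprint's tail; insist on all 40 digits (v4 key).
    [ "${#exp}" -eq 40 ] || { echo "need the full fingerprint" >&2; return 2; }
    got=$(primary_fpr)
    [ "$got" = "$exp" ]   # two keys in the file give two lines, so no match
}

# check_keyfile FILE EXPECTED_FPR: inspect FILE in a throw-away keyring.
check_keyfile() {
    tmp=$(mktemp -d) || return 2
    if gpg --homedir "$tmp" --batch --quiet --import -- "$1" 2>/dev/null &&
       gpg --homedir "$tmp" --batch --with-colons --fingerprint 2>/dev/null |
           check_listing "$2"
    then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}
```

Typical use is `check_keyfile ./KEYFILE 'fingerprint as printed on the list' && echo match`; nothing is imported into the regular keyring at any point.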


