Skip to content

FAQ

Jump to bottom
Taras Drozdovskyi edited this page Oct 24, 2023 · 1 revision

Contents

How to sign a release using GPG?
How to use GPG to verify signed release?
How to use DCO via the command line

How to sign a release using GPG? (for maintainers)

A good example of a release signature can be found on the link. However, 5 and 6 items are described separately.

Creating a key pair

gpg --full-generate-key

During the execution of this command, you will need to enter additional data:

  • Please select what kind of key you want: 1
  • What keysize do you want? (3072): 4096
  • Please specify how long the key should be valid: 0
  • Key is valid for? (0): 0
  • Is this correct? (y/N): y
  • Real name: LPVS
  • Email address: o.kopysov@samsung.com
  • Comment: Keys for LPVS

In this case, the result will be the next

gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: LPVS
Email address: o.kopysov@samsung.com
Comment: Keys for LPVS
You selected this USER-ID:
    "LPVS (Keys for LPVS) <o.kopysov@samsung.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key BE13B1D440E813F0 marked as ultimately trusted
gpg: revocation certificate stored as '/home/virtual-pc/.gnupg/openpgp-revocs.d/D3C7C06AC34BDA9A41388E76BE13B1D440E813F0.rev'
public and secret key created and signed.

pub   rsa4096 2021-10-15 [SC]
      D3C7C06AC34BDA9A41388E76BE13B1D440E813F0
uid                      LPVS (Keys for LPVS) <o.kopysov@samsung.com>
sub   rsa4096 2021-10-15 [E]

Create and sign a tag with your created key

Set your GPG signing key in Git

git config --global user.signingkey <key-ID>

Create and sign the tag

git tag -s <tag>

Sign the release tarball with your created key

gpg --armor --detach-sign lpvs-vx.x.x.tar.gz

If you have multiple keys, you must specify the key that will be used by adding the option -u <key-ID>

Extraction a copy of a key pair from local gpg keyring

gpg --output lpvs-public.pgp --armor --export o.kopysov@samsung.com 
gpg --output lpvs-private.pgp --armor --export-secret-key o.kopysov@samsung.com

It should be noted that only the signature file (lpvs-vx.x.x.tar.gz.asc) and the public key (lpvs-public.pgp) must be loaded as an artifact to release.

To sign the release using another computer

For this need to download the private key (lpvs-private.pgp) by the next command:

gpg --import lpvs-private.pgp

How to use GPG to verify signed release?

To perform the verification, you need the following:

  • signed file – for example lpvs-vx.x.x.tar.gz
  • signature file – accompanying file with “.asc” extension (Ex. lpvs-vx.x.x.tar.gz.asc)
  • public key – for example lpvs-public.pgp

Import the public key to your keystore

gpg --import <public key>

Verification signed file

gpg --verify <signature file> <signed file>

If you have multiple keys, you must specify the key that will be used by adding the option -u <key-ID>

DCO via the command line

The most popular way to do DCO is to sign off your username and email address in the git command line.

First, configure your local git install.

$ git config --global user.name "John Doe" 
$ git config --global user.email johndoe@example.com

Obviously, you should use your own name and the email address associated with your GitHub user account.

Now, every time you commit new code in git, just add a signoff statement via the -s flag.

$ git commit -s -m "This is my commit message"

That’s it. Git adds your sign-off message in the commit message, and you contribution (commit) is now DCO compliant.

Community

  Code  

I - Starting

  1. Introducing
  2. LPVS Architecture
  3. Quick Start
  4. Roadmap 2023-2024
  5. R&R members

II - Development

  1. Contributing
  2. Code Style
  3. Testing
  4. Code review requirements
  5. Useful Utilities

III - References

  1. FAQ
Clone this wiki locally