Creating the fingerprints file

Micah Lee edited this page Aug 31, 2016 · 1 revision

First you must generate an authority key. For higher security, I recommend that you store this key on an OpenPGP smart card such as a Yubikey. Here's an example authority key:

$ gpg2 --list-keys --fingerprint "GPG Sync Example Authority"
pub   rsa4096/980EA13A 2016-07-07 [SC] [expires: 2017-07-07]
      Key fingerprint = 2646 A274 C86C 618D 6DB9  23A1 F0B6 DC77 980E A13A
uid         [ultimate] GPG Sync Example Authority
sub   rsa4096/9484EB1D 2016-07-07 [E] [expires: 2017-07-07]

Now create a list of all of the fingerprints that your organization uses. I recommend that you manually compare each person's fingerprint before adding it to this list. And while this isn't required by GPG Sync, it's a good idea to sign each person's key with your authority key, and have them sign the authority key back, so you can build an internal web of trust.

Each fingerprint should have its own line. Spaces within fingerprints are optional. Comments (which start with a # character) and whitespace are ignored, so feel free to mark up your fingerprints file with notes. Here's my example fingerprints.txt.

# Micah Lee
927F 419D 7EC8 2C2F 149C  1BD1 403C 2657 CD99 4F73 # current
0B14 9192 9806 5962 5470  0155 FD72 0AD9 EBA3 4B1C # old, revoked

# TODO: add other keys

# First Look warrant canary key
91C0 C982 A41F 8D39 3953  1A71 FAB7 37F9 C5C1 CA80
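As an added illustration of the file format just described (this is example code, not part of GPG Sync itself), here is a small parser that applies the rules above: one fingerprint per line, spaces inside a fingerprint optional, `#` comments and surrounding whitespace ignored. It also rejects anything that is not a 40-hex-digit fingerprint and offers a helper that re-groups a bare fingerprint into the `gpg --fingerprint` layout so it can be compared by eye against the person's key, as recommended above. The sample text is the page's own example file; normalising letters to upper case and dropping duplicate lines are choices made here, not rules the page states.

```python
import re

# The page's example fingerprints.txt, embedded so the example runs offline.
SAMPLE_FINGERPRINTS_TXT = """\
# Micah Lee
927F 419D 7EC8 2C2F 149C  1BD1 403C 2657 CD99 4F73 # current
0B14 9192 9806 5962 5470  0155 FD72 0AD9 EBA3 4B1C # old, revoked

# TODO: add other keys

# First Look warrant canary key
91C0 C982 A41F 8D39 3953  1A71 FAB7 37F9 C5C1 CA80
"""

# An OpenPGP v4 fingerprint is SHA-1 based: 160 bits, i.e. 40 hex digits.
FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")


class FingerprintFileError(ValueError):
    """Raised when a non-comment line is not a valid fingerprint."""


def parse_fingerprints(text):
    """Return the list of normalised fingerprints in a fingerprints.txt body.

    Rules applied: '#' starts a comment that runs to end of line, blank lines
    are skipped, whitespace inside a fingerprint is dropped, hex digits are
    upper-cased (an assumption made here), and a line that is left over but
    is not exactly 40 hex digits is an error rather than silently ignored.
    """
    fingerprints = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # strip trailing comment
        fp = "".join(line.split()).upper()   # drop all whitespace, normalise case
        if not fp:
            continue                         # blank or comment-only line
        if not FINGERPRINT_RE.match(fp):
            raise FingerprintFileError(
                f"line {lineno}: not a 40-hex-digit fingerprint: {raw.strip()!r}"
            )
        if fp not in fingerprints:           # keep first occurrence only
            fingerprints.append(fp)
    return fingerprints


def load_fingerprints(path):
    """Read and parse a fingerprints.txt file from disk."""
    with open(path, "r", encoding="utf-8") as f:
        return parse_fingerprints(f.read())


def format_fingerprint(fp):
    """Render a bare 40-hex fingerprint the way gpg --fingerprint prints it:
    ten groups of four, with a double space between the two halves."""
    groups = [fp[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


if __name__ == "__main__":
    for fp in parse_fingerprints(SAMPLE_FINGERPRINTS_TXT):
        print(format_fingerprint(fp))
```

The parser assumes the file's detached signature has already been checked against the authority key (for example with `gpg2 --verify fingerprints.txt.sig fingerprints.txt`); a fingerprint list that has not been verified should not be acted on, however well-formed it looks.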

Next, create a detached signature of your list of fingerprints using your authority key. Here's how I'm doing it in my example:

$ gpg2 -u 980EA13A --detach-sign fingerprints.txt

This creates a second file, fingerprints.txt.sig, which contains the signature.

Finally, upload fingerprints.txt and fingerprints.txt.sig to a website (if you'd like, you could maintain this file in a public git repository) and make a note of the URL, as well as the authority key fingerprint. You'll need to give the signing key fingerprint and the URL of fingerprints.txt to each member of your organization in order to configure GPG Sync on their computers.

Each time there is a key change in your organization, you need to add the new fingerprints to fingerprints.txt, re-sign it with your authority key, and re-upload it to the same URL.
