Subject: Re: adding gpg to src/gnu/dist
To: Alistair Crooks <agc@pkgsrc.org>
From: Love <lha@stacken.kth.se>
List: tech-security
Date: 05/14/2004 21:14:11
Alistair Crooks <agc@pkgsrc.org> writes:
> 1. gpg --recv-key 0x0123abcd
>
> 2. gpg --refresh-keys
>
> 3. gpg --sign-key 0x0123abcd
>
> 4. gpg --send-key 0x0123abcd
This all is key management, and openssl is not very user-friendly on that
point. Get yourself a friendly CA software, part of the problem is to
understand the lingo.
You should really just do like all us other sane people, get yourself a
trusted fool to run the CA for you :)
> 5. gpg --encrypt
We need encrypt for pkgsrc?
> 6. gpg --verify
> 7. gpg --sign
Sign and verify file hello; "ASCII armoured files" (PEM) are used.
openssl smime -sign -noattr -binary -outform PEM -out hello.sp7 -in hello -signer /secure/lha/su/CA/lha.crt -certfile /secure/lha/su/CA/lha-chain -inkey /secure/lha/su/CA/lha.key
openssl smime -verify -inform PEM -in hello.sp7 -content hello -CAfile /secure/lha/su/CA/swupki-pca.crt -out /dev/null
Or, see <http://people.su.se/~lha/patches/netbsd/sign/>, all this wrapped
in a short program. I'll happily provide a manpage and KNF the program if
needed.
: lha@nutcracker ; ./nbsvtool -h
nbsvtool usage
nbsvtool -k keyfile -c cert-chain [-f cert-chain] sign file
nbsvtool [-a x509-anchor-file] verify filename.sp7
nbsvtool [-a x509-anchor-file] verify filename otherfilename.sp7
> (6 and 7 have to deal with and without detached ASCII-armo(u)red files)
>
> I also need to be able to set a key server for each of these commands.
>
> 8. gpg --list-keys
Why is this needed?
> I'm quite serious about this - if it can be done with openssl
Yes, it can be done with OpenSSL.
Love
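
The detached sign-and-verify round trip from the message above, as an added example that is not part of the original post or of nbsvtool. It uses the same openssl smime options and shows that verification fails for modified content and for a different trust anchor. The CA, signer, names and paths are throwaways constructed for the demo, and -certfile is left out because the test chain has no intermediates.

```sh
#!/bin/sh
# Added example: every key, certificate, name and path below is a throwaway
# constructed for the demo; none of it comes from the original message.
set -eu

make_pki() {    # $1 = empty directory to fill with a test CA and signer
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Signer" \
        -keyout "$1/signer.key" -out "$1/signer.csr" 2>/dev/null
    openssl x509 -req -in "$1/signer.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/signer.crt" 2>/dev/null
}

sign_file() {   # $1 = PKI directory, $2 = file to sign; writes detached $2.sp7
    # No -certfile here: the test chain has no intermediate certificates.
    openssl smime -sign -noattr -binary -outform PEM -in "$2" -out "$2.sp7" \
        -signer "$1/signer.crt" -inkey "$1/signer.key"
}

verify_file() { # $1 = trust anchor, $2 = content file, $3 = detached signature
    openssl smime -verify -inform PEM -in "$3" -content "$2" \
        -CAfile "$1" -out /dev/null 2>/dev/null
}

check() {       # prints "accepted" or "rejected" for one verification attempt
    if verify_file "$@"; then echo accepted; else echo rejected; fi
}

run_demo() {
    work=$(mktemp -d)
    mkdir "$work/ours" "$work/other"
    make_pki "$work/ours"; make_pki "$work/other"
    printf 'hello, world\n' > "$work/hello"
    sign_file "$work/ours" "$work/hello"
    # Tampered copy: one extra byte appended after signing.
    cp "$work/hello" "$work/hello.bad"; printf 'x' >> "$work/hello.bad"
    echo "good=$(check "$work/ours/ca.crt" "$work/hello" "$work/hello.sp7")" \
         "tampered=$(check "$work/ours/ca.crt" "$work/hello.bad" "$work/hello.sp7")" \
         "wrong-anchor=$(check "$work/other/ca.crt" "$work/hello" "$work/hello.sp7")"
    rm -rf "$work"
}

run_demo
```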