- You need a PGP key to sign releases for Apache Cordova.
- GnuPG, gpg for short, is the Apache recommended client to create and manage these keys.
- PGP, GPG, GnuPG, OpenPGP can be confusing - read about the background
On a Mac:
brew install gpg
On Windows:
Download and install gpg4win
Create a new key with:
- email = [email protected]
- description = "CODE SIGNING KEY"
Use this command:
gpg --gen-key
(more elaborate instructions at http://www.apache.org/dev/openpgp.html#generate-key + http://www.apache.org/dev/openpgp.html#generation-final-steps)
Look at your keyring:
gpg --list-sigs --fingerprint
Example Output:
pub 4096R/8A496450 2014-02-27
Key fingerprint = B998 A96C 4DAA 821A 9C3A FA5C E28E 332A 8A49 6450
uid Andrew Grieve (CODE SIGNING KEY) <[email protected]>
sig 3 8A496450 2014-02-27 Andrew Grieve (CODE SIGNING KEY) <[email protected]>
sub 4096R/A59029E7 2014-02-27
sig 8A496450 2014-02-27 Andrew Grieve (CODE SIGNING KEY) <[email protected]>
In this example, 8A496450 is your key ID. Set it to an environment variable:
KEY_ID=8A496450
(Or on Windows: set KEY_ID=8A496450. Everywhere you see $KEY_ID from now on, use %KEY_ID% instead)
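The 8-character key ID used for KEY_ID above is only the tail of the fingerprint, and different keys can share it. As an added example (not part of the original Cordova instructions), this shell function resolves a short ID to exactly one full fingerprint from gpg's colon-delimited listing and fails when the ID is missing or ambiguous; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Resolve a short key ID to one full primary-key fingerprint.
# Reads `gpg --with-colons --fingerprint` output on stdin.
# Exit status: 0 = one match, 1 = no match, 2 = several keys share the ID.
resolve_fpr() {
    awk -F: -v id="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        $1 == "pub" || $1 == "sec" { want = 1; next }  # primary key record
        $1 == "sub" || $1 == "ssb" { want = 0; next }  # subkey: ignore its fpr
        $1 == "fpr" && want {
            want = 0
            fpr = $10                                  # field 10 holds the fingerprint
            # A key ID is the trailing hex digits of the fingerprint.
            if (length(fpr) >= length(id) &&
                substr(fpr, length(fpr) - length(id) + 1) == id) {
                n++; found = fpr
            }
        }
        END {
            if (n == 1) { print found; exit 0 }
            exit (n == 0 ? 1 : 2)
        }'
}

# Constructed sample listing, modelled on the example output above
# (the uid and the subkey fingerprint are made up).
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:E28E332A8A496450:1393459200:::u:::scESC:
fpr:::::::::B998A96C4DAA821A9C3AFA5CE28E332A8A496450:
uid:u::::1393459200::0000000000000000000000000000000000000000::Example Committer (CODE SIGNING KEY) <committer@example.invalid>:
sub:u:4096:1:00001111A59029E7:1393459200::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF00001111A59029E7:
EOF
}

# Demo on the constructed listing. With a real keyring, pipe in:
#   gpg --with-colons --fingerprint
KEY_ID=$(sample_listing | resolve_fpr 8A496450) && echo "KEY_ID=$KEY_ID"
```

Setting KEY_ID to the full fingerprint works with the gpg --export and --send-keys commands that follow, since gpg accepts a fingerprint wherever it accepts a key ID.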
Publish to dist/KEYS:
# Clone `cordova-dist` if you don't have it already:
coho repo-clone -r dist
# Append your key to the KEYS file
gpg --armor --export $KEY_ID >> cordova-dist/KEYS
# Make sure that's the only change to the file
( cd cordova-dist && svn diff )
# Commit
( cd cordova-dist && svn commit -m "Added my signing PGP key to KEYS" )
See committer subversion access for information on how to access SVN (TLDR: add --username=... to the svn commit command if needed).
Publish to keys.gnupg.net:
gpg --keyserver hkp://keys.gnupg.net --send-keys $KEY_ID
Visit http://pgp.mit.edu/ and paste in the result of:
# Mac
gpg --armor --export $KEY_ID | pbcopy
# Windows
gpg --armor --export $KEY_ID | clip
Copy to your Apache homedir:
gpg --armor --export $KEY_ID > $KEY_ID.asc
scp $KEY_ID.asc people.apache.org:
Recommended to make it easier for other PMC members to check dist archives:
Here is a quick command to show your gpg key fingerprint:
gpg --fingerprint
Sign in to https://id.apache.org/ and add your fingerprint (not your KEY_ID). This will cause emails from Apache to you to be encrypted.
curl "https://people.apache.org/keys/group/cordova.asc" | gpg --import
Import any extra committer's keys via:
curl "https://dist.apache.org/repos/dist/release/cordova/KEYS" | gpg --import