Posted to dev@river.apache.org by Peter Firmstone <ji...@zeus.net.au> on 2010/01/01 08:59:08 UTC

Apache release signing on Solaris 10

I've been attempting to compile and install GnuPG 2.0.14 as per 
http://www.apache.org/dev/openpgp.html#generate-key

Unfortunately GnuPG 2.0.14 depends upon libassuan-1.0.5 which uses 
funopen or fopencookie calls that don't exist on Solaris 10.  NB. I 
succeeded getting GNU PThreads library version 2.0.7 compiled and 
installed, which incidentally requested I email the author, to include 
it in the tested platforms (after passing all tests).

Other libraries required that I compiled and installed were:
libgcrypt
libksba
libgpg-error

I have GnuPG 1.4.10 installed, it can generate 4096 bit RSA keys.

Is there anything on Solaris 10 that is considered suitable for key 
generation for Apache?

Cheers,

Peter.



Re: Apache release signing on Solaris 10

Posted by Peter Firmstone <ji...@zeus.net.au>.
Hi Robert,

This might be of interest to you as well:

bash-3.00$ gpg --version
gpg (GnuPG) 1.4.10
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

N.B. Good luck with your exams.

Thanks,

Peter.

Peter Firmstone wrote:
> Hi Robert,
>
> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
>                                                                                
> Set preference list to:
>     Cipher: AES256, AES192, AES, CAST5, 3DES
>     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
>     Compression: ZLIB, BZIP2, ZIP, Uncompressed
>     Features: MDC, Keyserver no-modify
> Really update the preferences? (y/N) y
>
> You need a passphrase to unlock the secret key for
> user: "Peter Firmstone (Engineer) <pe...@zeus.net.au>"
> 4096-bit RSA key,
>
> gpg --list-secret-keys reports that both keys start with 4096R/KeyID
>
> And I've added to the end of my gpg.conf:
>
> personal-digest-preferences SHA512
> cert-digest-algo SHA512
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
>
> I edited gpg.conf after I had generated my keys.
>
> Is this ok?
>
> Cheers,
>
> Peter.
>
> Robert Burrell Donkin wrote:
>> On Mon, Jan 4, 2010 at 12:32 AM, Craig L Russell 
>> <Cr...@sun.com> wrote:
>>  
>>> Hi Peter,
>>>
>>> The only reason *not* to use 1.4.10 IMHO is if the generated artifacts
>>> somehow are incompatible with other GPG programs out there.
>>>     
>>
>> unfortunately, some older programs are no longer secure after the
>> SHA-1 breakage. you need to check that SHA is set to 512 (or 256) for
>> signing and that both encrypt and sign keys are 4096 bit RSA (the
>> older versions did not use RSA for both keys).
>>
>> - robert
>>
>>   
>
>


Re: Apache release signing on Solaris 10

Posted by Peter Firmstone <ji...@zeus.net.au>.
Hi Robert,

setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
                                                                                
Set preference list to:
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
Really update the preferences? (y/N) y

You need a passphrase to unlock the secret key for
user: "Peter Firmstone (Engineer) <pe...@zeus.net.au>"
4096-bit RSA key,

gpg --list-secret-keys reports that both keys start with 4096R/KeyID

And I've added to the end of my gpg.conf:

personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

I edited gpg.conf after I had generated my keys.

Is this ok?

Cheers,

Peter.

Robert Burrell Donkin wrote:
> On Mon, Jan 4, 2010 at 12:32 AM, Craig L Russell <Cr...@sun.com> wrote:
>   
>> Hi Peter,
>>
>> The only reason *not* to use 1.4.10 IMHO is if the generated artifacts
>> somehow are incompatible with other GPG programs out there.
>>     
>
> unfortunately, some older programs are no longer secure after the
> SHA-1 breakage. you need to check that SHA is set to 512 (or 256) for
> signing and that both encrypt and sign keys are 4096 bit RSA (the
> older versions did not use RSA for both keys).
>
> - robert
>
>   


Re: Apache release signing on Solaris 10

Posted by Robert Burrell Donkin <ro...@gmail.com>.
On Mon, Jan 4, 2010 at 12:32 AM, Craig L Russell <Cr...@sun.com> wrote:
> Hi Peter,
>
> The only reason *not* to use 1.4.10 IMHO is if the generated artifacts
> somehow are incompatible with other GPG programs out there.

unfortunately, some older programs are no longer secure after the
SHA-1 breakage. you need to check that SHA is set to 512 (or 256) for
signing and that both encrypt and sign keys are 4096 bit RSA (the
older versions did not use RSA for both keys).

- robert

Re: Apache release signing on Solaris 10

Posted by Peter Firmstone <ji...@zeus.net.au>.
Robert Burrell Donkin wrote:
> On Mon, Jan 4, 2010 at 5:06 PM, Craig L Russell <Cr...@sun.com> wrote:
>   
>> Hi Peter,
>>
>> From my perspective, you're good to go. The signature you made checks out.
>>
>> You'll need to put your public key into the svn repository associated with
>> the river project (if you need details after looking around, let me know --
>> I'm a little hazy on the details).
>>     
>
> i haven't been tracking the progress made by infra so you might need
> to check the archives but AFAIK we're still just using a KEYS file.
> this consists of ASCII-exported public keys (IIRC this is covered in
> the documentation). a good way to start a file is by copying the
> template from an existing one.
>
>   
>> And I guess you're still awaiting a response whether your key is good
>> enough. Robert, any feedback?
>>     
>
> there are basically 3 things to check:
>
> 1. that both encryption and signing keys are 4096 RSA
> 2. that the keyring preferences are set to strong signing
> 3. that the key preferences are set to strong signing
>
> and AFAICT the key looks fine
>
> (probably need to find some time to update the documentation since the
> GnuPG team now seem to have set everything up okay by defaults for the
> new releases...)
>   
The documentation was very helpful, SHA-1 was still the default first 
preference, so I wouldn't go changing it just yet.

> - robert
>
>   


Re: Apache release signing on Solaris 10

Posted by Robert Burrell Donkin <ro...@gmail.com>.
On Mon, Jan 4, 2010 at 5:06 PM, Craig L Russell <Cr...@sun.com> wrote:
> Hi Peter,
>
> From my perspective, you're good to go. The signature you made checks out.
>
> You'll need to put your public key into the svn repository associated with
> the river project (if you need details after looking around, let me know --
> I'm a little hazy on the details).

i haven't been tracking the progress made by infra so you might need
to check the archives but AFAIK we're still just using a KEYS file.
this consists of ASCII-exported public keys (IIRC this is covered in
the documentation). a good way to start a file is by copying the
template from an existing one.

> And I guess you're still awaiting a response whether your key is good
> enough. Robert, any feedback?

there are basically 3 things to check:

1. that both encryption and signing keys are 4096 RSA
2. that the keyring preferences are set to strong signing
3. that the key preferences are set to strong signing

and AFAICT the key looks fine

(probably need to find some time to update the documentation since the
GnuPG team now seem to have set everything up okay by defaults for the
new releases...)

- robert
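
An added example, not part of the original thread or of Apache's documentation: one way to script checks 1 and 2 from the list above, plus the digest actually used in a signature, over captured `gpg` output. It does not inspect the per-key preference list (check 3); the function names and all sample data are constructed, and SHA384 is accepted alongside the SHA256/SHA512 named in the thread as an assumption.

```shell
#!/bin/sh
# Added example; every sample below is constructed, not taken from the thread.

# Check 1: each pub/sub record is RSA (algorithm 1) with at least 4096 bits.
# Input: output of `gpg --list-keys --with-colons KEYID`.
# Colon fields: 1=record type, 3=key length, 4=public-key algorithm, 5=key ID.
check_key_records() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            seen = 1
            if ($4 != 1 || $3 + 0 < 4096) {
                printf "weak %s %s: algo=%s bits=%s\n", $1, $5, $4, $3
                bad = 1
            }
        }
        END { if (bad || !seen) exit 1 }'
}

# Check 2: gpg.conf selects a SHA-2 digest for signing and for certification.
check_gpg_conf() {
    awk '
        $1 == "personal-digest-preferences" { pdp = toupper($2) }
        $1 == "cert-digest-algo"            { cda = toupper($2) }
        END {
            strong = "^SHA(256|384|512)$"
            if (pdp !~ strong) { print "personal-digest-preferences: " pdp; bad = 1 }
            if (cda !~ strong) { print "cert-digest-algo: " cda; bad = 1 }
            if (bad) exit 1
        }'
}

# Signature check: digest recorded in a verified signature.
# Input: output of `gpg --status-fd 1 --verify FILE.asc FILE`.
# On a VALIDSIG line $9 is the public-key algorithm and $10 the hash algorithm
# (OpenPGP ids: 2=SHA1, 8=SHA256, 9=SHA384, 10=SHA512).
check_signature_digest() {
    awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            seen = 1
            if ($10 != 8 && $10 != 9 && $10 != 10) { print "weak digest id " $10; bad = 1 }
        }
        END { if (bad || !seen) exit 1 }'
}

sample_rsa4096_keys() { cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAAA:2010-01-01:2012-01-01::u:::scESC:
sub:u:4096:1:BBBBBBBBBBBBBBBB:2010-01-01:2012-01-01:::::e:
EOF
}
sample_dsa_elgamal_keys() { cat <<'EOF'
pub:u:1024:17:CCCCCCCCCCCCCCCC:2005-01-01:::u:::scESC:
sub:u:2048:16:DDDDDDDDDDDDDDDD:2005-01-01::::::e:
EOF
}
sample_conf_sha512() { cat <<'EOF'
personal-digest-preferences SHA512
cert-digest-algo SHA512
EOF
}
sample_conf_sha1() { cat <<'EOF'
personal-digest-preferences SHA512
cert-digest-algo SHA1
EOF
}
FPR=0123456789ABCDEF0123456789ABCDEF01234567   # constructed fingerprint
sample_status_sha512() { echo "[GNUPG:] VALIDSIG $FPR 2010-01-04 1262570236 0 4 0 1 10 00 $FPR"; }
sample_status_sha1()   { echo "[GNUPG:] VALIDSIG $FPR 2010-01-04 1262570236 0 4 0 1 2 00 $FPR"; }

# Demo: the first three pass silently, the rest print what was rejected.
sample_rsa4096_keys | check_key_records && sample_conf_sha512 | check_gpg_conf &&
    sample_status_sha512 | check_signature_digest && echo "strong samples: ok"
sample_dsa_elgamal_keys | check_key_records || echo "old default key pair rejected"
sample_conf_sha1 | check_gpg_conf || echo "SHA1 certification digest rejected"
sample_status_sha1 | check_signature_digest || echo "SHA1 signature rejected"
```

Against a real keyring, pipe the live command output into the same functions in place of the sample functions.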

Re: Apache release signing on Solaris 10

Posted by Craig L Russell <Cr...@Sun.COM>.
Hi Peter,

From my perspective, you're good to go. The signature you made checks  
out.

You'll need to put your public key into the svn repository associated  
with the river project (if you need details after looking around, let  
me know -- I'm a little hazy on the details).

And I guess you're still awaiting a response whether your key is good  
enough. Robert, any feedback?

clr% gpg --fingerprint 1CC8406F
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:  69  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:  69  signed:  39  trust: 17-, 24q, 0n, 0m, 28f, 0u
gpg: depth: 2  valid:  20  signed:  20  trust: 7-, 11q, 0n, 0m, 2f, 0u
gpg: depth: 3  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2011-06-22
pub   4096R/1CC8406F 2010-01-01 [expires: 2012-01-01]
      Key fingerprint = 316D 7FF5 D89E 3090 64E2  7BAA AE46 E725 1CC8 406F
uid                  Peter Firmstone (Engineer) <peter.firmstone@zeus.net.au>
sub   4096R/DBF67B3D 2010-01-01 [expires: 2012-01-01]

[CraigRussell:~] clr% gpg --verify LICENSE.asc
gpg: Signature made Sun Jan  3 17:57:16 2010 PST using RSA key ID 1CC8406F
gpg: Good signature from "Peter Firmstone (Engineer) <peter.firmstone@zeus.net.au>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 316D 7FF5 D89E 3090 64E2  7BAA AE46 E725 1CC8 406F

Craig

On Jan 3, 2010, at 11:11 PM, Peter Firmstone wrote:

> Oh yes of course, my apologies.
>
> It should be available now on subkeys.pgp.net and keys.gnupg.net
>
> I'll upload it to my home directory on people.apache.org later too.
>
> Cool receiving assistance from someone who has contributed much.
>
> Thanks again,
>
> Peter.
>
>
>
> Craig L Russell wrote:
>> Hi Peter,
>>
>> Have you uploaded your public key?
>>
>> gpg --verify LICENSE.asc
>> gpg: Signature made Sun Jan  3 17:57:16 2010 PST using RSA key ID 1CC8406F
>> gpg: Can't check signature: public key not found
>> [CraigRussell:~] clr% gpg --recv-keys 1CC8406F
>> gpg: requesting key 1CC8406F from hkp server subkeys.pgp.net
>> gpgkeys: key 1CC8406F not found on keyserver
>> gpg: no valid OpenPGP data found.
>> gpg: Total number processed: 0
>>
>> What we know is that you have a key and it made a signature file.  
>> What we don't know is if the signature matches your key.
>>
>> Craig
>>
>> On Jan 3, 2010, at 6:04 PM, Peter Firmstone wrote:
>>
>>> Thanks Craig,
>>>
>>> LICENSE.asc of LICENSE in trunk of Apache River attached.
>>>
>>> Cheers,
>>>
>>> Peter.
>>>
>>> Craig L Russell wrote:
>>>> Hi Peter,
>>>>
>>>> The only reason *not* to use 1.4.10 IMHO is if the generated  
>>>> artifacts somehow are incompatible with other GPG programs out  
>>>> there.
>>>>
>>>> If you want to create an example .asc from some file that you  
>>>> have in your public directory, I'd be happy to verify that it  
>>>> works.
>>>>
>>>> Craig
>>>
>>
>> Craig L Russell
>> Architect, Sun Java Enterprise System http://db.apache.org/jdo
>> 408 276-5638 mailto:Craig.Russell@sun.com
>> P.S. A good JDO? O, Gasp!
>>
>>
>

Craig L Russell
Architect, Sun Java Enterprise System http://db.apache.org/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!


Re: Apache release signing on Solaris 10

Posted by Peter Firmstone <ji...@zeus.net.au>.
Oh yes of course, my apologies.

It should be available now on subkeys.pgp.net and keys.gnupg.net

I'll upload it to my home directory on people.apache.org later too.

Cool receiving assistance from someone who has contributed much.

Thanks again,

Peter.



Craig L Russell wrote:
> Hi Peter,
>
> Have you uploaded your public key?
>
> gpg --verify LICENSE.asc
> gpg: Signature made Sun Jan  3 17:57:16 2010 PST using RSA key ID 1CC8406F
> gpg: Can't check signature: public key not found
> [CraigRussell:~] clr% gpg --recv-keys 1CC8406F
> gpg: requesting key 1CC8406F from hkp server subkeys.pgp.net
> gpgkeys: key 1CC8406F not found on keyserver
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0
>
> What we know is that you have a key and it made a signature file. What 
> we don't know is if the signature matches your key.
>
> Craig
>
> On Jan 3, 2010, at 6:04 PM, Peter Firmstone wrote:
>
>> Thanks Craig,
>>
>> LICENSE.asc of LICENSE in trunk of Apache River attached.
>>
>> Cheers,
>>
>> Peter.
>>
>> Craig L Russell wrote:
>>> Hi Peter,
>>>
>>> The only reason *not* to use 1.4.10 IMHO is if the generated 
>>> artifacts somehow are incompatible with other GPG programs out there.
>>>
>>> If you want to create an example .asc from some file that you have 
>>> in your public directory, I'd be happy to verify that it works.
>>>
>>> Craig
>>
>
> Craig L Russell
> Architect, Sun Java Enterprise System http://db.apache.org/jdo
> 408 276-5638 mailto:Craig.Russell@sun.com
> P.S. A good JDO? O, Gasp!
>
>


Re: Apache release signing on Solaris 10

Posted by Craig L Russell <Cr...@Sun.COM>.
Hi Peter,

Have you uploaded your public key?

gpg --verify LICENSE.asc
gpg: Signature made Sun Jan  3 17:57:16 2010 PST using RSA key ID 1CC8406F
gpg: Can't check signature: public key not found
[CraigRussell:~] clr% gpg --recv-keys 1CC8406F
gpg: requesting key 1CC8406F from hkp server subkeys.pgp.net
gpgkeys: key 1CC8406F not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

What we know is that you have a key and it made a signature file. What  
we don't know is if the signature matches your key.

Craig

On Jan 3, 2010, at 6:04 PM, Peter Firmstone wrote:

> Thanks Craig,
>
> LICENSE.asc of LICENSE in trunk of Apache River attached.
>
> Cheers,
>
> Peter.
>
> Craig L Russell wrote:
>> Hi Peter,
>>
>> The only reason *not* to use 1.4.10 IMHO is if the generated  
>> artifacts somehow are incompatible with other GPG programs out there.
>>
>> If you want to create an example .asc from some file that you have  
>> in your public directory, I'd be happy to verify that it works.
>>
>> Craig
>

Craig L Russell
Architect, Sun Java Enterprise System http://db.apache.org/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!


Re: Apache release signing on Solaris 10

Posted by Peter Firmstone <ji...@zeus.net.au>.
Thanks Craig,

LICENSE.asc of LICENSE in trunk of Apache River attached.

Cheers,

Peter.

Craig L Russell wrote:
> Hi Peter,
>
> The only reason *not* to use 1.4.10 IMHO is if the generated artifacts 
> somehow are incompatible with other GPG programs out there.
>
> If you want to create an example .asc from some file that you have in 
> your public directory, I'd be happy to verify that it works.
>
> Craig
>
> On Jan 3, 2010, at 3:42 PM, Peter Firmstone wrote:
>
>> Thanks Robert,
>>
>> GnuPG 1.4.10 has no trouble creating 4096 bit keys and it compiles 
>> cleanly on Solaris, I have a set generated, I just wasn't sure if 
>> there was some reason I should be using the later version.  1.4.10 is 
>> still being maintained, it's recommended for servers and embedded, 
>> while 2.0.14 is preferred for desktops.
>>
>> If no one objects, I'd be happy to use the keys to sign the AR2 release.
>>
>> Cheers,
>>
>> Peter.
>>
>>
>> Robert Burrell Donkin wrote:
>>> On Fri, Jan 1, 2010 at 7:59 AM, Peter Firmstone <ji...@zeus.net.au> 
>>> wrote:
>>>
>>>> I've been attempting to compile and install GnuPG 2.0.14 as per
>>>> http://www.apache.org/dev/openpgp.html#generate-key
>>>>
>>>> Unfortunately GnuPG 2.0.14 depends upon libassuan-1.0.5 which uses 
>>>> funopen
>>>> or fopencookie calls that don't exist on Solaris 10.  NB. I succeeded
>>>> getting GNU PThreads library version 2.0.7 compiled and installed, 
>>>> which
>>>> incidentally requested I email the author, to include it in the tested
>>>> platforms (after passing all tests).
>>>>
>>>> Other libraries required that I compiled and installed were:
>>>> libgcrypt
>>>> libksba
>>>> libgpg-error
>>>>
>>>> I have GnuPG 1.4.10 installed, it can generate 4096 bit RSA keys.
>>>>
>>>> Is there anything on Solaris 10 that is considered suitable for key
>>>> generation for Apache?
>>>>
>>>
>>> IIRC 1.4.10 has the required changes backported from the 2.x
>>> codestream but i haven't had time to verify that the keys are
>>> correctly generated or that the configuration instructions work (i may
>>> be able to find some time in Feb once my semester one exams are done).
>>> it is possible - with sufficient knowledge - to create secure keys
>>> using 1.4.9 or earlier but it's fiddly and error prone. i think - but
>>> haven't checked - that you should be able to follow the *full*
>>> instructions for 2.x using 1.4.10 and then verify that the signatures
>>> created by the new key are strong enough.
>>>
>>> - robert
>>>
>>>
>>
>
> Craig L Russell
> Architect, Sun Java Enterprise System http://db.apache.org/jdo
> 408 276-5638 mailto:Craig.Russell@sun.com
> P.S. A good JDO? O, Gasp!
>
>


Re: Apache release signing on Solaris 10

Posted by Craig L Russell <Cr...@Sun.COM>.
Hi Peter,

The only reason *not* to use 1.4.10 IMHO is if the generated artifacts  
somehow are incompatible with other GPG programs out there.

If you want to create an example .asc from some file that you have in  
your public directory, I'd be happy to verify that it works.

Craig

On Jan 3, 2010, at 3:42 PM, Peter Firmstone wrote:

> Thanks Robert,
>
> GnuPG 1.4.10 has no trouble creating 4096 bit keys and it compiles  
> cleanly on Solaris, I have a set generated, I just wasn't sure if  
> there was some reason I should be using the later version.  1.4.10  
> is still being maintained, it's recommended for servers and embedded,  
> while 2.0.14 is preferred for desktops.
>
> If no one objects, I'd be happy to use the keys to sign the AR2  
> release.
>
> Cheers,
>
> Peter.
>
>
> Robert Burrell Donkin wrote:
>> On Fri, Jan 1, 2010 at 7:59 AM, Peter Firmstone <ji...@zeus.net.au>  
>> wrote:
>>
>>> I've been attempting to compile and install GnuPG 2.0.14 as per
>>> http://www.apache.org/dev/openpgp.html#generate-key
>>>
>>> Unfortunately GnuPG 2.0.14 depends upon libassuan-1.0.5 which uses  
>>> funopen
>>> or fopencookie calls that don't exist on Solaris 10.  NB. I  
>>> succeeded
>>> getting GNU PThreads library version 2.0.7 compiled and installed,  
>>> which
>>> incidentally requested I email the author, to include it in the tested
>>> platforms (after passing all tests).
>>>
>>> Other libraries required that I compiled and installed were:
>>> libgcrypt
>>> libksba
>>> libgpg-error
>>>
>>> I have GnuPG 1.4.10 installed, it can generate 4096 bit RSA keys.
>>>
>>> Is there anything on Solaris 10 that is considered suitable for key
>>> generation for Apache?
>>>
>>
>> IIRC 1.4.10 has the required changes backported from the 2.x
>> codestream but i haven't had time to verify that the keys are
>> correctly generated or that the configuration instructions work (i  
>> may
>> be able to find some time in Feb once my semester one exams are  
>> done).
>> it is possible - with sufficient knowledge - to create secure keys
>> using 1.4.9 or earlier but it's fiddly and error prone. i think - but
>> haven't checked - that you should be able to follow the *full*
>> instructions for 2.x using 1.4.10 and then verify that the signatures
>> created by the new key are strong enough.
>>
>> - robert
>>
>>
>

Craig L Russell
Architect, Sun Java Enterprise System http://db.apache.org/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!


Re: Apache release signing on Solaris 10

Posted by Peter Firmstone <ji...@zeus.net.au>.
Robert,

How do I verify the generated keys are strong enough?

Cheers,

Peter.


Peter Firmstone wrote:
> Thanks Robert,
>
> GnuPG 1.4.10 has no trouble creating 4096 bit keys and it compiles 
> cleanly on Solaris, I have a set generated, I just wasn't sure if 
> there was some reason I should be using the later version.  1.4.10 is 
> still being maintained, it's recommended for servers and embedded, 
> while 2.0.14 is preferred for desktops.
>
> If no one objects, I'd be happy to use the keys to sign the AR2 release.
>
> Cheers,
>
> Peter.
>
>
> Robert Burrell Donkin wrote:
>> On Fri, Jan 1, 2010 at 7:59 AM, Peter Firmstone <ji...@zeus.net.au> 
>> wrote:
>>  
>>> I've been attempting to compile and install GnuPG 2.0.14 as per
>>> http://www.apache.org/dev/openpgp.html#generate-key
>>>
>>> Unfortunately GnuPG 2.0.14 depends upon libassuan-1.0.5 which uses 
>>> funopen
>>> or fopencookie calls that don't exist on Solaris 10.  NB. I succeeded
>>> getting GNU PThreads library version 2.0.7 compiled and installed, 
>>> which
>>> incidentally requested I email the author, to include it in the tested
>>> platforms (after passing all tests).
>>>
>>> Other libraries required that I compiled and installed were:
>>> libgcrypt
>>> libksba
>>> libgpg-error
>>>
>>> I have GnuPG 1.4.10 installed, it can generate 4096 bit RSA keys.
>>>
>>> Is there anything on Solaris 10 that is considered suitable for key
>>> generation for Apache?
>>>     
>>
>> IIRC 1.4.10 has the required changes backported from the 2.x
>> codestream but i haven't had time to verify that the keys are
>> correctly generated or that the configuration instructions work (i may
>> be able to find some time in Feb once my semester one exams are done).
>> it is possible - with sufficient knowledge - to create secure keys
>> using 1.4.9 or earlier but it's fiddly and error prone. i think - but
>> haven't checked - that you should be able to follow the *full*
>> instructions for 2.x using 1.4.10 and then verify that the signatures
>> created by the new key are strong enough.
>>
>> - robert
>>
>>   
>
>


Re: Apache release signing on Solaris 10

Posted by Peter Firmstone <ji...@zeus.net.au>.
Thanks Robert,

GnuPG 1.4.10 has no trouble creating 4096 bit keys and it compiles 
cleanly on Solaris, I have a set generated, I just wasn't sure if there 
was some reason I should be using the later version.  1.4.10 is still 
being maintained, it's recommended for servers and embedded, while 2.0.14 
is preferred for desktops.

If no one objects, I'd be happy to use the keys to sign the AR2 release.

Cheers,

Peter.


Robert Burrell Donkin wrote:
> On Fri, Jan 1, 2010 at 7:59 AM, Peter Firmstone <ji...@zeus.net.au> wrote:
>   
>> I've been attempting to compile and install GnuPG 2.0.14 as per
>> http://www.apache.org/dev/openpgp.html#generate-key
>>
>> Unfortunately GnuPG 2.0.14 depends upon libassuan-1.0.5 which uses funopen
>> or fopencookie calls that don't exist on Solaris 10.  NB. I succeeded
>> getting GNU PThreads library version 2.0.7 compiled and installed, which
>> incidentally requested I email the author, to include it in the tested
>> platforms (after passing all tests).
>>
>> Other libraries required that I compiled and installed were:
>> libgcrypt
>> libksba
>> libgpg-error
>>
>> I have GnuPG 1.4.10 installed, it can generate 4096 bit RSA keys.
>>
>> Is there anything on Solaris 10 that is considered suitable for key
>> generation for Apache?
>>     
>
> IIRC 1.4.10 has the required changes backported from the 2.x
> codestream but i haven't had time to verify that the keys are
> correctly generated or that the configuration instructions work (i may
> be able to find some time in Feb once my semester one exams are done).
> it is possible - with sufficient knowledge - to create secure keys
> using 1.4.9 or earlier but it's fiddly and error prone. i think - but
> haven't checked - that you should be able to follow the *full*
> instructions for 2.x using 1.4.10 and then verify that the signatures
> created by the new key are strong enough.
>
> - robert
>
>   


Re: Apache release signing on Solaris 10

Posted by Robert Burrell Donkin <ro...@gmail.com>.
On Fri, Jan 1, 2010 at 7:59 AM, Peter Firmstone <ji...@zeus.net.au> wrote:
> I've been attempting to compile and install GnuPG 2.0.14 as per
> http://www.apache.org/dev/openpgp.html#generate-key
>
> Unfortunately GnuPG 2.0.14 depends upon libassuan-1.0.5 which uses funopen
> or fopencookie calls that don't exist on Solaris 10.  NB. I succeeded
> getting GNU PThreads library version 2.0.7 compiled and installed, which
> incidentally requested I email the author, to include it in the tested
> platforms (after passing all tests).
>
> Other libraries required that I compiled and installed were:
> libgcrypt
> libksba
> libgpg-error
>
> I have GnuPG 1.4.10 installed, it can generate 4096 bit RSA keys.
>
> Is there anything on Solaris 10 that is considered suitable for key
> generation for Apache?

IIRC 1.4.10 has the required changes backported from the 2.x
codestream but i haven't had time to verify that the keys are
correctly generated or that the configuration instructions work (i may
be able to find some time in Feb once my semester one exams are done).
it is possible - with sufficient knowledge - to create secure keys
using 1.4.9 or earlier but it's fiddly and error prone. i think - but
haven't checked - that you should be able to follow the *full*
instructions for 2.x using 1.4.10 and then verify that the signatures
created by the new key are strong enough.

- robert

AR2 Release PGP Signing

Posted by Peter Firmstone <ji...@zeus.net.au>.
Anyone else able to add their pgp key to the KEYS file in trunk?

Cheers,

Peter.