
Sharing master cert and verifying certs with that


I'm working on an application which has to download some files frequently. I thought signing files is a good idea.

So the first thing I thought to do is to create a master cert, somehow distribute it in the program, and verify developers' certs with that. So we don't need to update the cert that we distribute with the program when a new developer comes.

I think apt-key is using a similar method. I read it has something to do with sharing a keyring.

But I couldn't figure out how to do that with GnuPG. Can you help with that?


Solution

  • You create a new OpenPGP key pair with GnuPG, which consists of a public and a private key. You keep the private key private, but release the public key (for example, by uploading it to a key server). Signing is performed with the private key. Everybody else (that gets hold of the public key) can now verify the signature was really issued by the key.

    To enable others to verify the key was really issued by you, you should

    • put the key or fingerprint (not only a short key ID) at least at some HTTPS-secured place, so others have some assurance it is the right one, and
    • get your key signed by going to key signing parties and/or Certificate Authorities; CAcert is a good start into the OpenPGP web of trust.

    If you ship keys with your software distribution, consider using another GnuPG home directory and not the user's one (so you don't depend on user specific configuration and data).

    I think apt-key is using a similar method. I read it has something to do with sharing a keyring.

    The apt infrastructure creates an internal keyring, which is originally shipped with your distribution. It contains all public keys of Debian (Ubuntu, ...; whatever Debian based distribution you chose) developers, so all packages can be verified.

    But I couldn't figure out how to do that with GPG. Can you help with that?

    All of those proposals require the "company key" to be imported in the verifying software's GnuPG keyring, and having ultimate trust issued to be able to verify against that key.

    1. If you only need one developer (or build machine) that will distribute files, just go for a single key pair and validate the file's signature against the key's fingerprint.

    2. Another solution would be to create signing subkeys per developer and issue a single signing subkey (plus all public (sub)keys of course) to each developer. Verification still works through the primary key, but you can easily revoke each developer's subkey in case he quits the company. But it is harder to connect individual developers to signatures, as it must be done manually through fingerprints if needed.

    3. More complex setups would include a system like the one Debian built around apt, or using the OpenPGP web of trust to verify your developers' keys, but this requires a deeper insight into the different categories of trust and how certifications work.

    So we don't need to update the cert that we distribute with the program when a new developer comes.

    You will still have to update it in all cases, but that's not that bad. Simply share the updated key(s) (consider using the key server network for updating it). Changes to the key will be merged automatically, and even if someone tries to send you a forged key, it will be a different one and not have the trust mentioned above.
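
An added example, not part of the original answer: a verification routine for options 1 and 2 that imports the shipped key into a throwaway GnuPG home directory and accepts a detached signature only if GnuPG's machine-readable status reports the pinned primary-key fingerprint. It pins the fingerprint directly instead of assigning ownertrust; `PINNED_FPR`, the function names and the file arguments are assumptions, and the fingerprint is a constructed placeholder.

```sh
#!/bin/sh
# Added example: verify a download against the company key shipped with the
# application. All names and values below are hypothetical.

# Full 40-hex fingerprint of the company primary key (constructed placeholder).
PINNED_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

# Reads `gpg --status-fd` output on stdin. Succeeds only if a VALIDSIG line
# names the pinned primary key and no failure status is present.
# VALIDSIG fields after the keyword: signing-key fpr, date, timestamp, expiry,
# version, reserved, pubkey algo, hash algo, sig class, primary-key fpr.
# The signing-key fpr ($3) is the developer's subkey in option 2, so the
# comparison uses the primary-key fpr ($12).
status_matches_pin() {
    awk -v pin="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($12) == toupper(pin) { ok = 1 }
        # Bad, unverifiable, expired or revoked-key signatures are failures.
        $1 == "[GNUPG:]" && $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }
    '
}

# verify_download FILE DETACHED_SIG SHIPPED_PUBLIC_KEY
# Uses a fresh home directory so the result never depends on the user's
# own keyring, trust database or gpg.conf.
verify_download() {
    file=$1 sig=$2 keyring=$3
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    gpg --homedir "$home" --batch --quiet --import "$keyring" 2>/dev/null &&
        gpg --homedir "$home" --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null |
        status_matches_pin "$PINNED_FPR"
    rc=$?          # exit status of the awk check (or of the failed import)
    rm -rf "$home"
    return $rc
}
```

Call it as `verify_download update.bin update.bin.sig company-key.asc` and treat any non-zero exit as a rejected download. After revoking a developer's subkey, ship the updated public key so the revocation is part of what gets imported.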