PGP – Setting Up Your Launchpad Key 07/09/09

Granted, Launchpad might not be something newer Ubuntu users or less experienced users consider joining. However, I recently checked out the site and created my account. When I’m ready to create a couple of packages, I can upload them to Launchpad, where I or anyone in the community can access and use them, from anywhere. Additionally, part of the motivation is to give back to the community. When I started using Linux in earnest, I received a lot of community help; as such, this blog and the future Launchpad packages are a way of passing that help on.

One thing I noted was that Launchpad uses PGP keys to help confirm that you really are you. That is, communications, agreements, etc. are really from you, the individual who signed up for the account. While I have not played with PGP in some time, I did manage to muddle my way through creating my key, adding it to the Ubuntu keyring and validating the fingerprint on Launchpad.

For those considering, here’s a quick refresher. For those who are new, here’s a “how to”.

Creating and Using Your PGP Key / Fingerprint for Launchpad

If you don’t already have it, you’ll need to install GPA (Gnu Privacy Assistant):

sudo aptitude install gpa

or use the Firefox APT link: apt:gpa

The install is very basic. Now we’ll need to generate a key:

gpg --gen-key

You’ll see some options, but select the first one, which says “(1) DSA and Elgamal”.

Note: Make sure you select that first DSA option; if memory serves me correctly, that’s the one to encrypt and decrypt. The other options will not.

Next you’ll select a key size; I chose 4096 (bits).
How long will your new key be valid for? I chose “0” (which means the key does not expire, unless I revoke the key).

After the confirmation prompt, where you say “y” to confirm that your selections are correct, enter your real name, email address and a comment (the comment is not required and I didn’t enter one). After entering the information, type “O” for “Okay”.

Now you’ll need to enter a passphrase:

to see a world in a grain of sand and a heaven in a wild flower hold infinity in the palm of your hand and eternity in an hour

(Use your own phrase; I’m just showing an example of a similar, easy-to-remember phrase I use, long and difficult to catch.)

Now use your PC a bit so that it will gain enough entropy to create your key. In other words, go and work on something else, using your PC, until the generation is complete. If not, you’ll see a message that says:

“Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 195 more bytes)
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.”

Once the process is finished, you’ll receive some output similar to the message below:

gpg: key 1726B455 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/1726B455 2009-07-04
Key fingerprint = 668D C965 B4EA 2D77 A9AD  9C2B 9472 EB27 1625 D459
uid                  Roger Wheatley <xxxxxxxxxx@xxxxxxxxxx.com>
sub   4096g/D284B31A 2009-07-04

The key ID is 1726B455, as seen above. Now let’s export it as the default key:

export gpgkey=1726B455

Restart GPG and bashrc so the key gets used as the default for your system:

killall -q gpg-agent; eval $(gpg-agent --daemon) && source ~/.bashrc

Note: bashrc refers to files that are related to your shell account, which include configuration directives, logging of user actions and so on.

Now let’s create the revocation certificate, in case you ever need it (if someone were to gain access to your private key, for example):

gpg --output revoke.asc --gen-revoke 1726B455

Save the revocation certificate in a SAFE AND SECURE location. Make sure NOBODY can access it; if they do, they will have the ability to revoke your key.

Now we need to add the key to Ubuntu’s keyserver at keyserver.ubuntu.com (as specified by launchpad.net):

gpg --send-keys --keyserver keyserver.ubuntu.com 1726B455

Finally, Launchpad requests the key fingerprint (make sure you’re logged into launchpad.net for this part). To obtain your fingerprint:

gpg --fingerprint

Which outputs something like:

roger@tinman:~$ gpg --fingerprint
/home/roger/.gnupg/pubring.gpg
------------------------------
pub   1024D/1726B455 2009-07-04
Key fingerprint = 668D C965 B4EA 2D77 A9AD  9C2B 9472 EB27 1625 D459
uid                  Roger Wheatley <xxxxxxxxxx@xxxxxxxxxx.com>
sub   4096g/D284B31A 2009-07-04

In my case the fingerprint is:

668D C965 B4EA 2D77 A9AD  9C2B 9472 EB27 1625 D459

Paste that into the appropriate field and click “Import key”. After this, Launchpad will display a message like:

“A message has been sent to xxxxxxxxxx@xxxxxxxxxx.com, encrypted with the key 1024D/1726B455. To confirm the key is yours, decrypt the message and follow the link inside.”

Oh, oh… I need to decrypt the message to get the link.

Copy the encrypted content of the email and save it as a file. Copy from where it says “-----BEGIN PGP MESSAGE-----” to “-----END PGP MESSAGE-----”. Include the “begin” and “end” directives. I saved the encrypted content under the file name “message” in /home/roger/launchpad (you’ll save it to a different location on your PC).

In a terminal:
cd /home/roger/launchpad (Use your own path here).

Issue the command:

gpg --decrypt message

and it will ask for your passphrase. After entering the passphrase correctly, I could read the message and the confirmation URL. Follow the instructions provided by that decrypted message (visit the URL). And you’re done!
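As an added example (not part of the original post): a small shell helper that reads the fingerprint for the Launchpad import field from gpg’s machine-readable --with-colons listing and confirms it ends in the key ID you expect, ignoring subkey fingerprints. The listing is constructed sample data and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --fingerprint` output (not a real key).
SAMPLE_LISTING='tru::1:1246665600:0:3:1:5
pub:u:1024:17:0123456789ABCDEF:2009-07-04:::u:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:u::::2009-07-04::::Example User <user@example.invalid>:
sub:u:4096:16:77778888DEADBEEF:2009-07-04::::::e:
fpr:::::::::11112222333344445555666677778888DEADBEEF:'

# Read a --with-colons listing on stdin and print the primary-key
# fingerprint whose tail matches key ID $1 (with or without 0x prefix).
# Returns 1 if no primary key matches, 2 if $1 is not hexadecimal.
fingerprint_for_keyid() {
    _want=$(printf '%s' "${1#0x}" | tr 'a-f' 'A-F')
    case "$_want" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    awk -F: -v want="$_want" '
        $1 == "pub" { primary = 1; next }   # next fpr record belongs to the primary key
        $1 == "sub" { primary = 0; next }   # fpr records after this are subkey fingerprints
        $1 == "fpr" && primary {
            primary = 0
            fpr = $10                       # field 10 holds the fingerprint
            n = length(want)
            if (length(fpr) >= n && substr(fpr, length(fpr) - n + 1) == want) {
                print fpr
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Group a fingerprint in blocks of four hex digits for visual comparison.
format_fingerprint() {
    printf '%s\n' "$1" | sed -e 's/..../& /g' -e 's/ $//'
}

# Real use (assumes the key generated above is in your keyring):
#   gpg --with-colons --fingerprint | fingerprint_for_keyid <your key ID>
fpr=$(printf '%s\n' "$SAMPLE_LISTING" | fingerprint_for_keyid 89abcdef) \
    && format_fingerprint "$fpr"
```

Eight-digit key IDs are not unique, so pass the longest ID you have and compare the full fingerprint before pasting it into Launchpad.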


One Response to this article

bob dobbs July 10, 2009

Thanks. I recently started working out the kinks in my own keyring with Enigmail for Thunderbird. GPA looks similar to Seahorse, which is where you can create/sign/etc. keys also.
