Creating a GPG key
This page describes how to create a GPG key and get it signed for use by the SELinux open source project. This is only needed for SELinux maintainers. Derived from an email from Jason Zaman, one of the SELinux userspace maintainers.
For people who don't have keys yet, or who have ancient keys (read: DSA, or RSA shorter than 2048 bits, etc.), here are some useful docs on how to make a good key:
- https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys
- https://keyring.debian.org/creating-key.html
- https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/
The important thing is that your `~/.gnupg/gpg.conf` file has: `keyid-format 0xlong`
My preference for keys is that the master key (with Cert or Cert+Sign) is kept offline and instead have subkeys for Sign+Encrypt. It should look something like this:
```
sec#  rsa4096/0x7EF137EC935B0EAF 2014-03-26 [SC] [expires: 2022-09-07]
      63191CE94183098689CAB8DB7EF137EC935B0EAF
uid                   [ultimate] Jason Zaman <notmyrealemail AT test.com>
ssb>  rsa4096/0x3C5B5F43DE9F01FC 2014-03-26 [E] [expires: 2022-09-07]
ssb>  rsa4096/0x2BBED9CB1A68EF55 2014-09-23 [S] [expires: 2022-09-07]
ssb>  rsa4096/0x47871DE1B8A30571 2019-05-14 [A] [expires: 2022-09-07]
```
The "sec#" means the private part of my master key is not available.
But pretty much all distros have quite similar requirements nowadays, so if you already have a key, don't make a new one.
On the call we just need to verify everyone's fingerprint + ID. I will have a passport, but anything with name + picture is fine since we basically all know each other already.
Before the call:
Make sure your key looks okay:
```
gpg -k --fingerprint 0xMyKeyID
```
Make sure your key is on the keyservers:
```
gpg --keyserver keyserver.ubuntu.com --send-keys 0xMyKeyID
```
During the call we take turns:
- Show ID to the camera.
- Verbally read out your own fingerprint. Everyone else must verify it against a copy kept somewhere that can't be changed, e.g. don't use the meeting chat as your source of truth; instead copy-paste the fingerprint into a text file or write it on paper.
After the call:
You can sign using something like caff: https://wiki.debian.org/caff
If you do it manually, then make sure you specify `--ask-cert-level`.
These should be the rough steps to sign it manually. I dug them up from my notes last time I did this because I keep forgetting.
```
gpg --keyserver keyserver.ubuntu.com --refresh-keys
gpg -k --fingerprint 0xOtherKeyID    # this fingerprint must match the one from the call
gpg --ask-cert-level --sign-key 0xOtherKeyID
gpg --list-sigs 0xOtherKeyID         # This should now show a "sig3" line with your new sig
gpg --armor --export 0xOtherKeyID > 0xKeyID_signed.asc
```
Send a gpg-encrypted email with 0xKeyID_signed.asc attached.
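As an added example (not from the wiki page or from Jason's email): a small POSIX shell helper that gates `gpg --sign-key` on the fingerprint you wrote down during the call, so a keyserver result that carries the same name and email but a different fingerprint is never signed. It assumes gpg's `--with-colons` listing format (the first `fpr` record is the primary key, fingerprint in field 10); `SAMPLE_LISTING` is a constructed listing for offline testing, using the fingerprint shown on this page.

```shell
#!/bin/sh
# Added example: refuse to certify a key unless gpg's fingerprint for it
# matches the one copied to paper/text file during the call.

# Normalise a fingerprint the way people write it down: drop spaces/tabs
# and a 0x prefix, upper-case the hex. Both sides of the comparison use it.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Pull the primary-key fingerprint out of `gpg --with-colons --fingerprint`
# output read on stdin. The first "fpr" record belongs to the primary key;
# later ones belong to subkeys, so stop after the first match.
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# check_fpr EXPECTED  (listing on stdin)
# Returns 0 only if EXPECTED is a well-formed 40-hex-digit fingerprint and
# equals the primary fingerprint in the listing; 1 on mismatch, 2 on bad input.
check_fpr() {
    expected=$(normalize_fpr "$1")
    actual=$(primary_fpr_from_colons)
    case "$expected" in
        ''|*[!0-9A-F]*) echo "expected fingerprint is not hex: $1" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 40 ] || { echo "fingerprint must be 40 hex digits" >&2; return 2; }
    [ "$actual" = "$expected" ]
}

# sign_if_verified KEYID EXPECTED_FPR: the interactive wrapper around the
# manual signing step. Only runs --sign-key when the check above passes.
sign_if_verified() {
    gpg --with-colons --fingerprint "$1" | check_fpr "$2" \
        || { echo "fingerprint mismatch for $1, refusing to sign" >&2; return 1; }
    gpg --ask-cert-level --sign-key "$1"
}

# Constructed sample listing (only the record types and the fpr field matter
# here); in real use the listing comes from gpg as in sign_if_verified.
SAMPLE_LISTING='pub:u:4096:1:7EF137EC935B0EAF:1395792000:1662508800::u:::scSC:
fpr:::::::::63191CE94183098689CAB8DB7EF137EC935B0EAF:
uid:u::::1395792000::DEADBEEF::Jason Zaman <notmyrealemail AT test.com>::::::::::0:
sub:u:4096:1:3C5B5F43DE9F01FC:1395792000:1662508800:::::e:
fpr:::::::::0000000000000000000000000000000000000000:'
```

Usage: `sign_if_verified 0xOtherKeyID "6319 1CE9 4183 0986 89CA B8DB 7EF1 37EC 935B 0EAF"`, with the second argument typed from your paper copy, not from the chat.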
When you get your 0xKeyID_signed.asc from someone:
```
gpg --import 0xKeyID_signed.asc
gpg --list-sigs 0xMyKeyID
```
If all looks good:
```
gpg --keyserver keyserver.ubuntu.com --send-keys 0xMyKeyID
```
Best practice is to email the sig back to the owner so they can upload it themselves, because that also verifies the email address and that they can decrypt emails correctly, but it is a lot more work, so if y'all want we could just upload directly instead of emailing.
It is also a good idea to add the signed GPG key to your GitHub account under Settings so that others can download it from github.com/yourusername.gpg.