Using GPG with the RADB
Notes - Limitations
In addition to PGP-based authentication, RADB now offers limited support for GPG-based signatures.
Support is limited because ElGamal keys cannot currently be affirmed as supported, owing to interoperability issues with PGP.
Some older GPG versions (v1.*) offer "ElGamal (sign and encrypt)" as a key type.
Do not use that option, because of these compatibility concerns; choose RSA as shown below.
Creating Key-Cert
This document takes you step by step through creating a key-cert object: generating a GPG key, registering it in the database, and GPG-signing your DB submissions.
GPG key
The example below uses GPG version 2.2.4, but the process applies to other versions.
Key generation takes some time because gpg must gather enough entropy before it can generate the primes.
The example accepts a non-expiring key; if you set an expiry instead, remember that signatures from an expired key will no longer verify, so replace the key-cert before it lapses.
% gpg --full-generate-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory '/home/etbru/.gnupg' created
gpg: keybox '/home/etbru/.gnupg/pubring.kbx' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)
Requested keysize is 3072 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Etienne Brule
Email address: [email protected]
Comment:
You selected this USER-ID:
"Etienne Brule <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
A dialog box (pinentry) now appears asking you to create a passphrase.
Enter something unique and secure; the passphrase protects the private key on disk, and you will need it every time you sign a submission.
Please enter the passphrase to
protect your new key
Passphrase: ThisIsAnExampleOnly
Press the Tab key to "OK" and then press ENTER
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/etbru/.gnupg/trustdb.gpg: trustdb created
gpg: key 748C195F7F507482 marked as ultimately trusted
gpg: directory '/home/etbru/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as
'/home/etbru/.gnupg/openpgp-revocs.d/F5AF118927CCEE9BA0AF2EBE748C195F7F507482.rev'
public and secret key created and signed.
pub rsa3072 2020-01-06 [SC]
F5AF118927CCEE9BA0AF2EBE748C195F7F507482
uid Etienne Brule <[email protected]>
sub rsa3072 2020-01-06 [E]
Hex ID
% gpg --list-keys --keyid-format short
/home/etbru/.gnupg/pubring.kbx
----------------------------------
pub rsa3072/7F507482 2020-01-06 [SC]
F5AF118927CCEE9BA0AF2EBE748C195F7F507482
uid [ultimate] Etienne Brule <[email protected]>
sub rsa3072/D3091FD2 2020-01-06 [E]
Now note your hex ID. The hex ID here is '7F507482', the last eight hex digits of the fingerprint printed above it.
This ID is required to name the key-cert object.
Because the short ID is only 32 bits, unrelated keys can share it, so whenever you compare keys, compare the full fingerprint (F5AF118927CCEE9BA0AF2EBE748C195F7F507482 here), which is what IRRd records in the auto-generated 'fingerpr:' attribute.
Extract key
Key block shortened for demonstration
% gpg --export -a -o /tmp/mykeys.txt 7F507482
% cat /tmp/mykeys.txt
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2

...

=TSDH
-----END PGP PUBLIC KEY BLOCK-----
Create key-cert
Now use your favorite editor to create your key-cert object.
Note the '+' sign that begins every line of the key block under the 'certif:' attribute; you must add it to each line yourself, since it marks the line as a continuation of the attribute.
Note that the 'method:', 'owner:' and 'fingerpr:' attributes have not been specified.
These attributes are auto-generated by the IRRd software and so they are intentionally omitted.
% vi /tmp/mykeys.txt
key-cert: PGPKEY-7F507482
certif:
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQGNBF4TdToBDADTUt7gV9IdsTznHKjAauPZ08+U/sOZsx0LYtttIofk/wDQTDpf
+1B0+2qcbSDgRQHNWLEFPjcahc2GDcrwRMtnqp7XjtQgnANyGdVK/CectULfqoWcU
+Fc09GR3Ls0pFdnx5v9qlzkbSk5izACjZkfZmgGl/CC9Yg9UroSon5s2x2vst08nE
+d1/3WhDLb6TLxYwX9mjMaJHvNgX6aNj0MciHj/p3DwMzwXEA/pxp/sv6DiA1HUQq
+JvewPs/st852IJDl1Qgl5yBNZdNqmeSuzf7GDMz5RMqZxFELutue/gSRg1ImSBBf
+xdFKcKq0qFHmRLpBNWb+cNA0CD4OjsP/UsnUL5f16d+tndmGuwyY5t1oDaP/i0MC
+tkB4teSDql8F9LviVMPIgs7XkEYuj916cA4BDnqnOWG8BUsN7sv7kCGWe5t9RK54
+vheh8B8SKnl0NS3+5RT1+WybcvaMeo8Z8Uodx7vbVkI2cp5T+m0y8+VuAPWQ4Wap
+YG4Lee/zZX8FXU6fHIw4EsCQias+xesb5to99vKgKpAZmI3wCFJhEgijlEPMHsF8
+w6R5sqZL9CD2oLUyczW+08ictIom2TyqZo1I2rmPP+r9qsPDrghXvbF5HTCN6PDp
+zr88trvF+8XJ4HtoGxjBRLsYfxb/fcRG+JieSbwRP04JJULSUIYylBQtGf7c09LS
+pd/o0ErJs2xNQNm7dpaXHOQRfPWPz6OADoSROrlb3graC74VWL8oPGda/aqNN9i1
+t85aghh5SqUqIKw3SylRRta3md/fLiyOFwu5pRpbV/EQ4KXMYi3Rvm7JAudwnfkA
+EQEAAYkBtgQYAQoAIBYhBPWvEYknzO6boK8uvnSMGV9/UHSCBQJeE3U6AhsMAAoJ
+EHSMGV9/UHSCM1IL/jlcsxAt6K4Y9D641JYCism1954aAaUfOkGnPaJlv/Lqpe1j
+1Prq15+gtaALscjEG/kwrGBNfxQhITkdG21EDgkHHOshHzH9KSG+EtVeWVP60pXm
+voUlfMBhvQtLUueY6kun/o+enpfEfJpXLXZxJfjqyOgBC+PPEpU/Kp1bcjEHpoYR
+3I0/En0U2EQPfoXTi+jxPoieA161/wU/S1CWzZpbHYmY4LMiaIfFYZWnxaTdHgUp
+CvgvYMgvbeNp0PYz6REl3r4InJNxcrgADwYAI3qdkMrdjKjJng28rIpnWZu/9ABK
+3RqlvxFY1wyDrZ1mJDD6ZzjgFD4/0z8SDoFx0AZOpIkBUAZO75MHidv/aR9MhAAN
+osp0yq8lQtzFCDL3Dt8JzRGdKdSezfDES3XyPd3eYH7r83uN1J1G3PmB2trV1X+I
+k18NufOgOuXc0Y9O1OxmdqYQtXvxuETLO7k8LtAiBLYf5O0Bvvz/5/5iGNJFhM1w
+dMysOe1K0Bw5vdKKLw==
+=TSDH
+-----END PGP PUBLIC KEY BLOCK-----
mnt-by: MAINT-ETBRU
changed: [email protected]
source: RADB
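Hand-editing the object is easy to get wrong (one line without its '+' and the submission is rejected). The POSIX shell script below is an added example, not part of the original page or of RADB/IRRd: it derives the short ID from a full fingerprint (the general rule the "Hex ID" section shows one instance of), builds the key-cert object from the file `gpg --export -a` writes, and checks it before you mail it. The maintainer name, the contact address and the stand-in "armored key" it writes for offline testing are assumptions; substitute your own values and your real exported key.

```shell
#!/bin/sh
# make-keycert.sh: build and sanity-check a RADB key-cert object from an
# ASCII-armored GPG public key. Added example for this page, not RADB or
# IRRd code; the object layout follows the one shown above.
set -eu

# The 8-hex-digit short ID used in the key-cert name is the last 32 bits
# (last 8 hex characters) of the full fingerprint. Spaces, as printed by
# 'gpg --fingerprint', are ignored.
short_id_from_fpr() {
    printf '%s' "$1" | tr -d ' ' | tail -c 8 | tr 'a-f' 'A-F'
}

# Constructed stand-in for an exported key (NOT a real key, only the shape
# 'gpg --export -a' produces) so the builder can be exercised offline.
write_sample_armor() {
    cat > "$1" <<'EOF'
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBEXAMPLEONLYexampleonlyEXAMPLEONLYexampleonlyEXAMPLEONLY
ThisIsNotARealKeyBlockJustAStandInForTheTest==
=XXXX
-----END PGP PUBLIC KEY BLOCK-----
EOF
}

# Emit a key-cert object on stdout.
#   $1 short key ID (e.g. 7F507482)    $2 maintainer (e.g. MAINT-ETBRU)
#   $3 contact address for 'changed:'  $4 file holding the armored key
# Every line of the key block gets the '+' continuation prefix.
# method:, owner: and fingerpr: are left out; IRRd fills them in.
keycert_from_armor() {
    keyid=$1; mntner=$2; email=$3; armor=$4
    printf 'key-cert: PGPKEY-%s\n' "$keyid"
    printf 'certif:\n'
    sed 's/^/+/' "$armor"
    printf 'mnt-by: %s\n' "$mntner"
    printf 'changed: %s\n' "$email"
    printf 'source: RADB\n'
}

# Pre-flight an object before mailing it: the name is PGPKEY-<8 hex digits>,
# every certif continuation line carries '+', and the armor header and
# footer are both present. Returns 0 if OK, 1 otherwise (reason on stderr).
check_keycert() {
    if ! head -n 1 "$1" | grep -Eq '^key-cert: PGPKEY-[0-9A-F]{8}$'; then
        echo "bad key-cert name: $(head -n 1 "$1")" >&2
        return 1
    fi
    awk '
        BEGIN { inblock = 0; begin = 0; end = 0; bad = 0 }
        /^certif:/ { inblock = 1; next }
        /^mnt-by:/ { inblock = 0 }
        inblock && $0 !~ /^\+/ {
            print "certif line lacks +: [" $0 "]" > "/dev/stderr"; bad = 1
        }
        /^\+-----BEGIN PGP PUBLIC KEY BLOCK-----$/ { begin = 1 }
        /^\+-----END PGP PUBLIC KEY BLOCK-----$/   { end = 1 }
        END {
            if (!(begin && end)) {
                print "armor header or footer missing" > "/dev/stderr"; bad = 1
            }
            exit bad
        }
    ' "$1"
}

# Typical use with a real key (address and paths are placeholders):
#   gpg --export -a -o /tmp/key.asc 7F507482
#   keycert_from_armor 7F507482 MAINT-ETBRU noc@example.net /tmp/key.asc > /tmp/keycert.txt
#   check_keycert /tmp/keycert.txt && mail [email protected] < /tmp/keycert.txt
```

Source the script (`. ./make-keycert.sh`) to get the functions in your shell; `check_keycert` exits non-zero on the first object that would come back with a syntax error, which is cheaper than waiting for the mail round trip.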
Mail the object
Depending on your mail executable version, one of these mail agent calls should serve you.
% mail [email protected] < /tmp/mykeys.txt
% # or
% mail -t [email protected] < /tmp/mykeys.txt
If everything is OK you will receive a mail acknowledgement from [email protected] containing the following:
ADD OK: [key-cert] PGPKEY-7F507482
Else you will get a response with syntax errors.
The errors are denoted in the response message with '?' characters.
Update maintainer
Make sure your key has been added successfully before updating your maintainer to use the key.
At this point, let's add the new 'auth:' attribute.
To get the security GPG provides, also delete the 'MAIL-FROM' and 'CRYPT-PW' lines: any 'auth:' method listed on a maintainer remains usable, so leaving them in makes the maintainer exactly as insecure as it was before (a forged From: header or a guessed password still authorizes changes).
BEFORE GPG
mntner: MAINT-ETBRU
descr: Maintainer without GPG
admin-c: ETBRU
tech-c: ETBRU
upd-to: [email protected]
auth: MAIL-FROM [email protected]
auth: CRYPT-PW pfRRVg599QpLw
mnt-by: MAINT-ETBRU
changed: [email protected] 20190130
source: RADB
WITH GPG
mntner: MAINT-ETBRU
descr: New maintainer with GPG authentication
admin-c: ETBRU
tech-c: ETBRU
upd-to: [email protected]
auth: PGPKEY-7F507482
mnt-by: MAINT-ETBRU
changed: [email protected] 20200106
source: RADB
GPG authentication
- Follow the instructions for creating, modifying or deleting an object, but omit the step that mails [email protected].
- Assume the object is in a file named 'db-submission.txt'.
Since GPG writes its output to a file named *.asc by default, in our example the GPG-signed submission will be in a file called db-submission.txt.asc.
When prompted (in a pinentry dialog with GPG 2.x, or at the terminal as shown below), enter the passphrase you chose when creating the key in the "GPG key" section above.
% gpg --clearsign db-submission.txt
You need a passphrase to unlock the secret key for
user: "Etienne Brule <[email protected]>"
3072-bit RSA key, ID 7F507482, created 2020-01-06
- Send your GPG signed submission to [email protected].
Depending on your mail executable version, one of these mail agent calls should serve you.
% mail [email protected] < db-submission.txt.asc
% # or
% mail -t [email protected] < db-submission.txt.asc
- DONE! You have successfully used a GPG-signed message to update an entry in the RADB.
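The following script ties the "Update maintainer" and signing steps together. It is an added example, not part of the original page or of RADB/IRRd: it flags any MAIL-FROM or CRYPT-PW lines left in a maintainer object, clearsigns a submission, and verifies the .asc locally, confirming that the signing key is one the maintainer's 'auth: PGPKEY-...' lines actually list, before anything is mailed. It assumes gpg 2.x and a sendmail-style 'mail' on PATH; the gpg status output embedded for offline testing is constructed, not a real capture, and etbru@example.net is a placeholder address.

```shell
#!/bin/sh
# sign-submission.sh: pre-flight a maintainer object and a clearsigned RADB
# submission. Added example for this page, not RADB or IRRd code. The gpg
# calls need gpg on PATH; the mntner checks and status parsing do not.
set -eu

# Auth methods that stay usable alongside PGPKEY and so keep the maintainer
# as weak as its weakest line. Prints each offending auth: line and
# returns 1 if any is present, 0 if the object is clean.
weak_auth_in_mntner() {
    if grep -E '^auth:[[:space:]]*(MAIL-FROM|CRYPT-PW)' "$1"; then
        return 1
    fi
    return 0
}

# Short key IDs from the maintainer's 'auth: PGPKEY-XXXXXXXX' lines,
# upper-cased, one per line.
pgp_auth_ids() {
    sed -n 's/^auth:[[:space:]]*PGPKEY-\([0-9A-Fa-f]\{8\}\).*/\1/p' "$1" | tr 'a-f' 'A-F'
}

# Read 'gpg --status-fd 1 --verify' output on stdin and print the short ID
# (last 8 hex digits of the fingerprint) from its VALIDSIG line. gpg emits
# VALIDSIG only for a signature that cryptographically checks out, so a
# BADSIG, an expired key or a missing key produce no output at all.
signer_short_id() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print substr($3, length($3) - 7) }'
}

# Constructed status output for the example key on this page (NOT a real
# gpg capture; the uid address is a placeholder), used by the tests.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 748C195F7F507482 Etienne Brule <etbru@example.net>
[GNUPG:] VALIDSIG F5AF118927CCEE9BA0AF2EBE748C195F7F507482 2020-01-06 1578268800 0 4 0 1 8 01 F5AF118927CCEE9BA0AF2EBE748C195F7F507482'

# Clearsign $2 with the key $1, writing $2.asc (gpg prompts for the passphrase).
sign_submission() {
    gpg --clearsign --local-user "$1" --output "$2.asc" "$2"
}

# Verify the signed file $1 and confirm its key is listed in mntner file $2.
# Returns 0 only when the signature is valid AND the key is authorized.
preflight() {
    signer=$(gpg --status-fd 1 --verify "$1" 2>/dev/null | signer_short_id)
    if [ -z "$signer" ]; then
        echo "no valid signature on $1" >&2
        return 1
    fi
    if pgp_auth_ids "$2" | grep -qx "$signer"; then
        echo "$1 signed by $signer, which $2 lists"
        return 0
    fi
    echo "$1 signed by $signer, but $2 does not list PGPKEY-$signer" >&2
    return 1
}

# Typical use (file names are placeholders):
#   weak_auth_in_mntner mntner.txt || echo "remove the lines above first"
#   sign_submission 7F507482 db-submission.txt
#   preflight db-submission.txt.asc mntner.txt && mail [email protected] < db-submission.txt.asc
```

Running `preflight` before `mail` catches the two mistakes that otherwise only show up as a rejection from the database: signing with a key the maintainer does not list (for example after a key rotation) and a signature that does not verify at all.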
Need Assistance?
If you have technical questions or need help related to Merit RADb, please contact RADb Support.