Mercurial Repository: p/roundup/code: doc/admin

docs: key from keyserver, check key before import to production

author	John Rouillard <rouilj@ieee.org>
date	Sun, 07 Dec 2025 17:30:41 -0500
parents	ed4ef394d5d6
children	7142740e6547

comparison

equal deleted inserted replaced

-:3a07e63ec7c7
+:0fda84bc7584
 do this, obtain the user's public key for their primary email address
 and import it using::
 gpg --homedir /path/to/tracker/gpg --import user-public-key.asc
+You may also be able to get it from a public keyserver using::
+gpg --recv-keys KEYID
+where the ``KEYID`` is supplied by the roundup user.
 While Roundup supports multiple addresses for each user, only the
 primary address supports PGP signed or encrypted messages.
+You should verify that the public key is sane and has few signatures
+attached. You can import a key into a throw away keystore::
+mkdir throwaway
+gpg --homedir throwaway -- import user-public-key.asc
+gpg --homedir throwaway --list-sigs
+and verify that the number of sig lines is small (under 10 or so). If
+it takes a long time to import you can kill the import without
+affecting your production keystore. Large numbers of sig lines can
+take a long time to import/access when compressed. See:
+https://nvd.nist.gov/vuln/detail/CVE-2022-3219.
 .. comment:
 Questions:
 Can roundup send signed emails? (looks like no, why??)

Mercurial > p > roundup > code