changeset 8485:0fda84bc7584
docs: key from keyserver, check key before import to production
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 07 Dec 2025 17:30:41 -0500 |
| parents | 3a07e63ec7c7 |
| children | e2d0f36c525d |
| files | doc/admin_guide.txt |
| diffstat | 1 files changed, 19 insertions(+), 0 deletions(-) |
--- a/doc/admin_guide.txt Sun Dec 07 16:28:08 2025 -0500 +++ b/doc/admin_guide.txt Sun Dec 07 17:30:41 2025 -0500 @@ -1935,9 +1935,28 @@ gpg --homedir /path/to/tracker/gpg --import user-public-key.asc +You may also be able to get it from a public keyserver using:: + + gpg --recv-keys KEYID + +where the ``KEYID`` is supplied by the roundup user. + While Roundup supports multiple addresses for each user, only the primary address supports PGP signed or encrypted messages. +You should verify that the public key is sane and has few signatures +attached. You can import a key into a throw away keystore:: + + mkdir throwaway + gpg --homedir throwaway -- import user-public-key.asc + gpg --homedir throwaway --list-sigs + +and verify that the number of sig lines is small (under 10 or so). If +it takes a long time to import you can kill the import without +affecting your production keystore. Large numbers of sig lines can +take a long time to import/access when compressed. See: +https://nvd.nist.gov/vuln/detail/CVE-2022-3219. + .. comment: Questions:
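Review bot: the throwaway-keystore import line in the second added block has a stray space in `-- import`, so `gpg --homedir throwaway -- import user-public-key.asc` will not import anything (`--` ends option parsing and `import` is then treated as a file argument); it should read `gpg --homedir throwaway --import user-public-key.asc`. Also, the keyserver example `gpg --recv-keys KEYID` is given without `--homedir`, so the fetched key lands in the admin's default keyring rather than in the tracker's (or the throwaway) keystore; since the next paragraph tells the reader to inspect a key in a throwaway keystore before touching production, the example should use `gpg --homedir throwaway --recv-keys KEYID`, and the text could say that the signature-count check applies to keyserver-fetched keys as well as to files supplied by the user.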
