Canonical Voices

Posts tagged with 'gpg'

Martin Pool

If you use gmail, you should now be able to send commands to Launchpad without gpg-signing.

gmail puts a DKIM signature on outgoing mail: a cryptographic signature that proves that the mail was sent by gmail and that it was sent by the purported user. We verify the signature on Launchpad and treat that mail as trusted, which means, for example, that you can triage bugs over mail or vote on merge proposals. Previously you needed to GPG-sign the mail, which is a bit of a hassle for gmail.

(DKIM is signed by the sending domain, not by the user, so it doesn’t inherently prove that the purported sender is the actual one. People could intentionally or unintentionally set up a server that allows intra-domain impersonation, and it’s reported to be easy to misconfigure DKIM signers so that this happens. (Consider a simple SMTP server that accepts, signs and forwards everything from 192.168/16 with no authentication.) However, in cases like gmail we can reasonably assume Google don’t allow one user to impersonate another. We can add other trusted domains on request.)

If you have gmail configured to use some other address as your From address it will still work, as long as you verify both your gmail address and your other address.

You can use email commands to interact with both bugs and code merge proposals. For instance when Launchpad sends you mail about a new bug, you can just reply

  status confirmed
  importance medium

Thanks for letting us know!

We do this using the pydkim library.

Note that you do need at least one leading space before the commands.

If you hit any bugs, let us know.
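The trust decision and command parsing described in the post above, as an added example (not Launchpad's code and not part of the original post). It assumes the DKIM signature has already been checked cryptographically, for instance with pydkim, and is passed in as `signature_valid`; the allowlist, function names and sample message are constructed, and the verified alternate From address case is not handled.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DKIM_DOMAINS = {"gmail.com"}  # assumed allowlist of signer domains

# Constructed sample message; the signature values are placeholders.
SAMPLE = (
    "From: Alice <alice@gmail.com>\n"
    "To: bugs@tracker.example\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=gmail.com; s=constructed;\n"
    " bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "Subject: Re: example bug\n"
    "\n"
    " status confirmed\n"
    " importance medium\n"
    "\n"
    "Thanks for letting us know!\n"
)

def signing_domain(msg):
    """Return the d= tag of the first DKIM-Signature header, or None."""
    tags = {}
    for part in (msg.get("DKIM-Signature") or "").split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())  # unfold whitespace
    return tags.get("d", "").lower() or None

def is_trusted(msg, signature_valid):
    """Policy layered on top of a signature check done elsewhere."""
    if not signature_valid or len(msg.get_all("From", [])) != 1:
        return False  # bad signature, or ambiguous sender headers
    domain = signing_domain(msg)
    if domain not in TRUSTED_DKIM_DOMAINS:
        return False  # DKIM only vouches for the domain, so allowlist it
    # The signer must be the domain that owns the From address.
    _, addr = parseaddr(msg["From"])
    return addr.lower().endswith("@" + domain)

def extract_commands(msg):
    """Body lines with at least one leading space are treated as commands."""
    return [tuple(line.split()) for line in msg.get_payload().splitlines()
            if line.startswith(" ") and line.strip()]

def process(raw, signature_valid):
    msg = message_from_string(raw)
    return extract_commands(msg) if is_trusted(msg, signature_valid) else []
```

A validly signed message from a domain outside the allowlist yields no commands, which is the case the post's 192.168/16 relay illustration is about.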


In the Linaro Infrastructure team we have several shared credentials for external services used by one or more of the projects we maintain. Recently, Paul started a discussion about the best way to store those credentials securely while still making them accessible to everybody in the team. We agreed that one reasonable way to do so would be to store them in a gpg-encrypted file (with keys from each of us), stored in a private branch in Launchpad, so I cooked a small script which will decrypt a file, open it in your favorite editor and encrypt it again once you're done. I'm sharing it here as I figure it might be useful to somebody else.

In its current version you have to specify the name of the Launchpad team for which the file will be encrypted, but it'd be trivial to change it to either use just your own key or a set of keys you pass to it. Also, since it gets the list of people for which the file will be encrypted from Launchpad, it takes a few seconds to complete after you're done editing. Oh, and you'll be asked to confirm the keys belong to the people you want to share the file with, so do yourself a favor and double-check them before hitting 'y'.
