Different key pair for e-mail and signing code
Wiktor Kwapisiewicz
wiktor at metacode.biz
Sat Jan 4 11:54:45 CET 2020
Hi John,
On 04.01.2020 09:53, john doe wrote:
> My goal is to sign code and sign/encrypt e-mail but I'm not sure what's
> the best way forward:
> - One key pair for e-mail (sign/encrypt) and another key pair for
> signing code
> - Finding a way to do what I want with only one key pair (multiple
> signing subkeys and one encryption subkey)
> - Am I missing something/better approach
There is no single answer to this question. Some people use one keypair
for signing e-mails and software because it's simpler (especially if
people have or use the Web of Trust to validate keys).
Apache, for example, recommends using a separate keypair for code signing
with specific guidelines (such as having the UID comment "CODE SIGNING KEY"
[0]). I guess this is due to the fact that one rarely signs code, but
when they do, they use a different hardware token, thus avoiding the
risk of misuse of their frequently used key (e-mail signing).
OpenPGP lacks extended key usage flags, so if an object is signed, it's
not clear what the signer's intention was, and it's theoretically
possible to trick someone into signing an e-mail (via auto-reply or so)
that could then be misinterpreted as software [1].
Kind regards,
Wiktor
[0]: https://www.apache.org/dev/release-signing.html#key-comment
[1]: https://stackoverflow.com/q/35840196
--
https://metacode.biz/@wiktor
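As an added example (not part of the thread, and not Apache's or GnuPG's own tooling), here is the consumer-side counterpart of the guideline in [0]: read the signing key's fingerprint from gpg's machine-readable `--status-fd` output and accept the artifact only if that key's UID carries the "CODE SIGNING KEY" comment. All gpg output below is constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example: reject releases signed by a key that is not marked as a
# dedicated code-signing key. The gpg output below is CONSTRUCTED sample
# data in gpg's real status-fd and --with-colons formats, not captured output.

# Simulated: gpg --status-fd 1 --verify release.tar.gz.asc release.tar.gz
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Project (CODE SIGNING KEY) <release@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2020-01-04 1578131685 0 4 0 1 8 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_FULLY 0 pgp'

# Simulated: gpg --with-colons --list-keys 0000111122223333444455556666777788889999
SAMPLE_KEYLIST='tru::1:1578131685:0:3:1:5
pub:f:4096:1:0123456789ABCDEF:1578131685:::f:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:f::::1578131685::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Project (CODE SIGNING KEY) <release@example.org>::::::::::0:
sub:f:4096:1:FEDCBA9876543210:1578131685::::::e::::::23:'

# Print the primary-key fingerprint from a VALIDSIG line (its last field is
# the primary fingerprint even when a signing subkey made the signature).
# Prints nothing if there is no VALIDSIG, i.e. the signature did not verify.
signer_fingerprint() {
  printf '%s\n' "$1" | awk '$2 == "VALIDSIG" { print $NF }'
}

# Return 0 if the key with fingerprint $1 has a UID whose comment is
# "CODE SIGNING KEY" in the colon-format listing $2, 1 otherwise.
is_code_signing_key() {
  fpr="$1"; listing="$2"
  printf '%s\n' "$listing" | awk -F: -v fpr="$fpr" '
    $1 == "fpr" && $10 == fpr { found = 1; next }
    $1 == "fpr" { found = 0 }
    $1 == "uid" && found && index($10, "(CODE SIGNING KEY)") { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

# Full policy check: signature must verify AND the key must be dedicated
# to code signing. Exit status: 0 accept, 1 bad/missing signature, 2 wrong key.
check_release_signature() {
  fpr=$(signer_fingerprint "$1")
  [ -n "$fpr" ] || { echo "REJECT: no VALIDSIG (signature invalid or missing)"; return 1; }
  if is_code_signing_key "$fpr" "$2"; then
    echo "OK: signed by code-signing key $fpr"; return 0
  fi
  echo "REJECT: $fpr is not marked as a CODE SIGNING KEY"; return 2
}

check_release_signature "$SAMPLE_STATUS" "$SAMPLE_KEYLIST"
```

In a real pipeline, feed the functions the output of `gpg --status-fd 1 --verify ...` and `gpg --with-colons --list-keys <fingerprint>` instead of the sample strings; the UID comment is a convention, so this check complements, rather than replaces, pinning the expected release-key fingerprint.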