Different key pair for e-mail and signing code

Wiktor Kwapisiewicz wiktor at metacode.biz
Sat Jan 4 11:54:45 CET 2020


Hi John,

On 04.01.2020 09:53, john doe wrote:
> My goal is to sign code and sign/encrypt e-mail but I'm not sure what's
> the best way forward:
> - One key pair for e-mail (sign/encrypt) and another key pair for
> signing code
> - Finding a way to do what I want with only one key pair (multiple
> signing subkeys and one encryption subkey)
> - Am I missing something/better approach

There is no single answer to this question. Some people use one keypair 
for signing e-mails and software because it's simpler (especially if 
people have or use the Web of Trust to validate keys).

Apache, for example, recommends using a separate keypair for code signing 
with specific guidelines (such as having the UID comment "CODE SIGNING KEY" 
[0]). I guess this is due to the fact that one rarely signs code, but 
when they do, they use a different hardware token, thus avoiding the 
risk of misuse of their frequently used key (e-mail signing).

OpenPGP lacks extended key usage flags, so if an object is signed, it's 
not clear what the signer's intention was, and it's theoretically 
possible to trick someone into signing an e-mail (via auto-reply or so) 
that then could be misinterpreted as software [1].

Kind regards,
Wiktor

[0]: https://www.apache.org/dev/release-signing.html#key-comment

[1]: https://stackoverflow.com/q/35840196

-- 
https://metacode.biz/@wiktor
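The second option John lists (one primary key, one encryption subkey, several signing subkeys) together with Wiktor's point that a signature carries no usage flag, as an added example that is not part of the original thread. It assumes GnuPG 2.1 or later is installed; the user ID, file names and the throwaway keyring are constructed for the demo, and the "is this the code-signing subkey?" policy is the verifier's own check, not something gpg does on its own.

```shell
#!/bin/sh
# Added example, not from the original thread: a certify-only primary key, one
# encryption subkey and two signing subkeys (e-mail, code), plus a verify step
# that checks WHICH subkey signed, since the signature has no purpose flag.
set -eu
PRIMARY_FPR='' MAIL_FPR='' CODE_FPR=''
# gpg wrapper: unattended, throwaway key without passphrase (demo only).
g() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

make_keyring() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
    g --quick-generate-key 'Demo User <demo@example.invalid>' ed25519 cert never
    PRIMARY_FPR=$(gpg --batch --with-colons --list-keys demo@example.invalid |
        awk -F: '$1=="fpr"{print $10; exit}')
    g --quick-add-key "$PRIMARY_FPR" cv25519 encrypt never
    g --quick-add-key "$PRIMARY_FPR" ed25519 sign never    # e-mail signing
    g --quick-add-key "$PRIMARY_FPR" ed25519 sign never    # code signing
    # Signing-subkey fingerprints in creation order (field 12 = capabilities).
    set -- $(gpg --batch --with-colons --list-keys "$PRIMARY_FPR" |
        awk -F: '$1=="sub"{c=$12} $1=="fpr"&&c~/s/{print $10; c=""}')
    MAIL_FPR=$1; CODE_FPR=$2
}

# Detached signature made with exactly one subkey: the trailing "!" pins it.
sign_with() {  # $1 = subkey fingerprint, $2 = file (writes $2.sig)
    g --local-user "$1!" --detach-sign --output "$2.sig" "$2"
}

# Fingerprint of the (sub)key that produced a good signature on $1, taken from
# the VALIDSIG status line. Note what is absent: nothing says "code" or "mail".
signer_of() {
    gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null |
        awk '$2=="VALIDSIG"{print $3; exit}'
}

# Verifier-side policy: a release is accepted only if it was signed by the
# published code-signing subkey, not by any signing-capable key of that user.
is_release_signature() {  # $1 = file, $2 = expected code-signing fingerprint
    [ "$(signer_of "$1")" = "$2" ]
}

demo() {
    make_keyring
    f="$GNUPGHOME/release.tar"; printf 'constructed release payload\n' >"$f"
    sign_with "$MAIL_FPR" "$f"      # signed with the wrong (e-mail) subkey
    echo "code-signing subkey: $CODE_FPR"
    echo "signature made by:   $(signer_of "$f")"
    is_release_signature "$f" "$CODE_FPR" || echo "rejected: not the code-signing subkey"
}
if [ "${1:-}" = "run" ]; then demo; fi
```

Run it as `sh subkeys.sh run`; sourcing the file only defines the functions. The keyring is left under the temporary directory it prints nothing about, so remove it (and its gpg-agent) when done.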
