
I was going through the (seemingly intricate) procedures for getting a company's artifact on Maven Central. Then I got to the GPG signing part and entered a new world of confusion and conundrums. GPG has so many options, and it's not evident what a reasonable practice should be for signing company artifacts.

Let's say that Acme wants to publish an artifact org.example.acme:foobar:1.0.0 to Maven Central. What user ID should they use to sign it? What subkeys? How would that key be kept separate from the user's personal key?

Let me go through all the doubts to give you an idea of why it is confusing.

  • What email should I use for Acme? Should I use admin@acme.example.com? Should the identity be for Acme, or a division of Acme? Or should only individuals sign artifacts for publication on Maven?
  • What about the comment? One source said we should leave comments out altogether. Should I use "Acme (software) software@acme.example.com"? Or just "Acme acme@acme.example.com".
  • OK, so maybe you say it doesn't matter, and that all this is opinion based, and I can use whatever works for my company---fine. But then how do I keep my company and personal ID separate? Can I have a key for Acme and a separate key for John Doe on the same keyring on the same computer? How would I then distinguish them when publishing artifacts? All of the examples seem to assume you are using a single identity.
  • Should I be using subkeys? Should I create different subkeys for different departments? Or different identities for the same subkeys? Or what?
  • Should I make my keys expire? Or just the main key? Or just the subkey?

I could go on and on and on... Trying to summarize, all the examples seem to assume 1) the user only has one user ID installed on their keyring, and 2) everyone signing their artifacts is an individual, not a company.

What is the expected approach for signing the Maven artifact of an organization; and how does a user manage the organization's key separately from the user's individual key?

Garret Wilson

1 Answer


What email should I use for Acme? Should I use admin@acme.example.com? Should the identity be for Acme, or a division of Acme? Or should only individuals sign artifacts for publication on Maven?

Use the one that is used for public communication of the group/department using the key. For a smaller company, I'd probably go for some generic address like info@acme.example.com.

Don't mix in persons. This is a company key, which identifies the company (or a specific function inside the company) and not an individual.

What about the comment? One source said we should leave comments out altogether. Should I use "Acme (software) software@acme.example.com"? Or just "Acme acme@acme.example.com".

Does the "software" comment add any relevant information? I don't think so, so leave it away as it just adds noise.

Often, something like "signing key" is added as a comment for such keys. I don't consider this necessary, as the usage is obvious. If you want to prevent others sending encrypted mail using that key, better limit key usage to signing only, which enforces this limitation (and does not just ask other users not to use the key for encryption).

OK, so maybe you say it doesn't matter, and that all this is opinion based, and I can use whatever works for my company---fine. But then how do I keep my company and personal ID private? Can I have a key for Acme and a separate key for John Doe on the same keyring on the same computer? How would I then distinguish them when publishing artifacts? All of the examples seem to assume you are using a single identity.

You can have an arbitrary number of keys on your computer, that's not an issue. Maven (and other software relying on GnuPG) can be configured to use a specific key. Usually, you can either put a user ID, mail address, key ID or fingerprint in there -- as this is a one-time configuration, better use the most specific way, the fingerprint.

Should I be using subkeys? Should I create different subkeys for different departments? Or different identities for the same subkeys? Or...

Yes, you should. This is an important key. Keep the primary key offline (in a safe, ...; with very narrow access for others but the most important people/managers in the organization). Only hand out subkeys limited to signing: you either put such a key on a build server, or hand it to the employee who is pushing the builds. If you need to exchange a key, you don't have to change the primary key, but only the subkey (which is not a lot of effort, and especially does not involve telling your customers about the new key).

To mitigate employees leaving the company taking copies of the key, take advantage of OpenPGP smart cards (which might also be a YubiKey). The key cannot be fetched from the card, so theft of the key is equal to theft of the card (and can hardly go unnoticed).

Jens Erat
  • Thanks especially for the link about specifying a particular key for Maven. About the subkey, which you say I should be using: if I follow the [Sonatype GPG instructions](http://central.sonatype.org/pages/working-with-pgp-signatures.html), will I wind up using a subkey or my primary key? The instructions are not clear on this at all. (I added one more set of questions above about expiration as well.) – Garret Wilson May 20 '16 at 13:50
  • One principle on Stack Overflow is keeping questions narrow. You're asking at least three completely different questions here, and added a fourth one (and adding unrelated follow-ups is even more discouraged, as it changes the scope of questions and answers). Furthermore, consider whether Stack Overflow really is the right place to ask; for interfacing GnuPG and Maven it is, but general questions (for example about key expiry) for sure aren't. Consider asking on the Security Stack Exchange or Super User instead (and anyway, key expiry was discussed more than once on each of them). – Jens Erat May 20 '16 at 15:28
  • Regarding subkeys: Reading through the Sonatype document, it seems there are some issues with subkeys and maven (but I didn't verify myself); so you might need to end up without a subkey at all. `gpg --expert --gen-key` allows you to create a primary key _without_ a subkey and restrict the key to signing (and certification, which is a capability you cannot disable). So subkeys definitely are best practice, but might not work out with Maven. – Jens Erat May 20 '16 at 15:30
  • Fair enough regarding your comment on narrow questions. On the other hand, it's such a big, interconnected topic (which no one has explained well even for such a simple use case as Maven signing) that it's hard to ask a single question without raising a host of others. But your responses have helped quite a bit, thanks. – Garret Wilson May 20 '16 at 15:32
  • So if as you say it's so important to use subkeys for signing, yet Maven forces us to use the primary key for signing, does that mean I should create a separate identity just for Maven signing? (This is all much more complicated than it appears on a casual reading.) – Garret Wilson May 20 '16 at 15:41
  • In this case, I'd indeed go for a dedicated (primary) signing key. This restriction of Maven is really annoying. – Jens Erat May 22 '16 at 08:54
  • But if it's really that important to have subkeys, and Maven doesn't let me, does that imply it's a good idea to a completely separate identity just for Maven signing? Or was your recommendation to use subkeys not really that important? – Garret Wilson May 22 '16 at 15:27
  • Subkeys make key escrow easier and are generally considered best practice. There is no security risk in proper usage of the primary key as signing key. If you use the key also for other operations, it is wise to generate an additional, separate signing key, so if you need to escrow the signing key, your key for "general usage" is not affected. – Jens Erat May 22 '16 at 15:31
  • I agree this question is overly-broad; it reflects how completely lost I was at the beginning. I think I've narrowed down the central doubt now, and I've posted it as http://stackoverflow.com/q/37401047/421049 . – Garret Wilson May 23 '16 at 21:54
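The answer's advice to point Maven at one specific key by fingerprint when a company key and a personal key share a keyring (and the later comment that a dedicated primary signing key may be needed where subkeys do not work) is illustrated by the following added example, which is not code from the question or the answer. It assumes gpg's machine-readable `--with-colons` listing format and maven-gpg-plugin's `keyname` parameter (user property `gpg.keyname`); the keyring listing and fingerprints are constructed, not real keys.

```shell
# Constructed sample (fake fingerprints) of the output of
#   gpg --list-secret-keys --with-colons --with-subkey-fingerprint
# for one keyring holding John Doe's personal key, the Acme company key
# (certify-only primary, sign and encrypt subkeys) and a dedicated sign-only
# Acme primary key without subkeys, for tools that cannot use subkeys.
SAMPLE_LISTING='sec:u:4096:1:1111111111111111:1463700000:1526772000::u:::scESC::::::23::0:
fpr:::::::::AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111:
uid:u::::1463700000::0123456789ABCDEF0123456789ABCDEF01234567::John Doe <john@example.com>::::::::::0:
ssb:u:4096:1:2222222222222222:1463700000:1526772000:::::s::::::23:
fpr:::::::::BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222:
sec:u:4096:1:3333333333333333:1463700000:1526772000::u:::cESC::::::23::0:
fpr:::::::::CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333:
uid:u::::1463700000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Acme <info@acme.example.com>::::::::::0:
ssb:u:4096:1:4444444444444444:1463700000:1526772000:::::s::::::23:
fpr:::::::::DDDD4444DDDD4444DDDD4444DDDD4444DDDD4444:
ssb:u:4096:1:5555555555555555:1463700000:1526772000:::::e::::::23:
fpr:::::::::EEEE5555EEEE5555EEEE5555EEEE5555EEEE5555:
sec:u:4096:1:6666666666666666:1463700000:1526772000::u:::scSC::::::23::0:
fpr:::::::::FFFF6666FFFF6666FFFF6666FFFF6666FFFF6666:
uid:u::::1463700000::00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF::Acme Release Signing <releases@acme.example.com>::::::::::0:'
# signing_fpr EMAIL: read a colon listing on stdin and print the fingerprint to
# sign with for that user ID: the first valid signing-capable subkey, else the
# primary key itself if it can sign. Returns 1 when no usable key matches.
signing_fpr() {
  awk -F: -v want="$1" '
    function flush() {
      if (inkey && sub_fpr != "") { print sub_fpr; found = 1 }
      else if (inkey && primary_signs) { print primary_fpr; found = 1 }
      inkey = 0; primary_signs = 0; primary_fpr = ""; sub_fpr = ""; expect = ""
    }
    $1 == "pub" || $1 == "sec" { flush(); primary_signs = index($12, "s") > 0; expect = "pri" }
    $1 == "fpr" && expect == "pri" { primary_fpr = $10 }
    $1 == "fpr" && expect == "sub" && sub_fpr == "" { sub_fpr = $10 }
    $1 == "fpr" { expect = "" }
    $1 == "uid" && index($10, "<" want ">") > 0 { inkey = 1 }
    $1 == "sub" || $1 == "ssb" { expect = (index($12, "s") > 0 && $2 != "r" && $2 != "e") ? "sub" : "" }
    END { flush(); if (!found) exit 1 }
  '
}

# maven_gpg_property EMAIL: the command-line property for maven-gpg-plugin's
# keyname parameter (user property gpg.keyname), e.g. mvn -Dgpg.keyname=... deploy
maven_gpg_property() {
  fpr=$(signing_fpr "$1") || return 1
  printf '%s%s\n' '-Dgpg.keyname=' "$fpr"
}
printf '%s\n' "$SAMPLE_LISTING" | maven_gpg_property info@acme.example.com
# live: gpg --list-secret-keys --with-colons --with-subkey-fingerprint | maven_gpg_property info@acme.example.com
```

Revoked or expired subkeys (validity `r`/`e`) are skipped, so rotating a compromised signing subkey under the same offline primary changes only the fingerprint handed to Maven.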