Yesterday I wrote about verifying packages using GPG keys stored in DNS. You may wonder how to get a key into DNS in the first place.
Take the armored GPG key, e.g. RPM-GPG-KEY-fedora-35-primary, and paste it into this service. You will need to enter the email address associated with the key as well; use fedora-35-primary@fedoraproject.org. Click Generate, and your DNS record is ready.
Hey, how should I know that email address? That is easy. Run:

    $ gpg2 RPM-GPG-KEY-fedora-35-primary
    gpg: WARNING: no command supplied.  Trying to guess what you mean ...
    pub   rsa4096 2021-02-04 [SCE]
          787EA6AE1147EEE56C40B30CDB4639719867C58F
    uid           Fedora (35) <fedora-35-primary@fedoraproject.org>
Hmm, I had to use the command line anyway. Can I somehow generate the record from the command line, without a third-party service? Sure:
First, import the key:

    $ gpg2 --import RPM-GPG-KEY-fedora-35-primary
    gpg: key DB4639719867C58F: public key "Fedora (35) <fedora-35-primary@fedoraproject.org>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
And then export it in DANE format:

    $ gpg2 --export-options export-dane --export fedora-35-primary@fedoraproject.org
    $ORIGIN _openpgpkey.fedoraproject.org.
    ; 787EA6AE1147EEE56C40B30CDB4639719867C58F
    ; Fedora (35) <fedora-35-primary@fedoraproject.org>
    e27f1efe21ae589b7796e61af3ac4a4c1c2428615daca70d8f1c9e96 TYPE61 \# 1172 (
    	99020d04601c49ca011000cb7fc60791ecc9e9a765318c3b6861889496a5b7c2
    	63db1fc1d8afa121f22ec46b69563ede2d180353bea3693e69543e6614c277a6
    	47a7791fdc4e6aaa42437242c857da8417c04cd449bd4234c09f0868245fc436
    	cd992b21c0ab174436c2b29b95ab9d854fa255a9c00ec9b5f1812ab1be40537e
    	ddb54accdd061d5a0f51f9788f7d5f112818d3d37bd504e74c4ac637f4b6829f
    	a229d4ebe9f08128fc8784558d6a98238f01a2b46c91f7b9f8380ae7a4b3e4d2
    	c105937822f1b992fa38c5e838f2b0bcc41fc5b8355c3f2fb99d0ab63fdc347d
    	b16aed319ac02ef472697a4bce3d1c65caab63c997eba1589e172a70660bd0c2
    	d9e733cfe0484bbf2554eb634e76984513ec271bef891c1c54c57cc9259e41bf
    	d1f5380116b9d381f7c63d24b5b7b7bca70f5e83ceb8a055b074afd34506600c
    	8f7aecbef3b714fd812133b9374952a3e9e21983288c3b4c25d5818344a72e97
    	092cf40fae964835a136f8b37ce666f3f4ec6a13c56e368da2b9592f8d85979e
    	f3ad17a1585b7352a94be8df6688ecac4b59f0f6d467e62f17c469add580ae31
    	db264d89a51280c53871b1002c0611b5d0bbb1d9668c0748362393dc31d27f72
    	a8e8d3c71cae3057ba2c56ae2e62bbd317a7ca93fdf4b3366b1d2209fcfea64a
    	8bc42e95fbbbeeeaa15bfc2dd9bb678ad811b2a8e1c4cba3614e196f8864b45f
    	21294fd75fbe36aa12f92b0011010001b4314665646f72612028333529203c66
    	65646f72612d33352d7072696d617279406665646f726170726f6a6563742e6f
    	72673e89024e041301080038162104787ea6ae1147eee56c40b30cdb46397198
    	67c58f0502601c49ca021b0f050b0908070206150a09080b020416020301021e
    	01021780000a0910db4639719867c58f8d600ffb058a609724806581e18f22a1
    	ffe7faccf7d5bdb1f6d04ab7908ece1413749cb5fe054d66baf4bea93b92dd62
    	eb0779b71ae96da4a44424a2ed9b9103d6b1b35c0a13d72a7d608f0b00374c08
    	23b28c08eca1653ced852e0befdb9e3ad3791d8b44e09fc8f0bbe96f7ce62395
    	9b94be6ec403c3b0b62eb95d00ce0c0eea326754a2b46699e0a40b56df9311ad
    	788ac6121828f3a3b3d8f15dc93a4e7482a5a0f3637f6e6d84cd2ed3f375840d
    	bd65be3e0896fc6022a29e835d735d8c66ad849924909fbf37fe94d4babb1807
    	8f1fc9d32959d8b89b1abe86000c8ef545ab0194b048cd047234fcc040a7c644
    	83bb2aa65b056f3415ee10857c39edd83225357c937cb1dec3a6c171e4cf9776
    	7327412f87ae34cf283de65ab94076711385d615f23664a56843cacdfff7d78e
    	864d2b2e7cb48cdc246ae7ff894f0e73a5ef3248cb44c260e54f552b226e596b
    	73c179e330de5644506a2b8b19a2630c7ed6d31f5fb9c9b456fc0def05b6b145
    	6daded4ccd8dccde91264489a2cdf4bfc7709088475405f3af360dd025105f5d
    	93681089849001a689d09240cc7bd191124b2e02b66106221cd572daddc9c857
    	ecada9b9c1209639f84f788c8b053649beba4d94f6de7ec4fde7b4dfd81348ba
    	0cd9ac2e55c4348a919811875546bd22109c2cb3910cba114daa3e9896e7d1bf
    	84f21766b2a870adca2d2f7f8b32504d196d8cc0
    	)
And voilà, this is your DNS record, which you can copy and paste into your zone. In this case, into the _openpgpkey.fedoraproject.org. zone.
Remember: if the email associated with the GPG key is foo@bar.com, then the generated record has to go into the _openpgpkey.bar.com. zone.
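Before you paste a generated record into your zone, it is worth checking that its parts agree with each other. The following is an added example (not from the original post or from GnuPG): a Python script that re-parses the record text gpg printed above, walks the OpenPGP packets inside the RDATA, recomputes the v4 key fingerprint, and recomputes the RFC 7929 owner name (SHA-256 of the email's local part, truncated to 28 octets, hex-encoded, under _openpgpkey.<domain>). It then compares all of that with the fingerprint and user ID gpg wrote in the `;` comment lines. The embedded record is copied from the export output above; the packet walker handles only old-format packet headers (RFC 4880 section 4.2.1), which is all this key uses.

```python
import hashlib
import re

# The record exactly as gpg2 printed it in the post; hex body kept 64 chars wide.
RECORD = r"""$ORIGIN _openpgpkey.fedoraproject.org.
; 787EA6AE1147EEE56C40B30CDB4639719867C58F
; Fedora (35) <fedora-35-primary@fedoraproject.org>
e27f1efe21ae589b7796e61af3ac4a4c1c2428615daca70d8f1c9e96 TYPE61 \# 1172 (
99020d04601c49ca011000cb7fc60791ecc9e9a765318c3b6861889496a5b7c2
63db1fc1d8afa121f22ec46b69563ede2d180353bea3693e69543e6614c277a6
47a7791fdc4e6aaa42437242c857da8417c04cd449bd4234c09f0868245fc436
cd992b21c0ab174436c2b29b95ab9d854fa255a9c00ec9b5f1812ab1be40537e
ddb54accdd061d5a0f51f9788f7d5f112818d3d37bd504e74c4ac637f4b6829f
a229d4ebe9f08128fc8784558d6a98238f01a2b46c91f7b9f8380ae7a4b3e4d2
c105937822f1b992fa38c5e838f2b0bcc41fc5b8355c3f2fb99d0ab63fdc347d
b16aed319ac02ef472697a4bce3d1c65caab63c997eba1589e172a70660bd0c2
d9e733cfe0484bbf2554eb634e76984513ec271bef891c1c54c57cc9259e41bf
d1f5380116b9d381f7c63d24b5b7b7bca70f5e83ceb8a055b074afd34506600c
8f7aecbef3b714fd812133b9374952a3e9e21983288c3b4c25d5818344a72e97
092cf40fae964835a136f8b37ce666f3f4ec6a13c56e368da2b9592f8d85979e
f3ad17a1585b7352a94be8df6688ecac4b59f0f6d467e62f17c469add580ae31
db264d89a51280c53871b1002c0611b5d0bbb1d9668c0748362393dc31d27f72
a8e8d3c71cae3057ba2c56ae2e62bbd317a7ca93fdf4b3366b1d2209fcfea64a
8bc42e95fbbbeeeaa15bfc2dd9bb678ad811b2a8e1c4cba3614e196f8864b45f
21294fd75fbe36aa12f92b0011010001b4314665646f72612028333529203c66
65646f72612d33352d7072696d617279406665646f726170726f6a6563742e6f
72673e89024e041301080038162104787ea6ae1147eee56c40b30cdb46397198
67c58f0502601c49ca021b0f050b0908070206150a09080b020416020301021e
01021780000a0910db4639719867c58f8d600ffb058a609724806581e18f22a1
ffe7faccf7d5bdb1f6d04ab7908ece1413749cb5fe054d66baf4bea93b92dd62
eb0779b71ae96da4a44424a2ed9b9103d6b1b35c0a13d72a7d608f0b00374c08
23b28c08eca1653ced852e0befdb9e3ad3791d8b44e09fc8f0bbe96f7ce62395
9b94be6ec403c3b0b62eb95d00ce0c0eea326754a2b46699e0a40b56df9311ad
788ac6121828f3a3b3d8f15dc93a4e7482a5a0f3637f6e6d84cd2ed3f375840d
bd65be3e0896fc6022a29e835d735d8c66ad849924909fbf37fe94d4babb1807
8f1fc9d32959d8b89b1abe86000c8ef545ab0194b048cd047234fcc040a7c644
83bb2aa65b056f3415ee10857c39edd83225357c937cb1dec3a6c171e4cf9776
7327412f87ae34cf283de65ab94076711385d615f23664a56843cacdfff7d78e
864d2b2e7cb48cdc246ae7ff894f0e73a5ef3248cb44c260e54f552b226e596b
73c179e330de5644506a2b8b19a2630c7ed6d31f5fb9c9b456fc0def05b6b145
6daded4ccd8dccde91264489a2cdf4bfc7709088475405f3af360dd025105f5d
93681089849001a689d09240cc7bd191124b2e02b66106221cd572daddc9c857
ecada9b9c1209639f84f788c8b053649beba4d94f6de7ec4fde7b4dfd81348ba
0cd9ac2e55c4348a919811875546bd22109c2cb3910cba114daa3e9896e7d1bf
84f21766b2a870adca2d2f7f8b32504d196d8cc0
)
"""

def owner_name(email):
    """RFC 7929: SHA-256 of the local part, first 28 octets as hex, under _openpgpkey."""
    local, domain = email.rsplit("@", 1)
    return hashlib.sha256(local.encode()).hexdigest()[:56], f"_openpgpkey.{domain}."

def parse_record(text):
    """Return (origin, owner label, RDATA bytes) from the generic TYPE61 text form."""
    origin = re.search(r"^\$ORIGIN\s+(\S+)", text, re.M).group(1)
    m = re.search(r"^(\S+)\s+TYPE61\s+\\#\s+(\d+)\s+\((.*?)\)", text, re.M | re.S)
    rdata = bytes.fromhex("".join(m.group(3).split()))
    if len(rdata) != int(m.group(2)):
        raise ValueError("declared RDATA length does not match the hex data")
    return origin, m.group(1), rdata

def openpgp_packets(data):
    """Yield (tag, body) for old-format packet headers (RFC 4880 section 4.2.1)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if (ctb & 0xC0) != 0x80 or (ctb & 0x03) == 3:
            raise ValueError("unsupported packet header")  # new-format or indeterminate
        tag, hdr = (ctb >> 2) & 0x0F, (2, 3, 5)[ctb & 0x03]
        length = int.from_bytes(data[pos + 1:pos + hdr], "big")
        yield tag, data[pos + hdr:pos + hdr + length]
        pos += hdr + length

def v4_fingerprint(pubkey_body):
    """RFC 4880 section 12.2: SHA-1 over 0x99 || two-octet body length || body."""
    prefix = b"\x99" + len(pubkey_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + pubkey_body).hexdigest().upper()

def verify_record(text):
    """Cross-check the RDATA against the fingerprint and uid gpg wrote as comments."""
    origin, label, rdata = parse_record(text)
    fpr_comment, uid_comment = re.findall(r"^;\s*(.*)$", text, re.M)[:2]
    packets = list(openpgp_packets(rdata))
    pubkey = next(body for tag, body in packets if tag == 6)
    uid = next(body for tag, body in packets if tag == 13).decode()
    email = uid[uid.index("<") + 1:uid.index(">")]
    return {
        "tags": [tag for tag, _ in packets],  # public key, user ID, signature
        "fingerprint": v4_fingerprint(pubkey),
        "fingerprint_ok": v4_fingerprint(pubkey) == fpr_comment,
        "uid_ok": uid == uid_comment,
        "name_ok": (label, origin) == owner_name(email),
    }

if __name__ == "__main__":
    print(verify_record(RECORD))
```

Three things are worth noticing when it runs: the RDATA is just the binary transferable public key (packets 6, 13 and 2 back to back), the fingerprint recomputed from the key material matches the one in the first comment line, and the 56-hex-character owner label is nothing more than the truncated SHA-256 of `fedora-35-primary`, so the same function tells you which name any other address maps to before you publish it.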
And do not forget: all of this makes sense only if your domain is signed with DNSSEC. Otherwise anyone can forge these records.