Setting up GnuPG for add-on development

Roo makes use of GnuPG (http://www.gnupg.org/) to sign add-ons. Signing of add-ons ensures that Roo users download and install only trusted add-ons. The add-on creator module of Roo signs the add-on with the developer's secret PGP key, and the developer publishes the matching public PGP key to a public key server. A Roo user must explicitly tell Roo that an add-on is trusted by adding that public PGP key to Roo's key store; only then will Roo download and install the add-on. If the public PGP key is not in Roo's key store, the add-on is neither downloaded nor installed.

In this recipe, we'll look at how to install GnuPG, create a key-pair (consisting of secret and public keys), and publish the public key to a public key server.

Getting ready

If you are using Windows or UNIX, download and install GnuPG from the following location: http://www.gnupg.org/download/. If you are using Mac, download and install GnuPG for Mac from the following location: http://macgpg.sourceforge.net/.

Installing GnuPG on Windows will create the following installation directory: C:\Program Files\GNU\GnuPG.

How to do it...

The following steps will demonstrate how to set up GnuPG:

  1. Open the command prompt and execute the following GnuPG list-secret-keys command to view secret PGP keys that you may have created earlier:
    C:\Users\Ashish>gpg --list-secret-keys
    gpg: keyring 'C:/Users/Ashish/AppData/Roaming/gnupg\secring.gpg' created
    

    The output shows that GnuPG creates the secring.gpg file (the secret keyring) if it does not exist yet; nothing else is listed because no key has been created so far. Note that GnuPG 2.1 and later no longer use secring.gpg and keep secret keys in the private-keys-v1.d directory of the GnuPG home directory instead, so this message will not appear on those versions.

  2. Create a new key-pair consisting of a secret PGP key and public PGP key using GnuPG's gen-key command, as shown here:
    C:\Users\Ashish>gpg --gen-key
    ...
    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
    Your selection? 1
    ...
    

    Executing the gen-key command asks multiple questions, such as the kind and length of the key, its expiry, your real name, your e-mail ID, and so on. When asked to select what kind of key you want, choose either option 1 (RSA and RSA (default)) or option 2 (DSA and Elgamal). Both create a primary key that can sign (which is all Roo needs to sign add-ons) plus a subkey for encryption and decryption. Accept a key length of at least 2048 bits. In the end, you'll be asked to provide a passphrase to protect your secret PGP key. Remember the passphrase, as you'll need to provide it when building your custom add-ons.

  3. To verify that the key-pair has been successfully created, execute GnuPG's list-secret-keys command:
    C:\Users\Ashish>gpg --list-secret-keys
    
    C:/Users/Ashish/AppData/Roaming/gnupg\secring.gpg
    -------------------------------------------------
    sec   2048R/BFB28A4D 2011-04-30
    uid                  Ashish Sarin (This is my key) <[email protected]>
    ssb   2048R/9FCAFB76 2011-04-30
    

    If you see the previous output, it means your key-pair has been successfully generated. The sec line is the primary key and its key ID is BFB28A4D; the public half of the same key (shown as pub by gpg --list-keys) carries the same key ID, and this is the key you need to publish to a public key server. The ssb line is the encryption subkey, which is published together with the primary key. Keep in mind that the 8-hex-digit key ID shown here is only the last 32 bits of the key's fingerprint and is not unique; run gpg --fingerprint BFB28A4D to obtain the full 40-hex-digit fingerprint and use that whenever you publish the key or tell users which key to trust.

  4. Now, publish the public key using GnuPG's send-keys command, as shown here:
    gpg --keyserver hkp://pgp.mit.edu --send-keys <public-key-id>
    

    Here, <public-key-id> is the key ID of the sec line that was listed when you executed the list-secret-keys command, or preferably the full fingerprint of that key. In my case, <public-key-id> is BFB28A4D.
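    The following script is an added example and is not part of the book or of Spring Roo. It performs steps 2 to 4 unattended using GnuPG's batch key-generation format, and it reads the key's full fingerprint from the machine-readable listing (gpg --list-secret-keys --with-colons) instead of the short key ID, because the 8-hex-digit ID can be collided. It assumes GnuPG 2.x on the PATH and a POSIX shell (Linux, macOS, or Git Bash/Cygwin on Windows); the names, e-mail addresses and passphrase variable are placeholders, and the colon-format listing embedded in it is a constructed sample modelled on the recipe's key.

```shell
#!/bin/sh
# Added example, not code from the book or from Spring Roo. Assumes GnuPG 2.x
# on the PATH and a POSIX shell (Linux, macOS, or Git Bash/Cygwin on Windows).
# Names, e-mail addresses and the passphrase variable are placeholders.
set -eu

KEYSERVER="hkp://pgp.mit.edu"   # keyserver used by the recipe

# Print the full 40-hex-digit fingerprint of the primary secret key from the
# machine-readable listing (`gpg --list-secret-keys --with-colons`). The
# fingerprint is field 10 of the "fpr" record that follows the "sec" record;
# the encryption subkey ("ssb") has its own "fpr" record, which is skipped.
primary_fingerprint() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec"              { want = 1; next }
        $1 == "fpr" && want == 1 { print $10; exit }
    '
}

# The 8-digit ID that `gpg --list-secret-keys` prints (BFB28A4D in the recipe)
# is just the last 32 bits of the fingerprint, and 32-bit IDs can be collided
# cheaply. Refer to keys by full fingerprint when publishing them or telling
# users what to trust; the long (64-bit) ID is shown only for comparison.
short_key_id() { printf '%s\n' "${1#"${1%????????}"}"; }
long_key_id()  { printf '%s\n' "${1#"${1%????????????????}"}"; }

# Constructed sample of the colon-format listing, modelled on the recipe's key
# (RSA-2048 primary key ending in BFB28A4D, encryption subkey ending in 9FCAFB76).
SAMPLE_LISTING=$(cat <<'EOF'
sec:u:2048:1:D6E7F809BFB28A4D:1304121600::::::scESC:::+:::23::0:
fpr:::::::::1A2B3C4D5E6F708192A3B4C5D6E7F809BFB28A4D:
grp:::::::::0000000000000000000000000000000000000000:
uid:u::::1304121600::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Ashish Sarin (This is my key) <ashish@example.org>::::::::::0:
ssb:u:2048:1:765432109FCAFB76:1304121600::::::e:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA98765432109FCAFB76:
EOF
)

# Unattended key generation using GnuPG's batch parameter format; equivalent
# to answering the --gen-key prompts with option 1 (RSA and RSA). The
# passphrase is taken from the GPG_PASSPHRASE environment variable.
generate_keypair() {   # $1 = real name, $2 = e-mail address
    gpg --batch --gen-key <<EOF
%echo Generating Roo add-on signing key
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: $1
Name-Email: $2
Expire-Date: 2y
Passphrase: $GPG_PASSPHRASE
%commit
EOF
}

# Publish the public key by fingerprint and also export it as an ASCII-armored
# file that can be handed to users for out-of-band verification.
publish_key() {        # $1 = full fingerprint
    gpg --keyserver "$KEYSERVER" --send-keys "$1"
    gpg --armor --export "$1" > "roo-addon-signing-key-$(short_key_id "$1").asc"
}

# Parsing demo on the constructed sample (runs offline, no gpg needed):
echo "fingerprint: $(primary_fingerprint "$SAMPLE_LISTING")"
echo "long ID:     $(long_key_id "$(primary_fingerprint "$SAMPLE_LISTING")")"
echo "short ID:    $(short_key_id "$(primary_fingerprint "$SAMPLE_LISTING")")"

# Real run, only when invoked as: GPG_PASSPHRASE=... sh setup-gpg.sh run
if [ "${1:-}" = "run" ]; then
    : "${GPG_PASSPHRASE:?set GPG_PASSPHRASE before running}"
    generate_keypair "Roo Add-on Author" "author@example.org"
    FPR=$(primary_fingerprint "$(gpg --list-secret-keys --with-colons)")
    echo "generated primary key $FPR"
    publish_key "$FPR"
fi
```

    Without the run argument the script only exercises the parser on the embedded sample; with it, the script generates the key, reads back the fingerprint of the first secret key in the keyring (so run it in a fresh GnuPG home, for example with GNUPGHOME set to an empty directory, if you already have other keys) and publishes it.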

How it works...

We saw that GnuPG is used to create a key-pair and publish the public PGP key to a public key server. Public key servers such as pgp.mit.edu synchronize their key databases with each other, so you only need to send the key to one of them; allow some time for it to propagate before users look it up on a different server.

See also

  • Refer to the Installing an installable add-on recipe to see how to install add-ons
  • Refer to the Developing a simple add-on recipe to see how Spring Roo signs custom add-ons using your secret key