Roo makes use of GnuPG (http://www.gnupg.org/) to sign add-ons. Signing of add-ons ensures that Roo users download and install only trusted add-ons. The add-on creator module of Roo signs the add-on with the add-on developer's secret PGP key, and the developer publishes the public PGP key to a public key server. A Roo user needs to tell Roo explicitly that they trust an add-on by adding a public PGP key to Roo's key store. This allows Roo to download and install the add-on. If the public PGP key is not added to Roo's key store, the add-on will not be downloaded and installed.
In this recipe, we'll look at how to install GnuPG, create a key-pair (consisting of secret and public keys), and publish the public key to a public key server.
If you are using Windows or UNIX, download and install GnuPG from the following location: http://www.gnupg.org/download/. If you are using a Mac, download and install GnuPG for Mac from the following location: http://macgpg.sourceforge.net/.
Installing GnuPG on Windows will create the following installation directory: C:\Program Files\GNU\GnuPG.
The following steps will demonstrate how to set up GnuPG:
Execute the list-secret-keys command to view secret PGP keys that you may have created earlier:
    C:\Users\Ashish>gpg --list-secret-keys
    gpg: keyring 'C:/Users/Ashish/AppData/Roaming/gnupg\secring.gpg' created
The output shows that a secring.gpg file is created if it is not found. The secring.gpg file contains key information.
Execute the gen-key command, as shown here:
    C:\Users\Ashish>gpg --gen-key
    ...
    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
    Your selection? 1
    ...
Executing the gen-key command asks multiple questions, such as for the e-mail ID, real name, kind and length of key, and so on. When asked to select what kind of key you want, choose either option 1 (RSA and RSA (default)) or 2 (DSA and Elgamal), as the key can be used for both encryption and decryption. In the end, you'll be asked to provide a passphrase to protect your secret PGP key. Remember the passphrase, as you'll need to provide it when building your custom add-ons.
Execute the list-secret-keys command again:
    C:\Users\Ashish>gpg --list-secret-keys
    C:/Users/Ashish/AppData/Roaming/gnupg\secring.gpg
    -------------------------------------------------
    sec   2048R/BFB28A4D 2011-04-30
    uid                  Ashish Sarin (This is my key) <[email protected]>
    ssb   2048R/9FCAFB76 2011-04-30
If you see the previous output, it means your key-pair has been successfully generated. The sec key ID is BFB28A4D, which represents the key ID of your public PGP key which you need to publish to a public key server.
Execute the send-keys command, as shown here:
    gpg --send-keys --keyserver hkp://pgp.mit.edu <public-key-id>
Here, <public-key-id> is the sec key ID that was listed when you executed the list-secret-keys command. In my case, <public-key-id> is BFB28A4D.
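The listing above is formatted for people; for scripts, GnuPG's --with-colons output is the stable format, and --send-keys accepts a full fingerprint in place of the 8-digit key ID. The following is an added example, not part of the original recipe or of Roo: it picks the primary key's fingerprint out of such a listing and builds the recipe's send-keys command with it. The sample listing, user ID and fingerprints are constructed; only their last eight hex digits match the key IDs shown above.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-secret-keys --with-colons --fingerprint`.
# Fingerprints are made up; their tails match the recipe's short key IDs
# (BFB28A4D for the primary key, 9FCAFB76 for the subkey).
sample_listing() {
cat <<'EOF'
sec:u:2048:1:89ABCDEFBFB28A4D:1304121600:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFBFB28A4D:
uid:u::::1304121600::::Example User (constructed) <user@example.invalid>:
ssb:u:2048:1:765432109FCAFB76:1304121600::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA98765432109FCAFB76:
EOF
}

# Print the fingerprint of every primary secret key in a colon listing on stdin.
# An fpr record describes the most recent sec/ssb record, so only the fpr that
# follows a "sec" line is a primary key fingerprint; subkey ones are skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" { last = $1 }
        $1 == "fpr" && last == "sec" { print $10; last = "" }
    '
}

# The 8-digit key ID printed in the human-readable listing is the tail of the
# fingerprint. Short IDs are not unique, so use them for display only.
short_id() {
    printf '%s\n' "$1" | sed 's/.*\(........\)$/\1/'
}

# The recipe's publish command, with the full fingerprint as <public-key-id>.
send_keys_command() {
    printf 'gpg --send-keys --keyserver hkp://pgp.mit.edu %s\n' "$1"
}

# Demo on the constructed sample; on a real machine, replace sample_listing
# with: gpg --list-secret-keys --with-colons --fingerprint
for fpr in $(sample_listing | primary_fingerprints); do
    echo "primary key $(short_id "$fpr"): $(send_keys_command "$fpr")"
done
```

Comparing the full fingerprint, rather than the 8-digit ID, is also the safer check when a Roo user decides which public key to add to Roo's key store.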