Update documentation around generating GPG keys to sign releases #77

Merged Dec 8, 2020 (2 commits)

carnage (Contributor) commented Oct 4, 2020

| Q | A |
|---|---|
| Documentation | yes |
| Bugfix | no |
| BC Break | no |
| New Feature | no |
| RFC | no |
| QA | no |

Description

Adding more detail to documentation to cover areas I didn't find clear/had to look up elsewhere while attempting to use this in a project. Adding to this as I progress through the setup process.

Ocramius (Member) commented Oct 4, 2020

Check also #32 - that's the process I went through, at least :D

carnage (Contributor, Author) commented Oct 6, 2020

I decided to go with a brand new GPG key as:

a) My master key is stored on an encrypted flash drive, in a safe, nowhere near my laptop; so effort+++
b) I perceive GPG to be a very fragile thing so any change could break my current setup
c) Was "testing" the setup so didn't feel the need to use a "real" key
d) Using a per project release key seemed like a good idea anyway.

Given your comments on #32 I'll perhaps split this into its own document and add the details on creating a new subkey as well.

I suspect that it would be possible to make it passwordless without deleting your key; simply set the password on the master key to empty; export the subkey and restore the password to its previous value.

Ocramius (Member) commented Oct 7, 2020

> a) My master key is stored on an encrypted flash drive, in a safe, nowhere near my laptop; so effort+++

My master key is not even at my home, so the effort is kinda normal, FWIW.

I guess multiple GPG keys are viable in github config (https://github.com/settings/keys)

> c) Was "testing" the setup so didn't feel the need to use a "real" key

Yeah, but docs should be about the "real" key - the actual setup workflow is indeed in #32

> I suspect that it would be possible to make it passwordless without deleting your key; simply set the password on the master key to empty; export the subkey and restore the password to its previous value.

Probably feasible: didn't want to change any other pre-existing subkeys on my system

carnage and others added 2 commits December 5, 2020 15:45
Signed-off-by: Carnage <[email protected]>
…ection for using a subkey of an existing key as per laminas#32

Signed-off-by: Carnage <[email protected]>
@carnage carnage marked this pull request as ready for review December 5, 2020 15:47
carnage (Contributor, Author) commented Dec 5, 2020

Made a few changes to this;

Pulled the GPG stuff into its own section with subsections for using a new key or an existing one. I used your steps from #32 as a basis for this but found a better way to remove a password from a subkey using a temp home dir so as not to mess with the user's current gpg setup.

Think it's ready for merge now.

Ocramius (Member) left a comment

Excellent, thanks!

@Ocramius Ocramius self-assigned this Dec 8, 2020
@Ocramius Ocramius added this to the 1.9.0 milestone Dec 8, 2020
@Ocramius Ocramius changed the title Documentation update Update documentation around generating GPG keys to sign releases Dec 8, 2020
@Ocramius Ocramius merged commit 7c4dfd3 into laminas:1.9.x Dec 8, 2020
glensc (Contributor) commented Jan 24, 2021

@carnage what was your gpg version when you created these docs?

Asking as such choices are not available for me:

Ocramius (Member) commented

gpg (GnuPG) 2.2.4
libgcrypt 1.8.1

No idea if GnuPG is semver-compliant there.

glensc (Contributor) commented Jan 25, 2021

Some 3 year time delta:

| Version | Date | Announce |
|---|---|---|
| 2.2.4 | Wed Dec 20 16:36:34 CET 2017 | https://lists.gnupg.org/pipermail/gnupg-announce/2017q4/000419.html |
| 2.2.25 | Mon Nov 23 19:00:22 CET 2020 | https://lists.gnupg.org/pipermail/gnupg-announce/2020q4/000450.html |

Ocramius (Member) commented

Yeah, I'm on Ubuntu 18.04 LTS, so it probably stuck to something ancient :-\
