Differences

This shows you the differences between two versions of the page.

--- infra:hackerpass [2024/03/23 18:00] – kfh
+++ infra:hackerpass [2025/11/22 20:58] (current) – atluxity_idp.hackeriet.no
@@ Line 53: / Line 53: @@
 ===== Adding a new user =====
-After you have the new users' PGP key in your keyring, reencrypt the whole repository adding the new key:
+==== 1. Verify identity (lightweight, but not anonymous) ====
-<code>
+Make sure the person in front of you is the one who controls the key.
-hackerpass init $(<~/.hackeriet_pass/.gpg-id) <PGP key signature>
-</code>
-And then push it:
+This does not require formal ID checks.
-<code>
+Avoid adding keys you only know from random electronic contact with no real-world context.
-hackerpass git push
-</code>
-If you get the error message
+You should at least have met them or otherwise have a non-trivial trust path.
-<code>
+==== 2. Import the public key ====
-gpg: <PGP key signature>: There is no assurance this key belongs to the named user
-gpg: [stdin]: encryption failed: Unusable public key
-</code>
-then do:
+If you received a file (for example ''userkey.asc''):
-<code>
+<code bash> gpg --import userkey.asc </code>
-gpg --lsign-key <PGP key signature>
-</code>
-or if you don't have your certification key available, you can set the tofu policy for the keys:
+==== 3. Inspect and confirm the key ID ====
-<code>
+Avoid listing all keys. Query only the specific key, using an identifier such as email:
-gpg --tofu-policy good $(cat .hackeriet_pass/.gpg_id)
-</code>
+<code bash>
+gpg --list-keys --keyid-format LONG user@example.org
+gpg --fingerprint user@example.org </code>
+Example output:
+<code> pub rsa4096/499377E001102050 2025-02-08 [SC] F99B7D88CEBE2D692788216B499377E001102050 uid [marginal] Example User <user@example.org> </code>
+Use the full fingerprint (for example: ''F99B7D88CEBE2D692788216B499377E001102050'') as the ''<PGP_KEY_ID>'':
+==== 4. Set trust on the key ====
+Mark the key as trusted locally, so GnuPG will actually use it for encryption:
+<code bash> gpg --lsign-key <PGP_KEY_ID> </code>
+This avoids errors like:
+<code> gpg: <PGP_KEY_ID>: There is no assurance this key belongs to the named user gpg: [stdin]: encryption failed: Unusable public key </code>
+==== 5. Re-encrypt the store including the new user ====
+Reinitialise the password store with all existing recipients plus the new key:
+<code bash> hackerpass init $(<~/.hackeriet_pass/.gpg-id) <PGP_KEY_ID> </code>
+Then push the updated encryption:
+<code bash> hackerpass git push </code>
+==== Alternative: TOFU trust model ====
+If you cannot or do not want to sign the key with your certification key, you can use GnuPG’s TOFU trust:
+<code bash> gpg --tofu-policy good <PGP_KEY_ID> </code>
+Then repeat the re-encryption step:
+<code bash> hackerpass init $(<~/.hackeriet_pass/.gpg-id) <PGP_KEY_ID> hackerpass git push </code>
+===== Notes =====
+Every password change creates a Git commit in the repository.
+File names and directory structure are not encrypted.
+Always run ''hackerpass git pull'' before adding or changing entries to avoid merge conflicts.