{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 我命由我不由天 的问题《Is Maven artifact signing a legitimate use of GnuP》','https://www.manongdao.com/q-1008898.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm new to GPG signing and the intricacies are dizzying, as my other, overly-broad question indicates. So let me try to distill my current doubts into a simple question.
Let's say that a company Acme wants to sign some artifacts for publishing on Maven Central. From much research from various sources I glean the following best practices:
- Acme should have one single primary key, e.g. for
id@acme.example.com. - Acme should generate subkeys for general day-to-day use, such as signing Maven artifacts.
- There are hardly any legitimate uses for the "comment" portion of a GPG user ID, and this field should be left blank.
Unfortunately Maven tools do not work with signing using a subkey. So that means Maven is forcing Acme to change how they manage their central identity, id@acme.example.com! Acme can no longer follow best practices. Most problematic is that Acme risks compromise of its central identity (e.g. for signing financial statements) if it gives the development team access to the primary key in order to sign Maven artifacts.
So to simulate subkeys, Acme could create a key for a different email address, such as software@acme.example.com, and give that primary key to the development team for signing Maven artifacts. But then when listing keys on a public key server, a search for "Acme" would show up like this:
Acme <id@acme.example.com>
Acme <software@acme.example.com>
To me this seems confusing. I could therefore use the comment field "software" to indicate "this is the key we are using to sign software artifacts because Maven is so dense that it won't let us use subkeys of our main identity for this purpose". Thus the two Acme keys would be listed like so on a public key server:
Acme <id@acme.example.com>
Acme (software) <id@acme.example.com>
Because several writers are very adamant that most uses of the comment field are not legitimate, I ask: Is this sort of "key-purpose" designation a legitimate use of the comment of a GPG user ID? Or would it be more appropriate to use separate id@acme.example.com and software@acme.example.com keys? Or simply use one primary id@acme.example.com key and let the development team have access to it?
Comments in OpenPGP user IDs are not generally bad. They're meant for further specification of the user ID, which was not possible through using the name string and mail address. A restriction signing key might very well be such a use case.
Most people arguing against using comments is more about useless comments, which are often added because several OpenPGP implementations and user front ends seem to enforce one (just because of bad user interface design). This results in obviously superfluous comments like
none,John Doe's key,My first PGP keyand so on. Repeating your company name also seems unneeded, as user IDs likeJohn Doe (ACME inc.) <john@acme.example.org>` indicate.A user ID like
ACME Inc. (software signing key) <software@acme.example.com>adds relevant information about the user ID/key. One might well derive this from key usage flags, but not everybody knows about them and they're well hidden in most OpenPGP frontends. Bonus points if you additionally restrict the key usage flags to signing (and certification, which cannot be disabled) for the primary key at the same time.