Elsewhere

FFW Agency: Great Examples Of Distributed Content Management In The Pharmaceutical Industry

Planet Drupal - Thu, 21/04/2016 - 02:00
By hank.vanzile, Thu, 04/21/2016 - 00:00

This is the third post in my series on Distributed Content Management.  In my first post I defined the term and used a few examples while doing so.  My second post, Great Examples of Distributed Content Management In Higher Education, expanded on the first example of a large university.  In today’s post we’ll explore the second example - a global pharmaceutical company - and once again discuss some great use cases for Distributed Content Management.

 

Setting The Scene

Pharmaceutical companies, more than companies in many other industries, must carefully consider all elements of their content lifecycle. Providing correct, approved content to both healthcare professionals and consumers is of utmost importance and, as such, web content in the pharmaceutical industry must undergo stringent regulatory review and control.  This requires consistent management across all digital properties and, for larger companies, that can be hundreds, or potentially even thousands, of websites and channels globally.

 

Use Case 1: Efficient Regulatory Review With Content Publishing Workflows

At first, the idea of Distributed Content Management may seem somewhat counterintuitive to how pharmaceutical companies work.  (In previous posts we’ve used it to explore empowering content creators and overcoming bottlenecks to content publishing - challenging concepts to tout for such a regulated industry.)  However, I’ve also opined that content approval and publishing workflows must be tailored to the specific use case.  

Consider a web publishing workflow that allows medical-legal reviews to take place within a Content Management System.  In some web systems this requires a multi-tiered platform wherein a “staging” version of the website - an exact copy of the real (“production”) website on which content changes have been staged - is made available for regulatory approval before the content is made available to the public.  While this is certainly more efficient than sharing offline documents, a deeper consideration of the technologies used can increase the efficiency and further control its risks.  

Some Content Management Systems, such as Drupal, allow content approval to take place on the production website, controlling the visibility and publishing of content through user authentication and roles instead of requiring separate “staging” websites.  By mapping the appropriate roles to regulatory affairs, pharmaceutical companies using this approach can avoid costly and time-consuming deployments of new content to the production site and free up the resources required to manage multiple copies of each website.

 

Use Case 2: Controlled, Single-Source Content Deployment

For some pharmaceutical content, decentralized content publishing may not be an appropriately-sized solution.  Some content is not only highly-regulated but also highly reused wherever products are marketed and is therefore best suited to be updated, approved, and disseminated from a central source.  Important Safety Information and Indications, for example, are types of content that a pharmaceutical company may choose to publish only through a centralized content repository.  

By establishing policies that all content editing must occur in the content repository, with individual websites disallowed from making changes locally, companies may avoid the need to have regulatory approval workflows on each of those sites and ensure that important information is updated in a timely and error-free way across numerous sites.  Content syndication is a fascinating opportunity for organizations considering Distributed Content Management and I’ll explore some of the available technologies, such as Acquia Content Hub, in later posts.

 

Use Case 3: Multichannel Brand Content

Single-source content syndication also provides an opportunity for pharmaceutical companies looking to promote their consumer products across multiple channels.  Let’s use e-commerce as an example.  Many companies choose to employ standalone, all-in-one e-commerce systems such as BigCommerce, Demandware and Magento rather than integrate e-commerce stores into each of their individual brand websites.  This makes a tremendous amount of sense: these systems can provide a number of compelling features such as gift cards, coupons, centralized inventory management, and opportunities for cross-selling other products among the company’s brands.  However, because these stores are independent of the main brand website, they too need to display content such as product descriptions, use and dosing information, ingredients, etc.  

By programmatically providing that content from a content repository to the e-commerce system, pharmaceutical companies can eliminate the risk of entering information directly into the store and potentially make use of the streamlined regulatory control processes they’ve already set up for the brand sites.

 

Use Case 4: Content Delivery To Validated Audiences

In addition to marketing content, pharmaceutical companies maintain large amounts of HCP content - information intended for healthcare professionals.  What content is available to these professionals, how they’ll access it, and how to validate the identity of a user seeking that information is another key consideration for a pharma company’s Distributed Content Management strategy.  A common approach is to segregate HCP content into regional “portals” - websites that require medical professionals to create accounts and login to see the information for their country or part of the world.  To overcome the challenge of validating these accounts, companies often integrate with an Identity Provider (IdP) such as DocCheck or Cegedim that specializes in maintaining national registries of healthcare professionals.  

However, having a number of disparate system integrations dependent on which country a website is intended to serve introduces both the overhead of managing multiple bundles of code - sometimes written in entirely different programming languages - and the opportunity for error in integrating the wrong code for the intended region.  Because of this, some global pharmaceutical companies may choose to build a more centralized approach to validation and registration using an integration platform such as Mulesoft Anypoint Platform to amalgamate the different Identity Provider code bundles and provide simultaneous access to them all through a dedicated Identity Management system such as Janrain.

 

What’s Next?

We will continue exploring use cases for distributed content management for the next few posts before moving on to discussing some prerequisites for companies looking to implement Distributed Content Management.  Thoughts or questions?  Reach out in the comments below or tweet them to me at @HankVanZile.

 

 

Categories: Elsewhere

Aten Design Group: Adding CSS Classes to Blocks in Drupal 8

Planet Drupal - Thu, 21/04/2016 - 00:25

This is an update to a previous post I wrote on adding classes to blocks in Drupal 7.

As I've stated before, I'm a big fan of Modular CSS, which requires the ability to easily manage classes on your markup. This was often a struggle in previous versions of Drupal. However, Drupal 8 makes this significantly easier to manage thanks to a number of improvements to the front-end developer experience (DX). In this post we'll look at two of these DX improvements, the Twig template language and hook_theme_suggestions_HOOK_alter, and how they make adding classes to blocks much easier to manage.

Twig allows us to easily open up a template file and add our classes where we need them. There are two main approaches to adding classes to a template file. The first is simple: open the file, add the class directly to the tag, save the file and move on with your life.

block.html.twig

<div class="block block--fancy">
  {{ title_prefix }}
  {% if label %}
    <h2 class="block__title block__title--fancy">{{ label }}</h2>
  {% endif %}
  {{ title_suffix }}
  {% block content %}
    {{ content }}
  {% endblock %}
</div>

This works in a lot of cases, but may not be flexible enough. The second approach utilizes the new attributes object – the successor to Drupal 7's attributes array. The attribute object encapsulates all the attributes for a given tag. It also includes a number of methods which enable you to add, remove and alter those attributes before printing. For now we'll just focus on the attributes.addClass() method. You can learn more about available methods in the official Drupal 8 documentation.

block.html.twig

{% set classes = [
  'block',
  'block--fancy'
] %}

{% set title_classes = [
  'block__title',
  'block__title--fancy'
] %}

<div{{ attributes.addClass(classes) }}>
  {{ title_prefix }}
  {% if label %}
    <h2{{ title_attributes.addClass(title_classes) }}>{{ label }}</h2>
  {% endif %}
  {{ title_suffix }}
  {% block content %}
    {{ content }}
  {% endblock %}
</div>

Alternatively, we can add our class directly to the class attribute alongside the existing classes from attributes.class, then print the remaining attributes. To prevent the class attribute from printing twice, we exclude it using the without Twig filter. Either way works.

block.html.twig

<div class="block--fancy {{ attributes.class }}"{{ attributes|without('class') }}>
  {{ title_prefix }}
  {% if label %}
    <h2 class="block--fancy {{ title_attributes.class }}"{{ title_attributes|without('class') }}>{{ label }}</h2>
  {% endif %}
  {{ title_suffix }}
  {% block content %}
    {{ content }}
  {% endblock %}
</div>

In any case, all our blocks on the site now look fancy as hell (assuming we've styled .block--fancy as such).

Template Suggestions

The above examples work. In reality if all our blocks look fancy, no blocks will look fancy. We need to apply this class only to our special blocks that truly deserve to be fancy. This introduces my second favorite DX improvement to Drupal 8 – hook_theme_suggestions_HOOK_alter.

If you wanted to make a custom template available to a certain block in Drupal 7, you had to do so in a preprocess function. In Drupal 8, altering theme hook suggestions (the list of possible templates) is delegated to its very own hook. The concept is pretty straightforward. Before Drupal renders an element, it looks at an array of possible template file names (a.k.a. suggestions) one by one. For each template file, it looks in the file system to see if that file exists in our theme, its base theme or core themes. Once it finds a match, it stops looking and renders the element using the matching template.

We'll use this hook to add our new template file to the list of suggestions. In the case of blocks, the function we'll define is hook_theme_suggestions_block_alter. It takes two arguments: the first is the array of suggestions, which is passed by reference (by prefixing the parameter with a &) so we can alter it directly. The second is the variables from our element, which we can use to determine which templates we want to include.

Let's assume we renamed one of our templates above to block--fancy.html.twig and saved it to our theme. We then add the following function to my_theme.theme, where "my_theme" is the name of our theme.

my_theme.theme

<?php

/**
 * Implements hook_theme_suggestions_HOOK_alter() for block templates.
 */
function my_theme_theme_suggestions_block_alter(array &$suggestions, array $variables) {
  $block_id = $variables['elements']['#id'];

  /* Uncomment the line below to see variables you can use to target a block */
  // print $block_id . '<br/>';

  /* Add classes based on the block id. */
  switch ($block_id) {
    /* Account Menu block */
    case 'account_menu':
      $suggestions[] = 'block__fancy';
      break;
  }
}

Now the account menu block on our site will use block--fancy.html.twig, as we can see from the output of Twig debug.

This is just one example of the improvements in D8 theming. I'm really excited for the clarity that the new Twig templates bring to Drupal 8 and the simplicity of managing template suggestions through hook_theme_suggestions_HOOK_alter.

Categories: Elsewhere

Jonathan Dowland: mount-on-demand backups

Planet Debian - Wed, 20/04/2016 - 22:49

Last week, someone posted a request for help on the popular Server Fault Q&A site: they had apparently accidentally deleted their entire web hosting business, and all their backups. The post (now itself deleted) was a reasonably obvious fake, but mainstream media reported on it anyway, and then life imitated art and 123-reg went and did actually delete all their hosted VMs, and their backups.

I was chatting to some friends from $job-2 and we had a brief smug moment that we had never done anything this bad, before moving on to incredulity that we had never done anything this bad in the 5 years or so we were running the University web servers. Some time later I realised that my personal backups were at risk from something like this because I have a permanently mounted /backup partition on my home NAS. I decided to fix it.

I already use Systemd to manage mounting the /backup partition (via a backup.mount file) and its dependencies. I'll skip the finer details of that for now.

I planned to define some new Systemd units for each backup job which was previously scheduled via Cron in order that I could mark them as depending on the /backup mount. I needed to adjust that mount definition by adding StopWhenUnneeded=true. This ensures that /backup will be unmounted when it is not in use by another job, and not at risk of a stray rm -rf.

The backup jobs are all simple shell scripts that convert quite easily into services. An example:

backup-home.service:

[Unit]
Requires=backup.mount
After=backup.mount

[Service]
User=backupuser
Group=backupuser
ExecStart=/home/backupuser/bin/phobos-backup-home

To schedule this, I also need to create a timer:

backup-home.timer:

[Timer]
OnCalendar=*-*-* 04:01:00

[Install]
WantedBy=timers.target

To enable the timer, you have to both enable and start it:

systemctl enable backup-home.timer
systemctl start backup-home.timer

I created service and timer units for each of my cron jobs.

The other big difference to driving these from Cron is that by default I won't get any emails if the jobs generate output - in particular, if they fail. I definitely do want mail if things fail. The Arch Wiki has an interesting proposed solution to this which I took a look at. It's a bit clunky, and my initial experiments with a derivation from this (using mail(1) not sendmail(1)) have not yet generated any mail.

Pros and Cons

The Systemd timespec is more intuitive than Cron's. It's a shame you need a minimum of three more lines of boilerplate for the simplest of timers. I think WantedBy=timers.target should probably be an implicit default for all .timer type units. Here I think clarity suffers in the name of consistency.

With timers, start doesn't kick off the job; it really means "enable" in the context of timers, which is clumsy considering the existing enable verb, which seems almost superfluous, but is necessary for consistency, since Systemd units need to be enabled before they can be started. As Simon points out in the comments, this is not true. Rather, "enable" is needed for the timer to be active upon subsequent boots, but won't enable it in the current boot. "Start" will enable it for the current boot, but not for subsequent ones.

Since I need a .service and a .timer file for each active line in my crontab, that's a lot of small files (twice as many as the number of jobs being defined) and they're all stored in the system-wide folder because of the dependency on the necessarily system-level units defining the mount.

It's easy to forget the After= line for the backup services. On the one hand, it's a shame that After= doesn't imply Requires=, so you don't need both; or alternatively that there isn't a convenience option that did both. On the other hand, there are already too many Systemd options and adding more conjoined ones would just make it even more complicated.

It's a shame I couldn't use user-level units to achieve this, but they could not depend on the system-level ones, nor activate /backup. This is a sensible default, since you don't want any user to be able to start any service on-demand, but some way of enabling it for these situations would be good. I ruled out systemd.automount because a stray rm -rf would trigger the mount which defeats the whole exercise. Apparently this might be something you solve with Polkit, as the Arch Wiki explains, which looks like it has XML disease.

I need to get mail-on-error working reliably.
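As an added example (these are not the author's own unit files), the following shell script writes the three units described above into a directory and then lints every service there for the pitfall noted under Pros and Cons: a Requires=backup.mount without the matching After=backup.mount. The What=/Type= values in the mount unit, the Description= lines and Type=oneshot are my assumptions, as is the backup script path.

```shell
#!/bin/sh
# Added example, not from the original post: generate the mount/service/timer
# units for an on-demand /backup volume and lint the services for a missing
# After= ordering. Device label, filesystem type and script path are assumed.

# write_backup_units DIR: write backup.mount, backup-home.service and
# backup-home.timer into DIR (e.g. /etc/systemd/system, or a temp dir to dry-run).
write_backup_units() {
  dir=$1
  # StopWhenUnneeded=true is what unmounts /backup as soon as no job needs it,
  # so a stray rm -rf at other times finds nothing mounted there.
  cat > "$dir/backup.mount" <<'EOF'
[Unit]
Description=Backup volume, mounted only while a backup job needs it
StopWhenUnneeded=true

[Mount]
What=/dev/disk/by-label/backup
Where=/backup
Type=ext4
Options=noatime
EOF
  # Requires= pulls the mount in; After= makes the job wait until it is mounted.
  cat > "$dir/backup-home.service" <<'EOF'
[Unit]
Description=Home directory backup
Requires=backup.mount
After=backup.mount

[Service]
Type=oneshot
User=backupuser
Group=backupuser
ExecStart=/home/backupuser/bin/phobos-backup-home
EOF
  cat > "$dir/backup-home.timer" <<'EOF'
[Unit]
Description=Nightly home backup

[Timer]
OnCalendar=*-*-* 04:01:00

[Install]
WantedBy=timers.target
EOF
}

# lint_backup_services DIR MOUNT_UNIT: print each *.service in DIR that
# Requires= MOUNT_UNIT but has no After= MOUNT_UNIT. Returns 0 when all are
# ordered correctly, 1 when at least one service could race the mount.
lint_backup_services() {
  dir=$1
  mount=$2
  bad=0
  for unit in "$dir"/*.service; do
    [ -e "$unit" ] || continue
    if grep -q "^Requires=.*$mount" "$unit" && ! grep -q "^After=.*$mount" "$unit"; then
      echo "missing After=$mount in $unit"
      bad=1
    fi
  done
  return $bad
}
```

After writing the units into /etc/systemd/system, run systemctl daemon-reload and then enable and start the timer as shown above.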

Categories: Elsewhere

Ben Hutchings: Experiments with signed kernels and modules in Debian

Planet Debian - Wed, 20/04/2016 - 20:53

I've lately been working on support for Secure Boot in Debian, mostly in the packages maintained by the kernel team.

My instructions for setting up UEFI Secure Boot are based on OVMF running on KVM/QEMU. All 'Designed for Windows' PCs should allow reconfiguration of SB, but it may not be easy to do so. They also assume that the firmware includes an EFI shell.

Updated: Robert Edmonds pointed out that the 'Designed for Windows' requirements changed with Windows 10:

@benhutchingsuk "Hardware can be Designed for Windows 10 and can offer no way to opt out of the Secure Boot" https://t.co/lQVdPYtMwx

— Robert Edmonds (@rsedmonds) April 20, 2016

The ability to reconfigure SB is indeed now optional for devices which are designed to always boot with a specific Secure Boot configuration. I also noticed that the requirements say that OEMs should not sign an EFI shell binary. Therefore I've revised the instructions to use efibootmgr instead.

Background

UEFI Secure Boot, when configured and enabled (which it is on most new PCs) requires that whatever it loads is signed with a trusted key. The one common trusted key for PCs is held by Microsoft, and while they will sign other people's code for a nominal fee, they require that it also validates the code it loads, i.e. the kernel or next stage boot loader. The kernel in turn is responsible for validating any code that could compromise its integrity (kernel modules, kexec images).

Currently there are no such signed boot loaders in Debian, though the shim and grub-signed packages included in many other distributions should be usable. However it's possible to load an appropriately configured Linux kernel directly from the UEFI firmware (typically through the shell) which is what I'm doing at the moment.

Packaging signed kernels

Signing keys obviously need to be protected against disclosure; the private keys can't be included in a source package. We also won't install them on buildds separately, and generating signatures at build time would of course be unreproducible. So I've created a new source package, linux-signed, which contains detached signatures prepared offline.

Currently the binary packages built from linux-signed also contain only detached signatures, which are applied as necessary at installation time. The signed kernel image (only on x86 for now) is named /boot/vmlinuz-kversion.efi.signed. However, since packages must not modify files owned by another package and I didn't want to dpkg-divert thousands of modules, the module signatures remain detached. Detached module signatures are a new invention of mine, and require changes in kmod and various other packages to support them. (An alternative might be to put signed modules under a different directory and drop a configuration file in /lib/depmod.d to make them higher priority. But then we end up with two copies of every module installed, which can be a substantial waste of space.)

Preparation

The packages you need to repeat the experiment:

  • linux-image-4.5.0-1-flavour version 4.5.1-1 from unstable (only 686, 686-pae or amd64 flavours have signed kernels; most flavours have signed modules)
  • linux-image-4.5.0-1-flavour-signed version 1~exp3 from experimental
  • initramfs-tools version 0.125 from unstable
  • kmod and libkmod2 unofficial version 22-1.2 from people.debian.org

For Secure Boot, you'll then need to copy the signed kernel and the initrd onto the EFI system partition, normally mounted at /boot/efi.

SB requires a Platform Key (PK) which will already be installed on a real PC. You can replace it but you don't need to. If you're using OVMF, there are no persistent keys so you do need to generate your own:

openssl req -new -x509 -newkey rsa:2048 -keyout pk.key -out pk.crt \
    -outform der -nodes

You'll also need to install the certificate for my kernel image signing key, which is under debian/certs in the linux-signed package. OVMF requires this in DER format:

openssl x509 -in linux-signed-1~exp3/debian/certs/linux-image-benh@debian.org.cert.pem \
    -out linux.crt -outform der

You'll need to copy the certificate(s) to a FAT-formatted partition such as the EFI system partition, so that the firmware can read it.

Use efibootmgr to add a boot entry for the kernel, for example:

efibootmgr -c -d /dev/sda -L linux-signed -l '\vmlinuz.efi' -u 'initrd=initrd.img root=/dev/sda2 ro quiet'

You should use the same kernel parameters as usual, except that you also need to specify the initrd filename using the initrd= parameter. The EFI stub code at the beginning of the kernel will load the initrd using EFI boot services.

Enabling Secure Boot

  1. Reboot the system and enter UEFI setup
  2. Find the menu entry for Secure Boot customisation (in OVMF, it's under 'Device Manager' for some reason)
  3. In OVMF, enrol the PK from pk.crt
  4. Add linux.crt to the DB (whitelist database)
  5. Ensure that Secure Boot is enabled and in 'User Mode'

Booting the kernel in Secure Boot

If all went well, Linux will boot as normal. You can confirm that Secure Boot was enabled by reading /sys/kernel/security/securelevel, which will contain 1 if it was.

Module signature validation

Module signatures are now always checked and unsigned modules will be given the 'E' taint flag. If Secure Boot is used or you add the kernel parameter module.sig_enforce=1, unsigned modules will be rejected. You can also turn on signature enforcement and turn off various other methods of modifying kernel code (such as kexec) by writing 1 to /sys/kernel/security/securelevel.
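As an added post-boot check (not part of the post or the Debian packages), the script below confirms the state described above: securelevel reads 1, and no unsigned module has been loaded, which the kernel records as taint flag 'E' (TAINT_UNSIGNED_MODULE, bit 13 of /proc/sys/kernel/tainted). When sbverify from sbsigntools is installed it also verifies the kernel image on the EFI system partition against the PEM certificate from debian/certs. File paths are parameters so the functions can be exercised against constructed files; the defaults are the paths the post names.

```shell
#!/bin/sh
# Added example, not from the original post: verify the Secure Boot state after
# booting the signed kernel. Default paths are the ones named in the post;
# sbverify usage is from sbsigntools and is only attempted when the tool exists.

TAINT_UNSIGNED_MODULE_BIT=13   # kernel taint flag 'E' (TAINT_UNSIGNED_MODULE)

# securelevel_state [FILE]: print enforcing|permissive|unavailable and return
# 0|1|2 respectively, reading FILE (default /sys/kernel/security/securelevel).
securelevel_state() {
  file=${1:-/sys/kernel/security/securelevel}
  [ -r "$file" ] || { echo unavailable; return 2; }
  case "$(cat "$file")" in
    1) echo enforcing; return 0 ;;
    0) echo permissive; return 1 ;;
    *) echo unavailable; return 2 ;;
  esac
}

# taint_flag_set MASK BIT: return 0 when bit BIT of the decimal taint MASK is set.
taint_flag_set() {
  [ $(( ($1 >> $2) & 1 )) -eq 1 ]
}

# unsigned_module_loaded [FILE]: return 0 when the 'E' flag is set in the taint
# mask read from FILE (default /proc/sys/kernel/tainted); 2 if unreadable.
unsigned_module_loaded() {
  file=${1:-/proc/sys/kernel/tainted}
  [ -r "$file" ] || return 2
  taint_flag_set "$(cat "$file")" "$TAINT_UNSIGNED_MODULE_BIT"
}

# verify_esp_kernel CERT_PEM IMAGE: Authenticode check of the EFI image with
# sbverify. Returns 3 when sbverify is absent so "unchecked" differs from "bad".
verify_esp_kernel() {
  command -v sbverify >/dev/null 2>&1 || return 3
  sbverify --cert "$1" "$2"
}

# secure_boot_report [SECURELEVEL_FILE] [TAINTED_FILE]: one line per check,
# suitable for a login hook or a periodic job.
secure_boot_report() {
  printf 'securelevel: %s\n' "$(securelevel_state "${1:-}")"
  if unsigned_module_loaded "${2:-}"; then
    echo 'taint: E set (an unsigned module was loaded)'
  else
    echo 'taint: no unsigned modules'
  fi
}
```

A typical invocation on the booted system is secure_boot_report followed by verify_esp_kernel linux-signed-1~exp3/debian/certs/linux-image-benh@debian.org.cert.pem /boot/efi/vmlinuz.efi.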

Categories: Elsewhere

Reproducible builds folks: Reproducible builds: week 51 in Stretch cycle

Planet Debian - Wed, 20/04/2016 - 20:47

What happened in the reproducible builds effort between April 10th and April 16th 2016:

Toolchain fixes
  • Roland Rosenfeld uploaded transfig/1:3.2.5.e-6 which honors SOURCE_DATE_EPOCH. Original patch by Alexis Bienvenüe.
  • Bill Allombert uploaded gap/4r8p3-2 which makes convert.pl honor SOURCE_DATE_EPOCH. Original patch by Jerome Benoit, duplicate patch by Dhole.
  • Emmanuel Bourg uploaded ant/1.9.7-1 which makes the Javadoc task use UTF-8 as the default encoding if none was specified and SOURCE_DATE_EPOCH is set.

Antoine Beaupré suggested that gitpkg stops recording timestamps when creating upstream archives. Antoine Beaupré also pointed out that git-buildpackage diverges from the default gzip settings which is a problem for reproducibly recreating released tarballs which were made using the defaults.

Alexis Bienvenüe submitted a patch extending sphinx SOURCE_DATE_EPOCH support to copyright year.

Packages fixed

The following packages have become reproducible due to changes in their build dependencies: atinject-jsr330, avis, brailleutils, charactermanaj, classycle, commons-io, commons-javaflow, commons-jci, gap-radiroot, jebl2, jetty, libcommons-el-java, libcommons-jxpath-java, libjackson-json-java, libjogl2-java, libmicroba-java, libproxool-java, libregexp-java, mobile-atlas-creator, octave-econometrics, octave-linear-algebra, octave-odepkg, octave-optiminterp, rapidsvn, remotetea, ruby-rinku, tachyon, xhtmlrenderer.

The following packages became reproducible after getting fixed:

Some uploads fixed some reproducibility issues, but not all of them:

Patches submitted which have not made their way to the archive yet:

  • #820603 on viking by Alexis Bienvenüe: fix icon headers inclusion order.
  • #820661 on nullmailer by Alexis Bienvenüe: fix the order in which files are included in the static archive.
  • #820668 on sawfish by Alexis Bienvenüe: fix file ordering in theme archives, strip hostname and username from the config.h file, and honour SOURCE_DATE_EPOCH when creating the config.h file.
  • #820740 on bless by Alexis Bienvenüe: always use /bin/sh as shell.
  • #820742 on gmic by Alexis Bienvenüe: strip the build date from help messages.
  • #820809 on wsdl4j by Alexis Bienvenüe: use a plain text representation of the copyright character.
  • #820815 on freefem++ by Alexis Bienvenüe: fix the order in which files are included in the .edp files, and honour SOURCE_DATE_EPOCH when using the build date.
  • #820869 on pyexiv2 by Alexis Bienvenüe: honour the SOURCE_DATE_EPOCH environment variable through the ustrftime function, to get a reproducible copyright year.
  • #820932 on fim by Alexis Bienvenüe: fix the order in which files are joined in header files, strip the build date from the fim binary, make the embedded vim2html script honour the SOURCE_DATE_EPOCH variable when building the documentation, and force the language to be English when using bison to make a grammar that is going to be parsed using English keywords.
  • #820990 on grib-api by Santiago Vila: always call dh-buildinfo.

diffoscope development

Zbigniew Jędrzejewski-Szmek noted in #820631 that diffoscope doesn't work properly when a file contains several cpio archives.

Package reviews

21 reviews have been added, 14 updated and 22 removed in this week.

New issue found: timestamps_in_htm_by_gap.

Chris Lamb reported 10 new FTBFS issues.

Misc.

The video and the slides from the talk "Reproducible builds ecosystem" at LibrePlanet 2016 have been published now.

This week's edition was written by Lunar and Holger Levsen. h01ger automated the maintenance and publishing of this weekly newsletter via git.

Categories: Elsewhere

Mediacurrent: New eBook: Intranets the Drupal Way

Planet Drupal - Wed, 20/04/2016 - 20:14

The Intranet has entered a new era where 78% of companies are running on open source software. Now, options for corporate Intranets are no longer confined to proprietary platforms.

Categories: Elsewhere

myDropWizard.com: Drupal 6 security update for Views!

Planet Drupal - Wed, 20/04/2016 - 19:40

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for Views to fix an Access Bypass vulnerability.

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.

The module doesn't sufficiently check handler access when returning the list of handlers from view_plugin_display::get_handlers(). The most critical code (access plugins and field output) is unaffected - only area handlers, the get_field_labels() method, token replacement, and some relationship handling are susceptible.

Download the patch for Views 6.x-2.x or Views 6.x-3.x!

If you have a Drupal 6 site using the Views module (probably most sites), we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Categories: Elsewhere

OSTraining: Drupal 8.1 and What It Means for Drupal's Future

Planet Drupal - Wed, 20/04/2016 - 17:32

Today, Drupal 8.1 was officially released.

All the way back in 2014, we talked about the changes coming to Drupal and how the release cycle would allow for changes to be progressively added to Drupal.

At that time, it was estimated that a new version with new features could be released every 6 months. Keeping to that schedule for Drupal 8 has been problematic due to the size and scope of what they wanted to achieve, but they made it! 

Categories: Elsewhere

Wim Leers: Drupal 8.1: BigPipe as an experimental module

Planet Drupal - Wed, 20/04/2016 - 13:09

Today, Drupal 8.1 has been released and it includes BigPipe as an experimental module.

Six months ago, on the day of the release of Drupal 8, the BigPipe contrib module was released.

So BigPipe was first prototyped in contrib, then moved into core as an experimental module.

Experimental module?

Quoting d.o/core/experimental:

Experimental modules allow core contributors to iterate quickly on functionality that may be supported in an upcoming minor release and receive feedback, without needing to conform to the rigorous requirements for production versions of Drupal core.

Experimental modules allow site builders and contributed project authors to test out functionality that might eventually be included as a stable part of Drupal core.

With your help (in other words: by testing), we can help BigPipe “graduate” as a stable module in Drupal 8.2. This is the sort of module that needs wider testing because it changes how pages are delivered, so before it can be considered stable, it must be tested in as many circumstances as possible, including the most exotic ones.

(If your site offers personalization to end users, you are encouraged to enable BigPipe and report issues. There is zero risk of data loss. And when the environment — i.e. web server or (reverse) proxy — doesn’t support streaming, then BigPipe-delivered responses behave as if BigPipe was not installed. Nothing breaks, you just go back to the same perceived performance as before.)

About 500 sites are currently using the contrib module. With the release of Drupal 8.1, hopefully thousands of sites will test it.[1][2]

Please report any issues you encounter! Hopefully there won’t be many. I’d be very grateful to hear about success stories too — feel free to share those as issues too!

Documentation

Of course, documentation is ready too:

What about the contrib module?

The BigPipe contrib module is still available for Drupal 8.0, and will remain available.

  • 1.0-beta1 was released on the same day as Drupal 8.0.0
  • 1.0-beta2 was released on the same day as Drupal 8.0.1, and made it feature-complete
  • 1.0-beta3 contained only improved documentation
  • 1.0-rc1 brought comprehensive test coverage, which was the last thing necessary for BigPipe to become a core-worthy module — the same day as the work continued on the core issue: https://www.drupal.org/node/2469431#comment-10899308
  • 1.0 was tagged today, on the same day as Drupal 8.1.0

Going forward, I’ll make sure to tag releases of the BigPipe contrib module matching Drupal 8.1 patch releases, if they contain BigPipe fixes/improvements. So, when Drupal 8.1.3 is released, BigPipe 1.3 for Drupal 8.0 will be released also. That makes it easy to keep things in sync.

Upgrading?

When you upgrade from Drupal 8.0 to Drupal 8.1, and you were using the BigPipe module on your 8.0 site, then follow the instructions in the 8.1.0 release notes:

If you previously installed the BigPipe contributed module, you must uninstall and remove it before upgrading from Drupal 8.0.x to 8.1.x.

  [1] Note there is also the BigPipe demo module (d.o/project/big_pipe_demo), which makes it easy to simulate the impact of BigPipe on your particular site.

  [2] There’s also a live demo: http://bigpipe.demo.wimleers.com/

  • Acquia
  • Drupal
  • WPO
  • performance
Categories: Elsewhere

Michal Čihař: Testing Sphinx documentation with Jenkins

Planet Debian - Wed, 20/04/2016 - 12:00

While reviewing comments on the phpMyAdmin wiki (which we're shrinking down to developer documentation while moving end-user documentation to the proper documentation) I've noticed that people complained there about broken links in our documentation. Indeed there were quite a few of them, as this is something nobody really checks. It seems like an obvious task to automate.

It seemed so obvious to me that somebody must have done it already. Unfortunately I have not found much, but at least there was Using Jenkins to parse sphinx warnings. This helps with the build warnings, but unfortunately I found no integration for the linkcheck builder. Fortunately it's quite easy with the Jenkins Warnings plugin to write custom parsers and to parse linkcheck output as well.

The Sphinx output parser based on above link can be configured like:

Regular Expression:

^(.*):(\d+): \((.*)\) (.*)

Mapping Script:

    import hudson.plugins.warnings.parser.Warning

    String fileName = matcher.group(1)
    String lineNumber = matcher.group(2)
    String category = matcher.group(3)
    String message = matcher.group(4)

    return new Warning(fileName, Integer.parseInt(lineNumber), "sphinx", category, message);

Example Log Message:

Percona-Server-1.0.2-3.rst:67: (WARNING/2) Inline literal start-string without end-string.

The Sphinx linkcheck output is quite similar:

Regular Expression:

^(.*):(\d+): \[([^\]]*)\] (.*)

Mapping Script:

    import hudson.plugins.warnings.parser.Warning

    String fileName = matcher.group(1)
    String lineNumber = matcher.group(2)
    String category = matcher.group(3)
    String message = matcher.group(4)

    return new Warning(fileName, Integer.parseInt(lineNumber), "sphinx-linkcheck", category, message);

Example Log Message:

faq.rst:793: [broken] http://www.hardened-php.net/: <urlopen error [Errno -3] Temporary failure in name resolution>

All you need to do now is to enable these in your Jenkins project: let the Sphinx parser read the build output, and the Sphinx linkcheck parser the file generated by linkcheck (usually _build/linkcheck/output.txt). The result can be found on the phpMyAdmin CI server.

Filed under: English phpMyAdmin
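The two regular expressions above can be exercised outside Jenkins. The following is an added example, not code from the post or from the Jenkins Warnings plugin: it applies the same two patterns in Python, turns matches into records with the same fields the Groovy mapping scripts pass to the Warning constructor, and adds the gating decision a CI job needs (fail on broken links, only report redirects). The first line of each sample is the example log line from the post; the remaining sample lines are constructed for this example.

```python
"""Structured parsing of Sphinx build warnings and linkcheck output.

Added example, not code from the original post or from Jenkins: it runs the
two regular expressions from the post in Python so they can be checked
offline, and adds the gating step a CI job needs (fail only on broken
links, tolerate redirects).
"""
import re
from dataclasses import dataclass

# The two patterns as given in the post. The file-name group is greedy, so
# the engine backtracks to the last ":<digits>: " that is followed by "("
# or "["; URLs with ports or colons inside the message still parse.
SPHINX_WARNING_RE = re.compile(r"^(.*):(\d+): \((.*)\) (.*)$")
LINKCHECK_RE = re.compile(r"^(.*):(\d+): \[([^\]]*)\] (.*)$")


@dataclass(frozen=True)
class Finding:
    """One parsed entry; field names follow the Jenkins Warning constructor."""
    file_name: str
    line_number: int
    parser: str     # "sphinx" or "sphinx-linkcheck", as in the mapping scripts
    category: str   # "WARNING/2", "broken", "redirected permanently", ...
    message: str


def _parse(text, pattern, parser_name):
    findings = []
    for raw in text.splitlines():
        m = pattern.match(raw.rstrip("\r"))
        if m is None:
            continue  # progress lines ("writing output...") are not findings
        findings.append(Finding(m.group(1), int(m.group(2)), parser_name,
                                m.group(3), m.group(4)))
    return findings


def parse_sphinx_build(text):
    """Parse the sphinx-build log (the `(WARNING/2)` style lines)."""
    return _parse(text, SPHINX_WARNING_RE, "sphinx")


def parse_linkcheck(text):
    """Parse _build/linkcheck/output.txt (the `[broken]` style lines)."""
    return _parse(text, LINKCHECK_RE, "sphinx-linkcheck")


def broken_links(findings):
    """The subset that should fail the job; redirects only warn."""
    return [f for f in findings if f.category == "broken"]


# Constructed sample input. The first finding line of each sample is the
# example from the post; the other lines are made up for this example.
SAMPLE_BUILD_LOG = """\
Running Sphinx v1.3.6
Percona-Server-1.0.2-3.rst:67: (WARNING/2) Inline literal start-string without end-string.
config.rst:12: (ERROR/3) Unknown target name: "missing-label".
writing output... [100%] index
"""

SAMPLE_LINKCHECK_OUTPUT = """\
faq.rst:793: [broken] http://www.hardened-php.net/: <urlopen error [Errno -3] Temporary failure in name resolution>
index.rst:15: [redirected permanently] http://example.com:8080/old to https://example.com/new
setup.rst:201: [broken] http://localhost:8000/api: HTTP Error 404: Not Found
"""


def summarize(build_log=SAMPLE_BUILD_LOG, linkcheck_output=SAMPLE_LINKCHECK_OUTPUT):
    """Return (all findings, broken-link findings) for the two inputs."""
    findings = parse_sphinx_build(build_log) + parse_linkcheck(linkcheck_output)
    return findings, broken_links(findings)


if __name__ == "__main__":
    all_findings, broken = summarize()
    for f in all_findings:
        print(f"{f.parser:16} {f.file_name}:{f.line_number} [{f.category}] {f.message}")
    print(f"{len(broken)} broken link(s)")
    raise SystemExit(1 if broken else 0)
```

Run as a script it prints every finding and exits non-zero when any link is broken, which is the behaviour you would want from a post-build step; the `Finding` records carry the same five values the Groovy scripts hand to `new Warning(...)`, so a mismatch between the two implementations on a real log is easy to spot.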

Categories: Elsewhere

Dries Buytaert: Applaud the Drupal maintainers

Planet Drupal - Wed, 20/04/2016 - 11:38

Today is another big day for Drupal as we just released Drupal 8.1.0. Drupal 8.1.0 is an important milestone as it is a departure from the Drupal 7 release schedule where we couldn't add significant new features until Drupal 8. Drupal 8.1.0 balances maintenance with innovation.

On my blog and in presentations, I often talk about the future of Drupal and where we need to innovate. I highlight important developments in the Drupal community, and push my own ideas to disrupt the status quo. People, myself included, like to talk about the shiny innovations, but it is crucial to understand that innovation is only a piece of how we grow Drupal's success. What can't be forgotten is the maintenance, the bug fixing, the work on Drupal.org and our test infrastructure, the documentation writing, the ongoing coordination and the processes that allow us to crank out stable releases.

We often recognize those who help Drupal innovate or introduce novel things, but today, I'd like us to praise those who maintain and improve what already exists and that was innovated years ago. So much of what makes Drupal successful is the "daily upkeep". The seemingly mundane and unglamorous effort that goes into maintaining Drupal has a tremendous impact on the daily life of hundreds of thousands of Drupal developers, millions of Drupal content managers, and billions of people that visit Drupal sites. Without that maintenance, there would be no stability, and without stability, no room for innovation.

Categories: Elsewhere

Jim Birch: Midcamp 2016 Recap - Where the Drupal community comes together!

Planet Drupal - Wed, 20/04/2016 - 11:20

MidCamp 2016, the Midwest Drupal Camp, was a roaring success.  We had 36 sessions and 1 keynote spread across the University of Chicago Student Center West.  All of the sessions were successfully recorded by our amazing AV team and shared within hours on the MidCamp YouTube channel.  Our sponsor tables were busy; our Birds of a Feather discussions were many; and our socials were social!

This was my second time attending, and my first time being a volunteer organizer.  If you attended, I hope that I got to greet you on the way in.  Attending my first year, I was so awestruck by the amount of knowledge and talent at MidCamp, I couldn't help but get involved.  After volunteering to help, I am still in awe of the dedication of the volunteers, and the effort it takes to put on a camp like this.  Thanks to all of the volunteers for the countless hours put in throughout the year to make this event happen.

Please indulge me a moment while I call out a few individuals specifically for their incredible effort and dedication put forth to MidCamp 2016.


Categories: Elsewhere

Drupal Console: Drupal Console and Beer - Enzo join us from Chongqing

Planet Drupal - Wed, 20/04/2016 - 10:33
This time, Enzo joins us from Chongqing to talk about upcoming presentations on his enzotour 2016. We also talk about the latest features added in the 0.11.3 release, our very last one before the 1.0.0-alpha1 release. The next release will be tagged once Drupal 8.1.0 gets released.
Categories: Elsewhere

Drupal Blog: Drupal 8.1.0 is now available

Planet Drupal - Wed, 20/04/2016 - 09:48

Drupal 8.1.0, the first minor release of Drupal 8, is now available. With Drupal 8, we made significant changes in our release process, adopting semantic versioning and scheduled feature releases. This allows us to make extensive improvements to Drupal 8 in a timely fashion while still providing backwards compatibility. Drupal 8.1.0 is the first such update.

What's new in Drupal 8.1.x?

Drupal 8.1.0 comes with numerous improvements, including CKEditor WYSIWYG enhancements, added APIs, an improved help page, and two new experimental modules. (Experimental modules are provided with Drupal core for testing purposes, but are not yet fully supported.)

Experimental UI for migrations from Drupal 6 and 7

Drupal 8.1.0 now includes the Migrate Drupal UI module, which provides a user interface for Drupal core migrations. Use it to migrate Drupal 6 or 7 sites to Drupal 8. The user guide on migrating from Drupal 6 or 7 to Drupal 8 has full documentation. Note that the Drupal 8 Migrate module suite is still experimental and has known issues. Read below for specific information on migrating Drupal 6 and Drupal 7 sites with 8.1.0. (Always back up your data before performing a migration and review the results carefully.)

BigPipe for perceived performance

The Drupal 8 BigPipe module provides an advanced implementation of Facebook's BigPipe page rendering strategy, leading to greatly improved perceived performance for pages with dynamic, personalized, or uncacheable content. See the BigPipe documentation.

CKEditor WYSIWYG spellchecking and language button

Drupal 8.0.0 included the CKEditor module (a WYSIWYG editor), but it was not previously possible to use your browser's built-in spell checker with it to check the text. With Drupal 8.1.0, spellchecking is now enabled within CKEditor as well.

Another great improvement is the addition of the optional language markup button in CKEditor. When configured to appear in your editing toolbar, it allows you to assign language information to parts of the text, which is useful for accessibility and machine processing.

Improved help page with tours

Drupal 8.0.0 included a new system for help tutorials called tours with the core Tour module. In Drupal 8.1.0, we made these tours easier to discover by listing them in the administrative help overview at /admin/help.

The help overview page is also more flexible now, so contributed modules can add sections to it and themes can override its appearance more easily. You can read more about the new system in the change record for the updated help page, or refer to the Tour API documentation for how to add tours for your modules.

Rendered entities in Views fields

Drupal 8.1.0 now includes a rendered entity field handler for Views, which allows placing a fully rendered entity within a view field. For example, this feature could be used to display a rendered user profile for each node author in a table listing node content. (This feature was provided by the Entity contributed module in Drupal 7, but had not yet been available in Drupal 8.)

Support for JavaScript automated testing

Drupal 8.1.0 adds support for automated testing of JavaScript, which will mean fewer bugs with Drupal's JavaScript functionality in the future as we write new tests for it. (Read more about how to run the JavaScript tests.) There are also other improvements to the testing system, including improved reporting of PHPUnit and other test results.

Improved Composer support

Starting with Drupal 8.1.x, Drupal core and its dependencies are packaged by Composer on Drupal.org. This means that sites and modules can now also use Composer to manage all of their third-party dependencies (rather than having to work around the vendor directory that previously shipped with core).

Developer API improvements

Minor releases like Drupal 8.1.0 include backwards-compatible API additions for developers as well as new features. Read the 8.1.0 release notes for more details on the many improvements for developers in this release.

What does this mean to me?
Drupal 8 site owners

Update to 8.1.0 to continue receiving bug and security fixes. The next bugfix release, 8.1.1, is scheduled for May 4, 2016.

Updating your site from 8.0.6 to 8.1.0 with update.php is exactly the same as updating from 8.0.5 to 8.0.6. Modules, themes, and translations may need small changes for this minor release, so test the update carefully before updating your production site.

Drupal 6 site owners

Drupal 6 is not supported anymore. Create a Drupal 8 site and try migrating your data into it as soon as possible. Your Drupal 6 site can still remain up and running while you test migrating your Drupal 6 data into your new Drupal 8 site. Note that there are known issues with the experimental Migrate module suite. If you find a new bug not covered by one of these issues, your detailed bug report with steps to reproduce is a big help!

Drupal 7 site owners

Drupal 7 is still fully supported and will continue to receive bug and security fixes throughout all minor releases of Drupal 8.

The new Migrate Drupal UI for Migrate also allows migrating a Drupal 7 site into a Drupal 8 site, but the migration path from Drupal 7 to 8 is not complete, so you may encounter errors or missing migrations when you try to migrate. That said, since your Drupal 7 site can remain up and running while you test migrating into a new Drupal 8 site, you can help us stabilize the Drupal 7 to Drupal 8 migration path! Testing and bug reports from your real-world Drupal 7 sites will help us stabilize this functionality sooner for everyone. (Search the known issues.)

Translation, module, and theme contributors

Minor releases like Drupal 8.1.0 are backwards-compatible, so modules, themes, and translations that support Drupal 8.0.x will be compatible with 8.1.x as well. However, the new version does include some string changes, minor UI changes, and internal API changes (as well as more significant changes to experimental modules like the Migrate suite). This means that some small updates may be required for your translations, modules, and themes. See the announcement of the 8.1.0 release candidate for more background information.

Categories: Elsewhere

Wunderkraut blog: Dropcat, a new deploy tool for Drupal

Planet Drupal - Wed, 20/04/2016 - 09:24

In a series of blog posts I am going to present our new tool for doing Drupal deploys. It is developed internally in the ops team at Wunderkraut Sweden. We did that because, when we started doing Drupal 8 deploys, we tried to rethink how we had mostly done Drupal deploys before, since we had some issues with what we already had.

What we had - Jenkins and Aegir

For some years we have been using a combination of Jenkins and Aegir to deploy our sites. 
That workflow worked, sort of, well for us. And because it was not a perfect match we tried to rethink how we should do deploys with Drupal 8 in mind. 

Research phase

We looked in many directions, like Capistrano and Appistrano, OpenDevShop, platform.sh, Aegir 3 etc. But none of them fitted our current need – we wanted to simplify things, and most of the tools just added another layer that was not a perfect fit for us. Also, it was important to us that the solution should be open source.

We went old school and built our own solution – almost.

Re-use and invent

With Drupal 8 we got to know Symfony in a better way, and Symfony has a console component, which is also used by the Drupal Console project. The advantages of using Symfony Console as a base for our deploy flow were big: it follows Symfony best practice and builds on open source projects. Also, drush does a lot of the stuff that we need in the deploy process, so that is an important part too. We did not want to re-invent stuff that already worked well.

Enter Dropcat

So we started to build Dropcat (Drop as in Drupal, and cat because… because of cats) and slowly added more and more stuff to it. Now we have most of the commands that we need to do a normal deploy; we are still working on one important bit, the rollback, and hopefully by the time this series of blog posts about Dropcat is finished we will have that in place as well.

In the next blog post we take a look at how to install Dropcat and how the configuration files work. You can check out the Dropcat project on our GitLab server.

Categories: Elsewhere

Yuriy Gerasimov: Visual testing of Drupal.org. BackTrac Case Study

Planet Drupal - Wed, 20/04/2016 - 08:18

Visual testing is a great technique to keep the styles of your website under control. But what other things can visual testing catch? Maybe some problems with functionality?

It is always best to see visual testing on real-life projects. In this article we have tested the Drupal.org website by comparing it with its staging environment and found some interesting issues.

Read full article on BackTrac's blog

Please leave your comments on BackTrac's blog instead of here. Thanks!

Tags: drupal planet
Categories: Elsewhere

Norbert Preining: GnuPG notes: subkeys, yubikey, gpg1 vs gpg2

Planet Debian - Wed, 20/04/2016 - 07:42

Switching from one GnuPG master key to the usage of subkeys was long on my list of things I wanted to do, but never came around. With the advent of a YubiKey NEO in my pocket I finally took the plunge: reading through lots of web pages (and adding one here for confusion), trying to understand the procedures, and above all, understanding my own requirements!

To sum up a long story, it was worth the plunge, and overall the security level of my working environment has improved considerably.

While the advantages of subkeys are well documented (e.g., Debian Wiki), at the end of the day I was – like probably many Debian Developers – having one master key that was used for every action: mail decryption and signing, signing of uploads, etc. Traveling a lot I always felt uncomfortable. Despite a lengthy passphrase, I still didn’t want my master key to get into wrong hands in case the laptop got stolen. Furthermore, I had my master key on several computers (work, laptop, mail server), which didn’t help a lot either. With all this, I started to compile a list of requirements/objectives I wanted to have:

  • master key is only available on offline medium (USB sticks)
  • subkeys for signing, encryption, authentication
  • possibility to sign and decrypt my emails on the server where I read emails (ssh/mutt)
  • laptop does not contain any keys, instead use Yubikey
  • all keys with expiry date (1y)
  • mixture of gpg versions: local laptop: gpg2.1, mail server: gpg1

Warning: Before we start, a word of caution. Make backups, best at every stage. You don't want an erroneous operation to wipe out your precious keys without a backup!

Preparation

In the following I will assume that MASTERKEY environment variable contains the id of the master key to be converted. Furthermore, I have followed some of the advice here, so key ids will be shown in long format.

Let us start with the current situation:

$ gpg -K $MASTERKEY
sec   4096R/0x6CACA448860CDC13 2010-09-14
      Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
uid                            Norbert Preining <norbert@preining.info>
uid                            Norbert Preining <preining@logic.at>
uid                            Norbert Preining <preining@debian.org>
uid                            Norbert Preining <preining@jaist.ac.jp>
ssb   4096R/0xD1D2BD14810F62B3 2010-09-14

In the following we will go through the following steps:

  • Prepare the Yubikey NEO (forthcoming blog post)
  • Edit to current key: add expiry, add photo, and above all add subkeys
  • Create revocation certificate
  • Create gpg2.1 structure
  • Backup to USB media
  • Move subkeys to Yubikey NEO
  • Remove master keys
  • Separate gpg1 (for mail server) and gpg2 (for laptop)
  • Upload to key servers

Yubikey SmartCard setup

There are several guides out there, but I will in the very near future write one about using the NEO for various usage scenarios including GPG keys.

Edit the current key

The following can be done in one session or in several; the screen logs below are from sessions started with:

$ gpg --expert --edit-key $MASTERKEY

Add expiry date

Having an expiry date on your key serves two purposes: if you lose it, it will solve itself automatically, and furthermore you are forced to deal with the key – and refresh your gpg knowledge – at least once a year. Those are two perfect reasons to set expiry to one year.

The following log selects each key in turn and sets its expiry date.

$ gpg --expert --edit-key $MASTERKEY
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: never       usage: SC
                               trust: ultimate      validity: ultimate
sub  4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: never       usage: E
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>

gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon 06 Feb 2017 08:09:16 PM JST
Is this correct? (y/N) y

You need a passphrase to unlock the secret key for
user: "Norbert Preining <norbert@preining.info>"
4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14

Enter passphrase:

pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                               trust: ultimate      validity: ultimate
sub  4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: never       usage: E
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>

gpg> key 1

pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                               trust: ultimate      validity: ultimate
sub* 4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: never       usage: E
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>

gpg> expire
Changing expiration time for a subkey.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon 06 Feb 2017 08:09:27 PM JST
Is this correct? (y/N) y

You need a passphrase to unlock the secret key for
user: "Norbert Preining <norbert@preining.info>"
4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14

Enter passphrase:

pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                               trust: ultimate      validity: ultimate
sub* 4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>

Add a photo

Not strictly necessary, but an interesting feature. gpg suggests 240×288, I resized a photo of my head, greyscaled it, and optimized it with jpegoptim -s -m40 my-photo.jpg. The parameter 40 is the quality, I played around a bit to find the best balance between size and quality. The size should not be too big as the photo will be part of the key!

gpg> addphoto

Pick an image to use for your photo ID.  The image must be a JPEG file.
Remember that the image is stored within your public key.  If you use a
very large picture, your key will become very large as well!
Keeping the image close to 240x288 is a good size to use.

Enter JPEG filename for photo ID: GPG/norbert-head.jpg
Is this photo correct (y/N/q)? y

You need a passphrase to unlock the secret key for
user: "Norbert Preining <norbert@preining.info>"
4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14

Enter passphrase:

pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                               trust: ultimate      validity: ultimate
sub* 4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ unknown] (5)  [jpeg image of size 4185]

Add subkeys of 2048bit for signing/encryption/authentication

Now comes the interesting part, adding three subkeys: one for signing, one for encrypting, and one for authentication. The one for signing is the one you will use for signing your uploads to Debian as well as emails. The authentication key will later be used to provide ssh authentication. Note that you have to use the --expert option with edit-key (as shown above), otherwise gpg does not allow this.

As I want to move the subkeys to the Yubikey NEO, a keysize of 2048bits is necessary.

First for the signing:

gpg> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Norbert Preining <norbert@preining.info>"
4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14

Enter passphrase:

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon 06 Feb 2017 08:10:06 PM JST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
....+++++
..........+++++

pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                               trust: ultimate      validity: ultimate
sub* 4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
sub  2048R/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ unknown] (5)  [jpeg image of size 4185]

Now the same for encryption key:

gpg> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Norbert Preining <norbert@preining.info>"
4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14

Enter passphrase:

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon 06 Feb 2017 08:10:20 PM JST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++
........+++++

pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                               trust: ultimate      validity: ultimate
sub* 4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
sub  2048R/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
sub  2048R/0xBF361ED434425B4C  created: 2016-02-07  expires: 2017-02-06  usage: E
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ unknown] (5)  [jpeg image of size 4185]

Finally for the authentication key. Note that only here is --expert necessary! We use ‘(8) RSA (set your own capabilities)’ and then toggle the sign and encryption capabilities off, and authentication on.

gpg> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Norbert Preining <norbert@preining.info>"
4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14

Enter passphrase:

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? a

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Mon 06 Feb 2017 08:10:34 PM JST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
......+++++
+++++

pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                               trust: ultimate      validity: ultimate
sub* 4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
sub  2048R/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
sub  2048R/0xBF361ED434425B4C  created: 2016-02-07  expires: 2017-02-06  usage: E
sub  2048R/0x9C7CA4E294F04D49  created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ unknown] (5)  [jpeg image of size 4185]

gpg> save

Check the current status

Good point to take a break and inspect the current status. We should have one main key and three subkeys, all with expiry dates of 1 year ahead, and a photo also attached to the key:

$ gpg --expert --edit-key $MASTERKEY
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: public key 0x0FC3EC02FBBB8AB1 is 58138 seconds newer than the signature
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   2  signed:  28  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1  valid:  28  signed:  41  trust: 28-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2016-11-02
pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                               trust: ultimate      validity: ultimate
sub  4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
sub  2048R/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
sub  2048R/0xBF361ED434425B4C  created: 2016-02-07  expires: 2017-02-06  usage: E
sub  2048R/0x9C7CA4E294F04D49  created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg>

Create revocation certificate

In case something happens, like all your backups are burned, your computers are destroyed, or all data stolen by the NSA, it is a good idea to have an old fashioned paper print out of a revocation certificate which allows you to revoke the key even if you are not in possession of it.

This should be printed out and kept in a safe place.

$ gpg --gen-revoke $MASTERKEY > GPG/revoke-certificate-$MASTERKEY.txt

sec  4096R/0x6CACA448860CDC13 2010-09-14 Norbert Preining <norbert@preining.info>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
>
Reason for revocation: Key has been compromised
(No description given)
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Norbert Preining <norbert@preining.info>"
4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14

Enter passphrase:

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if the NSA or KGB or Mossad gets access to this certificate, they can use it to make your key unusable. It is smart to print this certificate and store it away, just in case your media become unreadable.

Create gpg 2.1 structure

There are currently three versions of gpg available: ‘classic’ (version 1) which is one static binary, perfect for servers or scripting tasks; ‘stable’ (version 2.0) which is the modularized version supporting OpenPGP, S/MIME, and Secure Shell; and finally ‘modern’ (version 2.1 and up) with enhanced features like support for Elliptic Curve cryptography. Debian currently ships version 1 as standard, and also the modern version (but there are traces in experimental of a pending transition).

The newer versions of GnuPG are modularized and use an agent. For the following we need to kill any running instance of gpg-agent.

$ killall gpg-agent

After that a simple call to gpg2 to list the secret keys will convert the layout to the new standard:

$ gpg2 -K $MASTERKEY
gpg: keyserver option 'ca-cert-file' is obsolete; please use 'hkp-cacert' in dirmngr.conf
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/home/norbert/.gnupg/secring.gpg' to gpg-agent
gpg: key 0xD2BF4AA309C5B094: secret key imported
gpg: key 0x6CACA448860CDC13: secret key imported
gpg: migration succeeded
sec   rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06]
      Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
uid                   [ultimate] Norbert Preining <norbert@preining.info>
uid                   [ultimate] Norbert Preining <preining@logic.at>
uid                   [ultimate] Norbert Preining <preining@debian.org>
uid                   [ultimate] Norbert Preining <preining@jaist.ac.jp>
uid                   [ultimate] [jpeg image of size 4185]
ssb   rsa4096/0xD1D2BD14810F62B3 2010-09-14 [E]  [expires: 2017-02-06]
ssb   rsa2048/0xEC00B8DAD32266AA 2016-02-07 [S]  [expires: 2017-02-06]
ssb   rsa2048/0xBF361ED434425B4C 2016-02-07 [E]  [expires: 2017-02-06]
ssb   rsa2048/0x9C7CA4E294F04D49 2016-02-07 [A]  [expires: 2017-02-06]

After this there will be new files and directories in the .gnupg directory, in particular .gnupg/private-keys-v1.d/, which contains the private keys.

Creating backup

Now your .gnupg directory still contains all the keys, available to both gpg1 and gpg2.1.

You MUST MAKE A BACKUP NOW!!! Put it on at least 3 USB sticks and maybe some other offline media. Keep them in a safe place, or better in several different safe places; you will need them for extending the expiry date, signing other keys, etc.

Warning concerning USB and vfat file systems

gpg >= 2.1 requires gpg-agent, which in turn needs a socket. If you have the backup on a USB drive (most often with a vfat file system), you need to redirect the socket, as vfat does not support sockets!

Edit /USBSTICK/gnupghome/S.gpg-agent and enter there

%Assuan% socket=/dev/shm/S.gpg-agent

After that the socket will be created in /dev/shm/ instead and invoking gpg with gpg2 --homedir /USBSTICK/gnupghome will work.

You have done your backups, right?

Move sub keys to card

As I mentioned, I want to have no keys on my laptop, which I carry around to strange countries; instead I want to have them all on a Yubikey NEO. I will describe the setup and usage in detail soon, but mention here only how to move the keys to the card. This requires a finished card setup, including the change of PINs.

Note that when using gpg2 to move the keys to the card, the local copies are actually deleted, but only for the gpg2(.1) files. The gpg1 secret keys are still all in place.

$ gpg2 --edit-key $MASTERKEY
gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec   rsa4096/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                  trust: ultimate      validity: ultimate
ssb   rsa4096/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
ssb   rsa2048/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
ssb   rsa2048/0xBF361ED434425B4C  created: 2016-02-07  expires: 2017-02-06  usage: E
ssb   rsa2048/0x9C7CA4E294F04D49  created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> key 2

sec   rsa4096/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                  trust: ultimate      validity: ultimate
ssb   rsa4096/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
ssb*  rsa2048/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
ssb   rsa2048/0xBF361ED434425B4C  created: 2016-02-07  expires: 2017-02-06  usage: E
ssb   rsa2048/0x9C7CA4E294F04D49  created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

sec   rsa4096/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                  trust: ultimate      validity: ultimate
ssb   rsa4096/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
ssb*  rsa2048/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
ssb   rsa2048/0xBF361ED434425B4C  created: 2016-02-07  expires: 2017-02-06  usage: E
ssb   rsa2048/0x9C7CA4E294F04D49  created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> key 2

sec   rsa4096/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                  trust: ultimate      validity: ultimate
ssb   rsa4096/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
ssb   rsa2048/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
ssb   rsa2048/0xBF361ED434425B4C  created: 2016-02-07  expires: 2017-02-06  usage: E
ssb   rsa2048/0x9C7CA4E294F04D49  created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> key 3

sec   rsa4096/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                  trust: ultimate      validity: ultimate
ssb   rsa4096/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
ssb   rsa2048/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
ssb*  rsa2048/0xBF361ED434425B4C  created: 2016-02-07  expires: 2017-02-06  usage: E
ssb   rsa2048/0x9C7CA4E294F04D49  created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2

sec   rsa4096/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                  trust: ultimate      validity: ultimate
ssb   rsa4096/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
ssb   rsa2048/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
ssb*  rsa2048/0xBF361ED434425B4C  created: 2016-02-07  expires: 2017-02-06  usage: E
ssb   rsa2048/0x9C7CA4E294F04D49  created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> key 3

sec   rsa4096/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                  trust: ultimate      validity: ultimate
ssb   rsa4096/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
ssb   rsa2048/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
ssb   rsa2048/0xBF361ED434425B4C  created: 2016-02-07  expires: 2017-02-06  usage: E
ssb   rsa2048/0x9C7CA4E294F04D49  created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> key 4

sec   rsa4096/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                  trust: ultimate      validity: ultimate
ssb   rsa4096/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
ssb   rsa2048/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
ssb   rsa2048/0xBF361ED434425B4C  created: 2016-02-07  expires: 2017-02-06  usage: E
ssb*  rsa2048/0x9C7CA4E294F04D49  created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> keytocard
Please select where to store the key:
   (3) Authentication key
Your selection? 3

sec   rsa4096/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                  trust: ultimate      validity: ultimate
ssb   rsa4096/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
ssb   rsa2048/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
ssb   rsa2048/0xBF361ED434425B4C  created: 2016-02-07  expires: 2017-02-06  usage: E
ssb*  rsa2048/0x9C7CA4E294F04D49  created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> key 4

sec   rsa4096/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                  trust: ultimate      validity: ultimate
ssb   rsa4096/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
ssb   rsa2048/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
ssb   rsa2048/0xBF361ED434425B4C  created: 2016-02-07  expires: 2017-02-06  usage: E
ssb   rsa2048/0x9C7CA4E294F04D49  created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> save

Note the repetition of selecting and deselecting keys: key N toggles the selection of subkey N (shown by the * after ssb), so each subkey is selected, moved with keytocard, and deselected again before the next one is selected, otherwise keytocard would act on more than one key.

Current status

After this procedure we are now in the following situation:

  • gpg1: all keys are still available
  • gpg2: sub keys are moved to yubikey (indicated below by ssb>), and master key is still available

In gpg words it looks like this:

$ gpg2 -K $MASTERKEY
gpg: keyserver option 'ca-cert-file' is obsolete; please use 'hkp-cacert' in dirmngr.conf
sec   rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06]
      Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
uid                   [ultimate] Norbert Preining <norbert@preining.info>
uid                   [ultimate] Norbert Preining <preining@logic.at>
uid                   [ultimate] Norbert Preining <preining@debian.org>
uid                   [ultimate] Norbert Preining <preining@jaist.ac.jp>
uid                   [ultimate] [jpeg image of size 4185]
ssb   rsa4096/0xD1D2BD14810F62B3 2010-09-14 [E]  [expires: 2017-02-06]
ssb>  rsa2048/0xEC00B8DAD32266AA 2016-02-07 [S]  [expires: 2017-02-06]
ssb>  rsa2048/0xBF361ED434425B4C 2016-02-07 [E]  [expires: 2017-02-06]
ssb>  rsa2048/0x9C7CA4E294F04D49 2016-02-07 [A]  [expires: 2017-02-06]

$ gpg -K $MASTERKEY
sec   4096R/0x6CACA448860CDC13 2010-09-14 [expires: 2017-02-06]
      Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
uid                            Norbert Preining <norbert@preining.info>
uid                            Norbert Preining <preining@logic.at>
uid                            Norbert Preining <preining@debian.org>
uid                            Norbert Preining <preining@jaist.ac.jp>
uid                            [jpeg image of size 4185]
ssb   4096R/0xD1D2BD14810F62B3 2010-09-14 [expires: 2017-02-06]
ssb   2048R/0xEC00B8DAD32266AA 2016-02-07 [expires: 2017-02-06]
ssb   2048R/0xBF361ED434425B4C 2016-02-07 [expires: 2017-02-06]
ssb   2048R/0x9C7CA4E294F04D49 2016-02-07 [expires: 2017-02-06]

$ gpg2 --card-status
....
Name of cardholder: Norbert Preining
....
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: 5871 F824 2DCC 3660 2362  BE7D EC00 B8DA D322 66AA
      created ....: 2016-02-07 11:10:06
Encryption key....: 2501 195C 90AB F4D2 3DEA  A303 BF36 1ED4 3442 5B4C
      created ....: 2016-02-07 11:10:20
Authentication key: 9CFB 3775 C164 0E99 F0C8  014C 9C7C A4E2 94F0 4D49
      created ....: 2016-02-07 11:10:34
General key info..: sub  rsa2048/0xEC00B8DAD32266AA 2016-02-07 Norbert Preining <norbert@preining.info>
sec   rsa4096/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06
ssb   rsa4096/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06
ssb>  rsa2048/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06
                                  card-no: 0006 03645719
ssb>  rsa2048/0xBF361ED434425B4C  created: 2016-02-07  expires: 2017-02-06
                                  card-no: 0006 03645719
ssb>  rsa2048/0x9C7CA4E294F04D49  created: 2016-02-07  expires: 2017-02-06
                                  card-no: 0006 03645719
$

Remove private master keys

Are you sure that you have a working backup? Did you try it with gpg --homedir ...? Only if you are really sure, continue.

We are now removing the master key from both the gpg2 and gpg1 setup.

removal for gpg2

gpg2 keeps the private keys in ~/.gnupg/private-keys-v1.d/KEYGRIP.key, and the KEYGRIP can be found by adding --with-keygrip to the key listing. Be sure to delete the correct file, the one belonging to the master key (the Keygrip printed under the pub line), and not one of the subkeys.

$ gpg2 --with-keygrip --list-key $MASTERKEY
pub   rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06]
      Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
      Keygrip = 9DC1E90703856C1DE0EAC970CED7ABF5EE5EF79D
uid                   [ultimate] Norbert Preining <norbert@preining.info>
uid                   [ultimate] Norbert Preining <preining@logic.at>
uid                   [ultimate] Norbert Preining <preining@debian.org>
uid                   [ultimate] Norbert Preining <preining@jaist.ac.jp>
uid                   [ultimate] [jpeg image of size 4185]
sub   rsa4096/0xD1D2BD14810F62B3 2010-09-14 [E]  [expires: 2017-02-06]
      Keygrip = 4B8FF57434DD989243666377376903281D861596
sub   rsa2048/0xEC00B8DAD32266AA 2016-02-07 [S]  [expires: 2017-02-06]
      Keygrip = 39B14EF1392F2F251863A87AE4D44CE502755C39
sub   rsa2048/0xBF361ED434425B4C 2016-02-07 [E]  [expires: 2017-02-06]
      Keygrip = E41C8DDB2A22976AE0DA8D7D11F586EA793203EA
sub   rsa2048/0x9C7CA4E294F04D49 2016-02-07 [A]  [expires: 2017-02-06]
      Keygrip = A337DE390143074C6DBFEA64224359B9859B02FC

$ rm ~/.gnupg/private-keys-v1.d/9DC1E90703856C1DE0EAC970CED7ABF5EE5EF79D.key
$
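The rm has to hit the master key's file and nothing else. As an added example, not from the post, a small POSIX shell helper that picks the master keygrip out of the listing format shown above (the Keygrip printed after pub and before the first sub), refuses to act if that keygrip is ambiguous or the file is missing, and deletes only that file; the sample listing is constructed from the ids and keygrips printed above, and the GnuPG home directory is passed in as an argument.

```shell
#!/bin/sh
# Added example (not the post's own code): locate and remove only the
# master key's private-key file in private-keys-v1.d/, driven by the output
# of `gpg2 --with-keygrip --list-key`. The master keygrip is the one that
# follows the `pub` line; every "Keygrip =" after a `sub` line is a subkey.
# Constructed sample listing in the layout shown above (uid lines shortened).
SAMPLE_LISTING='pub   rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06]
      Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
      Keygrip = 9DC1E90703856C1DE0EAC970CED7ABF5EE5EF79D
uid                   [ultimate] Norbert Preining <norbert@preining.info>
sub   rsa4096/0xD1D2BD14810F62B3 2010-09-14 [E]  [expires: 2017-02-06]
      Keygrip = 4B8FF57434DD989243666377376903281D861596
sub   rsa2048/0xEC00B8DAD32266AA 2016-02-07 [S]  [expires: 2017-02-06]
      Keygrip = 39B14EF1392F2F251863A87AE4D44CE502755C39'

# master_keygrip LISTING -> prints the keygrip that belongs to the pub line
master_keygrip() {
    printf '%s\n' "$1" | awk '
        $1 == "pub" { in_master = 1; next }
        $1 == "sub" { in_master = 0 }
        in_master && $1 == "Keygrip" { print $3; exit }'
}

# subkey_keygrips LISTING -> one keygrip per sub line (the files to keep)
subkey_keygrips() {
    printf '%s\n' "$1" | awk '
        $1 == "sub" { in_sub = 1; next }
        in_sub && $1 == "Keygrip" { print $3 }'
}

# remove_master_secret GNUPGHOME LISTING
# Deletes GNUPGHOME/private-keys-v1.d/<master keygrip>.key, and only that,
# after checking the grip was found, is not also a subkey grip, and exists.
remove_master_secret() {
    grip=$(master_keygrip "$2")
    [ -n "$grip" ] || { echo "no master keygrip in listing" >&2; return 1; }
    if subkey_keygrips "$2" | grep -qx "$grip"; then
        echo "keygrip $grip is also a subkey keygrip, refusing" >&2
        return 1
    fi
    f="$1/private-keys-v1.d/$grip.key"
    [ -f "$f" ] || { echo "$f not found" >&2; return 1; }
    rm "$f"
}
```

On a real system the listing argument is the captured output of gpg2 --with-keygrip --list-key $MASTERKEY and the home argument is ~/.gnupg.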

After that the missing key is shown in gpg2 -K with an additional #, meaning that the secret key is not available:

$ gpg2 -K $MASTERKEY
sec#  rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06]
...

removal for gpg1

Up to gpg v2.0 there is no simple way to delete only one part of the key. We export the subkeys, delete the whole secret key, and reimport the subkeys:

$ gpg --output secret-subkeys --export-secret-subkeys $MASTERKEY

$ gpg --delete-secret-keys $MASTERKEY

sec  4096R/0x6CACA448860CDC13 2010-09-14 Norbert Preining <norbert@preining.info>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

$ gpg --import secret-subkeys
gpg: key 0x6CACA448860CDC13: secret key imported
gpg: key 0x6CACA448860CDC13: "Norbert Preining <norbert@preining.info>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

$

Current status

We are basically at the stage we wanted to achieve:

For gpg 2.1 only the old encryption key is available locally; the master key is not, and the other subkeys have been moved to the yubikey:

$ gpg2 -K $MASTERKEY
sec#  rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06]
      Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
uid                   [ultimate] Norbert Preining <norbert@preining.info>
uid                   [ultimate] Norbert Preining <preining@logic.at>
uid                   [ultimate] Norbert Preining <preining@debian.org>
uid                   [ultimate] Norbert Preining <preining@jaist.ac.jp>
uid                   [ultimate] [jpeg image of size 4185]
ssb   rsa4096/0xD1D2BD14810F62B3 2010-09-14 [E]  [expires: 2017-02-06]
ssb>  rsa2048/0xEC00B8DAD32266AA 2016-02-07 [S]  [expires: 2017-02-06]
ssb>  rsa2048/0xBF361ED434425B4C 2016-02-07 [E]  [expires: 2017-02-06]
ssb>  rsa2048/0x9C7CA4E294F04D49 2016-02-07 [A]  [expires: 2017-02-06]
$
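Reading the markers by eye is error-prone, so as an added check (not from the post) here is a POSIX shell helper that takes the text of a gpg2 -K or gpg -K listing and reports whether the master key is offline (sec#), how many subkeys live on the card (ssb>) and how many are still fully on disk (ssb); it works for both the gpg 2.1 and the gpg 1 listing formats. The sample listings are constructed from the key ids shown on this page.

```shell
#!/bin/sh
# Added example (not the post's own code): summarise where each secret key
# of a `gpg -K` / `gpg2 -K` listing lives.
#   sec#  master key is not present locally (stub only)
#   ssb>  subkey is on the smartcard (stub only)
#   ssb   subkey is fully present on disk
# Constructed samples in the layouts shown on this page, uid lines shortened.
SAMPLE_GPG2='sec#  rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06]
uid                   [ultimate] Norbert Preining <norbert@preining.info>
ssb   rsa4096/0xD1D2BD14810F62B3 2010-09-14 [E]  [expires: 2017-02-06]
ssb>  rsa2048/0xEC00B8DAD32266AA 2016-02-07 [S]  [expires: 2017-02-06]
ssb>  rsa2048/0xBF361ED434425B4C 2016-02-07 [E]  [expires: 2017-02-06]
ssb>  rsa2048/0x9C7CA4E294F04D49 2016-02-07 [A]  [expires: 2017-02-06]'

SAMPLE_GPG1='sec#  4096R/0x6CACA448860CDC13 2010-09-14 [expires: 2017-02-06]
uid                            Norbert Preining <norbert@preining.info>
ssb   4096R/0xD1D2BD14810F62B3 2010-09-14 [expires: 2017-02-06]
ssb   2048R/0xEC00B8DAD32266AA 2016-02-07 [expires: 2017-02-06]
ssb   2048R/0xBF361ED434425B4C 2016-02-07 [expires: 2017-02-06]
ssb   2048R/0x9C7CA4E294F04D49 2016-02-07 [expires: 2017-02-06]'

# key_status LISTING -> "master=<local|offline|missing> oncard=N local=N"
key_status() {
    printf '%s\n' "$1" | awk '
        BEGIN        { master = "missing" }
        $1 == "sec"  { master = "local" }
        $1 == "sec#" { master = "offline" }
        $1 == "ssb>" { oncard++ }
        $1 == "ssb"  { ondisk++ }
        END { printf "master=%s oncard=%d local=%d\n", master, oncard + 0, ondisk + 0 }'
}

# local_subkeys LISTING -> key ids of subkeys whose secret part is on disk;
# after the procedure this should list only the old encryption key.
local_subkeys() {
    printf '%s\n' "$1" | awk '$1 == "ssb" { split($2, a, "/"); print a[2] }'
}

# master_offline LISTING -> exit 0 only if the master key is a stub (sec#)
master_offline() {
    key_status "$1" | grep -q '^master=offline '
}
```

Feed it the captured output of gpg2 -K $MASTERKEY or gpg -K $MASTERKEY; a result with master=local means the removal step has not been done for that gpg version.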

And for gpg <= 2.0 the old encryption key and the sub keys are available, but the master key is not:

$ gpg -K $MASTERKEY
sec#  4096R/0x6CACA448860CDC13 2010-09-14 [expires: 2017-02-06]
      Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
uid                            Norbert Preining <norbert@preining.info>
uid                            Norbert Preining <preining@logic.at>
uid                            Norbert Preining <preining@debian.org>
uid                            Norbert Preining <preining@jaist.ac.jp>
uid                            [jpeg image of size 4185]
ssb   4096R/0xD1D2BD14810F62B3 2010-09-14 [expires: 2017-02-06]
ssb   2048R/0xEC00B8DAD32266AA 2016-02-07 [expires: 2017-02-06]
ssb   2048R/0xBF361ED434425B4C 2016-02-07 [expires: 2017-02-06]
ssb   2048R/0x9C7CA4E294F04D49 2016-02-07 [expires: 2017-02-06]

$

Split the .gnupg directory for mail server and laptop

As mentioned, I want to have a gpg1 version available at the server where I read my emails, and be able to sign/encrypt emails there, while on my laptop no secret key is available. Thus I prepare two gnupg directories.

For the mailserver the gpg2 specific files are removed:

$ cp -a .gnupg .gnupg-mail
$ cd .gnupg-mail
$ rm -rf private-keys-v1.d/ pubring.gpg~ reader_0.status
$ rm -rf S.gpg-agent* S.scdaemon .gpg-v21-migrated

On my laptop, where I did all these operations, I remove the gpg1 files, namely the outdated secring.gpg:

$ cd $HOME/.gnupg
$ rm secring.gpg

As a last step I move the .gnupg-mail directory to my mail server.

One could *expire* the old encryption key, but for now I leave it as is.

Upload keys to keyservers

If you are a Debian Developer, a simple update of your master key will suffice:

gpg --keyserver hkp://keyring.debian.org --send-key YOURMASTERKEYID

Note that the update from the keyring server to the actual Debian keyring takes up to one month. Until that time either do not upload anything, or use the (offline) master key for signing. After your key has been updated in the Debian keyring, signatures made with the signing subkey will be accepted for uploading to Debian.

It might be also a good idea to upload your new keys to some keyservers like:

gpg --keyserver hkp://pool.sks-keyservers.net --send-key $MASTERKEY

Now you can also fix the configuration file skew between gpg1 and gpg2.

Further remark

I am currently trying to use the authentication key from my Yubikey NEO as an ssh key, but bugs (see #795368 and #818969) prevent it at the moment. Raphaël Hertzog gave a possible fix by killing the gpg-agent and restarting it with gpg-agent --daemon from an X terminal, and I can confirm that this worked.

In one year, before the key expires, I need to extend the key validity for another year. For this you need the offline master key. I will describe the process when it becomes necessary.

Reading list

The following web sites have been useful in collecting the necessary information:

  1. https://iain.learmonth.me/yubikey-neo-gpg/
  2. https://iain.learmonth.me/yubikey-udev/
  3. http://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/
  4. https://wiki.debian.org/Subkeys
  5. https://jclement.ca/articles/2015/gpg-smartcard/ as modernized version of (3)
  6. https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/ similar style, with ssh and gnome-keyring infos
  7. http://karlgrz.com/2fa-gpg-ssh-keys-with-pass-and-yubikey-neo/ also good reading
  8. https://help.riseup.net/en/security/message-security/openpgp/best-practices good and concise advice on gpg practices

My writing is mostly based on (5) with additions from (4).

Please let me know of any errors, improvements, and fixes. I hope this walk-through might help others in the same situation.


Mike Ryan: Migration update for Drupal 8.1

Planet Drupal - Tue, 19/04/2016 - 21:24

For those of you using the migration system under Drupal 8.0.x, with Drupal 8.1 scheduled to release tomorrow, let’s take a look at where the migration ecosystem now stands. We’ll discuss the biggest core API change, then how moving to 8.1 affects various use cases.

Migrations are now plugins



Drupal core announcements: Reinventing Drupal’s User Experience process

Planet Drupal - Tue, 19/04/2016 - 21:20

The Drupal core product needs to become more engaging and useful right out of the box. Usability testing has shown why. We want to look at how we can change our process to be more efficient and effective.

We learned during the Drupal 8 process that our way of building the product side of Drupal has many challenges. We propose to adopt a different way of working that avoids current pitfalls and enables a fresher, faster way to iterate on the core product.

The UX-team has started a discussion in the Usability group to explore how we can change our process to allow for more drastic UX changes.

Join the discussion at: Reinventing Drupal’s User Experience process


Drupal @ Penn State: Drupal 8 Theme Generation and Development Intro Using the Drupal Console

Planet Drupal - Tue, 19/04/2016 - 19:16

Here is a screen cast of how to get started with Drupal 8 theme development.

In the video I cover:

  • using the drupal console to generate a theme from a base theme
  • creating a libraries yml file
  • adding global css to your theme
  • Using Kint with the devel module
  • debugging twig
  • adding your own twig file to your theme