Elsewhere

Drupal Blog: Drupal 8.1.0 is now available

Planet Drupal - Wed, 20/04/2016 - 09:48

Drupal 8.1.0, the first minor release of Drupal 8, is now available. With Drupal 8, we made significant changes in our release process, adopting semantic versioning and scheduled feature releases. This allows us to make extensive improvements to Drupal 8 in a timely fashion while still providing backwards compatibility. Drupal 8.1.0 is the first such update.

What's new in Drupal 8.1.x?

Drupal 8.1.0 comes with numerous improvements, including CKEditor WYSIWYG enhancements, added APIs, an improved help page, and two new experimental modules. (Experimental modules are provided with Drupal core for testing purposes, but are not yet fully supported.)

Download Drupal-8.1.0

Experimental UI for migrations from Drupal 6 and 7

Drupal 8.1.0 now includes the Migrate Drupal UI module, which provides a user interface for Drupal core migrations. Use it to migrate Drupal 6 or 7 sites to Drupal 8. The user guide on migrating from Drupal 6 or 7 to Drupal 8 has full documentation. Note that the Drupal 8 Migrate module suite is still experimental and has known issues. Read below for specific information on migrating Drupal 6 and Drupal 7 sites with 8.1.0. (Always back up your data before performing a migration and review the results carefully.)

BigPipe for perceived performance

The Drupal 8 BigPipe module provides an advanced implementation of Facebook's BigPipe page rendering strategy, leading to greatly improved perceived performance for pages with dynamic, personalized, or uncacheable content. See the BigPipe documentation.

CKEditor WYSIWYG spellchecking and language button

Drupal 8.0.0 included the CKEditor module (a WYSIWYG editor), but it was not previously possible to use your browser's built-in spell checker with it to check the text. With Drupal 8.1.0, spellchecking is now enabled within CKEditor as well.

Another great improvement is the addition of the optional language markup button in CKEditor. When configured to appear in your editing toolbar, it allows you to assign language information to parts of the text, which is useful for accessibility and machine processing.

Improved help page with tours

Drupal 8.0.0 included a new system for help tutorials called tours with the core Tour module. In Drupal 8.1.0, we made these tours easier to discover by listing them in the administrative help overview at /admin/help.

The help overview page is also more flexible now, so contributed modules can add sections to it and themes can override its appearance more easily. You can read more about the new system in the change record for the updated help page, or refer to the Tour API documentation for how to add tours for your modules.

Rendered entities in Views fields

Drupal 8.1.0 now includes a rendered entity field handler for Views, which allows placing a fully rendered entity within a view field. For example, this feature could be used to display a rendered user profile for each node author in a table listing node content. (This feature was provided by the Entity contributed module in Drupal 7, but had not yet been available in Drupal 8.)

Support for JavaScript automated testing

Drupal 8.1.0 adds support for automated testing of JavaScript, which will mean fewer bugs with Drupal's JavaScript functionality in the future as we write new tests for it. (Read more about how to run the JavaScript tests.) There are also other improvements to the testing system, including improved reporting of PHPUnit and other test results.

Improved Composer support

Starting with Drupal 8.1.x, Drupal core and its dependencies are packaged by Composer on Drupal.org. This means that sites and modules can now also use Composer to manage all of their third-party dependencies (rather than having to work around the vendor directory that previously shipped with core).

Developer API improvements

Minor releases like Drupal 8.1.0 include backwards-compatible API additions for developers as well as new features. Read the 8.1.0 release notes for more details on the many improvements for developers in this release.

What does this mean to me?

Drupal 8 site owners

Update to 8.1.0 to continue receiving bug and security fixes. The next bugfix release, 8.1.1, is scheduled for May 4, 2016.

Updating your site from 8.0.6 to 8.1.0 with update.php is exactly the same as updating from 8.0.5 to 8.0.6. Modules, themes, and translations may need small changes for this minor release, so test the update carefully before updating your production site.

Drupal 6 site owners

Drupal 6 is not supported anymore. Create a Drupal 8 site and try migrating your data into it as soon as possible. Your Drupal 6 site can still remain up and running while you test migrating your Drupal 6 data into your new Drupal 8 site. Note that there are known issues with the experimental Migrate module suite. If you find a new bug not covered by one of these issues, your detailed bug report with steps to reproduce is a big help!

Drupal 7 site owners

Drupal 7 is still fully supported and will continue to receive bug and security fixes throughout all minor releases of Drupal 8.

The new Migrate Drupal UI for Migrate also allows migrating a Drupal 7 site into a Drupal 8 site, but the migration path from Drupal 7 to 8 is not complete, so you may encounter errors or missing migrations when you try to migrate. That said, since your Drupal 7 site can remain up and running while you test migrating into a new Drupal 8 site, you can help us stabilize the Drupal 7 to Drupal 8 migration path! Testing and bug reports from your real-world Drupal 7 sites will help us stabilize this functionality sooner for everyone. (Search the known issues.)

Translation, module, and theme contributors

Minor releases like Drupal 8.1.0 are backwards-compatible, so modules, themes, and translations that support Drupal 8.0.x will be compatible with 8.1.x as well. However, the new version does include some string changes, minor UI changes, and internal API changes (as well as more significant changes to experimental modules like the Migrate suite). This means that some small updates may be required for your translations, modules, and themes. See the announcement of the 8.1.0 release candidate for more background information.


Wunderkraut blog: Dropcat, a new deploy tool for Drupal

Planet Drupal - Wed, 20/04/2016 - 09:24

In a series of blog posts I am going to present our new tool for doing Drupal deploys. It was developed internally by the ops team at Wunderkraut Sweden. When we started doing Drupal 8 deploys, we tried to rethink how we had mostly done Drupal deploys before, because we had some issues with what we already had.

What we had - Jenkins and Aegir

For some years we have been using a combination of Jenkins and Aegir to deploy our sites.
That workflow worked, sort of, well for us. And because it was not a perfect match, we tried to rethink how we should do deploys with Drupal 8 in mind.

Research phase

We looked in many directions, like Capistrano and Appistrano, OpenDevShop, platform.sh, Aegir 3 etc. But none of them fitted our current need – we wanted to simplify things, and most of the tools just added another layer that was not a perfect fit for us. Also, it was important to us that the solution should be open source.

We went old school and built our own solution – almost.

Re-use and invent

With Drupal 8 we got to know Symfony better, and Symfony has a console that is also used by the Drupal Console project. The advantages of using the Symfony console as a base for our deploy flow were big: it is based on Symfony best practice and uses open source projects. Also, drush does a lot of the things that we need in the deploy process, so that is an important part too. We did not want to re-invent things that already worked well.

Enter Dropcat

So we started to build Dropcat (Drop as in Drupal, and cat because… because of cats) and we slowly added more and more to it, and now we have most of the commands that we need to do a normal deploy. We are still working on one important bit, the rollback, and hopefully when this series of blog posts about Dropcat is finished, we will have that in place too.

In the next blog post we will take a look at how to install Dropcat and how the configuration files work. You can check out the Dropcat project on our GitLab server.


Yuriy Gerasimov: Visual testing of Drupal.org. BackTrac Case Study

Planet Drupal - Wed, 20/04/2016 - 08:18

Visual testing is a great technique to keep the styles of your website under control. But what other things can visual testing catch? Maybe some problems with functionality?

It is always best to see visual testing on real-life projects. In this article we have tested the Drupal.org website by comparing it with its staging environment and found some interesting issues.

Read full article on BackTrac's blog

Please leave your comments on BackTrac's blog instead of here. Thanks!


Norbert Preining: GnuPG notes: subkeys, yubikey, gpg1 vs gpg2

Planet Debian - Wed, 20/04/2016 - 07:42

Switching from one GnuPG master key to the usage of subkeys was long on my list of things I wanted to do, but never came around. With the advent of a YubiKey NEO in my pocket I finally took the plunge: reading through lots of web pages (and adding one here for confusion), trying to understand the procedures, and above all, understanding my own requirements!

To sum up a long story, it was worth the plunge, and overall the security level of my working environment has improved considerably.

While the advantages of subkeys are well documented (e.g., Debian Wiki), at the end of the day I was – like probably many Debian Developers – having one master key that was used for every action: mail decryption and signing, signing of uploads, etc. Traveling a lot I always felt uncomfortable. Despite a lengthy passphrase, I still didn’t want my master key to get into wrong hands in case the laptop got stolen. Furthermore, I had my master key on several computers (work, laptop, mail server), which didn’t help a lot either. With all this, I started to compile a list of requirements/objectives I wanted to have:

  • master key is only available on offline medium (USB sticks)
  • subkeys for signing, encryption, authentication
  • possibility to sign and decrypt my emails on the server where I read emails (ssh/mutt)
  • laptop does not contain any keys, instead use Yubikey
  • all keys with expiry date (1y)
  • mixture of gpg versions: local laptop: gpg2.1, mail server: gpg1

Warning: Before we start, a word of caution: make backups, ideally at every stage. You don’t want an erroneous operation to wipe out your precious keys without a backup!

Preparation

In the following I will assume that MASTERKEY environment variable contains the id of the master key to be converted. Furthermore, I have followed some of the advice here, so key ids will be shown in long format.

Let us start with the current situation:

    $ gpg -K $MASTERKEY
    sec   4096R/0x6CACA448860CDC13 2010-09-14
          Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
    uid   Norbert Preining <norbert@preining.info>
    uid   Norbert Preining <preining@logic.at>
    uid   Norbert Preining <preining@debian.org>
    uid   Norbert Preining <preining@jaist.ac.jp>
    ssb   4096R/0xD1D2BD14810F62B3 2010-09-14

In the following we will go through the following steps:

  • Prepare the Yubikey NEO (forthcoming blog)
  • Edit the current key: add expiry, add photo, and above all add subkeys
  • Create revocation certificate
  • Create gpg2.1 structure
  • Backup to USB media
  • Move subkeys to Yubikey NEO
  • Remove master keys
  • Separate gpg1 (for mail server) and gpg2 (for laptop)
  • Upload to key servers

Yubikey SmartCard setup

There are several guides out there, but in the very near future I will write one about using the NEO for various usage scenarios, including GPG keys.

Edit the current key

The following can be done in one session or in different sessions, the screen logs are after starting with:

    $ gpg --expert --edit-key $MASTERKEY

Add expiry date

Having an expiry date on your key serves two purposes: if you lose it, the problem will solve itself automatically, and furthermore, you are forced to deal with the key – and refresh your gpg knowledge – at least once a year. Those are two perfect reasons to set the expiry to one year.

The following log selects each key in turn and sets its expiry date.

    $ gpg --expert --edit-key $MASTERKEY
    gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Secret key is available.

    pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: never       usage: SC
                                   trust: ultimate      validity: ultimate
    sub  4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: never       usage: E
    [ultimate] (1). Norbert Preining <norbert@preining.info>
    [ultimate] (2)  Norbert Preining <preining@logic.at>
    [ultimate] (3)  Norbert Preining <preining@debian.org>
    [ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>

    gpg> expire
    Changing expiration time for the primary key.
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 1y
    Key expires at Mon 06 Feb 2017 08:09:16 PM JST
    Is this correct? (y/N) y

    You need a passphrase to unlock the secret key for
    user: "Norbert Preining <norbert@preining.info>"
    4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14

    Enter passphrase:

    pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                   trust: ultimate      validity: ultimate
    sub  4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: never       usage: E
    [ultimate] (1). Norbert Preining <norbert@preining.info>
    [ultimate] (2)  Norbert Preining <preining@logic.at>
    [ultimate] (3)  Norbert Preining <preining@debian.org>
    [ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>

    gpg> key 1

    pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                   trust: ultimate      validity: ultimate
    sub* 4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: never       usage: E
    [ultimate] (1). Norbert Preining <norbert@preining.info>
    [ultimate] (2)  Norbert Preining <preining@logic.at>
    [ultimate] (3)  Norbert Preining <preining@debian.org>
    [ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>

    gpg> expire
    Changing expiration time for a subkey.
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 1y
    Key expires at Mon 06 Feb 2017 08:09:27 PM JST
    Is this correct? (y/N) y

    You need a passphrase to unlock the secret key for
    user: "Norbert Preining <norbert@preining.info>"
    4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14

    Enter passphrase:

    pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                   trust: ultimate      validity: ultimate
    sub* 4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
    [ultimate] (1). Norbert Preining <norbert@preining.info>
    [ultimate] (2)  Norbert Preining <preining@logic.at>
    [ultimate] (3)  Norbert Preining <preining@debian.org>
    [ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>

Add a photo

Not strictly necessary, but an interesting feature. gpg suggests 240×288, I resized a photo of my head, greyscaled it, and optimized it with jpegoptim -s -m40 my-photo.jpg. The parameter 40 is the quality, I played around a bit to find the best balance between size and quality. The size should not be too big as the photo will be part of the key!

    gpg> addphoto

    Pick an image to use for your photo ID. The image must be a JPEG file.
    Remember that the image is stored within your public key. If you use a
    very large picture, your key will become very large as well!
    Keeping the image close to 240x288 is a good size to use.

    Enter JPEG filename for photo ID: GPG/norbert-head.jpg
    Is this photo correct (y/N/q)? y

    You need a passphrase to unlock the secret key for
    user: "Norbert Preining <norbert@preining.info>"
    4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14

    Enter passphrase:

    pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                   trust: ultimate      validity: ultimate
    sub* 4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
    [ultimate] (1). Norbert Preining <norbert@preining.info>
    [ultimate] (2)  Norbert Preining <preining@logic.at>
    [ultimate] (3)  Norbert Preining <preining@debian.org>
    [ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
    [ unknown] (5)  [jpeg image of size 4185]

Add subkeys of 2048bit for signing/encryption/authentication

Now comes the interesting part, adding three subkeys: one for signing, one for encrypting, and one for authentication. The one for signing is the one you will use for signing your uploads to Debian as well as emails. The authentication key will later be used to provide ssh authentication. Note that you have to pass the --expert option to --edit-key (as shown above), otherwise gpg does not allow this.

As I want to move the subkeys to the Yubikey NEO, a keysize of 2048bits is necessary.

First for the signing:

    gpg> addkey
    Key is protected.

    You need a passphrase to unlock the secret key for
    user: "Norbert Preining <norbert@preining.info>"
    4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14

    Enter passphrase:

    Please select what kind of key you want:
       (3) DSA (sign only)
       (4) RSA (sign only)
       (5) Elgamal (encrypt only)
       (6) RSA (encrypt only)
       (7) DSA (set your own capabilities)
       (8) RSA (set your own capabilities)
    Your selection? 4
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048)
    Requested keysize is 2048 bits
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 1y
    Key expires at Mon 06 Feb 2017 08:10:06 PM JST
    Is this correct? (y/N) y
    Really create? (y/N) y
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    ....+++++
    ..........+++++

    pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                   trust: ultimate      validity: ultimate
    sub* 4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
    sub  2048R/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
    [ultimate] (1). Norbert Preining <norbert@preining.info>
    [ultimate] (2)  Norbert Preining <preining@logic.at>
    [ultimate] (3)  Norbert Preining <preining@debian.org>
    [ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
    [ unknown] (5)  [jpeg image of size 4185]

Now the same for encryption key:

    gpg> addkey
    Key is protected.

    You need a passphrase to unlock the secret key for
    user: "Norbert Preining <norbert@preining.info>"
    4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14

    Enter passphrase:

    Please select what kind of key you want:
       (3) DSA (sign only)
       (4) RSA (sign only)
       (5) Elgamal (encrypt only)
       (6) RSA (encrypt only)
       (7) DSA (set your own capabilities)
       (8) RSA (set your own capabilities)
    Your selection? 6
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048)
    Requested keysize is 2048 bits
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 1y
    Key expires at Mon 06 Feb 2017 08:10:20 PM JST
    Is this correct? (y/N) y
    Really create? (y/N) y
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    ..+++++
    ........+++++

    pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                   trust: ultimate      validity: ultimate
    sub* 4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
    sub  2048R/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
    sub  2048R/0xBF361ED434425B4C  created: 2016-02-07  expires: 2017-02-06  usage: E
    [ultimate] (1). Norbert Preining <norbert@preining.info>
    [ultimate] (2)  Norbert Preining <preining@logic.at>
    [ultimate] (3)  Norbert Preining <preining@debian.org>
    [ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
    [ unknown] (5)  [jpeg image of size 4185]

Finally for the authentication key. Note that only here the --expert is necessary! We use ‘(8) RSA (set your own capabilities)’ and then toggle sign and encryption capabilities off, and authentication on.

    gpg> addkey
    Key is protected.

    You need a passphrase to unlock the secret key for
    user: "Norbert Preining <norbert@preining.info>"
    4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14

    Enter passphrase:

    Please select what kind of key you want:
       (3) DSA (sign only)
       (4) RSA (sign only)
       (5) Elgamal (encrypt only)
       (6) RSA (encrypt only)
       (7) DSA (set your own capabilities)
       (8) RSA (set your own capabilities)
    Your selection? 8

    Possible actions for a RSA key: Sign Encrypt Authenticate
    Current allowed actions: Sign Encrypt

       (S) Toggle the sign capability
       (E) Toggle the encrypt capability
       (A) Toggle the authenticate capability
       (Q) Finished

    Your selection? s

    Possible actions for a RSA key: Sign Encrypt Authenticate
    Current allowed actions: Encrypt

       (S) Toggle the sign capability
       (E) Toggle the encrypt capability
       (A) Toggle the authenticate capability
       (Q) Finished

    Your selection? e

    Possible actions for a RSA key: Sign Encrypt Authenticate
    Current allowed actions:

       (S) Toggle the sign capability
       (E) Toggle the encrypt capability
       (A) Toggle the authenticate capability
       (Q) Finished

    Your selection? a

    Possible actions for a RSA key: Sign Encrypt Authenticate
    Current allowed actions: Authenticate

       (S) Toggle the sign capability
       (E) Toggle the encrypt capability
       (A) Toggle the authenticate capability
       (Q) Finished

    Your selection? q
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048)
    Requested keysize is 2048 bits
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 1y
    Key expires at Mon 06 Feb 2017 08:10:34 PM JST
    Is this correct? (y/N) y
    Really create? (y/N) y
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    ......+++++
    +++++

    pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                   trust: ultimate      validity: ultimate
    sub* 4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
    sub  2048R/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
    sub  2048R/0xBF361ED434425B4C  created: 2016-02-07  expires: 2017-02-06  usage: E
    sub  2048R/0x9C7CA4E294F04D49  created: 2016-02-07  expires: 2017-02-06  usage: A
    [ultimate] (1). Norbert Preining <norbert@preining.info>
    [ultimate] (2)  Norbert Preining <preining@logic.at>
    [ultimate] (3)  Norbert Preining <preining@debian.org>
    [ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
    [ unknown] (5)  [jpeg image of size 4185]

    gpg> save

Check the current status

Good point to take a break and inspect the current status. We should have one main key and three subkeys, all with expiry dates of 1 year ahead, and a photo also attached to the key:

    $ gpg --expert --edit-key $MASTERKEY
    gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Secret key is available.

    gpg: checking the trustdb
    gpg: public key 0x0FC3EC02FBBB8AB1 is 58138 seconds newer than the signature
    gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
    gpg: depth: 0 valid: 2 signed: 28 trust: 0-, 0q, 0n, 0m, 0f, 2u
    gpg: depth: 1 valid: 28 signed: 41 trust: 28-, 0q, 0n, 0m, 0f, 0u
    gpg: next trustdb check due at 2016-11-02
    pub  4096R/0x6CACA448860CDC13  created: 2010-09-14  expires: 2017-02-06  usage: SC
                                   trust: ultimate      validity: ultimate
    sub  4096R/0xD1D2BD14810F62B3  created: 2010-09-14  expires: 2017-02-06  usage: E
    sub  2048R/0xEC00B8DAD32266AA  created: 2016-02-07  expires: 2017-02-06  usage: S
    sub  2048R/0xBF361ED434425B4C  created: 2016-02-07  expires: 2017-02-06  usage: E
    sub  2048R/0x9C7CA4E294F04D49  created: 2016-02-07  expires: 2017-02-06  usage: A
    [ultimate] (1). Norbert Preining <norbert@preining.info>
    [ultimate] (2)  Norbert Preining <preining@logic.at>
    [ultimate] (3)  Norbert Preining <preining@debian.org>
    [ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
    [ultimate] (5)  [jpeg image of size 4185]

    gpg>

Create revocation certificate

In case something happens, like all your backups are burned, your computers are destroyed, or all data stolen by the NSA, it is a good idea to have an old fashioned paper print out of a revocation certificate which allows you to revoke the key even if you are not in possession of it.

This should be printed out and kept in a safe place.

    $ gpg --gen-revoke $MASTERKEY > GPG/revoke-certificate-$MASTERKEY.txt

    sec  4096R/0x6CACA448860CDC13 2010-09-14 Norbert Preining <norbert@preining.info>

    Create a revocation certificate for this key? (y/N) y
    Please select the reason for the revocation:
      0 = No reason specified
      1 = Key has been compromised
      2 = Key is superseded
      3 = Key is no longer used
      Q = Cancel
    (Probably you want to select 1 here)
    Your decision? 1
    Enter an optional description; end it with an empty line:
    >
    Reason for revocation: Key has been compromised
    (No description given)
    Is this okay? (y/N) y

    You need a passphrase to unlock the secret key for
    user: "Norbert Preining <norbert@preining.info>"
    4096-bit RSA key, ID 0x6CACA448860CDC13, created 2010-09-14

    Enter passphrase:

    ASCII armored output forced.
    Revocation certificate created.

Please move it to a medium which you can hide away; if the NSA or KGB or Mossad gets access to this certificate, they can use it to make your key unusable. It is smart to print this certificate and store it away, just in case your media become unreadable.

Create gpg 2.1 structure

There are currently three versions of gpg available: ‘classic’ (version 1) which is one static binary, perfect for servers or scripting tasks; ‘stable’ (version 2.0) which is the modularized version supporting OpenPGP, S/MIME, and Secure Shell; and finally ‘modern’ (version 2.1 and up) with enhanced features like support for Elliptic Curve cryptography. Debian currently ships version 1 as standard, and also the modern version (but there are traces in experimental of a pending transition).

The newer versions of GnuPG are modularized and use an agent. For the following we need to kill any running instance of gpg-agent.

$ killall gpg-agent

After that a simple call to gpg2 to list the secret keys will convert the layout to the new standard:

    $ gpg2 -K $MASTERKEY
    gpg: keyserver option 'ca-cert-file' is obsolete; please use 'hkp-cacert' in dirmngr.conf
    gpg: starting migration from earlier GnuPG versions
    gpg: porting secret keys from '/home/norbert/.gnupg/secring.gpg' to gpg-agent
    gpg: key 0xD2BF4AA309C5B094: secret key imported
    gpg: key 0x6CACA448860CDC13: secret key imported
    gpg: migration succeeded
    sec   rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06]
          Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
    uid   [ultimate] Norbert Preining <norbert@preining.info>
    uid   [ultimate] Norbert Preining <preining@logic.at>
    uid   [ultimate] Norbert Preining <preining@debian.org>
    uid   [ultimate] Norbert Preining <preining@jaist.ac.jp>
    uid   [ultimate] [jpeg image of size 4185]
    ssb   rsa4096/0xD1D2BD14810F62B3 2010-09-14 [E] [expires: 2017-02-06]
    ssb   rsa2048/0xEC00B8DAD32266AA 2016-02-07 [S] [expires: 2017-02-06]
    ssb   rsa2048/0xBF361ED434425B4C 2016-02-07 [E] [expires: 2017-02-06]
    ssb   rsa2048/0x9C7CA4E294F04D49 2016-02-07 [A] [expires: 2017-02-06]

After this there will be new files/directories in the .gnupg directory, in particular: .gnupg/private-keys-v1.d/ which contains the private keys.
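The state reached so far (every key with an expiry date, plus 2048-bit signing, encryption and authentication subkeys for the NEO) can also be checked mechanically from gpg's machine-readable `--with-colons` listing before anything is backed up or moved. The following is an added example, not part of the original post; the function name `audit_key` and the two sample listings (with placeholder key IDs) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a colon-format key
# listing against the requirements stated in the post.
# Colon-format fields used: 1=record type, 2=validity, 3=key length,
# 5=key id, 7=expiry (empty means "never"), 12=capabilities.
#
# Real use (key id in $MASTERKEY, as in the post):
#   gpg2 --with-colons --list-keys "$MASTERKEY" | audit_key

# audit_key [CARD_BITS]
# Reads a colon listing on stdin and prints one finding per line, or "OK".
# Returns 0 if all requirements hold, 1 otherwise.
audit_key() {
    awk -F: -v bits="${1:-2048}" '
        { primary = ($1 == "pub" || $1 == "sec")
          subkey  = ($1 == "sub" || $1 == "ssb") }
        # Revoked (r) or expired (e) keys cannot satisfy a requirement.
        (primary || subkey) && $2 !~ /^[re]$/ {
            if ($7 == "") {
                printf "NOEXPIRY %s %s\n", $1, $5
                bad = 1
            }
            # Only subkeys of the card-compatible size count.
            if (subkey && $3 == bits) {
                if (index($12, "s")) have["sign"] = 1
                if (index($12, "e")) have["encrypt"] = 1
                if (index($12, "a")) have["auth"] = 1
            }
        }
        END {
            n = split("sign encrypt auth", want, " ")
            for (i = 1; i <= n; i++) {
                if (!(want[i] in have)) {
                    printf "MISSING %s-bit %s subkey\n", bits, want[i]
                    bad = 1
                }
            }
            if (!bad) print "OK"
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: the starting situation (no expiry, one 4096-bit
# encryption subkey). Key ids are placeholders, not real keys.
SAMPLE_BEFORE='pub:u:4096:1:AAAAAAAAAAAAAAAA:1284422400:::u:::scESC:
uid:u::::1284422400::0000000000000000000000000000000000000000::Example User <user@example.org>:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1284422400::::::e:'

# Constructed sample: after adding expiry dates and the three subkeys.
SAMPLE_AFTER='pub:u:4096:1:AAAAAAAAAAAAAAAA:1284422400:1486339200::u:::scESCA:
uid:u::::1284422400::0000000000000000000000000000000000000000::Example User <user@example.org>:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1284422400:1486339200:::::e:
sub:u:2048:1:CCCCCCCCCCCCCCCC:1454803200:1486339200:::::s:
sub:u:2048:1:DDDDDDDDDDDDDDDD:1454803200:1486339200:::::e:
sub:u:2048:1:EEEEEEEEEEEEEEEE:1454803200:1486339200:::::a:'

echo "== before =="
printf '%s\n' "$SAMPLE_BEFORE" | audit_key || true
echo "== after =="
printf '%s\n' "$SAMPLE_AFTER" | audit_key || true
```

The optional argument sets the subkey size to look for, for a card that accepts a different key length.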

Creating backup

Now your .gnupg directory still contains all the keys, available for gpg1 and gpg2.1.

You MUST MAKE A BACKUP NOW!!! on at least 3 USB sticks and maybe some other offline media. Keep them in a safe place, better in different and safe places, you will need them for extending the expiry date, signing other keys, etc.

Warning concerning USB and vfat file systems

gpg >= 2.1 requires gpg-agent, which in turn needs a socket. If you have the backup on a USB drive (most often with a vfat file system), you need to redirect the socket, as vfat does not support sockets!

Edit /USBSTICK/gnupghome/S.gpg-agent and enter there

    %Assuan%
    socket=/dev/shm/S.gpg-agent

After that the socket will be created in /dev/shm/ instead and invoking gpg with gpg2 --homedir /USBSTICK/gnupghome will work.

You have done your backups, right?

Move sub keys to card

As I mentioned, I want to have no keys on my laptop, which I carry around to strange countries; instead I want to have them all on a Yubikey NEO. I will describe the setup and usage in detail soon, but mention here only how to move the keys to the card. This requires a finished setup, including change of PINs.

Note that when using gpg2 to move the keys to the card, the local copies are actually deleted, but only for the gpg2(.1) files. The gpg1 secret keys are still all in place.

$ gpg2 --edit-key $MASTERKEY
gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/0x6CACA448860CDC13
     created: 2010-09-14  expires: 2017-02-06  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xD1D2BD14810F62B3
     created: 2010-09-14  expires: 2017-02-06  usage: E
ssb  rsa2048/0xEC00B8DAD32266AA
     created: 2016-02-07  expires: 2017-02-06  usage: S
ssb  rsa2048/0xBF361ED434425B4C
     created: 2016-02-07  expires: 2017-02-06  usage: E
ssb  rsa2048/0x9C7CA4E294F04D49
     created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> key 2

sec  rsa4096/0x6CACA448860CDC13
     created: 2010-09-14  expires: 2017-02-06  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xD1D2BD14810F62B3
     created: 2010-09-14  expires: 2017-02-06  usage: E
ssb* rsa2048/0xEC00B8DAD32266AA
     created: 2016-02-07  expires: 2017-02-06  usage: S
ssb  rsa2048/0xBF361ED434425B4C
     created: 2016-02-07  expires: 2017-02-06  usage: E
ssb  rsa2048/0x9C7CA4E294F04D49
     created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

sec  rsa4096/0x6CACA448860CDC13
     created: 2010-09-14  expires: 2017-02-06  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xD1D2BD14810F62B3
     created: 2010-09-14  expires: 2017-02-06  usage: E
ssb* rsa2048/0xEC00B8DAD32266AA
     created: 2016-02-07  expires: 2017-02-06  usage: S
ssb  rsa2048/0xBF361ED434425B4C
     created: 2016-02-07  expires: 2017-02-06  usage: E
ssb  rsa2048/0x9C7CA4E294F04D49
     created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> key 2

sec  rsa4096/0x6CACA448860CDC13
     created: 2010-09-14  expires: 2017-02-06  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xD1D2BD14810F62B3
     created: 2010-09-14  expires: 2017-02-06  usage: E
ssb  rsa2048/0xEC00B8DAD32266AA
     created: 2016-02-07  expires: 2017-02-06  usage: S
ssb  rsa2048/0xBF361ED434425B4C
     created: 2016-02-07  expires: 2017-02-06  usage: E
ssb  rsa2048/0x9C7CA4E294F04D49
     created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> key 3

sec  rsa4096/0x6CACA448860CDC13
     created: 2010-09-14  expires: 2017-02-06  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xD1D2BD14810F62B3
     created: 2010-09-14  expires: 2017-02-06  usage: E
ssb  rsa2048/0xEC00B8DAD32266AA
     created: 2016-02-07  expires: 2017-02-06  usage: S
ssb* rsa2048/0xBF361ED434425B4C
     created: 2016-02-07  expires: 2017-02-06  usage: E
ssb  rsa2048/0x9C7CA4E294F04D49
     created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2

sec  rsa4096/0x6CACA448860CDC13
     created: 2010-09-14  expires: 2017-02-06  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xD1D2BD14810F62B3
     created: 2010-09-14  expires: 2017-02-06  usage: E
ssb  rsa2048/0xEC00B8DAD32266AA
     created: 2016-02-07  expires: 2017-02-06  usage: S
ssb* rsa2048/0xBF361ED434425B4C
     created: 2016-02-07  expires: 2017-02-06  usage: E
ssb  rsa2048/0x9C7CA4E294F04D49
     created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> key 3

sec  rsa4096/0x6CACA448860CDC13
     created: 2010-09-14  expires: 2017-02-06  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xD1D2BD14810F62B3
     created: 2010-09-14  expires: 2017-02-06  usage: E
ssb  rsa2048/0xEC00B8DAD32266AA
     created: 2016-02-07  expires: 2017-02-06  usage: S
ssb  rsa2048/0xBF361ED434425B4C
     created: 2016-02-07  expires: 2017-02-06  usage: E
ssb  rsa2048/0x9C7CA4E294F04D49
     created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> key 4

sec  rsa4096/0x6CACA448860CDC13
     created: 2010-09-14  expires: 2017-02-06  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xD1D2BD14810F62B3
     created: 2010-09-14  expires: 2017-02-06  usage: E
ssb  rsa2048/0xEC00B8DAD32266AA
     created: 2016-02-07  expires: 2017-02-06  usage: S
ssb  rsa2048/0xBF361ED434425B4C
     created: 2016-02-07  expires: 2017-02-06  usage: E
ssb* rsa2048/0x9C7CA4E294F04D49
     created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> keytocard
Please select where to store the key:
   (3) Authentication key
Your selection? 3

sec  rsa4096/0x6CACA448860CDC13
     created: 2010-09-14  expires: 2017-02-06  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xD1D2BD14810F62B3
     created: 2010-09-14  expires: 2017-02-06  usage: E
ssb  rsa2048/0xEC00B8DAD32266AA
     created: 2016-02-07  expires: 2017-02-06  usage: S
ssb  rsa2048/0xBF361ED434425B4C
     created: 2016-02-07  expires: 2017-02-06  usage: E
ssb* rsa2048/0x9C7CA4E294F04D49
     created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> key 4

sec  rsa4096/0x6CACA448860CDC13
     created: 2010-09-14  expires: 2017-02-06  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xD1D2BD14810F62B3
     created: 2010-09-14  expires: 2017-02-06  usage: E
ssb  rsa2048/0xEC00B8DAD32266AA
     created: 2016-02-07  expires: 2017-02-06  usage: S
ssb  rsa2048/0xBF361ED434425B4C
     created: 2016-02-07  expires: 2017-02-06  usage: E
ssb  rsa2048/0x9C7CA4E294F04D49
     created: 2016-02-07  expires: 2017-02-06  usage: A
[ultimate] (1). Norbert Preining <norbert@preining.info>
[ultimate] (2)  Norbert Preining <preining@logic.at>
[ultimate] (3)  Norbert Preining <preining@debian.org>
[ultimate] (4)  Norbert Preining <preining@jaist.ac.jp>
[ultimate] (5)  [jpeg image of size 4185]

gpg> save

Note the repetition of selecting and deselecting keys.

Current status

After this procedure we are now in the following situation:

  • gpg1: all keys are still available
  • gpg2: sub keys are moved to yubikey (indicated below by ssb>), and master key is still available

In gpg words it looks like this:

$ gpg2 -K $MASTERKEY
gpg: keyserver option 'ca-cert-file' is obsolete; please use 'hkp-cacert' in dirmngr.conf
sec   rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06]
      Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
uid   [ultimate] Norbert Preining <norbert@preining.info>
uid   [ultimate] Norbert Preining <preining@logic.at>
uid   [ultimate] Norbert Preining <preining@debian.org>
uid   [ultimate] Norbert Preining <preining@jaist.ac.jp>
uid   [ultimate] [jpeg image of size 4185]
ssb   rsa4096/0xD1D2BD14810F62B3 2010-09-14 [E] [expires: 2017-02-06]
ssb>  rsa2048/0xEC00B8DAD32266AA 2016-02-07 [S] [expires: 2017-02-06]
ssb>  rsa2048/0xBF361ED434425B4C 2016-02-07 [E] [expires: 2017-02-06]
ssb>  rsa2048/0x9C7CA4E294F04D49 2016-02-07 [A] [expires: 2017-02-06]

$ gpg -K $MASTERKEY
sec   4096R/0x6CACA448860CDC13 2010-09-14 [expires: 2017-02-06]
      Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
uid   Norbert Preining <norbert@preining.info>
uid   Norbert Preining <preining@logic.at>
uid   Norbert Preining <preining@debian.org>
uid   Norbert Preining <preining@jaist.ac.jp>
uid   [jpeg image of size 4185]
ssb   4096R/0xD1D2BD14810F62B3 2010-09-14 [expires: 2017-02-06]
ssb   2048R/0xEC00B8DAD32266AA 2016-02-07 [expires: 2017-02-06]
ssb   2048R/0xBF361ED434425B4C 2016-02-07 [expires: 2017-02-06]
ssb   2048R/0x9C7CA4E294F04D49 2016-02-07 [expires: 2017-02-06]

$ gpg2 --card-status

....
Name of cardholder: Norbert Preining
....
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: 5871 F824 2DCC 3660 2362 BE7D EC00 B8DA D322 66AA
      created ....: 2016-02-07 11:10:06
Encryption key....: 2501 195C 90AB F4D2 3DEA A303 BF36 1ED4 3442 5B4C
      created ....: 2016-02-07 11:10:20
Authentication key: 9CFB 3775 C164 0E99 F0C8 014C 9C7C A4E2 94F0 4D49
      created ....: 2016-02-07 11:10:34
General key info..: sub rsa2048/0xEC00B8DAD32266AA 2016-02-07 Norbert Preining <norbert@preining.info>
sec   rsa4096/0x6CACA448860CDC13 created: 2010-09-14 expires: 2017-02-06
ssb   rsa4096/0xD1D2BD14810F62B3 created: 2010-09-14 expires: 2017-02-06
ssb>  rsa2048/0xEC00B8DAD32266AA created: 2016-02-07 expires: 2017-02-06
      card-no: 0006 03645719
ssb>  rsa2048/0xBF361ED434425B4C created: 2016-02-07 expires: 2017-02-06
      card-no: 0006 03645719
ssb>  rsa2048/0x9C7CA4E294F04D49 created: 2016-02-07 expires: 2017-02-06
      card-no: 0006 03645719
$

Remove private master keys

Are you sure that you have a working backup? Did you try it with gpg --homedir ...? Only if you are really sure, continue.

We are now removing the master key from both the gpg2 and gpg1 setup.

removal for gpg2

gpg2 keeps the private keys in ~/.gnupg/private-keys-v1.d/KEYGRIP.key and the KEYGRIP can be found by adding --with-keygrip to the key listing. Be sure to delete the correct file, the one related to the master key.

$ gpg2 --with-keygrip --list-key $MASTERKEY
pub   rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06]
      Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
      Keygrip = 9DC1E90703856C1DE0EAC970CED7ABF5EE5EF79D
uid   [ultimate] Norbert Preining <norbert@preining.info>
uid   [ultimate] Norbert Preining <preining@logic.at>
uid   [ultimate] Norbert Preining <preining@debian.org>
uid   [ultimate] Norbert Preining <preining@jaist.ac.jp>
uid   [ultimate] [jpeg image of size 4185]
sub   rsa4096/0xD1D2BD14810F62B3 2010-09-14 [E] [expires: 2017-02-06]
      Keygrip = 4B8FF57434DD989243666377376903281D861596
sub   rsa2048/0xEC00B8DAD32266AA 2016-02-07 [S] [expires: 2017-02-06]
      Keygrip = 39B14EF1392F2F251863A87AE4D44CE502755C39
sub   rsa2048/0xBF361ED434425B4C 2016-02-07 [E] [expires: 2017-02-06]
      Keygrip = E41C8DDB2A22976AE0DA8D7D11F586EA793203EA
sub   rsa2048/0x9C7CA4E294F04D49 2016-02-07 [A] [expires: 2017-02-06]
      Keygrip = A337DE390143074C6DBFEA64224359B9859B02FC

$ rm ~/.gnupg/private-keys-v1.d/9DC1E90703856C1DE0EAC970CED7ABF5EE5EF79D.key
$

After that the missing key is shown in gpg2 -K with an additional # meaning that the key is not available:

$ gpg2 -K $MASTERKEY
sec#  rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06]
...

removal for gpg1

Up to gpg v2.0 there is no simple way to delete only one part of the key. We export the subkeys, delete the private key, and reimport the subkeys:

$ gpg --output secret-subkeys --export-secret-subkeys $MASTERKEY

$ gpg --delete-secret-keys $MASTERKEY

sec  4096R/0x6CACA448860CDC13 2010-09-14 Norbert Preining <norbert@preining.info>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

$ gpg --import secret-subkeys
gpg: key 0x6CACA448860CDC13: secret key imported
gpg: key 0x6CACA448860CDC13: "Norbert Preining <norbert@preining.info>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1

$

Current status

We are basically at the stage we wanted to achieve:

For gpg2.1 only the old encryption key is available, the master key is not, and the other sub keys are moved to the yubikey:

$ gpg2 -K $MASTERKEY
sec#  rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06]
      Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
uid   [ultimate] Norbert Preining <norbert@preining.info>
uid   [ultimate] Norbert Preining <preining@logic.at>
uid   [ultimate] Norbert Preining <preining@debian.org>
uid   [ultimate] Norbert Preining <preining@jaist.ac.jp>
uid   [ultimate] [jpeg image of size 4185]
ssb   rsa4096/0xD1D2BD14810F62B3 2010-09-14 [E] [expires: 2017-02-06]
ssb>  rsa2048/0xEC00B8DAD32266AA 2016-02-07 [S] [expires: 2017-02-06]
ssb>  rsa2048/0xBF361ED434425B4C 2016-02-07 [E] [expires: 2017-02-06]
ssb>  rsa2048/0x9C7CA4E294F04D49 2016-02-07 [A] [expires: 2017-02-06]
$

And for gpg <= 2.0 the old encryption key and the sub keys are available, but the master key is not:

$ gpg -K $MASTERKEY
sec#  4096R/0x6CACA448860CDC13 2010-09-14 [expires: 2017-02-06]
      Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
uid   Norbert Preining <norbert@preining.info>
uid   Norbert Preining <preining@logic.at>
uid   Norbert Preining <preining@debian.org>
uid   Norbert Preining <preining@jaist.ac.jp>
uid   [jpeg image of size 4185]
ssb   4096R/0xD1D2BD14810F62B3 2010-09-14 [expires: 2017-02-06]
ssb   2048R/0xEC00B8DAD32266AA 2016-02-07 [expires: 2017-02-06]
ssb   2048R/0xBF361ED434425B4C 2016-02-07 [expires: 2017-02-06]
ssb   2048R/0x9C7CA4E294F04D49 2016-02-07 [expires: 2017-02-06]

$

Split the .gnupg directory for mail server and laptop

As mentioned, I want to have a gpg1 version available at the server where I read my emails, and be able to sign/encrypt emails there, while on my laptop no secret key is available. Thus I prepare two gnupg directories.

For the mailserver the gpg2 specific files are removed:

$ cp -a .gnupg .gnupg-mail
$ cd .gnupg-mail
$ rm -rf private-keys-v1.d/ pubring.gpg~ reader_0.status
$ rm -rf S.gpg-agent* S.scdaemon .gpg-v21-migrated

On my laptop, where I did all these operations, I remove the gpg1 files, namely the outdated secring.gpg:

$ cd $HOME/.gnupg
$ rm secring.gpg

As a last step I move the .gnupg-mail directory to my mail server.

One could *expire* the old encryption key, but for now I leave it as is.

Upload keys to keyservers

If you are a Debian Developer, a simple update of your master key will suffice:

gpg --keyserver hkp://keyring.debian.org --send-key YOURMASTERKEYID

Note that the update from the keyring server to the actual Debian keyring takes up to one month. Until that time either do not upload anything, or use the (offline) master key for signing. After your key has been updated in the Debian keyring, signatures made with the signing subkey will be accepted for uploading to Debian.

It might also be a good idea to upload your new keys to some keyservers, for example:

gpg --keyserver hkp://pool.sks-keyservers.net --send-key $MASTERKEY

Now you can also fix the configuration file skew between gpg1 and gpg2.

Further remark

I am currently trying to use the authentication key from my Yubikey NEO as ssh key, but bugs (see #795368 and #818969) prohibit it at the moment. Raphael Herzog gave a possible fix by killing the gpg-agent and restarting it with gpg-agent --daemon from an X terminal, and I can confirm that this worked.

After one year, before the key expires, I need to extend the key validity for another year. For this you need the offline master key. I will describe the process when it becomes necessary.

Reading list

The following web sites have been useful in collecting the necessary information:

  1. https://iain.learmonth.me/yubikey-neo-gpg/
  2. https://iain.learmonth.me/yubikey-udev/
  3. http://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/
  4. https://wiki.debian.org/Subkeys
  5. https://jclement.ca/articles/2015/gpg-smartcard/ as modernized version of (3)
  6. https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/ similar style, with ssh and gnome-keyring infos
  7. http://karlgrz.com/2fa-gpg-ssh-keys-with-pass-and-yubikey-neo/ also good reading
  8. https://help.riseup.net/en/security/message-security/openpgp/best-practices good and concise advice on gpg practices

My writing is mostly based on (5) with additions from (4).

Please let me know of any errors, improvements, and fixes. I hope this walk-through might help others in the same situation.
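
An added check, not part of the original post: the shell functions below read a human-readable gpg -K listing and report, from the # and > markers explained above, whether each secret key is on disk, on the card, or absent from the keyring. The function names are hypothetical, and the sample listing is abridged from the gpg2 output shown in the post.

```shell
#!/bin/sh
# Added example: audit a human-readable `gpg2 -K` / `gpg -K` listing.
# Markers, as explained in the post:
#   sec# / ssb#  secret part not available in this keyring
#   ssb>         secret part is a stub pointing at a smartcard
#   sec  / ssb   secret part is stored on disk

# Print one line per secret (sub)key: "<sec|ssb> <keyid> <disk|card|absent>".
classify_secret_keys() {
    awk '
        $1 ~ /^(sec|ssb)[#>]?$/ {
            kind   = substr($1, 1, 3)
            marker = substr($1, 4, 1)
            where  = "disk"
            if (marker == "#") where = "absent"
            if (marker == ">") where = "card"
            n = split($2, parts, "/")   # "rsa4096/0x..." or "4096R/0x..."
            print kind, parts[n], where
        }
    '
}

# Succeed only if the listing has a primary key and none of them is on disk.
master_is_offline() {
    classify_secret_keys | awk '
        $1 == "sec" { seen = 1; if ($3 == "disk") bad = 1 }
        END { if (seen && !bad) exit 0; exit 1 }
    '
}

# Print the key IDs whose secret material is still stored on disk.
keys_on_disk() {
    classify_secret_keys | awk '$3 == "disk" { print $2 }'
}

# Sample input, abridged from the gpg2 listing in the post (one uid kept).
# State after keytocard, before the master key file is deleted.
listing_before_removal() {
    cat <<'EOF'
sec   rsa4096/0x6CACA448860CDC13 2010-09-14 [SC] [expires: 2017-02-06]
      Key fingerprint = F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
uid   [ultimate] Norbert Preining <norbert@preining.info>
ssb   rsa4096/0xD1D2BD14810F62B3 2010-09-14 [E] [expires: 2017-02-06]
ssb>  rsa2048/0xEC00B8DAD32266AA 2016-02-07 [S] [expires: 2017-02-06]
ssb>  rsa2048/0xBF361ED434425B4C 2016-02-07 [E] [expires: 2017-02-06]
ssb>  rsa2048/0x9C7CA4E294F04D49 2016-02-07 [A] [expires: 2017-02-06]
EOF
}

# Same listing once the master key file is gone: "sec" becomes "sec#".
listing_after_removal() {
    listing_before_removal | sed 's/^sec /sec#/'
}

# Demo: report both states.
for state in before after; do
    echo "== $state removing the master key file =="
    "listing_${state}_removal" | classify_secret_keys
    if "listing_${state}_removal" | master_is_offline; then
        echo "master key: not stored on this machine"
    else
        echo "master key: STILL ON DISK"
    fi
done
```

To audit a real keyring, pipe the listing in, for example `gpg2 -K $MASTERKEY | master_is_offline`.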

Categories: Elsewhere

Mike Ryan: Migration update for Drupal 8.1

Planet Drupal - Tue, 19/04/2016 - 21:24

For those of you using the migration system under Drupal 8.0.x, with Drupal 8.1 scheduled to release tomorrow, let’s take a look at where the migration ecosystem now stands. We’ll discuss the biggest core API change, then how moving to 8.1 affects various use cases.

Migrations are now plugins


Drupal core announcements: Reinventing Drupal’s User Experience process

Planet Drupal - Tue, 19/04/2016 - 21:20

The Drupal core product needs to become more engaging and useful right out of the box. Usability testing has shown why. We want to look at how we can change our process to be more efficient and effective.

We learned during the Drupal 8 process that our way of building the product side of Drupal has many challenges. We propose to adopt a different way of working that avoids current pitfalls and enables a fresher, faster way to iterate on the core product.

The UX-team has started a discussion in the Usability group to explore how we can change our process to allow for more drastic UX changes.

Join the discussion at: Reinventing Drupal’s User Experience process


Drupal @ Penn State: Drupal 8 Theme Generation and Development Intro Using the Drupal Console

Planet Drupal - Tue, 19/04/2016 - 19:16

Here is a screencast of how to get started with Drupal 8 theme development.

In the video I cover:

  • using the drupal console to generate a theme from a base theme
  • creating a libraries yml file
  • adding global css to your theme
  • Using Kint with the devel module
  • debugging twig
  • adding your own twig file to your theme

Acquia Developer Center Blog: Drupal 8 Module of the Week: Monolog

Planet Drupal - Tue, 19/04/2016 - 17:33

Special PHP-Interoperability Edition! Each day, more Drupal 7 modules are being migrated over to Drupal 8 and new ones are being created for the Drupal community’s latest major release. In this series, the Acquia Developer Center is profiling some of the most prominent, useful modules available for Drupal 8. This week, logging with Monolog.


Phponwebsites: Create page without header and footer in Drupal 7

Planet Drupal - Tue, 19/04/2016 - 16:46
This post describes how to create a page that shows only its content, without header and footer, in Drupal 7. As you know, almost all pages in Drupal have a header and a footer. Suppose you want to create a page without them in Drupal 7. Is it possible? Yes, it is. You can create a page without header and footer using 'delivery callback' in hook_menu.

Render a page without header and footer in Drupal 7:
Drupal provides an option to create a page without header and footer. Let's look at the code below, which renders a page without header and footer in Drupal 7.

/**
 * Implements hook_menu().
 */
function phponwebsites_menu() {
  $items['sample-wo-header-footer'] = array(
    'title' => 'A page without header and footer in Drupal 7',
    // TRUE means no access check: every visitor can request this path.
    'access callback' => TRUE,
    'page callback' => 'phponwebsites_without_header_footer',
    'type' => MENU_CALLBACK,
    // Bypass the default themed page delivery.
    'delivery callback' => 'deliver_plain',
  );
  return $items;
}

/**
 * Delivery callback: prints the page callback result without page theming.
 */
function deliver_plain($page_callback_result) {
  print $page_callback_result;
}

/**
 * Page callback: returns the content of the page.
 */
function phponwebsites_without_header_footer() {
  return 'This is the page without header and footer';
}

You will see the page without any header and footer when you view it in a browser. I hope you now know how to render a page without header and footer in Drupal 7.


Cheppers blog: Exploring Behat ep. 1: formatting test results

Planet Drupal - Tue, 19/04/2016 - 16:06

As a growing company with a strong Drupalist department, we have reached a point when continuous integration and automated testing is necessary to sustain pace, and given the characteristics of Drupal, behavior-driven testing with Behat is a logical candidate. To make this happen, we have to explore the undocumented territories of Behat, and we are presenting our findings along the way.


Zivtech: Tipsheet: Drupal Site Builder Certification

Planet Drupal - Tue, 19/04/2016 - 15:03

Last year, our CTO Jody blogged about the Drupal Jeopardy game that helped some of us at Zivtech prepare for the Acquia Certified Drupal Site Builder Exam. The credential validates the skills and knowledge of professionals who build Drupal sites using core and contributed modules. I started studying for that exam afterwards, and passed it last December. Here are my study methods and experience, which I think would be especially useful to those who are newer to Drupal.

First, some tips
  • The only contributed module you need to know about is Views (a sub module of the Chaos Tool Suite, or CTools, in D7).
  • You don't need to know about Drush (the Drupal shell command-line tool) or how to write code for Drupal development.
  • You should know the best practices related to server file management and how to install, update, and uninstall modules and themes.
  • You should also learn about Drupal best practices concerning security, performance, and community participation using Drupal.org resources.
Basic study steps
  1. Read the exam's blueprint to familiarize yourself with its structure
  2. Watch this webinar video recording which explains what is and is not in the exam
  3. Manually install a site with only a Drupal 7 core release (see documentation on how)
  4. Enable all the core modules and for each read through its help page (provided by the Help module in core)
  5. Manually install the Views module
  6. Also install and enable the Advanced Help module, which is not part of the exam, but has additional Views documentation aside from its community docs
  7. Click through all the links provided by the Admin Menu at the top of the site
  8. Build stuff with the site!

Finally, here is the study sheet I created for myself before I took the exam (cleaned up a bit so it's less messy). All of the information on it was gathered from a Drupal 7 site install with Views, from Drupal.org, and from the Internet in general.

I hope this helps you study for the Site Builder Certification exam. When you are ready, you can register for the 75 minute test. Good luck!


ThinkShout: Customize Menu Items in Drupal User Profile

Planet Drupal - Tue, 19/04/2016 - 15:00

We were recently asked by a client to edit the user profile view page on their site. This client needed us to move the link to the user’s contact form out of the tab area at the top of the profile and replace it with a link that appears further down in the content of the user’s profile. While this is not something you can do through the admin interface in Drupal 7, it is easy to do with just a few lines of code in a custom module, which I will show you how to do here.

Prior to adding our custom code, the link to the contact form appears as a tab.

The “Contact” menu item starts out as a tab because the Drupal contact module originally creates the menu item and assigns it the type MENU_LOCAL_TASK. (See Menu item types for a list of the possible menu types and their uses in Drupal.) In order for us to change the type, we can use Drupal’s hook_menu_alter() function to change the item to the MENU_CALLBACK type, which will remove it from the display, but keep it available as a valid path.

/**
 * Implements hook_menu_alter().
 */
function mymodule_menu_alter(&$items) {
  // Remove the 'contact' tab.
  $items['user/%user/contact']['type'] = MENU_CALLBACK;
}

Now it is no longer a tab, but we still need to make use of Drupal’s hook_user_view_alter() to insert it into the content of the profile before it is rendered on the page.

/**
 * Implements hook_user_view_alter().
 */
function mymodule_user_view_alter(&$build) {
  // Check to see if this user has allowed others to contact him/her.
  if ($build['#account']->data['contact']) {
    // Create the text for the link using the account info to get the user’s first name.
    $link_text = $build['#account']->field_first_name['und'][0]['safe_value'] ? "email " . $build['#account']->field_first_name['und'][0]['safe_value'] : "email";
    // Use the l() function to create the link.
    $contact_link = l($link_text,'user/' . $build['#account']->uid . '/contact');
    // Insert it into the $build array.
    $build['contact_link'][0]['#markup'] = "<div class=\"field\"><div class=\"field-label\">" . t('Contact') . ":&nbsp;</div><div class=\"field-items\"><div class=\"field-item even\">" . $contact_link . "</div></div></div>";
    // Insert into the user details that group we created in the display mode in admin interface.
    $build['#group_children']['contact_link'] = 'group_user_details';
  }
}

After the custom code and a quick cache clear, the tab is gone and there is a link to the form within the body of the profile.

I won’t go into creating a custom module; that’s a bit beyond the scope of this post, but there is a tutorial for creating a custom module on drupal.org.

Shout out to Greg Boggs for his assistance!


Dariusz Dwornikowski: HAProxy and 503 HTTP errors with AWS ELB as a backend

Planet Debian - Tue, 19/04/2016 - 14:26

Although AWS provides a load balancer service in the form of Elastic Load Balancer (ELB), a common trick is to use HAProxy in the middle to provide SSL offloading, complex routing and better logging.
In this scenario, a public ELB fronts all the traffic, the HAProxy farm in the middle is managed by an Auto Scaling Group, and one (or more) internal backend ELBs sit in front of the web farm.

I think that HAProxy does not need any introduction here. It is a highly scalable and reliable piece of software. There is, however, a small caveat when you use it with domain names and not IP addresses. To speed things up, HAProxy resolves all the domain names during startup (during config file parsing, in fact). Hence, when the IP of a domain changes, you end up with a lot of 503s (Service Unavailable).

Why is this important? In AWS, an ELB's IP can change over time, so it is recommended to use the ELB's domain name. Now, when you use this domain name in HAProxy's backend, you can end up with 503s. ELB IPs do not change so often, but still you would not want any downtime.

The solution is to configure runtime resolvers in HAProxy and use them in the backend (unfortunately this works only in HAProxy 1.6):

resolvers myresolver
    nameserver dns1 10.10.10.10:53
    resolve_retries 30
    timeout retry 1s
    hold valid 10s

backend mybackend
    # "server" takes a name followed by the address; "myelb" is a label added here.
    server myelb myelb-internal.123456.eu-west-1.elb.amazonaws.com check resolvers myresolver

Now HAProxy will check the domain at runtime, no more 503s.


Rémi Vanicat: LudumDare35

Planet Debian - Tue, 19/04/2016 - 13:39
Ludumdare 35

For the third time, I've submitted a compo to the ludumdare. So I have a new game (source available on github).

Some notes about the technology used:

  • this is a javascript/html5 game,
  • using the phaser framework.
  • Code has been written using Emacs and js2-mode,
  • tested with the python -m SimpleHTTPServer http server.
  • Sound:

    • sfx is mostly recording of real life sound, edited with Audacity, but I've also used labChirp (inside wine...).
    • Music is done using Bosca Ceoil.

      Next time I will try lmms.

  • Graphics are using aseprite (mostly) and gimp (very little)
  • Level has been created using Tiled

Most of those tools are free software. Exceptions are labChirp (we have no source) and Adobe Air/Flash, which is used by Bosca Ceoil (but Bosca Ceoil itself is free software).


Valuebound: Boost your Drupal development with Docker

Planet Drupal - Tue, 19/04/2016 - 12:29

Vagrant is a great virtualisation tool, which I prefer heavily for my development purposes. But sometimes it gets a bit hectic and resource consuming to set up a new Vagrant environment to work on trivial things or to test out a module/API.

Not being a great fan of a local *AMP stack, I was looking for an alternative to Vagrant. In comes Docker, which is super fast and very easy to set up. Containers (“virtual machines”) are easy to destroy and rebuild. They do not require the overhead of virtual machines, but they still provide a high level of isolation from the host OS.

Docker Hub has many Docker containers for Drupal which are ready to use. But I preferred to create my own Docker container which just works and runs Drupal…


Michal Čihař: Weekly phpMyAdmin contributions 2016-W15

Planet Debian - Tue, 19/04/2016 - 12:00

After weeks of bugfixing my focus has again shifted to refactoring and code cleanups.

One big area was charsets and collations, which were cached in the session data so far. This had the bad effect of making the session data quite huge, leading to performance loss on every page, while the cached information is needed only on a few pages. I've removed this caching, cleaned up the code and everything seems to behave faster, even the pages which used cached content in the past.

The second area was handling of file uploads. Historically we had two copies of code doing almost the same thing. I've tried to merge them and use the File class for all the operations. However, this code was built to handle a lot of corner cases, so I'm a bit afraid of breaking some special setups.

Handled issues:


OpenLucius: Update OpenLucius | April 2016

Planet Drupal - Tue, 19/04/2016 - 11:20

Over the past month we have again processed a lot of feedback and improved OpenLucius, a Drupal social intranet. Below are the improvements that were made yesterday:

1. Navigation text documents better and faster

We noticed that the navigation of text documents was loading slowly - when placing a lot of text documents (100+) in a group. This is now loaded with a different technique that makes everything much quicker.

We also addressed the navigation to sub-pages (1): this is now more intuitive, faster and mobile usable. Finally, we placed a search feature above (2), so you can find/filter documents quickly.


2. Hide comments

We received a lot of feedback that a page with many comments was becoming unnecessarily long and cluttered. We solved this by hiding comments - just like Gmail does. Hidden comments can easily be shown again.

3. Improved status updates

Norbert Preining: Gaming: Monument Valley

Planet Debian - Tue, 19/04/2016 - 06:09

With a small baby invading your lifestyle, not much time for other activities is left over, especially for gaming. Most of the time even using my computer is a one-handed action. In these times mobile games that can be played one-handed are greatly appreciated. And if it is one like Monument Valley, full of atmosphere and incredibly stimulating game play, then the level of gratitude is near infinite.

Set in an Escherian universe where space and distance is often an illusion, the player is guiding a small princess through several levels (10+1 in the basic game, 8 more in the In-App-Purchase) of astonishing simplicity and beauty at the same time. Carefully crafted graphics, atmospheric music, calm game play (no action, don’t worry), and the lovely crows sitting around and craaaahing at the little princess.

My favorite level was the first of the expansion pack “Forgotten shores” called “The Chasm” – a wonderful homage to the Lord of the Rings and the descent to the Bridge of Khazad-dûm. Not one of the difficult levels, but definitely one of the most funny. The middle image in the above collage is from that level.

I guess my only complaint about this game is that it doesn’t last long. I remember only one really difficult level where I had to play around for quite some time. Most of the others are quite straightforward, but despite that, you cannot stop playing until you are all through it.

Simply a wonderful game, that was well worth every Yen. Thanks to the developers for doing innovative things in a perfect setting.

Post scriptum: After finishing this game I also tried Evo Explores, a clone of Monument Valley. The difference cannot be more stunning: Evo Explores is mostly repetitive, with a focus on an irrelevant story, simple graphics, and riddles that miss the ingenuity of the original.


Craig Sanders: Book Review: Trader’s World by Charles Sheffield

Planet Debian - Tue, 19/04/2016 - 05:05

One line review:

Boys Own Dale Carnegie Post-Apocalyptic Adventures with casual racism and misogyny.

That tells you everything you need to know about this book. I wasn’t expecting much from it, but it was much worse than I anticipated. I’m about half-way through it at the moment, and can’t decide whether to just give up in disgust or keep reading in horrified fascination to see if it gets even worse (which is all that’s kept me going with it so far).


DrupalCon News: Think you’re a Drupal genius? Prove it at DrupalCon.

Planet Drupal - Mon, 18/04/2016 - 23:13

Do you know EVERYTHING about Drupal? Palantir.net is sponsoring a Trivia Night at DrupalCon, and this is your chance to prove you're a Drupal mastermind.
