Add docs that the secret key only needs to be able to sign

author Mark Hymers <mhy@debian.org>

Sat, 30 Jul 2011 09:36:30 +0000 (10:36 +0100)

committer Mark Hymers <mhy@debian.org>

Sat, 30 Jul 2011 09:36:30 +0000 (10:36 +0100)
author Mark Hymers <mhy@debian.org>
Sat, 30 Jul 2011 09:36:30 +0000 (10:36 +0100)
committer Mark Hymers <mhy@debian.org>
Sat, 30 Jul 2011 09:36:30 +0000 (10:36 +0100)
diff --git a/setup/README b/setup/README

index c193e9a3cd480c9be8b512ba6f18ae306a36ec95..9d5103c19e4ef8e043ef5d7cbb2c676a12cd9911 100644 (file)
--- a/setup/README
+++ b/setup/README
@@ -67,7 +67,9 @@ WARNING: Please check these templates over and customise as necessary
  # cp templates/* /srv/dak/templates/
  
  Set up a private signing key: don't set a passphrase as dak will not
-pass one through to gpg.  Guard this key carefully
+pass one through to gpg.  Guard this key carefully!
+The key only needs to be able to sign, it doesn't need to be able
+to encrypt.
  # gpg --no-default-keyring --secret-keyring /srv/dak/keyrings/s3kr1t/dot-gnupg/secring.gpg --keyring /srv/dak/keyrings/s3kr1t/dot-gnupg/pubring.gpg --gen-key
  Remember the signing key id for when creating the suite below.
  Here we'll pretend it is DDDDDDDD for convenience
author	Mark Hymers <mhy@debian.org>
	Sat, 30 Jul 2011 09:36:30 +0000 (10:36 +0100)
committer	Mark Hymers <mhy@debian.org>
	Sat, 30 Jul 2011 09:36:30 +0000 (10:36 +0100)