chore: refactor and doc changes#1
Open
geyslan wants to merge 16 commits into
Open
Conversation
Unify the live image's network commands under one prefix. The core si-netmode command becomes safe-netmode, alongside the existing safe-network-on/off wrappers and the safe-status dashboard. Renames the binary, the boot service (safe-netmode-default-offline), the polkit policy and action (org.local.safe-netmode), the desktop launcher items, and the /run state dir, plus all references in the host test script and the docs. Also corrects the DESIGN.md keybinding diagram, which showed si-netmode where the Sway bindings actually call the safe-network-* wrappers. BREAKING CHANGE: the in-image command `si-netmode` is renamed to `safe-netmode`; the systemd unit `si-netmode-default-offline.service` and polkit action `org.local.si-netmode` are renamed to match.
Enable systemd-timesyncd so the clock can synchronize over NTP when the image is online. Correct dates matter for GPG key creation and expiry timestamps. Offline-first is preserved: nftables drops outbound traffic in offline mode, so the clock only syncs during an explicit online window. The key-generation and expiry-extension guides now sync time in a brief online window before any key work, and the generate-keys guide adds a strong random certify passphrase step (gpg --gen-random --armor 1 36).
Replace keys.openpgp.org with keyserver.ubuntu.com across the isolated signing environment (lib/gpg-env.sh), the pubkey-fetch recovery hints (lib/yubikey-fetch-pubkey.sh), and the in-image key guides. This matches the keyserver the live image already ships in dirmngr.conf and returns the full key with its UIDs intact (no email-verification step), which is what signature verification needs. The daily-use guide's publish note is rewritten to describe keyserver.ubuntu.com's behavior and trade-offs.
Add a guide section for provisioning the same subkeys onto more than one YubiKey: reset GnuPG and re-import the private keys from backup for each card (keytocard leaves only card stubs), with a warning never to import the revocation certificate. Add a section for storing the public-key URL on the card via `gpg --card-edit > admin > url`, noting that ykman cannot set this field (verified against ykman 5.9.1 and Yubico's official OpenPGP command reference). The README first-time-signing section gains a matching note and link.
Without an explicit port, dirmngr does an SRV lookup
(_pgpkey-https._tcp.keyserver.ubuntu.com) before connecting. On networks
whose resolver fails or times out SRV queries, dirmngr treats that as
fatal and aborts every keyserver operation ("Server indicated a failure"
/ "Try again later"), even though a plain HTTPS fetch works fine.
Append :443 to every hkps://keyserver.ubuntu.com reference (the isolated
signing env, fetch-pubkey help, README, and the in-image key guides) so
dirmngr skips SRV and connects directly. The in-image dirmngr.conf already
pins :80 and is unaffected.
-L is --print-build-logs, not keep-going + verbose.
Follows the earlier dirmngr fix; keeps prose consistent with the deployed configuration.
The previous form used a fragile perl regex to round-trip through the filename; ls + head -1 is sufficient.
- Remove stale rm -f of \$_active (variable was already removed) - Drop the -l flag from grep -qlF; -q alone is sufficient and -l prints filenames rather than suppressing output - Use \$HOME (shell-expanded at write time) in gpg-agent.conf instead of a hardcoded path; update the surrounding note to match
gdm-password (not gdm-fingerprint) is the service that backs GNOME Shell's lock screen, so no separate edit is needed. The old instruction to patch gdm-fingerprint would do nothing for users without a fingerprint sensor enrolled.
Promotes the previously unnumbered "Set the public-key URL" step to section 3, shifting Move→4, Verify→5, Provision→6, Export→7, Clean up→8. Updates all internal cross-references accordingly.
- 03-daily-use: add callout pointing to host-setup.md for one-time Fedora system setup before the per-user config steps - 04-extend-expiry: add KEYID export snippet (live image is amnesic); rework extend-subkeys section to select all three at once with a single expire call instead of repeating per subkey - 05-revoke-keys: add KEYID export snippet; promote steps 3-7 from ### to ## headings; add missing public-key import before revocation cert import in Option A; add KEYID export in Options A and B - 06-recovery.md: add KEYID export snippet; fix step cross-references to match the renumbered yubikey-setup guide (3→4, 5→8)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.