Skip to content

chore: refactor and doc changes#1

Open
geyslan wants to merge 16 commits into
mainfrom
geyslan/fixes
Open

chore: refactor and doc changes#1
geyslan wants to merge 16 commits into
mainfrom
geyslan/fixes

Conversation

@geyslan

@geyslan geyslan commented Jun 21, 2026

Copy link
Copy Markdown
Collaborator

No description provided.

geyslan added 4 commits June 21, 2026 12:23
Unify the live image's network commands under one prefix. The core
si-netmode command becomes safe-netmode, alongside the existing
safe-network-on/off wrappers and the safe-status dashboard.

Renames the binary, the boot service (safe-netmode-default-offline),
the polkit policy and action (org.local.safe-netmode), the desktop
launcher items, and the /run state dir, plus all references in the host
test script and the docs. Also corrects the DESIGN.md keybinding diagram,
which showed si-netmode where the Sway bindings actually call the
safe-network-* wrappers.

BREAKING CHANGE: the in-image command `si-netmode` is renamed to
`safe-netmode`; the systemd unit `si-netmode-default-offline.service`
and polkit action `org.local.si-netmode` are renamed to match.
Enable systemd-timesyncd so the clock can synchronize over NTP when the
image is online. Correct dates matter for GPG key creation and expiry
timestamps. Offline-first is preserved: nftables drops outbound traffic
in offline mode, so the clock only syncs during an explicit online window.

The key-generation and expiry-extension guides now sync time in a brief
online window before any key work, and the generate-keys guide adds a
strong random certify passphrase step (gpg --gen-random --armor 1 36).
Replace keys.openpgp.org with keyserver.ubuntu.com across the isolated
signing environment (lib/gpg-env.sh), the pubkey-fetch recovery hints
(lib/yubikey-fetch-pubkey.sh), and the in-image key guides. This matches
the keyserver the live image already ships in dirmngr.conf and returns the
full key with its UIDs intact (no email-verification step), which is what
signature verification needs. The daily-use guide's publish note is
rewritten to describe keyserver.ubuntu.com's behavior and trade-offs.
Add a guide section for provisioning the same subkeys onto more than one
YubiKey: reset GnuPG and re-import the private keys from backup for each
card (keytocard leaves only card stubs), with a warning never to import
the revocation certificate. Add a section for storing the public-key URL
on the card via `gpg --card-edit > admin > url`, noting that ykman cannot
set this field (verified against ykman 5.9.1 and Yubico's official OpenPGP
command reference). The README first-time-signing section gains a matching
note and link.
@geyslan geyslan self-assigned this Jun 21, 2026
@geyslan geyslan requested a review from trvll June 21, 2026 15:26
geyslan added 12 commits June 21, 2026 16:00
Without an explicit port, dirmngr does an SRV lookup
(_pgpkey-https._tcp.keyserver.ubuntu.com) before connecting. On networks
whose resolver fails or times out SRV queries, dirmngr treats that as
fatal and aborts every keyserver operation ("Server indicated a failure"
/ "Try again later"), even though a plain HTTPS fetch works fine.

Append :443 to every hkps://keyserver.ubuntu.com reference (the isolated
signing env, fetch-pubkey help, README, and the in-image key guides) so
dirmngr skips SRV and connects directly. The in-image dirmngr.conf already
pins :80 and is unaffected.
-L is --print-build-logs, not keep-going + verbose.
Follows the earlier dirmngr fix; keeps prose consistent with the
deployed configuration.
The previous form used a fragile perl regex to round-trip through the
filename; ls + head -1 is sufficient.
- Remove stale rm -f of \$_active (variable was already removed)
- Drop the -l flag from grep -qlF; -q alone is sufficient and -l prints
  filenames rather than suppressing output
- Use \$HOME (shell-expanded at write time) in gpg-agent.conf instead of
  a hardcoded path; update the surrounding note to match
gdm-password (not gdm-fingerprint) is the service that backs GNOME
Shell's lock screen, so no separate edit is needed.  The old instruction
to patch gdm-fingerprint would do nothing for users without a fingerprint
sensor enrolled.
Promotes the previously unnumbered "Set the public-key URL" step to
section 3, shifting Move→4, Verify→5, Provision→6, Export→7, Clean up→8.
Updates all internal cross-references accordingly.
- 03-daily-use: add callout pointing to host-setup.md for one-time
  Fedora system setup before the per-user config steps
- 04-extend-expiry: add KEYID export snippet (live image is amnesic);
  rework extend-subkeys section to select all three at once with a single
  expire call instead of repeating per subkey
- 05-revoke-keys: add KEYID export snippet; promote steps 3-7 from ###
  to ## headings; add missing public-key import before revocation cert
  import in Option A; add KEYID export in Options A and B
- 06-recovery.md: add KEYID export snippet; fix step cross-references
  to match the renumbered yubikey-setup guide (3→4, 5→8)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant