docs(provenance): update explanation of new GnuPG format (helm#4710)

Signed-off-by: Matt Butcher <matt.butcher@microsoft.com>
splisson · Dec 6, 2018 · 1e227e0 · 1e227e0
1 parent ae310d0
commit 1e227e0
Showing 1 changed file with 14 additions and 17 deletions.
diff --git a/docs/provenance.md b/docs/provenance.md
@@ -22,12 +22,17 @@ Prerequisites:
 
 - A valid PGP keypair in a binary (not ASCII-armored) format
 - The `helm` command line tool
-- GnuPG command line tools (optional)
+- GnuPG >=2.1 command line tools (optional)
 - Keybase command line tools (optional)
 
 **NOTE:** If your PGP private key has a passphrase, you will be prompted to enter
 that passphrase for any commands that support the `--sign` option.
 
+**NOTE:** The keyfile format for GnuPG changed in version 2.1. Prior to that release
+it was unnecessary to export keys out of GnuPG, and you could instead point Helm
+at your `*.gpg` files. With 2.1, the new `.kbx` format was introduced, and this
+format is not supported by Helm.
+
 Creating a new chart is the same as before:
 
 ```
@@ -42,10 +47,10 @@ the name under which the signing key is known and the keyring containing the cor
 $ helm package --sign --key 'helm signing key' --keyring path/to/keyring.secret mychart
 ```
 
-**TIP:** for GnuPG users, your secret keyring is in `~/.gnupg/secring.gpg`. You can
+**TIP:** for GnuPG users, your secret keyring is in `~/.gnupg/secring.kbx`. You can
 use `gpg --list-secret-keys` to list the keys you have.
 
-**Warning:**  the GnuPG v2 store your secret keyring using a new format 'kbx' on the default location  '~/.gnupg/pubring.kbx'. Please use the following command to convert your keyring to the legacy gpg format:
+**Warning:**  the GnuPG v2.1 store your secret keyring using a new format 'kbx' on the default location  '~/.gnupg/pubring.kbx'. Please use the following command to convert your keyring to the legacy gpg format:
 
 ```
 $ gpg --export-secret-keys >~/.gnupg/secring.gpg
@@ -95,24 +100,16 @@ Prerequisites:
 The first step is to import your keybase keys into your local GnuPG keyring:
 
 ```
-$ keybase pgp export -s | gpg --import
+$ keybase pgp export -s > secring.gpg
 ```
 
-This will convert your Keybase key into the OpenPGP format, and then import it
-locally into your `~/.gnupg/secring.gpg` file.
-
-You can double check by running `gpg --list-secret-keys`.
+This will convert your Keybase key into the OpenPGP format, and then place it
+locally into your `secring.gpg` file.
 
-```
-$ gpg --list-secret-keys                                                                                                       1 ↵
-/Users/mattbutcher/.gnupg/secring.gpg
--------------------------------------
-sec   2048R/1FC18762 2016-07-25
-uid                  technosophos (keybase.io/technosophos) <technosophos@keybase.io>
-ssb   2048R/D125E546 2016-07-25
-```
+> Tip: If you need to add a Keybase key to an existing keyring, you will need to
+> do `keybase pgp export -s | gpg --import && gpg --export-secret-keys --outfile secring.gpg`
 
-Note that your secret key will have an identifier string:
+Your secret key will have an identifier string:
 
 ```
 technosophos (keybase.io/technosophos) <technosophos@keybase.io>