Difference between revisions of "GnuPG"
m (→Strong Set) |
m (→Strong Set) |
||
Line 358: | Line 358: | ||
|- |
|- |
||
| align="left" | |
| align="left" | |
||
− | [http:// |
+ | [http://keyserver.kjsl.com/~jharris/ka/2008-02-17/ 17-02-2008] |
+ | | align="left" | 4.4435 |
||
+ | | align="left" | 1761 |
||
+ | | align="left" | 16 |
||
+ | | align="left" | 91 |
||
+ | | align="left" | 14 |
||
+ | | align="left" | 40282 |
||
+ | | align="left" | 5.98? |
||
+ | |- |
||
+ | | align="left" | |
||
+ | [http://skylane.kjsl.com/~jharris/ka/2008--/ --2008] |
||
| align="left" | 4. |
| align="left" | 4. |
||
| align="left" | - |
| align="left" | - |
||
− | | align="left" | |
+ | | align="left" | 0 |
− | | align="left" | |
+ | | align="left" | 0 |
− | | align="left" | |
+ | | align="left" | 0 |
| align="left" | - |
| align="left" | - |
||
| align="left" | 6. |
| align="left" | 6. |
Revision as of 20:51, 24 February 2008
French part was converted with HTML::WikiConverter::MediaWiki from my old phpwiki site
Intro
Un très bon point de départ: http://www.gnupg.org/gph/fr/manual.html
Une introduction a GnuPG(vulgaristation): http://www.vilya.org/gpg/
Mes clés
On peut les trouver un peu partout.
gpg --keyserver wwwkeys.pgp.net --recv-key 0x7A135F579AD7E3DB
Serveurs publics
- http://wwwkeys.pgp.net
- A list...
- http://pgp.mit.edu (very slow)
Key Signing Coordination
Distance entre clés
Par exemple
http://keyserver.kjsl.com/~jharris/gpgwww.cgi?from=135EA668&to=9AD7E3DB
http://keyserver.kjsl.com/~jharris/gpgwww.cgi?from=449FA3AB&to=9AD7E3DB
Remplacer les IDs des clés pour essayer d'autres chemins.
Update: les URLs précédentes ne fonctionnent apparemment plus, vous pouvez essayer avec celles-ci:
http://pgp.cs.uu.nl/mk_path.cgi?FROM=135EA668&TO=9AD7E3DB&PATHS=trust+paths
http://pgp.cs.uu.nl/mk_path.cgi?FROM=449FA3AB=9AD7E3DB&PATHS=trust+paths
http://www.cs.uu.nl/people/henkp/henkp/pgp/pathfinder/mk_path.cgi?STAT=9AD7E3DB&STATS=statistics
Strong Set
Une analyse globale est disponible ici: http://pgp.cs.uu.nl/plot/
J'y suis rentré en août 2002 avec une distance moyenne de 6.9916 (merci adulau ;-)
Des analyses mensuelles sont disponibles ici: http://keyserver.kjsl.com/~jharris/ka
Date | Mean dist | World class | From Set to ID | From ID to Set | Max hops | Strong set | Average mean |
6.9916 | >1000 | - | - | 15 | 14159 | 6.5105 | |
5.7041 | >1000 | - | - | 14 | 14353 | 6.5222 | |
5.6948 | >1000 | - | - | 14 | 14586 | 6.5327 | |
5.6979 | >1000 | - | - | 14 | 14797 | 6.5561 | |
5.6648 | >1000 | - | - | 14 | 14973 | 6.5084 | |
5.6414 | >1000 | - | - | 14 | 15169 | 6.5101 | |
5.6296 | >1000 | 9 | 12 | 14 | 15370 | 6.5037 | |
5.5183 | >1000 | 19 | 27 | 13 | 15575 | 6.5045 | |
5.4787 | >1000 | 24 | 27 | 13 | 15787 | 6.5017 | |
5.4420 | >1000 | 24 | 27 | 13 | 15949 | 6.4797 | |
5.4373 | >1000 | 24 | 27 | 13 | 16174 | 6.4806 | |
5.3922 | >1000 | 24 | 27 | 13 | 16305 | 6.4931 | |
5.3865 | >1000 | 24 | 27 | 13 | 16474 | 6.4804 | |
5.2183 | >1000 | 24 | 27 | 13 | 16673 | 6.4706 | |
5.2173 | >1000 | 24 | 27 | 13 | 16951 | 6.4849 | |
4.7102 | 496 | 43 | 63 | 13 | 17338 | 6.4773 | |
4.7024 | 507 | 45 | 63 | 13 | 17620 | 6.4711 | |
4.6933 | 500 | 46 | 63 | 13 | 17861 | 6.4675 | |
4.6794 | 481 | 47 | 63 | 13 | 18197 | 6.6484 | |
4.6373 | 367 | 51 | 67 | 13 | 19075 | 6.6624 | |
4.6281 | 358 | 51 | 67 | 13 | 19372 | 6.6584 | |
4.6027 | 330 | 51 | 67 | 13 | 19641 | 6.6410 | |
4.6002 | 331 | 51 | 67 | 13 | 19833 | 6.6261 | |
4.5854 | 335 | 52 | 68 | 13 | 20095 | 6.6038 | |
4.5700 | 330 | 52 | 68 | 13 | 20305 | 6.5954 | |
4.5531 | 327 | 52 | 68 | 13 | 20602 | 6.5762 | |
4.5189 | 419 | 52 | 68 | 13 | 20814 | 6.5251 | |
4.4803 | 440 | 52 | 68 | 13 | 21025 | 6.4861 | |
4.4676 | 461 | 58 | 75 | 13 | 21333 | 6.4784 | |
4.4565 | 462 | 59 | 76 | 13 | 21487 | 6.4721 | |
4.4456 | 482 | 59 | 76 | 13 | 21843 | 6.4762 | |
4.4435 | 1761 | 16 | 91 | 14 | 40282 | 5.98? | |
4. | - | 0 | 0 | 0 | - | 6. |
#!/bin/bash # gpg-setstats retrieves stats about the strongset & your key REF="http://skylane.kjsl.com/~jharris/ka" MYKEY=${1:-"9AD7E3DB"} for URL in $(lynx -dump $REF|grep "$REF/200"|cut -c 7-53); do select q in "Stats for the ${URL#$REF}" "Skip" "Quit";do if [ "$q" == "Stats for the ${URL#$REF}" ]; then echo ======================================= echo Retrieve infos for ${URL#$REF}: wget -O - -q ${URL}other.txt wget -O - -q ${URL}status.txt|grep "strongly connected" wget -O - -q $URL${MYKEY:0:2}/$MYKEY|grep "^KeyID\|^Total\|^Mean\|^Farthest" echo -n "World Class:" lynx -dump ${URL}top1000table.html|grep $MYKEY|grep -v kjsl echo ======================================= break; fi if [ "$q" == "Skip" ]; then break; fi if [ "$q" == "Quit" ]; then exit; fi echo test $URL done done
Tips
Pour fetcher ttes les UIDs qui ont signé une clé
for key in $(gpg --list-sigs $1|grep ^sig|cut -c 13-20|sort|uniq); do gpg --recv-key $key done
quintuple-agent
eval `q-agent &` q-client put 9AD7E3DB -t 3600 or directly use agpg instead of gpg
Support de OpenPGP dans KMail:
wget ftp://ftp.gnupg.org/gcrypt/alpha/aegypten/debian/libksba0_0.4.3-1_i386.deb dpkg -i libksba0_0.4.3-1_i386.deb wget ftp://ftp.gnupg.org/gcrypt/alpha/aegypten/debian/pinentry-gtk_0.6.3-1_i386.deb dpkg -i pinentry-gtk_0.6.3-1_i386.deb wget ftp://ftp.gnupg.org/gcrypt/alpha/aegypten/debian/gpgsm_0.3.9-1_i386.deb dpkg -i gpgsm_0.3.9-1_i386.deb gpg --rebuild-keydb-caches
Editer ~/.gnupg/gpg.conf -> use-agent
Dans KMail, Settings->Configure KMail->Security->Crypto Plugins et ajouter gpgme-openpgp.so plugin.
Laisser "update URL" vide et mettre un nom comme par ex. "OpenPGP", "location": /usr/lib/cryptplug/gpgme-opengpg.so
/usr/local/bin/gpg-kmail:
#!/bin/bash launch_me(){ eval "$(gpg-agent --pinentry-program /usr/bin/pinentry-gtk --no-grab --default-cache-ttl 1800 )" kmail $* --nofork echo $GPG_AGENT_INFO|cut -d: -f2|xargs kill } launch_me $* & exit 0
Notes on signing-parties
Old notes
Pas mal d'infos sur http://skylane.kjsl.com/~jharris/keysigning.html
Ainsi que des exemples d'annonce par Adulau sur http://www.ael.be/action/gnupg/ et http://www.ael.be/action/gnupg/fosdem/
Mais un problème courant est la coordination physique des gens pour que chacun rencontre chacun.
Before the party
There are some useful tools in Debian:
apt-get install signing-party
Here is an example based on my participation to the keysigning-party of FOSDEM 2008
- Importing keys: the organizer provided a file with all the keys exported
tar xzvf keys.tgz for i in keys/*; do gpg --import $i;done
- Preparing the given list of keys: the organizer provided a list such as in the examples provided here: /usr/share/doc/signing-party/gpgsigs/examples/. To prepare that file, compute its checksums and add the pictures when possible:
gpgsigs --latex 9ad7e3db ksp-fosdem2008.txt ksp-fosdem2008 latex ksp-fosdem2008 dvips ksp-fosdem2008.dvi ps2pdf ksp-fosdem2008.ps > ksp-fosdem2008.pdf
- Preparing a stock of our own fingerprints, in case of...
gpg-key2ps 9ad7e3db |ps2pdf - 9ad7e3db.pdf
- But after all how was produced the list of fingerprints from the organizer? I created a script to generate such list:
#!/bin/bash # License: GPLv3 # Copyright Philippe Teuwen <phil a teuwen o org> 2008 if [[ $# -ne 5 ]]; then cat <<EOF Usage: $0 input output datestring organizer title Or: $0 - output datestring organizer title to read from STDIN Example: echo 9AD7E3DB 54C12701 |\\ $0 - ksp-file.txt "20080222 1100" "Philippe Teuwen <phil a teuwen o org>" "my party 08" EOF exit 0 fi input="$1" [ "$input" == "-" ] && input=""; output="$2" date="$3" org="$4" title=$(echo "$5"|tr a-z A-Z|sed 's/\(.\)/\1 /g') exec > "$output" # Date of event LANG=C date --date="$date" +"%A, %B %e, %Y; %H:%M" # Organiser contact printf "%80s\n\n\n" "$org" # Title printf "%*s\n\n" $(((72+$(echo "$title"|wc -c))/2)) "$title" # Header cat <<EOF List of Participants (v 1.0) Here's what you have to do with this file: (1) Print this file to paper. (2) Compute this file's MD5 checksum and optionally also its SHA1 checksum. gpg --print-md md5 $output (or use md5sum) gpg --print-md sha1 $output (or use sha1sum) (3) fill in the hash values on the printout. (4) Bring the printout, a pen, and proof of identity to the keysigningparty (and be on time!). MD5 Checksum: __ __ __ __ __ __ __ __ __ __ __ __ __ __ __ __ [ ] SHA1 Checksum: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ [ ] EOF k=0; for i in $(cat $input); do k=$(($k+1)); printf "\n%03d [ ] Fingerprint OK [ ] ID OK\n" $k; gpg --fingerprint $i|grep -v "^sub"; done
At the party
Old notes...
Soient N personnes prêtes à signer
Ces personnes se numérotent de 0 à N-1
for (i=0;i<N;i++) { x signe (N-x+i)%N }
Puisque l'on fait ça N fois et que chacun ne doit signer que N-1 personnes, chacun sera passif lors d'UNE des itérations, simplement celle pour laquelle l'algo lui dit: x signe x
Bref tout le monde est occupé (N-1/N) % du temps :-)
Physiquement on peut se disposer en double file comme ceci: (ceux mis sur les bords ne signent pas)
| i=0 | i=1 | i=2 | i=3 | i=4 | i=5 ----+---------+---------+---------+---------+---------+--------- | 1 2 | 1 2 | 2 3 | 2 3 | 3 4 | N=5 | 0 | | | | | 3 | 1 | | | | | 4 | 2 | | | | 4 3 | 0 4 | 0 4 | 1 0 | 1 0 | ----+---------+---------+---------+---------+---------+--------- | 1 2 | 1 2 3 | 2 3 | 2 3 4 | 3 4 | 3 4 5 N=6 | 0 | | 3 | | | | | 1 | | 4 | | | | | 2 | | 5 | | | | | 5 4 | 0 5 4 | 0 5 | 1 0 5 | 1 0 | 2 1 0 ----+---------+---------+---------+---------+---------+---------
Avantage de l'algo: lorsqu'on prépare les feuilles avec les fingerprints, on peut aussi préparer pour chacun l'ordre dans lequel il doit signer les autres:
#!/bin/bash # argument: nbre total de personnes N=$1 for ((x=0;x<N;x++)); do echo -n "$x signera dans l'ordre: " for ((i=0;i<N;i++)); do echo -n "$((($N-$x+$i)%$N)) " done echo "" done
UPDATE: intéressant, lors du FOSDEM 2008 c'est en double-rang que l'on a effectivement progressé, avec 200 personnes sur la liste il y avait intéret à optimiser en effet ;-)
After the signing party
- I clean the list ksp-fosdem2008.txt to keep only those I met.
- I extract the fingerprints
cat ksp-fosdem2008-ok.txt |grep fingerprint|sed 's/^.*= //;s/ //g'> ksp-fosdem2008-finger.txt
- I configure caff, the first time it creates a template in ~/.caffrc which was nearly ok, I let only my usual public key, told to encrypt also for that key, activated the default email template, chose agpg as signing gpg program and finally chose a public keyserver:
$CONFIG{'local-user'} = [ qw{7A135F579AD7E3DB} ]; $CONFIG{'also-encrypt-to'} = [ qw{7A135F579AD7E3DB} ]; $CONFIG{'gpg-sign'} = '/usr/bin/agpg'; $CONFIG{'keyserver'} = 'wwwkeys.pgp.net';
- I could not get caff working until I finally copied ~/.gnupg/pubring.gpg and ~/.gnupg/trustdb.gpg to ~/.caff/gnupghome/ then everything worked including import of new keys from the keyserver.
- Signing only:
caff --no-download --no-export-old --no-mail $(cat ksp-fosdem2008-finger.txt) yes / save (check twice the uids as you could have forgotten to remove it in ksp-fosdem2008-ok.txt)
- Sending emails:
caff --no-download --no-sign --no-export-old $(cat ksp-fosdem2008-finger.txt)
- I got some undeliverable emails, some obviously being jabber ids, so I recovered the email content from ~/.caff/keys/2008-02-24 and sent it over jabber.
- Short way for a professional signing-party using an internal keyserver:
#!/bin/bash for i in $(cat <<EOF 98851B2B8B5B43104A25ECA1A6F4CF46E9A11073 56CFE246BB33A42F1142646EE9E8031D67147274 ... EOF) ; do gpg --recv-key $i; agpg -u nxp --sign-key $i; gpg --send-key $i; done
- In case you mistype your passphrase with quintuple-agent (agpg), you've to delete the stored passphrase before trying again:
q-client list q-client delete 54C12701
- Check who has signed your key:
gpglist 9AD7E3DB