GnuPG
Revision as of 19:56, 24 February 2008 by PhilippeTeuwen
Notes on signing-parties
There are some useful tools in Debian:
apt-get install signing-party
Here is an example based on my participation in the keysigning party at FOSDEM 2008.
- Importing keys: the organizer provided an archive with all the keys exported:
tar xzvf keys.tgz
for i in keys/*; do gpg --import $i; done
- Preparing the given list of keys: the organizer provided a list in the format of the examples found in /usr/share/doc/signing-party/gpgsigs/examples/. gpgsigs prepares that file for printing: it fills in the file's checksums and adds the photo IDs when available:
gpgsigs --latex 9ad7e3db ksp-fosdem2008.txt ksp-fosdem2008
latex ksp-fosdem2008
dvips ksp-fosdem2008.dvi
ps2pdf ksp-fosdem2008.ps > ksp-fosdem2008.pdf
- Preparing a stock of slips with our own fingerprint, in case they are needed:
gpg-key2ps 9ad7e3db | ps2pdf - 9ad7e3db.pdf
- But how does the organizer produce the list of fingerprints in the first place? I wrote a script to generate such a list:
#!/bin/bash
# License: GPLv3
# Copyright Philippe Teuwen <phil a teuwen o org> 2008
if [[ $# -ne 5 ]]; then
    cat <<EOF
Usage: $0 input output datestring organizer title
Or:    $0 - output datestring organizer title
       to read from STDIN
Example:
echo 9AD7E3DB 54C12701 |\\
$0 - ksp-file.txt "20080222 1100" "Philippe Teuwen <phil a teuwen o org>" "my party 08"
EOF
    exit 0
fi
input="$1"
# "-" means: read the key IDs from STDIN (an empty $input makes cat read STDIN below)
[ "$input" == "-" ] && input=""
output="$2"
date="$3"
org="$4"
# Title in upper case, with a space between each letter
title=$(echo "$5"|tr a-z A-Z|sed 's/\(.\)/\1 /g')
# Everything printed from here on goes to the output file
exec > "$output"
# Date of event
LANG=C date --date="$date" +"%A, %B %e, %Y; %H:%M"
# Organiser contact
printf "%80s\n\n\n" "$org"
# Title, centered on 72 columns
printf "%*s\n\n" $(((72+$(echo "$title"|wc -c))/2)) "$title"
# Header
cat <<EOF
List of Participants (v 1.0)

Here's what you have to do with this file:

(1) Print this file to paper.
(2) Compute this file's MD5 checksum and optionally also its SHA1 checksum.
      gpg --print-md md5 $output  (or use md5sum)
      gpg --print-md sha1 $output (or use sha1sum)
(3) Fill in the hash values on the printout.
(4) Bring the printout, a pen, and proof of identity to the keysigning party
    (and be on time!).

MD5 Checksum:  __ __ __ __ __ __ __ __ __ __ __ __ __ __ __ __ [ ]

SHA1 Checksum: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ [ ]
EOF
# One numbered entry per key ID, with tick boxes for the checks done at the party
k=0
for i in $(cat $input); do
    k=$(($k+1))
    printf "\n%03d [ ] Fingerprint OK [ ] ID OK\n" $k
    gpg --fingerprint $i|grep -v "^sub"
done
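As an added example that is not part of the original page, here are the checks a participant wants after the party on a list in the format the script above emits: the file used for extracting fingerprints must still match the MD5/SHA1 values written on the printout before the event (step 2 of the header), and every fingerprint must parse as 40 hex digits. Selecting entries by the numbers ticked on paper, from the verified file, avoids editing the list by hand, which would invalidate its checksum. The sample list, names and entry numbers are constructed; the two fingerprints are the ones quoted later on this page.

```python
import hashlib
import re

# Constructed sample in the layout the script above emits (gpg 1.4 "--fingerprint"
# output, "sub" lines dropped); the two fingerprints are the ones quoted on this page.
SAMPLE_KSP = b"""\
001 [ ] Fingerprint OK [ ] ID OK
pub   1024D/E9A11073 2008-01-01
      Key fingerprint = 9885 1B2B 8B5B 4310 4A25  ECA1 A6F4 CF46 E9A1 1073
uid                  Alice Example <alice@example.org>

002 [ ] Fingerprint OK [ ] ID OK
pub   1024D/67147274 2008-01-02
      Key fingerprint = 56CF E246 BB33 A42F 1142  646E E9E8 031D 6714 7274
uid                  Bob Example <bob@example.org>
"""
ENTRY_RE = re.compile(r"^(\d{3}) \[.\] Fingerprint OK \[.\] ID OK$")
FPR_RE = re.compile(r"^\s*Key fingerprint = ([0-9A-F ]+)$")

def gpg_style_digest(data, algo):
    # Group the hex as `gpg --print-md` does (MD5 in pairs, SHA1 in quads, upper case).
    hexdigest = hashlib.new(algo, data).hexdigest().upper()
    width = 2 if algo == "md5" else 4
    return " ".join(hexdigest[i:i + width] for i in range(0, len(hexdigest), width))

def checksums_match(data, printed_md5, printed_sha1):
    # Values copied from the paper printout vs. the file used after the party.
    norm = lambda s: re.sub(r"\s+", "", s).upper()
    return (norm(printed_md5) == norm(gpg_style_digest(data, "md5")) and
            norm(printed_sha1) == norm(gpg_style_digest(data, "sha1")))

def parse_entries(data):
    # Entry number -> 40-hex fingerprint (spaces removed, like the sed one-liner above).
    entries, number = {}, None
    for line in data.decode("utf-8").splitlines():
        m = ENTRY_RE.match(line)
        if m:
            number = int(m.group(1))
        elif number is not None and (m := FPR_RE.match(line)):
            fpr = m.group(1).replace(" ", "")
            if not re.fullmatch(r"[0-9A-F]{40}", fpr):
                raise ValueError("entry %03d: bad fingerprint %r" % (number, fpr))
            entries[number] = fpr
    return entries

def fingerprints_to_sign(data, printed_md5, printed_sha1, met):
    # Fingerprints of the numbers ticked on paper, read only from a checksum-verified file.
    if not checksums_match(data, printed_md5, printed_sha1):
        raise ValueError("keylist does not match the checksums on the printout")
    return [fpr for n, fpr in sorted(parse_entries(data).items()) if n in met]
```

The resulting list can be fed to caff exactly as the ksp-fosdem2008-finger.txt file is below.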
After the signing party
- I trim the list ksp-fosdem2008.txt down to the people I actually met and save it as ksp-fosdem2008-ok.txt.
- I extract the fingerprints from it:
grep fingerprint ksp-fosdem2008-ok.txt | sed 's/^.*= //;s/ //g' > ksp-fosdem2008-finger.txt
- I configure caff. On its first run it creates a template in ~/.caffrc, which was nearly right: I kept only my usual public key, told it to also encrypt to that key, activated the default email template, chose agpg as the gpg program used for signing and finally chose a public keyserver:
$CONFIG{'local-user'} = [ qw{7A135F579AD7E3DB} ];
$CONFIG{'also-encrypt-to'} = [ qw{7A135F579AD7E3DB} ];
$CONFIG{'gpg-sign'} = '/usr/bin/agpg';
$CONFIG{'keyserver'} = 'wwwkeys.pgp.net';
- I could not get caff working until I finally copied ~/.gnupg/pubring.gpg and ~/.gnupg/trustdb.gpg to ~/.caff/gnupghome/; then everything worked, including the import of new keys from the keyserver.
- Signing only:
caff --no-download --no-export-old --no-mail $(cat ksp-fosdem2008-finger.txt)
Answer yes / save at the prompts (double-check the uids, as you may have forgotten to remove someone from ksp-fosdem2008-ok.txt).
- Sending emails:
caff --no-download --no-sign --no-export-old $(cat ksp-fosdem2008-finger.txt)
- I got some undeliverable emails, some of the addresses obviously being Jabber IDs, so I recovered the email content from ~/.caff/keys/2008-02-24 and sent it over Jabber.
- Short way for a professional signing-party using an internal keyserver:
#!/bin/bash
# Fingerprints of the keys to sign, one per line
for i in $(cat <<EOF
98851B2B8B5B43104A25ECA1A6F4CF46E9A11073
56CFE246BB33A42F1142646EE9E8031D67147274
...
EOF
); do
    gpg --recv-key $i
    agpg -u nxp --sign-key $i
    gpg --send-key $i
done
- In case you mistype your passphrase with quintuple-agent (agpg), you have to delete the stored passphrase before trying again:
q-client list
q-client delete 54C12701
- Check who has signed your key:
gpglist 9AD7E3DB