Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013
From: Eric Blake
Subject: Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013
Date: Tue, 12 Nov 2013 08:42:20 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0

On 11/12/2013 08:18 AM, Gabriel L. Somlo wrote:
> Peter,
>
> On Tue, Nov 12, 2013 at 02:57:36PM +0000, Peter Maydell wrote:
>> Can somebody provide known-good instructions for how to
>> sign and return keys? I looked on the web and found four
>> different possible ways to do this (most notably, there
>> seems to be a split between "just send keys back to
>> the keyserver" and "email something to the keyowner"),
>> and as usual gpg's UI is hopelessly opaque and confusing :-(
>
> I've pasted my key-signing bash script below. At the (few) key signing
> parties I've been to, the idea was "upload to keyserver as a personal
> favor to those you already know and like, email signatures encrypted
> with the recipient's key to those you've only just met at the party".
>
> Assuming a text file with one key signature per line, the bits that
> are commented out were used to import keys and display fingerprints
> for comparison with the stuff we had printed on paper and verified at
> the party. The uncommented bits will do the signature export,
> encryption with the recipient's key, and emailing.
Similarly, here's some advice I've used after previous key-signing
parties; I personally like how 'pius' automates the sending of
signatures to other recipients.
On 10/19/2011 09:56 AM, Jim Meyering wrote:
> You may want to know which of our colleagues have found time
> to handle their side of the key-signing deal.
>
> There are two interesting sets:
> - who has signed your key (either they uploaded it themselves,
> or they sent it to you and you processed it: import and upload)
> - who has uploaded your signature of their key (assuming you signed
> and mailed it to them)
>
> We want the complement of each set to be empty.
> I.e., each participant should do both things.
> Run the following script to list those who have not yet found the time.
>
> If you get stuck, reply here or ping me on IRC and I'll try to help.
> As a reminder, the recommended signing procedure was described here,
> in the "Signing GPG keys" section:
[replacing private URL with its contents:]
>
> I have a slight preference for pius over caff:
> http://www.phildev.net/pius/
> so I use it in the example below: (download sources)
> http://sourceforge.net/projects/pgpius/files/pius/2.0.9/
>
> Once Markus and I verified fingerprints, I did the following:
>
> # Download Markus' public key.
> gpg --recv EB918653
>
> # Create and email per-ID-signatures to each of his email addresses:
> # I specified a well-configured MTA, so that pius didn't try to send
> # directly from my desktop. It asks for a "level"; I choose 3.[*]
> ./pius --mail-host=GOOD_MTA --encrypt --no-pgp-mime \
> address@hidden --signer=7FD9FCCB000BEEEE EB918653
> # ---------------- ---------------- --------
> # my email my key Markus' key
>
> To try it first, sending mail only to myself, I could do this,
> adding the --debug and --override-email=... options on the 2nd line:
>
> ./pius --mail-host=GOOD_MTA --encrypt --no-pgp-mime \
> --debug address@hidden \
> address@hidden --signer=7FD9FCCB000BEEEE EB918653
>
> The former sent two messages to Markus, who has to follow the instructions
> included in each message: decrypt the attached signature, use gpg to
> import it, and then "send" his just-modified (new signature) key
> out to the key servers. It sent two messages because Markus has two
> IDs (name/email pairs) on his key, and I opted to sign both of them:
>
> $ gpg --fingerprint EB918653
> pub 4096R/EB918653 2011-10-07
> Key fingerprint = 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653
> uid Markus Armbruster <address@hidden>
> uid Markus Armbruster <address@hidden>
> sub 4096R/26B7449C 2011-10-07
>
> So once Markus receives those two messages and does the decrypt/import/send
> dance, only *then* do my signatures of his key appear on the public key
> servers. Since they were encrypted and sent individually, they can appear
> in public only if Markus really does control both of those addresses at
> the time of signing. IMHO, it's better to sign all IDs, as long as they
> look reasonable.
>
> Jim
>
> [*] pius asks "Have you verified this user/key, and if so, what level do
> you want to sign at? (0/1/2/3/N/q) [default: N]". IMHO, it doesn't
> matter if you use 2 or 3. Some tools don't even ask.
[resuming first email]
>
> ---------------------
> Save the script below as cross-sign and make it executable.
> Then you can run it with a single argument, your gpg key ID,
> to see the gaps in the WoT, just considering the participants
> in the recent kvm/virt-devel key signing:
>
> ./cross-sign YOUR_GPG_KEY_ID
>
> To see how things look using your own key-ring, run it like this:
>
> env use_temp_keyring=n ./cross-sign YOUR_GPG_KEY_ID
>
> The only reason it'd look different with your key-ring is if you had
> signed locally and forgotten to run gpg --send-key ID for each key
> you'd signed.
>
> That is relatively slow because it runs gpg --refresh ...
> If you've already done that, you can run it like this:
>
> env use_temp_keyring=n refresh=n ./cross-sign YOUR_GPG_KEY_ID
cross-sign:
=========
#!/bin/bash
ME=${0##*/}
case $# in
  1) my_id=$1 ;;
  *) echo "Usage: $ME YOUR_GPG_KEY_ID" 1>&2; exit 1;;
esac

# Defaults; override from the environment, e.g. env use_temp_keyring=n refresh=n
: ${use_temp_keyring=y}
: ${refresh=y}

# Key IDs of the people who participated in the kvm gpg key-signing.
keys='3bb08b22 2527436a eb918653 6a56d670 3e7e013f f83fa044 d3e87138
fe702db5 241786dd 39bcff63 d018682b 7c18c076 5682e5ff 14360cde c03363f4
74ff0269 afbe8e67 c88f2fd6 aaa7a078 0bd1fee1 7ae5e714 854083b6 f108b584
81ab73c8 c11804f0 4aa920d7'

# Given gpg --list-sig ... output, print only those lines that start
# with "uid" and contain an "@"; print each unique name only once.
uid_name_filter() { grep '^uid.*@' | sort -t'<' -u -k1,1 | sed 's/^uid */  /'; }

if test "$use_temp_keyring" = y; then
  # Create a temporary directory in which to download keys.
  export GNUPGHOME=$(mktemp -d)
  # Remove it upon interrupt and upon normal termination.
  for sig in 1 2 3 13 15; do eval "trap 'exit $(expr $sig + 128)' $sig"; done
  trap 'rm -fr "$GNUPGHOME"' 0
  # Use a server that's better than the default.
  echo keyserver hkp://pool.sks-keyservers.net > "$GNUPGHOME/gpg.conf"
  # Get latest keys/signatures from key servers.
  gpg --recv-keys $(echo $keys)
else
  test "$refresh" = y \
    && gpg --refresh-keys $(echo $keys)
fi

echo who appears not to have signed $my_id:
s=$(gpg --list-sig $my_id)
# gpg prints key IDs in upper case while $keys is lower case, so match
# case-insensitively (as the second loop below already does).
gpg --list-keys \
  $(for i in $(echo $keys); do echo "$s" | grep -qi $i || echo $i; done) \
  | uid_name_filter

echo
echo who has not yet uploaded a signature by $my_id on their key:
for i in $(echo $keys); do
  gpg --list-sig $i | grep -qi $my_id || gpg --list-key $i
done | uid_name_filter
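Added example, not part of the thread and not Jim's cross-sign script: the same two set differences, computed from the machine-readable records of gpg --with-colons --list-sigs instead of grepping the human-readable listing, so a short key ID cannot match a name or date by accident. The key IDs, user IDs and listings it contains are constructed placeholders; with real data, pipe in the output of gpg --with-colons --list-sigs for your key and for the participants' keys.

```shell
#!/bin/sh
# Record layout used here: field 1 is the record type, field 5 of a "pub"
# record is the key's long ID, field 5 of a "sig" record is the signer's ID.

# The participants' long key IDs (constructed placeholders).
keys='00000000AAAAAAAA 00000000BBBBBBBB 00000000CCCCCCCC'

# Constructed listing of my own key (AAAA...): a self-signature plus a
# signature by BBBB...; CCCC... has not signed it.
sample_mine='pub:u:4096:1:00000000AAAAAAAA:1318000000:::u:::scESC::::::
uid:u::::1318000000::UIDHASH::Alice Example <alice@example.org>::::::::
sig:::1:00000000AAAAAAAA:1318000000::::Alice Example <alice@example.org>:13x::
sig:::1:00000000BBBBBBBB:1318100000::::Bob Example <bob@example.org>:10x::'

# Constructed listing of all participants: Bob has uploaded Alice's signature
# of his key, Carol has not.
sample_all="$sample_mine
pub:u:4096:1:00000000BBBBBBBB:1318000000:::u:::scESC::::::
uid:u::::1318000000::UIDHASH::Bob Example <bob@example.org>::::::::
sig:::1:00000000BBBBBBBB:1318000000::::Bob Example <bob@example.org>:13x::
sig:::1:00000000AAAAAAAA:1318200000::::Alice Example <alice@example.org>:10x::
pub:u:4096:1:00000000CCCCCCCC:1318000000:::u:::scESC::::::
uid:u::::1318000000::UIDHASH::Carol Example <carol@example.org>::::::::
sig:::1:00000000CCCCCCCC:1318000000::::Carol Example <carol@example.org>:13x::"

# who_has_not_signed < listing-of-my-key
# Prints each participant key ID that has no "sig" record on my key.
who_has_not_signed() {
    signers=$(awk -F: '$1 == "sig" { print $5 }')
    for k in $keys; do
        echo "$signers" | grep -qx "$k" || echo "$k"
    done
}

# who_lacks_my_sig MY_ID < listing-of-all-participants
# Prints each key whose listing carries no signature by MY_ID, i.e. whose
# owner has not yet imported and uploaded the signature mailed to them.
who_lacks_my_sig() {
    awk -F: -v me="$1" '
        $1 == "pub"             { cur = $5; seen[cur] = 0 }
        $1 == "sig" && $5 == me { seen[cur] = 1 }
        END { for (k in seen) if (!seen[k]) print k }' | sort
}

# Demo on the constructed listings (replace the echo with gpg with real data).
me=00000000AAAAAAAA
echo "who appears not to have signed $me:"; echo "$sample_mine" | who_has_not_signed
echo "who has not yet uploaded a signature by $me:"; echo "$sample_all" | who_lacks_my_sig "$me"
```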
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org