On 11/12/2013 08:18 AM, Gabriel L. Somlo wrote:
> Peter,
>
> On Tue, Nov 12, 2013 at 02:57:36PM +0000, Peter Maydell wrote:
>> Can somebody provide known-good instructions for how to
>> sign and return keys? I looked on the web and found four
>> different possible ways to do this (most notably, there
>> seems to be a split between "just send keys back to
>> the keyserver" and "email something to the keyowner"),
>> and as usual gpg's UI is hopelessly opaque and confusing :-(
>
> I've pasted my key-signing bash script below. At the (few) key signing
> parties I've been to, the idea was "upload to keyserver as a personal
> favor to those you already know and like, email signatures encrypted
> with the recipient's key to those you've only just met at the party".
>
> Assuming a text file with one key signature per line, the bits that
> are commented out were used to import keys and display fingerprints
> for comparison with the stuff we had printed on paper and verified at
> the party. The uncommented bits will do the signature export,
> encryption with the recipient's key, and emailing.

Similarly, here's some advice I've used after previous key-signing
parties; I personally like how 'pius' automates the sending of
signatures to other recipients.

On 10/19/2011 09:56 AM, Jim Meyering wrote:
> You may want to know which of our colleagues have found time
> to handle their side of the key-signing deal.
>
> There are two interesting sets:
>   - who has signed your key (either they uploaded it themselves,
>     or they sent it to you and you processed it: import and upload)
>   - who has uploaded your signature of their key (assuming you signed
>     and mailed it to them)
>
> We want the complement of each set to be empty.
> I.e., each participant should do both things.
> Run the following script to list those who have not yet found the time.
>
> If you get stuck, reply here or ping me on IRC and I'll try to help.
> As a reminder, the recommended signing procedure was described here,
> in the "Signing GPG keys" section:
[replacing private URL with its contents:]
>
> I have a slight preference for pius over caff:
>   http://www.phildev.net/pius/
> so I use it in the example below: (download sources)
>   http://sourceforge.net/projects/pgpius/files/pius/2.0.9/
>
> Once Markus and I verified fingerprints, I did the following:
>
>   # Download Markus' public key.
>   gpg --recv EB918653
>
>   # Create and email per-ID-signatures to each of his email addresses:
>   # I specified a well-configured MTA, so that pius didn't try to send
>   # directly from my desktop. It asks for a "level"; I choose 3.[*]
>   ./pius --mail-host=GOOD_MTA --encrypt --no-pgp-mime \
>     --mail=jim@xxxxxxxxxxxx --signer=7FD9FCCB000BEEEE EB918653
>     #      ----------------          ----------------  --------
>     #         my email                   my key        Markus' key
>
> To try it first, sending mail only to myself, I could do this,
> adding the --debug and --override-email=... options on the 2nd line:
>
>   ./pius --mail-host=GOOD_MTA --encrypt --no-pgp-mime \
>     --debug --override-email=jim@xxxxxxxxxxxx \
>     --mail=jim@xxxxxxxxxxxx --signer=7FD9FCCB000BEEEE EB918653
>
> The former sent two messages to Markus, who has to follow the instructions
> included in each message: decrypt the attached signature, use gpg to
> import it, and then "send" his just-modified (new signature) key
> out to the key servers. It sent two messages because Markus has two
> IDs (name/email pairs) on his key, and I opted to sign both of them:
>
>   $ gpg --fingerprint EB918653
>   pub   4096R/EB918653 2011-10-07
>         Key fingerprint = 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653
>   uid                  Markus Armbruster <armbru@xxxxxxxxxx>
>   uid                  Markus Armbruster <armbru@xxxxxxxxxxxx>
>   sub   4096R/26B7449C 2011-10-07
>
> So once Markus receives those two messages and does the decrypt/import/send
> dance, only *then* do my signatures of his key appear on the public key
> servers.
> Since they were encrypted and sent individually, they can appear
> in public only if Markus really does control both of those addresses at
> the time of signing. IMHO, it's better to sign all IDs, as long as they
> look reasonable.
>
> Jim
>
> [*] pius asks "Have you verified this user/key, and if so, what level do
> you want to sign at? (0/1/2/3/N/q) [default: N]". IMHO, it doesn't
> matter if you use 2 or 3. Some tools don't even ask.

[resuming first email]
>
> ---------------------
> Save the script below as cross-sign and make it executable.
> Then you can run it with a single argument, your gpg key ID,
> to see the gaps in the WoT, just considering the participants
> in the recent kvm/virt-devel key signing:
>
>   ./cross-sign YOUR_GPG_KEY_ID
>
> To see how things look using your own key-ring, run it like this:
>
>   env use_temp_keyring=n ./cross-sign YOUR_GPG_KEY_ID
>
> The only reason it'd look different with your key-ring is if you had
> signed locally and forgotten to run gpg --send-key ID for each key
> you'd signed.
>
> That is relatively slow because it runs gpg --refresh ...
> If you've already done that, you can run it like this:
>
>   env use_temp_keyring=n refresh=n ./cross-sign YOUR_GPG_KEY_ID

cross-sign:
=========
#!/bin/bash
ME=${0##*/}
case $# in
  1) my_id=$1 ;;
  *) echo "Usage: $ME YOUR_GPG_KEY_ID" 1>&2; exit 1;;
esac

: ${use_temp_keyring=y}
: ${refresh=y}

# Key IDs of the people who participated in the kvm gpg key-signing.
keys='3bb08b22 2527436a eb918653 6a56d670 3e7e013f f83fa044 d3e87138
fe702db5 241786dd 39bcff63 d018682b 7c18c076 5682e5ff 14360cde c03363f4
74ff0269 afbe8e67 c88f2fd6 aaa7a078 0bd1fee1 7ae5e714 854083b6 f108b584
81ab73c8 c11804f0 4aa920d7'

# Given gpg --list-sig ... output, print only those lines that start
# with "uid" and contain an "@"; print each unique name only once.
uid_name_filter() { grep '^uid.*@' | sort -t'<' -u -k1,1 | sed 's/^uid */  /'; }

if test "$use_temp_keyring" = y; then
  # Create a temporary directory in which to download keys.
  export GNUPGHOME=$(mktemp -d)
  # Remove it upon interrupt and upon normal termination.
  for sig in 1 2 3 13 15; do eval "trap 'exit $(expr $sig + 128)' $sig"; done
  trap 'rm -fr "$GNUPGHOME"' 0
  # Use a server that's better than the default.
  echo keyserver hkp://pool.sks-keyservers.net > "$GNUPGHOME/gpg.conf"
  # Get latest keys/signatures from key servers.
  gpg --recv-keys $(echo $keys)
else
  test "$refresh" = y \
    && gpg --refresh-keys $(echo $keys)
fi

echo who appears not to have signed $my_id:
s=$(gpg --list-sig $my_id)
# gpg prints key IDs in upper case while the list above is lower case,
# so compare case-insensitively (as the second loop already does).
missing=$(for i in $(echo $keys); do echo "$s" | grep -qi $i || echo $i; done)
# Only call gpg when there is something to list: with no key IDs at all,
# "gpg --list-keys" would print the entire keyring.
if test -n "$missing"; then
  gpg --list-keys $missing | uid_name_filter
fi

echo
echo who has not yet uploaded a signature by $my_id on their key:
for i in $(echo $keys); do
  gpg --list-sig $i | grep -qi $my_id || gpg --list-key $i
done | uid_name_filter

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
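The following is an added example, written for this page; it is not part of the thread above and not Jim's cross-sign script. It computes the same two sets the script does (who has not signed my key, and whose key does not yet carry my signature), but reads gpg's machine-readable listing (`gpg --with-colons --list-sigs MY_KEY PARTICIPANT_KEY...`, field layout as documented in GnuPG's DETAILS file) and matches on 16-hex-digit long key IDs, since the 8-digit short IDs the script greps for are cheap to collide. It also treats local-only (non-exportable, class `13l`) and revoked certifications as absent, because neither ever reaches a keyserver, and it reports per user ID, which matters if you follow the advice above to sign every ID. `SAMPLE_LISTING` and all key IDs in it are constructed for the example.

```python
"""Added example (not from the thread): web-of-trust gaps from gpg's
machine-readable listing, i.e. the output of
    gpg --with-colons --list-sigs MY_KEY PARTICIPANT_KEY...
Key IDs are the 16-hex-digit long form.  SAMPLE_LISTING is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Uid:
    name: str
    signers: Set[str] = field(default_factory=set)  # exportable third-party certifiers


def norm_keyid(kid: str) -> str:
    """Reduce a long key ID or full fingerprint to the 16-hex long key ID.
    8-digit short IDs are rejected on purpose: they are cheap to collide."""
    kid = kid.strip().upper().replace(" ", "")
    if kid.startswith("0X"):
        kid = kid[2:]
    if not re.fullmatch(r"[0-9A-F]{16,40}", kid):
        raise ValueError(f"need a long key ID or fingerprint, got {kid!r}")
    return kid[-16:]


def parse_listing(listing: str) -> Dict[str, List[Uid]]:
    """key ID -> its user IDs with their certifiers.  --with-colons layout:
    field 5 = key ID, field 10 = user ID, field 11 = signature class
    ('13x' = 0x13 exportable, '13l' = local only; 'rev' = revocation)."""
    keys: Dict[str, List[Uid]] = {}
    cur_key: Optional[str] = None
    cur_uid: Optional[Uid] = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur_key, cur_uid = norm_keyid(f[4]), None
            keys[cur_key] = []
        elif f[0] == "uid" and cur_key is not None:
            cur_uid = Uid(name=f[9])
            keys[cur_key].append(cur_uid)
        elif f[0] == "sub":
            cur_uid = None  # subkey-binding signatures are not certifications
        elif f[0] in ("sig", "rev") and cur_uid is not None:
            signer = norm_keyid(f[4])
            if signer == cur_key:
                continue  # self-signature
            sigclass = f[10] if len(f) > 10 else ""
            if f[0] == "rev":
                cur_uid.signers.discard(signer)  # certification was revoked
            elif sigclass[:2] in ("10", "11", "12", "13") and sigclass.endswith("x"):
                cur_uid.signers.add(signer)
    return keys


def wot_gaps(listing: str, my_keyid: str, participants: List[str]
             ) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (participants with no exportable certification on any of my
    user IDs, participant -> their user IDs that still lack my certification)."""
    me = norm_keyid(my_keyid)
    keys = parse_listing(listing)
    if me not in keys:
        raise KeyError(f"my key {me} is not in the listing")
    my_signers: Set[str] = set()
    for uid in keys[me]:
        my_signers |= uid.signers
    not_signed_me: List[str] = []
    missing_my_sig: Dict[str, List[str]] = {}
    for p in (norm_keyid(x) for x in participants):
        if p not in my_signers:
            not_signed_me.append(p)
        if p not in keys:
            missing_my_sig[p] = ["(key not in listing)"]
            continue
        gaps = [uid.name for uid in keys[p] if me not in uid.signers]
        if gaps:
            missing_my_sig[p] = gaps
    return sorted(not_signed_me), missing_my_sig


# Constructed sample: my key 1111..4444 plus three party participants.
# Alice did everything; Bob's second user ID lacks my signature; Carol
# revoked her certification of my key and my signature on hers is local.
SAMPLE_LISTING = """\
pub:u:4096:1:1111222233334444:1318000000:::u:::scESC:
uid:u::::1318000000::H1::Me <me@example.org>:
sig:::1:1111222233334444:1318000000::::Me <me@example.org>:13x:
sig:::1:AAAA0000AAAA0001:1318000100::::Alice <alice@example.org>:13x:
sig:::1:BBBB0000BBBB0002:1318000100::::Bob <bob@example.org>:12x:
sig:::1:9999000099990009:1318000100::::[User ID not found]:10x:
sig:::1:CCCC0000CCCC0003:1318000100::::Carol <carol@example.org>:13x:
rev:::1:CCCC0000CCCC0003:1318000200::::Carol <carol@example.org>:30x:
sub:u:4096:1:1111222233335555:1318000000::::::e:
sig:::1:1111222233334444:1318000000::::Me <me@example.org>:18x:
pub:u:4096:1:AAAA0000AAAA0001:1318000000:::u:::scESC:
uid:u::::1318000000::H2::Alice <alice@example.org>:
sig:::1:AAAA0000AAAA0001:1318000000::::Alice <alice@example.org>:13x:
sig:::1:1111222233334444:1318000100::::Me <me@example.org>:13x:
pub:u:4096:1:BBBB0000BBBB0002:1318000000:::u:::scESC:
uid:u::::1318000000::H3::Bob <bob@example.org>:
sig:::1:BBBB0000BBBB0002:1318000000::::Bob <bob@example.org>:13x:
uid:u::::1318000000::H4::Bob <bob@work.example>:
sig:::1:BBBB0000BBBB0002:1318000000::::Bob <bob@work.example>:13x:
sig:::1:1111222233334444:1318000100::::Me <me@example.org>:10x:
pub:u:4096:1:CCCC0000CCCC0003:1318000000:::u:::scESC:
uid:u::::1318000000::H5::Carol <carol@example.org>:
sig:::1:CCCC0000CCCC0003:1318000000::::Carol <carol@example.org>:13x:
sig:::1:1111222233334444:1318000100::::Me <me@example.org>:13l:
"""

if __name__ == "__main__":
    me = "1111222233334444"
    party = ["AAAA0000AAAA0001", "BBBB0000BBBB0002", "CCCC0000CCCC0003"]
    not_signed, missing = wot_gaps(SAMPLE_LISTING, me, party)
    print("who appears not to have signed", me + ":", not_signed)
    print("user IDs still lacking my signature:", missing)
```

To run it against real data, feed it the output of `gpg --with-colons --list-sigs` for your own key and the participants' keys (after a `--refresh-keys`, as the script above does); a participant whose key is not in the listing at all is reported in the second set rather than silently skipped. Real gpg escapes colons inside user IDs as `\x3a`, so the simple `split(":")` is safe on that field.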