This page lists scripts for assisting in running or participating in key signing parties. For scripts that sign keys fully automatically please see RobotCA.
Scripts which help participants do the signatures after a party:
If you use one of these scripts, please add comments / opinions.
Caff is a script written to assist with Debian keysignings. I used this to sign all the keys I sighted at Linux.conf.au 2006.
Install some packages: apt-get install signing-party gnupg-agent pinentry-gtk2
signing-party contains caff and some other useful scripts. gpg-agent allows you to save your passphrase in memory for a short period, and thus not type it in on every key you sign.
I've specified pinentry-gtk2 here, but curses might work for you if you don't have X on the machine you are using or prefer the console.
Generate a list of all the keys you need to sign, one per line. The keylist.txt that you printed and used to tick off IDs on is a good place to start. I went through the list, grepped out only the lines with 'pub' on them, and then removed the ones I didn't want to sign. I then checked them all, confirming I had the right keys, and used some regular expressions to cut out only the 8-digit key fingerprint, so I had a file that looked like this:
ABCD1234
DBF5ED67
DEADBEEF
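The extraction step described above can be scripted so that a hand-edited list is cross-checked before it reaches caff. This is an added example, not the author's own commands: it assumes the keylist uses the classic `gpg --fingerprint` layout, the leading "#" skip marker is a hypothetical convention, and the sample keys are constructed.

```shell
#!/bin/sh
# Added example. Assumes the classic "gpg --fingerprint" listing layout and a
# hypothetical convention: put "#" in front of the pub line of a key to skip.

# Print one 8-hex-digit key ID per line for every unskipped key whose
# "pub" ID matches the tail of its "Key fingerprint" line.
keys_to_sign() {
    awk '
    function emit() {
        if (id == "") return
        if (length(id) != 8 || id ~ /[^0-9A-F]/) {
            print "bad key ID: " id > "/dev/stderr"; bad = 1
        } else if (fpr == "") {
            print "no fingerprint line for " id > "/dev/stderr"; bad = 1
        } else if (substr(fpr, length(fpr) - 7) != id) {
            print "ID/fingerprint mismatch for " id > "/dev/stderr"; bad = 1
        } else if (!(id in seen)) {
            seen[id] = 1; print id          # drop duplicates
        }
        id = ""; fpr = ""
    }
    /^#/    { emit(); next }                # skipped key: ignore its lines
    /^pub / { emit(); split($2, part, "/"); id = toupper(part[2]); next }
    /Key fingerprint =/ && id != "" {
        sub(/.*= */, ""); gsub(/ /, ""); fpr = toupper($0)
    }
    END { emit(); exit (bad ? 1 : 0) }
    '
}

# Constructed sample keylist (not real keys).
sample_keylist() {
    cat <<'EOF'
pub   1024D/ABCD1234 2005-11-02
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF ABCD 1234
uid                  Alice Example <alice@example.org>
# pub   1024D/0BADC0DE 2004-06-15
      Key fingerprint = 1111 2222 3333 4444 5555  6666 7777 8888 0BAD C0DE
uid                  Bob Example <bob@example.org>
pub   1024D/DEADBEEF 2003-01-20
      Key fingerprint = AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 DEAD BEEF
uid                  Pie Man <pie@example.org>
EOF
}

sample_keylist | keys_to_sign    # prints ABCD1234 and DEADBEEF, one per line
```

A non-zero exit status means at least one entry failed the ID/fingerprint cross-check and should be re-examined against the printed list before signing.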
Configure a couple of things:
If you're running a default Ubuntu installation, your MTA is Postfix. This setup will generate e-mail with envelope headers from firstname.lastname@example.org (which is bad - lots of hosts on the Internet will drop the messages as the domain isn't real). You should fix the config before you proceed. I fixed it by adding smtp_generic_maps = hash:/etc/postfix/generic to /etc/postfix/main.cf, and creating an /etc/postfix/generic file like so:
I then had to run postmap /etc/postfix/generic. It might also be appropriate to make Postfix send mail through a smarthost, as I had a few messages not deliver because I am on a DSL IP address.
If I'd known this BEFORE running caff, I would have fixed it with apt-get install exim4. :)
If any Postfix gurus read this, can they please tidy this section up?
Start gpg-agent: eval `gpg-agent --daemon`
And start signing keys: caff -mR --key-file lca2006-keyring.gpg `cat keys-to-sign.txt`
In this case, because I have a keyring file, I have specified -R - don't download from keyserver - which speeds this process up. -m specifies that I always want to send mail. It is important to use backticks rather than xargs to pass the list of keys to sign -- caff uses standard input for its own confirmations after signing, and when run from xargs can bail out ungracefully after emailing a subset of the signed keys.
Now, when you sign your first key, you will be asked for a passphrase, which will be kept in memory. You should only have to hit 'y' (to sign all keys) and 'y' (really sign), on each of your preprepared keys, to proceed.
It is good form to be checking against your list as you go, even at this point.
caff will then mail out on your behalf a message like this:
Hi,

please find attached the user id.
    Pie Man <email@example.com>
of your key DEADBEEFBAADF00D signed by me.

Note that I did not upload your key to any keyservers.
If you have multiple user ids, I sent the signature for each user id
separately to that user id's associated email address. You can import
the signatures by running each through `gpg --import`.

If you want this new signature to be available to others, please upload
it yourself. With GnuPG this can be done using
    gpg --keyserver subkeys.pgp.net --send-key DEADBEEFBAADF00D

If you have any questions, don't hesitate to ask.

Regards,
Key Signer