Rev | Author | # | Line |
---|---|---|---|
1 | StuartYeates | 1 | This page lists scripts for assisting in running or participating in key signing parties. For scripts that sign keys fully automatically please see [RobotCA]. |
2 | |||
3 | Scripts which help organise a party: | ||
2 | StuartYeates | 4 | * Generate a simple table, [Perl], [ref|http://www.cryptnet.net/fdp/crypto/pgp_party/party-table.pl] |
5 | * Patrick Bernier's [Perl] [ref|http://www.tzone.org/~pat/sw/keyparty/keyparty] | ||
1 | StuartYeates | 6 | |
7 | |||
8 | Scripts which help participants do the signatures after a party: | ||
9 | |||
2 | StuartYeates | 10 | * by Dr Bacchus [Perl] [ref|http://drbacchus.com/journal/files/sigs.txt] |
11 | * caff (CA fire and forget), in [Perl] [ref|http://shoestringfoundation.org/~bauerm/caff] | ||
12 | * cabot by Ian Jackson, Joost van Baal, Laurent Fousse and Peter Palfrader in [Perl] [ref|http://cabot.alioth.debian.org/]. | ||
1 | StuartYeates | 13 | |
2 | StuartYeates | 14 | |
15 | If you use one of these scripts, please add comments / opinions. | ||
3 | CraigBox | 16 | |
17 | ---- | ||
18 | !!Simple keysigning with caff on Ubuntu: | ||
19 | |||
20 | Caff is a script written to assist with Debian keysignings. I used this to sign all the keys I sighted at Linux.conf.au 2006. | ||
21 | |||
22 | ! Installing | ||
23 | |||
6 | AlbertasAgejevas | 24 | Install some packages: <tt>apt-get install signing-party gnupg-agent pinentry-gtk2</tt> |
3 | CraigBox | 25 | |
26 | signing-party contains caff and some other useful scripts. gpg-agent allows you to save your passphrase in memory for a short period, and thus not type it in on every key you sign. | ||
27 | |||
28 | I've specified pinentry-gtk2 here, but curses might work for you if you don't have X on the machine you are using or prefer the console. | ||
29 | |||
30 | ! Setting up your keysigning files | ||
31 | |||
32 | Generate a list of all the keys you need to sign, one per line. The keylist.txt that you printed and used to tick off IDs on is a good place to start. I went through the list, grepped out only the lines with 'pub' on them, and then removed the ones I didn't want to sign. I then checked them all, confirming I had the right keys, and used some RegularExpression~s to cut out only the 8-digit short key ID, so I had a file that looked like this: | ||
33 | |||
34 | <pre> | ||
35 | ABCD1234 | ||
36 | DBF5ED67 | ||
37 | DEADBEEF | ||
38 | </pre> | ||
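The "grep out the pub lines, drop the ones you didn't verify, keep only the 8-digit ID" step above, as an added example that is not from the original page. The keylist text and the skip list are constructed sample input in the style of <tt>gpg --list-keys</tt> output; the key IDs are placeholders.

```shell
#!/bin/sh
# Added example: build keys-to-sign.txt from a printed keylist.txt.
# KEYLIST is a constructed sample in "gpg --list-keys" format (placeholder IDs).
KEYLIST='pub   1024D/ABCD1234 2004-01-02
uid                  Alice Example <alice@example.org>
sub   2048g/11112222 2004-01-02

pub   1024D/DBF5ED67 2005-03-04
uid                  Bob Example <bob@example.org>

pub   4096R/DEADBEEF 2006-01-20
uid                  Carol Example <carol@example.org>

pub   1024D/0BADF00D 2003-07-07
uid                  Dave Example <dave@example.org>'

# IDs you did NOT tick off at the party, one per line (constructed sample).
SKIP='0BADF00D'

# Print the 8-hex-digit short key ID from every "pub" line, skipping any ID
# in the skip list. Output has the one-ID-per-line shape of keys-to-sign.txt.
extract_key_ids() {
    printf '%s\n' "$KEYLIST" | awk -v skip="$SKIP" '
        BEGIN { n = split(skip, s, "\n"); for (i = 1; i <= n; i++) drop[s[i]] = 1 }
        /^pub/ {
            # field 2 looks like "1024D/ABCD1234": keep the part after the slash
            split($2, parts, "/")
            id = toupper(parts[2])
            if (!(id in drop)) print id
        }'
}

# Sanity check before handing the list to caff: every line must be exactly
# 8 upper-case hex digits. Returns 0 if so, 1 if any line is malformed.
validate_ids() {
    printf '%s\n' "$1" | grep -q -v -E '^[0-9A-F]{8}$' && return 1
    return 0
}

# Typical use: write the list, then refuse to proceed on a malformed entry.
ids=$(extract_key_ids)
validate_ids "$ids" || { echo "malformed key ID in list" >&2; exit 1; }
printf '%s\n' "$ids" > keys-to-sign.txt
```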
39 | |||
40 | Configure a couple of things: | ||
41 | |||
5 | CraigBox | 42 | ; ~~/.caff/gnupghome/gpg.conf : Add <tt>use-agent</tt> so caff will use gpg-agent (note, caff uses its own GPG environment files) |
43 | ; ~~/.gnupg/gpg-agent.conf : <tt>default-cache-ttl 600</tt><br><tt>pinentry-program /usr/bin/pinentry-gtk-2</tt> (change for the correct pinentry program) | ||
44 | ; ~~/.caffrc : add <tt>$CONFIG{'gpg-sign-args'} = "save";</tt> (as per /usr/share/doc/signing-party/caff/README.many-keys) | ||
3 | CraigBox | 45 | |
46 | !A short aside for Ubuntu/Postfix users | ||
47 | |||
48 | If you're running a default Ubuntu installation, your MTA is [Postfix]. This setup will generate e-mail with envelope headers from username@localhost.localdomain (which is bad - lots of hosts on the Internet will drop the messages as the domain isn't real). You should fix the config before you proceed. I fixed it by adding <tt>smtp_generic_maps = hash:/etc/postfix/generic</tt> to /etc/postfix/main.cf, and creating an /etc/postfix/generic file like so: | ||
49 | |||
50 | <pre> | ||
51 | crb@localhost.localdomain craig@example.org | ||
52 | </pre> | ||
53 | |||
54 | I then had to run <tt>postmap /etc/postfix/generic</tt>. It might also be appropriate to make Postfix send mail through a smarthost, as I had a few messages not deliver because I am on a [DSL] IP address. | ||
55 | |||
56 | If I'd known this BEFORE running caff, I would have fixed it with <tt>apt-get install exim4</tt>. :) | ||
57 | |||
58 | If any Postfix gurus read this, can they please tidy this section up? | ||
59 | |||
60 | ! Performing the signing | ||
61 | |||
62 | Start gpg-agent: <tt>eval `gpg-agent --daemon`</tt> | ||
63 | |||
64 | And start signing keys: <tt>caff -mR --key-file lca2006-keyring.gpg `cat keys-to-sign.txt`</tt> | ||
65 | |||
7 | ChrisAndreae | 66 | In this case, because I have a keyring file, I have specified -R (don't download from keyserver), which speeds this process up. -m specifies that I always want to send mail. It is important to use backticks rather than xargs to pass the list of keys to sign: caff uses standard input for its own confirmations after signing, and when run from xargs it can bail out ungracefully after emailing only a subset of the signed keys. |
3 | CraigBox | 67 | |
68 | Now, when you sign your first key, you will be asked for a passphrase, which will be kept in memory. You should only have to hit 'y' (to sign all keys) and 'y' (really sign), on each of your pre-prepared keys, to proceed. | ||
69 | |||
70 | It is good form to be checking against your list as you go, even at this point. | ||
71 | |||
72 | caff will then mail out on your behalf a message like this: | ||
73 | |||
74 | <pre> | ||
75 | Hi, | ||
76 | |||
77 | please find attached the user id. | ||
78 | Pie Man <pieman@example.org> | ||
79 | of your key DEADBEEFBAADF00D signed by me. | ||
80 | |||
81 | Note that I did not upload your key to any keyservers. | ||
82 | If you have multiple user ids, I sent the signature for each user id | ||
83 | separately to that user id's associated email address. You can import | ||
84 | the signatures by running each through `gpg --import`. | ||
85 | |||
86 | If you want this new signature to be available to others, please upload | ||
87 | it yourself. With GnuPG this can be done using | ||
88 | gpg --keyserver subkeys.pgp.net --send-key DEADBEEFBAADF00D | ||
89 | |||
90 | If you have any questions, don't hesitate to ask. | ||
91 | |||
92 | Regards, | ||
93 | Key Signer | ||
94 | </pre> | ||
95 | |||
96 | Your work here is done. |