Blame: KeySigningScripts
Annotated edit history of KeySigningScripts version 7, including all changes.

This page lists scripts for assisting in running or participating in key signing parties. For scripts that sign keys fully automatically please see [RobotCA].

Scripts which help organise a party:
* Generate a simple table, [Perl], [ref|http://www.cryptnet.net/fdp/crypto/pgp_party/party-table.pl]
* Patrick Bernier's [Perl] [ref|http://www.tzone.org/~pat/sw/keyparty/keyparty]


Scripts which help participants do the signatures after a party:

* A script by Dr Bacchus in [Perl] [ref|http://drbacchus.com/journal/files/sigs.txt]
* caff (CA fire and forget) in [Perl] [ref|http://shoestringfoundation.org/~bauerm/caff]
* cabot by Ian Jackson, Joost van Baal, Laurent Fousse and Peter Palfrader in [Perl] [ref|http://cabot.alioth.debian.org/].


If you use one of these scripts, please add comments / opinions.

----
!!Simple keysigning with caff on Ubuntu

caff is a script written to assist with Debian keysignings. I used this to sign all the keys I sighted at Linux.conf.au 2006.

! Installing

Install some packages: <tt>apt-get install signing-party gnupg-agent pinentry-gtk2</tt>

signing-party contains caff and some other useful scripts. gpg-agent caches your passphrase in memory for a short period, so you do not have to type it in for every key you sign.

I've specified pinentry-gtk2 here, but pinentry-curses might work for you if you don't have X on the machine you are using, or if you prefer the console.

! Setting up your keysigning files

Generate a list of all the keys you need to sign, one per line. The keylist.txt that you printed and used to tick off IDs is a good place to start. I went through the list, grepped out only the lines with 'pub' on them, and then removed the ones I didn't want to sign. I then checked them all, confirming I had the right keys, and used some RegularExpression~s to cut out only the 8-digit short key ID, so I had a file that looked like this:

<pre>
ABCD1234
DBF5ED67
DEADBEEF
</pre>

caff also accepts full 40-digit fingerprints. Short key IDs are not unique, and the fingerprint is what you actually verified at the party, so it is the safer thing to put in this file.

Configure a couple of things:

; ~~/.caff/gnupghome/gpg.conf : Add <tt>use-agent</tt> so caff will use gpg-agent (note that caff uses its own GnuPG home directory, so settings in your normal ~~/.gnupg/gpg.conf do not apply)
; ~~/.gnupg/gpg-agent.conf : <tt>default-cache-ttl 600</tt> (seconds)<br><tt>pinentry-program /usr/bin/pinentry-gtk-2</tt> (change this to the pinentry program you installed)
; ~~/.caffrc : add <tt>$CONFIG{'gpg-sign-args'} = "save";</tt> (as per /usr/share/doc/signing-party/caff/README.many-keys)

! A short aside for Ubuntu/Postfix users

If you're running a default Ubuntu installation, your MTA is [Postfix]. This setup will generate e-mail with a sender address of username@localhost.localdomain (which is bad: lots of hosts on the Internet will drop the messages, as the domain isn't real). You should fix the config before you proceed. I fixed it by adding <tt>smtp_generic_maps = hash:/etc/postfix/generic</tt> to /etc/postfix/main.cf, and creating an /etc/postfix/generic file like so:

<pre>
crb@localhost.localdomain craig@example.org
</pre>

I then had to run <tt>postmap /etc/postfix/generic</tt>. It might also be appropriate to make Postfix send mail through a smarthost, as I had a few messages fail to deliver because I am on a [DSL] IP address.

If I'd known this BEFORE running caff, I would have fixed it with <tt>apt-get install exim4</tt>. :)

If any Postfix gurus read this, can they please tidy this section up?

! Performing the signing

Start gpg-agent: <tt>eval `gpg-agent --daemon`</tt>

And start signing keys: <tt>caff -mR --key-file lca2006-keyring.gpg `cat keys-to-sign.txt`</tt>

In this case, because I have a keyring file, I have specified -R (don't download from a keyserver), which speeds this process up. -m specifies that I always want to send mail. It is important to use backticks rather than xargs to pass the list of keys to sign: caff uses standard input for its own confirmations after signing, and when run from xargs it can bail out ungracefully after e-mailing only a subset of the signed keys.
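As an added example (not code from the original page or from caff itself), here are the list-building step above and the caff invocation put together as a POSIX shell script. It assumes the keylist is in the layout that <tt>gpg --list-keys --fingerprint</tt> prints; the sample keylist, the ticked-off IDs and the file names are constructed for the example, and <tt>build_keys_to_sign</tt>, <tt>filter_ticked</tt>, <tt>validate_keys</tt> and <tt>run_caff</tt> are names chosen here, not caff's. It keeps the full 40-digit fingerprint rather than the 8-digit short ID, rejects anything in the list that is not a key ID before it reaches caff's argument list, and passes the keys as arguments so that caff's standard input stays free for its confirmation prompts.

```shell
#!/bin/sh
# Added example, not from the original page or from caff: build the
# keys-to-sign list from a party keylist and hand it to caff as arguments.
# Uses the full fingerprint (what you actually checked at the party) rather
# than the 8-digit short ID, which is easy to collide.

# Constructed sample in the `gpg --list-keys --fingerprint` layout a party
# keylist is usually printed from. Names, addresses and key material are
# made up for this example.
SAMPLE_KEYLIST='pub   1024D/ABCD1234 2004-03-01
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF ABCD 1234
uid                  Pie Man <pieman@example.org>
sub   2048g/11223344 2004-03-01

pub   1024D/DBF5ED67 2005-11-12
      Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 DBF5 ED67
uid                  Example Person <person@example.net>

pub   1024D/DEADBEEF 2003-07-07
      Key fingerprint = DEAD BEEF DEAD BEEF DEAD  BEEF DEAD BEEF DEAD BEEF
uid                  Not Verified <skip@example.com>
'

# Pull the 40-hex-digit fingerprints out of a keylist on stdin, one per
# line, with the grouping spaces removed.
extract_fingerprints() {
    sed -n 's/^ *Key fingerprint = //p' | tr -d ' '
}

# Keep only the fingerprints whose suffix matches an ID you ticked off on
# paper ($1: a file of short IDs, long IDs or fingerprints, spaces allowed).
filter_ticked() {
    ticked=$1
    while IFS= read -r fpr; do
        while IFS= read -r id; do
            id=$(printf '%s' "$id" | tr -d ' ' | tr 'a-f' 'A-F')
            [ -n "$id" ] || continue
            case $fpr in
                *"$id") printf '%s\n' "$fpr"; break ;;
            esac
        done < "$ticked"
    done
}

# Refuse anything that is not an 8, 16 or 40 hex digit key ID: a stray
# name or e-mail address in the list must not reach caff's argument list.
validate_keys() {
    status=0
    while IFS= read -r k; do
        case $k in
            *[!0-9A-Fa-f]*) echo "not a key ID: $k" >&2; status=1 ;;
        esac
        case ${#k} in
            8|16|40) ;;
            *) echo "bad length: $k" >&2; status=1 ;;
        esac
    done
    return $status
}

# keylist ($1) + ticked list ($2) -> validated keys-to-sign file ($3).
build_keys_to_sign() {
    extract_fingerprints < "$1" | filter_ticked "$2" > "$3" &&
        validate_keys < "$3"
}

# Run caff with the keys as arguments, never via xargs: caff reads its own
# y/n confirmations from stdin, so stdin must stay attached to the terminal.
# CAFF can be overridden (e.g. CAFF=echo) for a dry run.
run_caff() {
    keyring=$1
    list=$2
    set --
    while IFS= read -r k; do
        set -- "$@" "$k"
    done < "$list"
    [ $# -gt 0 ] || { echo "no keys to sign" >&2; return 1; }
    ${CAFF:-caff} -mR --key-file "$keyring" "$@"
}

# Usage, with the real files from the party:
#   build_keys_to_sign keylist.txt ticked.txt keys-to-sign.txt &&
#       run_caff lca2006-keyring.gpg keys-to-sign.txt
```

Run <tt>build_keys_to_sign keylist.txt ticked.txt keys-to-sign.txt</tt> and then <tt>run_caff lca2006-keyring.gpg keys-to-sign.txt</tt>; set <tt>CAFF=echo</tt> first to see the exact command line without signing or mailing anything.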

Now, when you sign your first key, you will be asked for a passphrase, which gpg-agent will keep in memory. You should only have to hit 'y' (to sign all user IDs) and 'y' (really sign) for each of your pre-prepared keys to proceed.

It is good practice to keep checking against your printed list as you go, even at this point.

caff will then mail out on your behalf a message like this:

<pre>
Hi,

please find attached the user id.
Pie Man <pieman@example.org>
of your key DEADBEEFBAADF00D signed by me.

Note that I did not upload your key to any keyservers.
If you have multiple user ids, I sent the signature for each user id
separately to that user id's associated email address. You can import
the signatures by running each through `gpg --import`.

If you want this new signature to be available to others, please upload
it yourself. With GnuPG this can be done using
gpg --keyserver subkeys.pgp.net --send-key DEADBEEFBAADF00D

If you have any questions, don't hesitate to ask.

Regards,
Key Signer
</pre>

Your work here is done.
