KeySigningScripts
This page lists scripts for assisting in running or participating in key signing parties. For scripts that sign keys fully automatically please see [RobotCA].

Scripts which help organise a party:

* Generate a simple table, [Perl], [ref|http://www.cryptnet.net/fdp/crypto/pgp_party/party-table.pl]
* Patrick Bernier's [Perl] [ref|http://www.tzone.org/~pat/sw/keyparty/keyparty]

Scripts which help participants do the signatures after a party:

* by Dr Bacchus [Perl] [ref|http://drbacchus.com/journal/files/sigs.txt]
* caff (CA fire and forget) by in [Perl] [ref|http://shoestringfoundation.org/~bauerm/caff]
* cabot by Ian Jackson, Joost van Baal, Laurent Fousse and Peter Palfrader in [Perl] [ref|http://cabot.alioth.debian.org/].

If you use one of these scripts, please add comments / opinions.

----

!!Simple keysigning with caff on Ubuntu

Caff is a script written to assist with Debian keysignings. I used this to sign all the keys I sighted at Linux.conf.au 2006.

! Installing

Install some packages:

<tt>apt-get install signing-party gnupg-agent pinentry-gtk2</tt>

signing-party contains caff and some other useful scripts. gpg-agent allows you to save your passphrase in memory for a short period, and thus not type it in on every key you sign. I've specified pinentry-gtk2 here, but curses might work for you if you don't have X on the machine you are using or prefer the console.

! Setting up your keysigning files

Generate a list of all the keys you need to sign, one per line. The keylist.txt that you printed and used to tick off IDs on is a good place to start. I went through the list, grepped out only the lines with 'pub' on them, and then removed the ones I didn't want to sign.

I then checked them all, confirming I had the right keys, and used some RegularExpression~s to cut out only the 8-digit key fingerprint, so I had a file that looked like this:

<pre>
ABCD1234
DBF5ED67
DEADBEEF
</pre>

Configure a couple of things:

; ~~/.caff/gnupghome/gpg.conf : Add <tt>use-agent</tt> so caff will use gpg-agent (note, caff uses its own GPG environment files)
; ~~/.gnupg/gpg-agent.conf : <tt>default-cache-ttl 600</tt><br><tt>pinentry-program /usr/bin/pinentry-gtk-2</tt> (change for the correct pinentry program)
; ~~/.caffrc : add <tt>$CONFIG{'gpg-sign-args'} = "save";</tt> (as per /usr/share/doc/signing-party/caff/README.many-keys)

! A short aside for Ubuntu/Postfix users

If you're running a default Ubuntu installation, your MTA is [Postfix]. This setup will generate e-mail with envelope headers from username@localhost.localdomain (which is bad: lots of hosts on the Internet will drop the messages as the domain isn't real). You should fix the config before you proceed. I fixed it by adding <tt>smtp_generic_maps = hash:/etc/postfix/generic</tt> to /etc/postfix/main.cf, and creating an /etc/postfix/generic file like so:

<pre>
crb@localhost.localdomain craig@example.org
</pre>

I then had to run <tt>postmap /etc/postfix/generic</tt>. It might also be appropriate to make Postfix send mail through a smarthost, as I had a few messages fail to deliver because I am on a [DSL] IP address. If I'd known this BEFORE running caff, I would have fixed it with <tt>apt-get install exim4</tt>. :)

If any Postfix gurus read this, can they please tidy this section up?

! Performing the signing

Start gpg-agent:

<tt>eval `gpg-agent --daemon`</tt>

And start signing keys:

<tt>caff -mR --key-file lca2006-keyring.gpg `cat keys-to-sign.txt`</tt>

In this case, because I have a keyring file, I have specified -R (don't download from keyserver), which speeds this process up. -m specifies that I always want to send mail.

It is important to use backticks rather than xargs to pass the list of keys to sign: caff uses standard input for its own confirmations after signing, and when run from xargs it can bail out ungracefully after emailing only a subset of the signed keys.

Now, when you sign your first key, you will be asked for a passphrase, which will be kept in memory. You should only have to hit 'y' (to sign all keys) and 'y' (really sign) on each of your pre-prepared keys to proceed. It is good form to be checking against your list as you go, even at this point.

caff will then mail out on your behalf a message like this:

<pre>
Hi,

please find attached the user id
	Pie Man <pieman@example.org>
of your key DEADBEEFBAADF00D signed by me.

Note that I did not upload your key to any keyservers.
If you have multiple user ids, I sent the signature for each user id
separately to that user id's associated email address. You can import
the signatures by running each through `gpg --import`.

If you want this new signature to be available to others, please upload
it yourself. With GnuPG this can be done using
	gpg --keyserver subkeys.pgp.net --send-key DEADBEEFBAADF00D

If you have any questions, don't hesitate to ask.

Regards,
Key Signer
</pre>

Your work here is done.
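The list-preparation and signing steps above, as an added example that is not part of the original page: a shell script that pulls the 8-hex-digit key IDs out of the 'pub' lines of a printed keylist.txt (a constructed sample is embedded), rejects anything that is not a valid ID, and, when run with --run, confirms each ID against the lca2006-keyring.gpg file from the page before invoking caff via command substitution rather than xargs. The classic gpg --list-keys line format, the --run flag and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): build keys-to-sign.txt from a
# printed keylist.txt in the classic "gpg --list-keys" format of the era, e.g.
#   pub   1024D/ABCD1234 2005-03-01
# Only "pub" lines are kept and only the 8-hex-digit key ID after the slash.
# The keyring name lca2006-keyring.gpg is the one the page uses.

# Print the key IDs found on "pub" lines of stdin, one per line, deduplicated.
extract_keyids() {
    grep '^pub' | sed -n 's/^pub *[0-9]*[A-Za-z]\/\([0-9A-Fa-f]\{8\}\).*/\1/p' \
        | tr 'a-f' 'A-F' | sort -u
}

# Keep only lines that are exactly 8 hex digits; anything else is a typo.
validate_keyids() {
    grep -E '^[0-9A-F]{8}$'
}

# Constructed sample keylist, as a participant might have printed it.
SAMPLE_KEYLIST='pub   1024D/ABCD1234 2005-03-01
uid                  Pie Man <pieman@example.org>
sub   2048g/12345678 2005-03-01
pub   1024D/DBF5ED67 2004-11-12
uid                  Someone Else <someone@example.net>
pub   1024D/DEADBEEF 2003-07-30
pub   1024D/ABCD1234 2005-03-01'

# Emits the cleaned list on stdout; used both by the check and the run below.
build_key_list() {
    printf '%s\n' "$SAMPLE_KEYLIST" | extract_keyids | validate_keyids
}

if [ "${1:-}" = "--run" ]; then
    build_key_list > keys-to-sign.txt
    # Confirm each ID actually resolves in the party keyring before signing
    # (a short key ID is not a fingerprint, so compare the full one here).
    while read -r id; do
        gpg --no-default-keyring --keyring lca2006-keyring.gpg --fingerprint "$id"
    done < keys-to-sign.txt
    eval "$(gpg-agent --daemon)"
    # Command substitution, not xargs, because caff reads its own confirmations
    # from standard input.
    caff -mR --key-file lca2006-keyring.gpg $(cat keys-to-sign.txt)
fi
```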