KeysigningParty
About
This page contains information about keysigning parties (KSPs) and how to efficiently handle the work involved prior and after a KSP.
References
Documents relevant for PGP keysigning parties:
Keysigning parties that I attended:
My own PGP Key Signing Policy: http://www.herzbube.ch/pgp-key-signing-policy.html
Software
Debian package
caff and other utilities that help with managing a keysigning party are part of the Debian package signing-party.
caff
caff needs to be run once so that it generates the config file ~/.caffrc. This file then needs to be edited before the utility is used for real for the first time:

$CONFIG{'owner'} = 'Patrick Näf Moser';
$CONFIG{'email'} = 'herzbube@herzbube.ch';
$CONFIG{'keyid'} = [ qw{1319CD4F3FF38573} ];
$CONFIG{'mail-template'} = << 'EOM';
Hi,

This is caff, the automated PGP keysigning tool, running on behalf of {$owner} ({$email}).

Please find attached the user ID{(scalar @uids >= 2 ? 's' : '')}
[...]
gpg --keyserver subkeys.pgp.net --send-key {$key}
[...]
EOM
caff uses its own keyring in ~/.caff/gnupghome. The keyring can be examined with the --homedir option, e.g.

gpg --homedir ~/.caff/gnupghome --list-keys

The following options must be placed into ~/.caff/gnupghome/gpg.conf; especially the latter two options are important as they influence how keysigning works:

charset utf-8
keyserver hkp://subkeys.pgp.net
ask-cert-level
cert-policy-url http://herzbube.ch/pgp-key-signing-policy.html

caff places signed keys that it has processed into ~/.caff/keys
Exim
To make sure that caff is allowed to send email from the command line, the following file needs to be modified:

/etc/mail/bounce-rcpts/herzbube.ch

The following line needs to be added:

patrick

The reason for this change is that if a recipient MTA performs callout verification, also known as sender address verification, the sending email address "patrick@herzbube.ch" must be known to the MTA Exim; otherwise it will reject the callout as a bogus bounce.
Before the KSP
gpg-key2ps
TODO
During the KSP
TODO
After the KSP
Using caff to automate signing
Invocation:

caff --key-file ksp-zrh2k9.asc AAE6022E

Discussion:
- Signs the public key AAE6022E
- Instead of downloading the key from a keyserver, the content of the specified file is imported into caff's keyring. Note: All keys in the file are imported, not just the one to be signed.
- Unless signatures are generated manually, all signatures are level 3
- UIDs that have no email can be attached to all emails sent to other UIDs. It is not possible to attach only to a single email - either all or none!

caff asks for each signature whether an email should be sent. The signature is created even if no email is sent.

Alternative uses of caff:
- Sign a public key, but download it first from a keyserver. The download is attempted even if the key is already present in caff's keyring.

caff AAE6022E

- Sign a public key without downloading it first from a keyserver

caff --no-download 4CBC0D03
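A check worth running before handing a key to caff, added here as an example and not part of the original page or of the signing-party package: the key ID on the caff command line is only eight hex digits, which does not identify a key uniquely, and with --key-file every key in the participant file ends up in caff's keyring. The script below lists the keys in the file with gpg, requires the full fingerprint copied from the paper strip that was checked in person, matches it exactly, reports the other keys that will be imported alongside, and only then builds the caff invocation. It assumes GnuPG 2.1.23 or newer (for --show-keys) and caff on PATH; the fingerprints, key IDs and user IDs in SAMPLE_LISTING are constructed.

```python
#!/usr/bin/env python3
"""Check a key file against the fingerprint verified in person, then run caff.

Added example, not part of the original page or of the signing-party package.
Assumes GnuPG 2.1.23+ (for --show-keys) and caff on PATH; the key IDs,
fingerprints and user IDs in SAMPLE_LISTING below are constructed.
"""
import subprocess
import sys


def normalize_fingerprint(text):
    """Paper strips print fingerprints in groups of four; collapse to upper-case hex."""
    fpr = text.strip().replace(" ", "").replace("\u00a0", "")
    if fpr.lower().startswith("0x"):
        fpr = fpr[2:]
    return fpr.upper()


def primary_fingerprints(colons_output):
    """Return [(fingerprint, first user ID)] for every primary key in
    `gpg --with-colons --show-keys FILE` output. The 'fpr' record right after
    a 'pub' record is the primary key; the one after 'sub' is a subkey."""
    keys = []
    after_pub = False
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            after_pub = True
        elif f[0] == "sub":
            after_pub = False
        elif f[0] == "fpr" and after_pub:
            keys.append([f[9], None])      # field 10 carries the fingerprint
            after_pub = False
        elif f[0] == "uid" and keys and keys[-1][1] is None:
            keys[-1][1] = f[9]             # field 10 carries the user ID
    return [tuple(k) for k in keys]


def select_key_to_sign(colons_output, verified_fingerprint):
    """Find the one key whose full fingerprint equals the verified one.

    Returns (fingerprint, user ID, other_keys); other_keys is everything else
    that `caff --key-file` will import into ~/.caff/gnupghome alongside it.
    A short or long key ID is rejected on purpose: only the full fingerprint
    was compared against the paper strip."""
    wanted = normalize_fingerprint(verified_fingerprint)
    if len(wanted) != 40:  # length of a v4 (SHA-1) key fingerprint
        raise ValueError("need the full 40-digit fingerprint, got %r" % verified_fingerprint)
    keys = primary_fingerprints(colons_output)
    matches = [k for k in keys if k[0] == wanted]
    if len(matches) != 1:
        raise ValueError("fingerprint matched %d keys in the file" % len(matches))
    return matches[0][0], matches[0][1], [k for k in keys if k[0] != wanted]


def caff_command(key_file, fingerprint):
    """caff takes a key ID on the command line; the long (16-digit) ID is the
    low 64 bits of the fingerprint that was just matched in full."""
    return ["caff", "--key-file", key_file, fingerprint[-16:]]


def sign_after_verification(key_file, verified_fingerprint, run=subprocess.run):
    """List the file's keys with gpg, match the fingerprint, then call caff."""
    listing = run(["gpg", "--batch", "--with-colons", "--show-keys", key_file],
                  capture_output=True, text=True, check=True).stdout
    fpr, uid, others = select_key_to_sign(listing, verified_fingerprint)
    print("signing %s  %s" % (fpr, uid))
    for other_fpr, other_uid in others:
        print("also imported into caff's keyring, not signed: %s  %s" % (other_fpr, other_uid))
    return run(caff_command(key_file, fpr), check=True)


# Constructed sample of `gpg --with-colons --show-keys` output for a two-key file.
SAMPLE_LISTING = """\
pub:-:4096:1:0123456789ABCDEF:1262304000:::-:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:
uid:-::::1262304000::1111111111111111111111111111111111111111::Alice Example <alice@example.invalid>::::::::::0:
sub:-:4096:1:1111222233334444:1262304000::::::e::::::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC1111222233334444:
pub:-:2048:1:FEDCBA9876543210:1262304000:::-:::scESC::::::23::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBFEDCBA9876543210:
uid:-::::1262304000::2222222222222222222222222222222222222222::Bob Example <bob@example.invalid>::::::::::0:
"""

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s KEYFILE.asc 'FINGERPRINT FROM PAPER STRIP'" % sys.argv[0])
    sign_after_verification(sys.argv[1], sys.argv[2])
```

Run it as `./sign_after_check.py ksp-zrh2k9.asc 'AAAA AAAA ... CDEF'`; caff still asks its usual questions, the script only refuses to start it when the file does not contain exactly one key with the verified fingerprint.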
Importing signatures
Usually signatures are sent as .asc email attachments. After decrypting the email (if it is encrypted, which is usually the case), the attachment can be saved and afterwards the signature can be imported with the following command (the example assumes the signature is stored in a caff-generated file name):

gpg --import 0x1319CD4F3FF38573.1.signed-by-0xC09E1D8995930EDE.asc
If several signature files are present, they can be imported in one fell swoop:
gpg --import *.asc
When all signatures have been imported, they may be listed like this:
gpg --list-sigs 3FF38573
It may also be useful to import the signers' public keys so that signatures are displayed with a meaningful user ID. Hopefully the KSP has provided an .asc file for download that contains the public keys of all participants. This file can then be imported like this:
gpg --import ksp-zrh2k9.asc
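A way to check the result of the import described above, added here as an example (not from the page or from the signing-party package): the script parses the colon-delimited form of gpg --list-sigs, drops self-signatures, and reports for each of your UIDs who certified it and at which level, flagging anything that is not the level 3 exportable signature caff normally produces (a local signature never reaches a keyserver, and a signer whose key was not imported shows up as "[User ID not found]"). SAMPLE_LISTING is constructed; the owner's key ID, the signer key ID from the file name above and the two herzbube.ch addresses come from this page, the other signer, the hashes and all dates are made up.

```python
#!/usr/bin/env python3
"""Summarise who certified which of your user IDs, and at what level.

Added example, not part of the original page or of the signing-party package.
It reads the machine-readable form of the listing:  gpg --with-colons --list-sigs KEYID
SAMPLE_LISTING below is constructed (see the comment above it).
"""
import subprocess
import sys

# Certification classes (RFC 4880 section 5.2.1) as they appear in field 11 of a
# 'sig' record: two hex digits followed by 'x' (exportable) or 'l' (local only).
CERT_LEVEL = {"10": 0, "11": 1, "12": 2, "13": 3}


def certifications_by_others(colons_output, own_keyid):
    """Map each user ID to [(signer keyid, signer uid, level, exportable)].

    Self-signatures are skipped; own_keyid may be the short or the long form."""
    own = own_keyid.upper()
    report = {}
    current_uid = None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "uid":
            current_uid = f[9]                  # field 10: the user ID text
            report.setdefault(current_uid, [])
        elif f[0] in ("sub", "ssb"):
            current_uid = None                  # what follows are subkey binding sigs
        elif f[0] == "sig" and current_uid is not None:
            signer = f[4].upper()               # field 5: signer's long key ID
            if signer.endswith(own) or own.endswith(signer):
                continue                        # self-signature
            level = CERT_LEVEL.get(f[10][:2])   # field 11: signature class
            if level is None:
                continue                        # not a certification
            report[current_uid].append((signer, f[9], level, f[10].endswith("x")))
    return report


def unexpected_certifications(report):
    """List (uid, signer, reason) for signatures that are not what caff makes:
    anything below level 3, or a local signature that will never be exported."""
    findings = []
    for uid, sigs in report.items():
        for signer, _signer_uid, level, exportable in sigs:
            if level < 3:
                findings.append((uid, signer, "level %d certification" % level))
            if not exportable:
                findings.append((uid, signer, "local signature, will not be exported"))
    return findings


def listing_for(keyid, run=subprocess.run):
    """Ask gpg for the colon-delimited signature listing of keyid."""
    return run(["gpg", "--batch", "--with-colons", "--list-sigs", keyid],
               capture_output=True, text=True, check=True).stdout


# Constructed sample: owner key 1319CD4F3FF38573 with two UIDs, certified by
# C09E1D8995930EDE (level 3, one of them local-only) and by a key that is not in
# the keyring (level 2). Hashes and timestamps are placeholders.
SAMPLE_LISTING = """\
pub:u:4096:1:1319CD4F3FF38573:1262304000:::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1319CD4F3FF38573:
uid:u::::1262304000::0123456789ABCDEF0123456789ABCDEF01234567::Patrick Näf Moser <herzbube@herzbube.ch>::::::::::0:
sig:::1:1319CD4F3FF38573:1262304000::::Patrick Näf Moser <herzbube@herzbube.ch>:13x:::::::::
sig:::1:C09E1D8995930EDE:1262390400::::Signer One <one@example.invalid>:13x:::::::::
sig:::1:0000000000000001:1262390400::::[User ID not found]:12x:::::::::
uid:u::::1262304000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Patrick Näf Moser <patrick@herzbube.ch>::::::::::0:
sig:::1:1319CD4F3FF38573:1262304000::::Patrick Näf Moser <herzbube@herzbube.ch>:13x:::::::::
sig:::1:C09E1D8995930EDE:1262390400::::Signer One <one@example.invalid>:13l:::::::::
sub:u:4096:1:FEDCBA9876543210:1262304000::::::e::::::23:
sig:::1:1319CD4F3FF38573:1262304000::::Patrick Näf Moser <herzbube@herzbube.ch>:18x:::::::::
"""

if __name__ == "__main__":
    keyid = sys.argv[1] if len(sys.argv) > 1 else "1319CD4F3FF38573"
    report = certifications_by_others(listing_for(keyid), keyid)
    for uid, sigs in report.items():
        print(uid)
        for signer, signer_uid, level, exportable in sigs:
            print("  level %d %s from %s (%s)" % (level, "exportable" if exportable else "LOCAL", signer, signer_uid))
    for uid, signer, reason in unexpected_certifications(report):
        print("check: %s by %s on %s" % (reason, signer, uid))
```

The self-signature test compares key ID suffixes so that the short ID from `gpg --list-sigs 3FF38573` and the long ID in the listing match; the final check section is what tells you which signers to ask about a non-exportable or lower-level signature before you push the key to a keyserver.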
Other stuff
- caff: CA - Fire and Forget signs and mails a key
- pgp-clean: removes all non-self signatures from key
- pgp-fixkey: removes broken packets from keys
- gpg-mailkeys: simply mail out a signed key to its owner
- gpg-key2ps: generate PostScript file with fingerprint paper strips
- gpgdir: recursive directory encryption tool
- gpglist: show who signed which of your UIDs
- gpgsigs: annotates list of GnuPG keys with already done signatures
- gpgparticipants: create list of party participants for the organiser
- gpgwrap: a passphrase wrapper
- keyanalyze: minimum signing distance (MSD) analysis on keyrings
- keylookup: ncurses wrapper around gpg --search
- sig2dot: converts a list of GnuPG signatures to a .dot file
- springgraph: creates a graph from a .dot file