From: Eric Blake <eblake@redhat.com>
To: "Gabriel L. Somlo" <gsomlo@gmail.com>,
Peter Maydell <peter.maydell@linaro.org>
Cc: QEMU Developers <qemu-devel@nongnu.org>,
Anthony Liguori <anthony@codemonkey.ws>,
kvm-devel <kvm@vger.kernel.org>
Subject: Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013
Date: Tue, 12 Nov 2013 08:42:20 -0700
Message-ID: <52824C5C.3010802@redhat.com>
In-Reply-To: <20131112151840.GJ13775@HEDWIG.INI.CMU.EDU>
On 11/12/2013 08:18 AM, Gabriel L. Somlo wrote:
> Peter,
>
> On Tue, Nov 12, 2013 at 02:57:36PM +0000, Peter Maydell wrote:
>> Can somebody provide known-good instructions for how to
>> sign and return keys? I looked on the web and found four
>> different possible ways to do this (most notably, there
>> seems to be a split between "just send keys back to
>> the keyserver" and "email something to the keyowner"),
>> and as usual gpg's UI is hopelessly opaque and confusing :-(
>
> I've pasted my key-signing bash script below. At the (few) key signing
> parties I've been to, the idea was "upload to keyserver as a personal
> favor to those you already know and like, email signatures encrypted
> with the recipient's key to those you've only just met at the party".
>
> Assuming a text file with one key signature per line, the bits that
> are commented out were used to import keys and display fingerprints
> for comparison with the stuff we had printed on paper and verified at
> the party. The uncommented bits will do the signature export,
> encryption with the recipient's key, and emailing.
Similarly, here's some advice I've used after previous key-signing
parties; I personally like how 'pius' automates the sending of
signatures to other recipients.
On 10/19/2011 09:56 AM, Jim Meyering wrote:
> You may want to know which of our colleagues have found time
> to handle their side of the key-signing deal.
>
> There are two interesting sets:
> - who has signed your key (either they uploaded it themselves,
> or they sent it to you and you processed it: import and upload)
> - who has uploaded your signature of their key (assuming you signed
> and mailed it to them)
>
> We want the complement of each set to be empty.
> I.e., each participant should do both things.
> Run the following script to list those who have not yet found the time.
>
> If you get stuck, reply here or ping me on IRC and I'll try to help.
> As a reminder, the recommended signing procedure was described here,
> in the "Signing GPG keys" section:
[replacing private URL with its contents:]
>
> I have a slight preference for pius over caff:
> http://www.phildev.net/pius/
> so I use it in the example below: (download sources)
> http://sourceforge.net/projects/pgpius/files/pius/2.0.9/
>
> Once Markus and I verified fingerprints, I did the following:
>
> # Download Markus' public key.
> gpg --recv EB918653
>
> # Create and email per-ID-signatures to each of his email addresses:
> # I specified a well-configured MTA, so that pius didn't try to send
> # directly from my desktop. It asks for a "level"; I choose 3.[*]
> ./pius --mail-host=GOOD_MTA --encrypt --no-pgp-mime \
>   --mail=jim@meyering.net --signer=7FD9FCCB000BEEEE EB918653
>   #      ----------------          ---------------- --------
>   #      my email                  my key           Markus' key
>
> To try it first, sending mail only to myself, I could do this,
> adding the --debug and --override-email=... options on the 2nd line:
>
> ./pius --mail-host=GOOD_MTA --encrypt --no-pgp-mime \
> --debug --override-email=jim@meyering.net \
> --mail=jim@meyering.net --signer=7FD9FCCB000BEEEE EB918653
>
> The former sent two messages to Markus, who has to follow the instructions
> included in each message: decrypt the attached signature, use gpg to
> import it, and then "send" his just-modified (new signature) key
> out to the key servers. It sent two messages because Markus has two
> IDs (name/email pairs) on his key, and I opted to sign both of them:
>
> $ gpg --fingerprint EB918653
> pub   4096R/EB918653 2011-10-07
>       Key fingerprint = 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653
> uid                  Markus Armbruster <armbru@redhat.com>
> uid                  Markus Armbruster <armbru@pond.sub.org>
> sub   4096R/26B7449C 2011-10-07
>
> So once Markus receives those two messages and does the decrypt/import/send
> dance, only *then* do my signatures of his key appear on the public key
> servers. Since they were encrypted and sent individually, they can appear
> in public only if Markus really does control both of those addresses at
> the time of signing. IMHO, it's better to sign all IDs, as long as they
> look reasonable.
>
> Jim
>
> [*] pius asks "Have you verified this user/key, and if so, what level do
> you want to sign at? (0/1/2/3/N/q) [default: N]". IMHO, it doesn't
> matter if you use 2 or 3. Some tools don't even ask.
[resuming first email]
>
> ---------------------
> Save the script below as cross-sign and make it executable.
> Then you can run it with a single argument, your gpg key ID,
> to see the gaps in the WoT, just considering the participants
> in the recent kvm/virt-devel key signing:
>
> ./cross-sign YOUR_GPG_KEY_ID
>
> To see how things look using your own key-ring, run it like this:
>
> env use_temp_keyring=n ./cross-sign YOUR_GPG_KEY_ID
>
> The only reason it'd look different with your key-ring is if you had
> signed locally and forgotten to run gpg --send-key ID for each key
> you'd signed.
>
> That is relatively slow because it runs gpg --refresh ...
> If you've already done that, you can run it like this:
>
> env use_temp_keyring=n refresh=n ./cross-sign YOUR_GPG_KEY_ID
cross-sign:
=========
#!/bin/bash
ME=${0##*/}
case $# in
  1) my_id=$1 ;;
  *) echo "Usage: $ME YOUR_GPG_KEY_ID" 1>&2; exit 1;;
esac

: ${use_temp_keyring=y}
: ${refresh=y}

# Key IDs of the people who participated in the kvm gpg key-signing.
keys='3bb08b22 2527436a eb918653 6a56d670 3e7e013f f83fa044 d3e87138
fe702db5 241786dd 39bcff63 d018682b 7c18c076 5682e5ff 14360cde c03363f4
74ff0269 afbe8e67 c88f2fd6 aaa7a078 0bd1fee1 7ae5e714 854083b6 f108b584
81ab73c8 c11804f0 4aa920d7'

# Given gpg --list-sig ... output, print only those lines that start
# with "uid" and contain an "@"; print each unique name only once.
uid_name_filter() { grep '^uid.*@' | sort -t'<' -u -k1,1 | sed 's/^uid */ /'; }

if test "$use_temp_keyring" = y; then
  # Create a temporary directory in which to download keys.
  export GNUPGHOME=$(mktemp -d)
  # Remove it upon interrupt and upon normal termination.
  for sig in 1 2 3 13 15; do eval "trap 'exit $(expr $sig + 128)' $sig"; done
  trap 'rm -fr "$GNUPGHOME"' 0
  # Use a server that's better than the default.
  echo keyserver hkp://pool.sks-keyservers.net > "$GNUPGHOME/gpg.conf"
  # Get latest keys/signatures from key servers.
  gpg --recv-keys $(echo $keys)
else
  test "$refresh" = y \
    && gpg --refresh-keys $(echo $keys)
fi

echo who appears not to have signed $my_id:
s=$(gpg --list-sig $my_id)
# grep -i: gpg prints key IDs in upper case, the list above is lower case.
gpg --list-keys \
  $(for i in $(echo $keys); do echo "$s" | grep -qi $i || echo $i; done) \
  | uid_name_filter

echo
echo who has not yet uploaded a signature by $my_id on their key:
for i in $(echo $keys); do
  gpg --list-sig $i | grep -qi $my_id || gpg --list-key $i
done | uid_name_filter
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
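The cross-sign script above greps gpg's human-readable listing, which is fine for a one-off but fragile (the uid layout differs between gpg versions, and a revoked signature still matches). The following is an added example, not code from the thread or from the cross-sign script, that makes the same two checks from the machine-readable output of `gpg --with-colons --list-sigs KEYID`, using the documented field layout (field 1 record type, field 5 key ID, field 10 user ID, field 11 signature class). It goes one step further than the script by reporting, per participant, which of their user IDs still lacks your signature, which matters because pius mails one signature per user ID and the owner may import only some of them. The listings are constructed so it runs offline: only the Armbruster and Meyering key IDs and Markus' fingerprint come from the thread; the "Alice" and "Bob" keys, the HASH placeholders and all dates are invented.

```python
"""Cross-check a key-signing party from gpg --with-colons --list-sigs output.

Added example, not from the thread. Field layout assumed: field 1 record
type, field 5 key ID, field 10 user ID, field 11 signature class.
"""
from collections import OrderedDict

# OpenPGP certification classes 0x10-0x13 (generic, persona, casual, positive).
CERT_CLASSES = ("10", "11", "12", "13")

# Constructed listings keyed by long key ID. Only the Armbruster and Meyering
# IDs and Markus' fingerprint are real; Alice, Bob, HASH and dates are invented.
LISTINGS = {
    "7FD9FCCB000BEEEE": """\
pub:u:4096:1:7FD9FCCB000BEEEE:2011-10-01:::u:::scESC:
uid:u::::2011-10-01::HASH::Jim Meyering <jim@meyering.net>:
sig:::1:7FD9FCCB000BEEEE:2011-10-01::::Jim Meyering <jim@meyering.net>:13x:
sig:::1:3870B400EB918653:2011-10-20::::Markus Armbruster <armbru@redhat.com>:13x:
sig:::1:AAAAAAAA11111111:2011-10-21::::Alice Example <alice@example.org>:12x:
""",
    "3870B400EB918653": """\
pub:u:4096:1:3870B400EB918653:2011-10-07:::u:::scESC:
fpr:::::::::354BC8B3D7EB2A6B68674E5F3870B400EB918653:
uid:u::::2011-10-07::HASH::Markus Armbruster <armbru@redhat.com>:
sig:::1:3870B400EB918653:2011-10-07::::Markus Armbruster <armbru@redhat.com>:13x:
sig:::1:7FD9FCCB000BEEEE:2011-10-19::::Jim Meyering <jim@meyering.net>:13x:
uid:u::::2011-10-07::HASH::Markus Armbruster <armbru@pond.sub.org>:
sig:::1:3870B400EB918653:2011-10-07::::Markus Armbruster <armbru@pond.sub.org>:13x:
""",
    "AAAAAAAA11111111": """\
pub:u:2048:1:AAAAAAAA11111111:2011-10-02:::u:::scESC:
uid:u::::2011-10-02::HASH::Alice Example <alice@example.org>:
sig:::1:AAAAAAAA11111111:2011-10-02::::Alice Example <alice@example.org>:13x:
sig:::1:7FD9FCCB000BEEEE:2011-10-19::::Jim Meyering <jim@meyering.net>:13x:
""",
    "BBBBBBBB22222222": """\
pub:u:2048:1:BBBBBBBB22222222:2011-10-03:::u:::scESC:
uid:u::::2011-10-03::HASH::Bob Example <bob@example.org>:
sig:::1:BBBBBBBB22222222:2011-10-03::::Bob Example <bob@example.org>:13x:
sig:::1:7FD9FCCB000BEEEE:2011-10-19::::Jim Meyering <jim@meyering.net>:13x:
rev:::1:7FD9FCCB000BEEEE:2011-10-22::::Jim Meyering <jim@meyering.net>:30x:
""",
}


def parse_listing(text):
    """Map each user ID on a key (listing order) to the long key IDs holding a
    live certification on it. A `rev` record by a signer withdraws that
    signer's certification (revocations follow the signature they revoke)."""
    sigs = OrderedDict()
    current = None  # user ID the following sig/rev records belong to
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "uid" and len(f) > 9:
            current = f[9]
            sigs.setdefault(current, set())
        elif f[0] in ("sig", "rev") and current is not None and len(f) > 10:
            signer = f[4].upper()
            if f[0] == "sig" and f[10][:2] in CERT_CLASSES:
                sigs[current].add(signer)
            elif f[0] == "rev":
                sigs[current].discard(signer)
    return sigs


def long_id(key_id, listings):
    """Resolve an 8- or 16-hex ID (any case) by suffix, as gpg itself does."""
    matches = [k for k in listings if k.endswith(key_id.upper())]
    if len(matches) != 1:
        raise KeyError("key ID %r is not unique among participants" % key_id)
    return matches[0]


def not_signed_my_key(my_id, listings):
    """Participants with no live certification on any user ID of my key."""
    mine = long_id(my_id, listings)
    signers = set()
    for s in parse_listing(listings[mine]).values():
        signers |= s
    return sorted(k for k in listings if k != mine and k not in signers)


def uids_missing_my_signature(my_id, listings):
    """For each other participant, the user IDs not (yet) carrying my signature."""
    mine = long_id(my_id, listings)
    missing = {}
    for k, text in listings.items():
        if k == mine:
            continue
        gaps = [uid for uid, s in parse_listing(text).items() if mine not in s]
        if gaps:
            missing[k] = gaps
    return missing


def report(my_id, listings):
    """The two sections of the cross-sign script, as printable lines."""
    lines = ["who appears not to have signed %s:" % my_id]
    lines += ["  " + next(iter(parse_listing(listings[k])))
              for k in not_signed_my_key(my_id, listings)]
    lines.append("who has not yet uploaded a signature by %s on their key:" % my_id)
    for k, gaps in sorted(uids_missing_my_signature(my_id, listings).items()):
        lines += ["  %s  (uid: %s)" % (k, uid) for uid in gaps]
    return lines


if __name__ == "__main__":
    print("\n".join(report("000BEEEE", LISTINGS)))
```

Feed it real data by replacing each LISTINGS entry with the output of `gpg --with-colons --list-sigs` for that participant (after the same `--recv-keys`/`--refresh-keys` step the script performs). In the sample, Bob shows up in both sections: he has not signed Jim's key, and Jim's signature on Bob's key was later revoked, so the plain `grep -qi` in the script would wrongly count it as present.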