* [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013
@ 2013-07-24 12:50 Anthony Liguori
2013-10-14 11:14 ` Stefan Hajnoczi
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: Anthony Liguori @ 2013-07-24 12:50 UTC (permalink / raw)
To: qemu-devel; +Cc: kvm-devel
I will be hosting a key signing party at this year's KVM Forum.
http://wiki.qemu.org/KeySigningParty2013
Starting for the 1.7 release (begins in December), I will only accept
signed pull requests so please try to attend this event or make
alternative arrangements to have someone sign your key who will attend
the event.
I will also be attending LinuxCon/CloudOpen/Plumbers North America if
anyone wants to have another key signing party at that event and cannot
attend KVM Forum.
Regards,
Anthony Liguori
* Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013
2013-07-24 12:50 [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013 Anthony Liguori
@ 2013-10-14 11:14 ` Stefan Hajnoczi
2013-10-16 2:07 ` Asias He
2013-10-17 22:15 ` Scott Wood
2013-11-12 14:57 ` Peter Maydell
2 siblings, 1 reply; 10+ messages in thread
From: Stefan Hajnoczi @ 2013-10-14 11:14 UTC (permalink / raw)
To: Anthony Liguori; +Cc: Fam Zheng, qemu-devel, kvm-devel
On Wed, Jul 24, 2013 at 2:50 PM, Anthony Liguori <anthony@codemonkey.ws> wrote:
>
> I will be hosting a key signing party at this year's KVM Forum.
>
> http://wiki.qemu.org/KeySigningParty2013
keyserver.cryptnet.net seems broken. I get connection refused when
syncing to it. On port 80 it serves up a default Fedora apache page.
Is there an alternative key server you'd like to use?
Stefan
* Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013
2013-10-14 11:14 ` Stefan Hajnoczi
@ 2013-10-16 2:07 ` Asias He
2013-10-16 7:54 ` Stefan Hajnoczi
0 siblings, 1 reply; 10+ messages in thread
From: Asias He @ 2013-10-16 2:07 UTC (permalink / raw)
To: Stefan Hajnoczi; +Cc: Fam Zheng, qemu-devel, Anthony Liguori, kvm-devel
On Mon, Oct 14, 2013 at 7:14 PM, Stefan Hajnoczi <stefanha@gmail.com> wrote:
>
> On Wed, Jul 24, 2013 at 2:50 PM, Anthony Liguori <anthony@codemonkey.ws> wrote:
> >
> > I will be hosting a key signing party at this year's KVM Forum.
> >
> > http://wiki.qemu.org/KeySigningParty2013
>
> keyserver.cryptnet.net seems broken. I get connection refused when
> syncing to it. On port 80 it serves up a default Fedora apache page.
> Is there an alternative key server you'd like to use?
Same here. Do we have an alternative key server now?
> Stefan
>
--
Asias
* Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013
2013-10-16 2:07 ` Asias He
@ 2013-10-16 7:54 ` Stefan Hajnoczi
2013-10-16 10:13 ` Gerd Hoffmann
0 siblings, 1 reply; 10+ messages in thread
From: Stefan Hajnoczi @ 2013-10-16 7:54 UTC (permalink / raw)
To: Asias He; +Cc: Fam Zheng, qemu-devel, Anthony Liguori, kvm-devel
On Wed, Oct 16, 2013 at 10:07:30AM +0800, Asias He wrote:
> On Mon, Oct 14, 2013 at 7:14 PM, Stefan Hajnoczi <stefanha@gmail.com> wrote:
> >
> > On Wed, Jul 24, 2013 at 2:50 PM, Anthony Liguori <anthony@codemonkey.ws> wrote:
> > >
> > > I will be hosting a key signing party at this year's KVM Forum.
> > >
> > > http://wiki.qemu.org/KeySigningParty2013
> >
> > keyserver.cryptnet.net seems broken. I get connection refused when
> > syncing to it. On port 80 it serves up a default Fedora apache page.
> > Is there an alternative key server you'd like to use?
>
> Same here. Do we have an alternative key server now?
I synced to hkp://pgp.mit.edu.
Key ID: 81AB73C8
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9CA4ABB381AB73C8
Stefan
* Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013
2013-10-16 7:54 ` Stefan Hajnoczi
@ 2013-10-16 10:13 ` Gerd Hoffmann
0 siblings, 0 replies; 10+ messages in thread
From: Gerd Hoffmann @ 2013-10-16 10:13 UTC (permalink / raw)
To: Stefan Hajnoczi
Cc: Asias He, Fam Zheng, qemu-devel, Anthony Liguori, kvm-devel
Hi,
> I synced to hkp://pgp.mit.edu.
>
> Key ID: 81AB73C8
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9CA4ABB381AB73C8
I think the key servers sync to each other anyway,
so it doesn't matter much which one you pick.
cheers,
Gerd
* Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013
2013-07-24 12:50 [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013 Anthony Liguori
2013-10-14 11:14 ` Stefan Hajnoczi
@ 2013-10-17 22:15 ` Scott Wood
2013-11-12 14:57 ` Peter Maydell
2 siblings, 0 replies; 10+ messages in thread
From: Scott Wood @ 2013-10-17 22:15 UTC (permalink / raw)
To: Anthony Liguori; +Cc: qemu-devel, kvm-devel
On Wed, 2013-07-24 at 07:50 -0500, Anthony Liguori wrote:
> I will be hosting a key signing party at this year's KVM Forum.
>
> http://wiki.qemu.org/KeySigningParty2013
>
> Starting for the 1.7 release (begins in December), I will only accept
> signed pull requests so please try to attend this event or make
> alternative arrangements to have someone sign your key who will attend
> the event.
>
> I will also be attending LinuxCon/CloudOpen/Plumbers North America if
> anyone wants to have another key signing party at that event and cannot
> attend KVM Forum.
The wiki still says "Day/Room TBD" and I don't see it on the published
KVM Forum schedule. Has this been determined yet?
-Scott
* Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013
2013-07-24 12:50 [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013 Anthony Liguori
2013-10-14 11:14 ` Stefan Hajnoczi
2013-10-17 22:15 ` Scott Wood
@ 2013-11-12 14:57 ` Peter Maydell
2013-11-12 15:18 ` Gabriel L. Somlo
2 siblings, 1 reply; 10+ messages in thread
From: Peter Maydell @ 2013-11-12 14:57 UTC (permalink / raw)
To: Anthony Liguori; +Cc: QEMU Developers, kvm-devel
On 24 July 2013 13:50, Anthony Liguori <anthony@codemonkey.ws> wrote:
>
> I will be hosting a key signing party at this year's KVM Forum.
>
> http://wiki.qemu.org/KeySigningParty2013
Can somebody provide known-good instructions for how to
sign and return keys? I looked on the web and found four
different possible ways to do this (most notably, there
seems to be a split between "just send keys back to
the keyserver" and "email something to the keyowner"),
and as usual gpg's UI is hopelessly opaque and confusing :-(
thanks
-- PMM
* Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013
2013-11-12 14:57 ` Peter Maydell
@ 2013-11-12 15:18 ` Gabriel L. Somlo
2013-11-12 15:42 ` Eric Blake
0 siblings, 1 reply; 10+ messages in thread
From: Gabriel L. Somlo @ 2013-11-12 15:18 UTC (permalink / raw)
To: Peter Maydell; +Cc: QEMU Developers, Anthony Liguori, kvm-devel
Peter,
On Tue, Nov 12, 2013 at 02:57:36PM +0000, Peter Maydell wrote:
> Can somebody provide known-good instructions for how to
> sign and return keys? I looked on the web and found four
> different possible ways to do this (most notably, there
> seems to be a split between "just send keys back to
> the keyserver" and "email something to the keyowner"),
> and as usual gpg's UI is hopelessly opaque and confusing :-(
I've pasted my key-signing bash script below. At the (few) key signing
parties I've been to, the idea was "upload to keyserver as a personal
favor to those you already know and like, email signatures encrypted
with the recipient's key to those you've only just met at the party".
Assuming a text file with one key signature per line, the bits that
are commented out were used to import keys and display fingerprints
for comparison with the stuff we had printed on paper and verified at
the party. The uncommented bits will do the signature export,
encryption with the recipient's key, and emailing.
HTH,
--Gabriel
#!/bin/bash
for F in $(cat fingerprints.txt); do
    # receive keys matching ID $F:
    #gpg --recv-keys $F
    # list fingerprint for key matching ID $F:
    #gpg --fingerprint $F
    # sign key matching ID $F:
    #gpg --sign-key $F
    # send signature to recipient matching first uid, encrypted with recipient key
    E=$(gpg --list-key $F | grep ^uid | head -1 | sed 's/.*<\(.*\)>.*/\1/')
    gpg --armor --export $F | gpg --armor --encrypt -r $F | \
        mailx -r gsomlo@gmail.com -s "the signature you requested (by $F)" $E
    echo "sent signature $F $E"
done
* Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013
2013-11-12 15:18 ` Gabriel L. Somlo
@ 2013-11-12 15:42 ` Eric Blake
2013-11-12 15:48 ` Peter Maydell
0 siblings, 1 reply; 10+ messages in thread
From: Eric Blake @ 2013-11-12 15:42 UTC (permalink / raw)
To: Gabriel L. Somlo, Peter Maydell
Cc: QEMU Developers, Anthony Liguori, kvm-devel
On 11/12/2013 08:18 AM, Gabriel L. Somlo wrote:
> Peter,
>
> On Tue, Nov 12, 2013 at 02:57:36PM +0000, Peter Maydell wrote:
>> Can somebody provide known-good instructions for how to
>> sign and return keys? I looked on the web and found four
>> different possible ways to do this (most notably, there
>> seems to be a split between "just send keys back to
>> the keyserver" and "email something to the keyowner"),
>> and as usual gpg's UI is hopelessly opaque and confusing :-(
>
> I've pasted my key-signing bash script below. At the (few) key signing
> parties I've been to, the idea was "upload to keyserver as a personal
> favor to those you already know and like, email signatures encrypted
> with the recipient's key to those you've only just met at the party".
>
> Assuming a text file with one key signature per line, the bits that
> are commented out were used to import keys and display fingerprints
> for comparison with the stuff we had printed on paper and verified at
> the party. The uncommented bits will do the signature export,
> encryption with the recipient's key, and emailing.
Similarly, here's some advice I've used after previous key-signing
parties; I personally like how 'pius' automates the sending of
signatures to other recipients.
On 10/19/2011 09:56 AM, Jim Meyering wrote:
> You may want to know which of our colleagues have found time
> to handle their side of the key-signing deal.
>
> There are two interesting sets:
> - who has signed your key (either they uploaded it themselves,
> or they sent it to you and you processed it: import and upload)
> - who has uploaded your signature of their key (assuming you signed
> and mailed it to them)
>
> We want the complement of each set to be empty.
> I.e., each participant should do both things.
> Run the following script to list those who have not yet found the time.
>
> If you get stuck, reply here or ping me on IRC and I'll try to help.
> As a reminder, the recommended signing procedure was described here,
> in the "Signing GPG keys" section:
[replacing private URL with its contents:]
>
> I have a slight preference for pius over caff:
> http://www.phildev.net/pius/
> so I use it in the example below: (download sources)
> http://sourceforge.net/projects/pgpius/files/pius/2.0.9/
>
> Once Markus and I verified fingerprints, I did the following:
>
> # Download Markus' public key.
> gpg --recv EB918653
>
> # Create and email per-ID-signatures to each of his email addresses:
> # I specified a well-configured MTA, so that pius didn't try to send
> # directly from my desktop. It asks for a "level"; I choose 3.[*]
> ./pius --mail-host=GOOD_MTA --encrypt --no-pgp-mime \
> --mail=jim@meyering.net --signer=7FD9FCCB000BEEEE EB918653
> # ---------------- ---------------- --------
> # my email my key Markus' key
>
> To try it first, sending mail only to myself, I could do this,
> adding the --debug and --override-email=... options on the 2nd line:
>
> ./pius --mail-host=GOOD_MTA --encrypt --no-pgp-mime \
> --debug --override-email=jim@meyering.net \
> --mail=jim@meyering.net --signer=7FD9FCCB000BEEEE EB918653
>
> The former sent two messages to Markus, who has to follow the instructions
> included in each message: decrypt the attached signature, use gpg to
> import it, and then "send" his just-modified (new signature) key
> out to the key servers. It sent two messages because Markus has two
> IDs (name/email pairs) on his key, and I opted to sign both of them:
>
> $ gpg --fingerprint EB918653
> pub 4096R/EB918653 2011-10-07
> Key fingerprint = 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653
> uid Markus Armbruster <armbru@redhat.com>
> uid Markus Armbruster <armbru@pond.sub.org>
> sub 4096R/26B7449C 2011-10-07
>
> So once Markus receives those two messages and does the decrypt/import/send
> dance, only *then* do my signatures of his key appear on the public key
> servers. Since they were encrypted and sent individually, they can appear
> in public only if Markus really does control both of those addresses at
> the time of signing. IMHO, it's better to sign all IDs, as long as they
> look reasonable.
>
> Jim
>
> [*] pius asks "Have you verified this user/key, and if so, what level do
> you want to sign at? (0/1/2/3/N/q) [default: N]". IMHO, it doesn't
> matter if you use 2 or 3. Some tools don't even ask.
[resuming first email]
>
> ---------------------
> Save the script below as cross-sign and make it executable.
> Then you can run it with a single argument, your gpg key ID,
> to see the gaps in the WoT, just considering the participants
> in the recent kvm/virt-devel key signing:
>
> ./cross-sign YOUR_GPG_KEY_ID
>
> To see how things look using your own key-ring, run it like this:
>
> env use_temp_keyring=n ./cross-sign YOUR_GPG_KEY_ID
>
> The only reason it'd look different with your key-ring is if you had
> signed locally and forgotten to run gpg --send-key ID for each key
> you'd signed.
>
> That is relatively slow because it runs gpg --refresh ...
> If you've already done that, you can run it like this:
>
> env use_temp_keyring=n refresh=n ./cross-sign YOUR_GPG_KEY_ID
cross-sign:
=========
#!/bin/bash
ME=${0##*/}
case $# in
  1) my_id=$1 ;;
  *) echo "Usage: $ME YOUR_GPG_KEY_ID" 1>&2; exit 1;;
esac
: ${use_temp_keyring=y}
: ${refresh=y}
# Key IDs of the people who participated in the kvm gpg key-signing.
keys='3bb08b22 2527436a eb918653 6a56d670 3e7e013f f83fa044 d3e87138
fe702db5 241786dd 39bcff63 d018682b 7c18c076 5682e5ff 14360cde c03363f4
74ff0269 afbe8e67 c88f2fd6 aaa7a078 0bd1fee1 7ae5e714 854083b6 f108b584
81ab73c8 c11804f0 4aa920d7'
# Given gpg --list-sig ... output, print only those lines that start
# with "uid" and contain an "@"; print each unique name only once.
uid_name_filter() { grep '^uid.*@' | sort -t'<' -u -k1,1 | sed 's/^uid */ /'; }
if test "$use_temp_keyring" = y; then
  # Create a temporary directory in which to download keys.
  export GNUPGHOME=$(mktemp -d)
  # Remove it upon interrupt and upon normal termination.
  for sig in 1 2 3 13 15; do eval "trap 'exit $(expr $sig + 128)' $sig"; done
  trap 'rm -fr "$GNUPGHOME"' 0
  # Use a server that's better than the default.
  echo keyserver hkp://pool.sks-keyservers.net > "$GNUPGHOME/gpg.conf"
  # Get latest keys/signatures from key servers.
  gpg --recv-keys $(echo $keys)
else
  test "$refresh" = y \
    && gpg --refresh-keys $(echo $keys)
fi
echo who appears not to have signed $my_id:
s=$(gpg --list-sig $my_id)
gpg --list-keys \
    $(for i in $(echo $keys); do echo "$s" | grep -q $i || echo $i; done) \
  | uid_name_filter
echo
echo who has not yet uploaded a signature by $my_id on their key:
for i in $(echo $keys); do
  gpg --list-sig $i | grep -qi $my_id || gpg --list-key $i
done | uid_name_filter
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
* Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013
2013-11-12 15:42 ` Eric Blake
@ 2013-11-12 15:48 ` Peter Maydell
0 siblings, 0 replies; 10+ messages in thread
From: Peter Maydell @ 2013-11-12 15:48 UTC (permalink / raw)
To: Eric Blake; +Cc: Gabriel L. Somlo, QEMU Developers, Anthony Liguori, kvm-devel
On 12 November 2013 15:42, Eric Blake <eblake@redhat.com> wrote:
> I personally like how 'pius' automates the sending of
> signatures to other recipients.
I had a look at 'pius' since some of the signed-key
emails I've received used it; however I couldn't find
any way to make it write the emails to a file for
sending elsewhere (my machine with the gpg key has
no external SMTP access). Similarly, 'caff' claims
to support that but doesn't actually seem to in
practice.
-- PMM