From: Eric Blake
Date: Tue, 12 Nov 2013 08:42:20 -0700
To: "Gabriel L. Somlo", Peter Maydell
Cc: QEMU Developers, Anthony Liguori, kvm-devel
Subject: Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013
Message-ID: <52824C5C.3010802@redhat.com>

On 11/12/2013 08:18 AM, Gabriel L. Somlo wrote:
> Peter,
>
> On Tue, Nov 12, 2013 at 02:57:36PM +0000, Peter Maydell wrote:
>> Can somebody provide known-good instructions for how to
>> sign and return keys? I looked on the web and found four
>> different possible ways to do this (most notably, there
>> seems to be a split between "just send keys back to
>> the keyserver" and "email something to the keyowner"),
>> and as usual gpg's UI is hopelessly opaque and confusing :-(
>
> I've pasted my key-signing bash script below. At the (few) key signing
> parties I've been to, the idea was "upload to keyserver as a personal
> favor to those you already know and like, email signatures encrypted
> with the recipient's key to those you've only just met at the party".
>
> Assuming a text file with one key signature per line, the bits that
> are commented out were used to import keys and display fingerprints
> for comparison with the stuff we had printed on paper and verified at
> the party. The uncommented bits will do the signature export,
> encryption with the recipient's key, and emailing.

Similarly, here's some advice I've used after previous key-signing
parties; I personally like how 'pius' automates the sending of
signatures to other recipients.

On 10/19/2011 09:56 AM, Jim Meyering wrote:
> You may want to know which of our colleagues have found time
> to handle their side of the key-signing deal.
>
> There are two interesting sets:
> - who has signed your key (either they uploaded it themselves,
>   or they sent it to you and you processed it: import and upload)
> - who has uploaded your signature of their key (assuming you signed
>   and mailed it to them)
>
> We want the complement of each set to be empty.
> I.e., each participant should do both things.
> Run the following script to list those who have not yet found the time.
>
> If you get stuck, reply here or ping me on IRC and I'll try to help.
> As a reminder, the recommended signing procedure was described here,
> in the "Signing GPG keys" section:

[replacing private URL with its contents:]

> I have a slight preference for pius over caff:
> http://www.phildev.net/pius/
> so I use it in the example below: (download sources)
> http://sourceforge.net/projects/pgpius/files/pius/2.0.9/
>
> Once Markus and I verified fingerprints, I did the following:
>
> # Download Markus' public key.
> gpg --recv EB918653
>
> # Create and email per-ID-signatures to each of his email addresses:
> # I specified a well-configured MTA, so that pius didn't try to send
> # directly from my desktop. It asks for a "level"; I choose 3.[*]
> ./pius --mail-host=GOOD_MTA --encrypt --no-pgp-mime \
>   --mail=jim@meyering.net --signer=7FD9FCCB000BEEEE EB918653
>   # ----------------       ----------------         --------
>   # my email               my key                   Markus' key
>
> To try it first, sending mail only to myself, I could do this,
> adding the --debug and --override-email=... options on the 2nd line:
>
> ./pius --mail-host=GOOD_MTA --encrypt --no-pgp-mime \
>   --debug --override-email=jim@meyering.net \
>   --mail=jim@meyering.net --signer=7FD9FCCB000BEEEE EB918653
>
> The former sent two messages to Markus, who has to follow the instructions
> included in each message: decrypt the attached signature, use gpg to
> import it, and then "send" his just-modified (new signature) key
> out to the key servers. It sent two messages because Markus has two
> IDs (name/email pairs) on his key, and I opted to sign both of them:
>
> $ gpg --fingerprint EB918653
> pub   4096R/EB918653 2011-10-07
>       Key fingerprint = 354B C8B3 D7EB 2A6B 6867 4E5F 3870 B400 EB91 8653
> uid                  Markus Armbruster
> uid                  Markus Armbruster
> sub   4096R/26B7449C 2011-10-07
>
> So once Markus receives those two messages and does the decrypt/import/send
> dance, only *then* do my signatures of his key appear on the public key
> servers. Since they were encrypted and sent individually, they can appear
> in public only if Markus really does control both of those addresses at
> the time of signing. IMHO, it's better to sign all IDs, as long as they
> look reasonable.
>
> Jim
>
> [*] pius asks "Have you verified this user/key, and if so, what level do
> you want to sign at? (0/1/2/3/N/q) [default: N]". IMHO, it doesn't
> matter if you use 2 or 3. Some tools don't even ask.

[resuming first email]

> ---------------------
> Save the script below as cross-sign and make it executable.
> Then you can run it with a single argument, your gpg key ID,
> to see the gaps in the WoT, just considering the participants
> in the recent kvm/virt-devel key signing:
>
>   ./cross-sign YOUR_GPG_KEY_ID
>
> To see how things look using your own key-ring, run it like this:
>
>   env use_temp_keyring=n ./cross-sign YOUR_GPG_KEY_ID
>
> The only reason it'd look different with your key-ring is if you had
> signed locally and forgotten to run gpg --send-key ID for each key
> you'd signed.
>
> That is relatively slow because it runs gpg --refresh ...
> If you've already done that, you can run it like this:
>
>   env use_temp_keyring=n refresh=n ./cross-sign YOUR_GPG_KEY_ID

cross-sign:
=========
#!/bin/bash
ME=${0##*/}

case $# in
  1) my_id=$1 ;;
  *) echo "Usage: $ME YOUR_GPG_KEY_ID" 1>&2; exit 1;;
esac

# Both knobs default to "y"; override them in the environment, as above.
: ${use_temp_keyring=y}
: ${refresh=y}

# Key IDs of the people who participated in the kvm gpg key-signing.
keys='3bb08b22 2527436a eb918653 6a56d670 3e7e013f f83fa044 d3e87138
fe702db5 241786dd 39bcff63 d018682b 7c18c076 5682e5ff 14360cde c03363f4
74ff0269 afbe8e67 c88f2fd6 aaa7a078 0bd1fee1 7ae5e714 854083b6 f108b584
81ab73c8 c11804f0 4aa920d7'

# Given gpg --list-sig ... output, print only those lines that start
# with "uid" and contain an "@"; print each unique name only once.
uid_name_filter() { grep '^uid.*@' | sort -t'<' -u -k1,1 | sed 's/^uid */  /'; }

if test "$use_temp_keyring" = y; then
  # Create a temporary directory in which to download keys.
  export GNUPGHOME=$(mktemp -d)
  # Remove it upon interrupt and upon normal termination.
  for sig in 1 2 3 13 15; do eval "trap 'exit $(expr $sig + 128)' $sig"; done
  trap 'rm -fr "$GNUPGHOME"' 0
  # Use a server that's better than the default.
  # (The SKS pool named here has since been shut down; substitute a
  # keyserver that is still operating before running this.)
  echo keyserver hkp://pool.sks-keyservers.net > "$GNUPGHOME/gpg.conf"
  # Get latest keys/signatures from key servers.
  gpg --recv-keys $(echo $keys)
else
  test "$refresh" = y \
    && gpg --refresh-keys $(echo $keys)
fi

echo who appears not to have signed $my_id:
s=$(gpg --list-sig $my_id)
# gpg prints key IDs in upper case while $keys is lower case, so the
# match must be case-insensitive (as it already is in the loop below).
gpg --list-keys \
    $(for i in $(echo $keys); do echo "$s" | grep -qi $i || echo $i; done) \
  | uid_name_filter

echo
echo who has not yet uploaded a signature by $my_id on their key:
for i in $(echo $keys); do
  gpg --list-sig $i | grep -qi $my_id || gpg --list-key $i
done | uid_name_filter

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
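Jim's cross-sign script greps the human-readable `gpg --list-sig` output for 8-hex-digit short key IDs, which match as substrings and, being only 32 bits, can be shared by more than one key, so a signature can be credited to the wrong participant. The script below is an added example for this thread, not Jim's or Eric's code: it performs the same two complement checks (who has not signed my key, whose key does not yet carry my signature) over the machine-readable `gpg --with-colons --list-sigs` output, using 16-digit long key IDs compared exactly. The listing, the key IDs, the names and the participant list are all constructed for the example; in real use, pipe `gpg --with-colons --list-sigs $PARTICIPANTS` into the two functions instead of the sample.

```shell
#!/bin/sh
# Added example (not from the thread): the two cross-sign checks done over
# `gpg --with-colons --list-sigs` output, matching 16-digit long key IDs
# exactly instead of grepping 8-digit short IDs as substrings.

# Long key IDs of the party's participants. Constructed for this example.
PARTICIPANTS='A1A1A1A1A1A1A1A1 B2B2B2B2B2B2B2B2 C3C3C3C3C3C3C3C3'

# Constructed sample of `gpg --with-colons --list-sigs` output for those
# three keys. In a sig record, field 5 is the signer's long key ID, field
# 10 the signer's user ID and field 11 the signature class. Real output has
# further record types (fpr, sub, rev), which the parser below ignores.
SAMPLE_LISTING='pub:u:4096:1:A1A1A1A1A1A1A1A1:1317976000:::u:::scESC::::::23::0:
uid:u::::1317976000::X::Alice Example <alice@example.org>::::::::::0:
sig:::1:A1A1A1A1A1A1A1A1:1317976000::::Alice Example <alice@example.org>:13x:::::2:
sig:::1:B2B2B2B2B2B2B2B2:1318000000::::Bob Example <bob@example.org>:10x:::::2:
pub:u:4096:1:B2B2B2B2B2B2B2B2:1317976000:::u:::scESC::::::23::0:
uid:u::::1317976000::X::Bob Example <bob@example.org>::::::::::0:
sig:::1:B2B2B2B2B2B2B2B2:1317976000::::Bob Example <bob@example.org>:13x:::::2:
sig:::1:A1A1A1A1A1A1A1A1:1318000000::::Alice Example <alice@example.org>:10x:::::2:
sig:::1:C3C3C3C3C3C3C3C3:1318000000::::Carol Example <carol@example.org>:10x:::::2:
pub:u:4096:1:C3C3C3C3C3C3C3C3:1317976000:::u:::scESC::::::23::0:
uid:u::::1317976000::X::Carol Example <carol@example.org>::::::::::0:
sig:::1:C3C3C3C3C3C3C3C3:1317976000::::Carol Example <carol@example.org>:13x:::::2:'

# Read a colon listing on stdin; print one "SIGNER_KEYID SIGNED_KEYID" pair
# per third-party signature. Self-signatures (including subkey bindings,
# which also carry the owner's key ID) are skipped.
sig_pairs() {
    awk -F: '
        $1 == "pub" { key = $5 }
        $1 == "sig" && key != "" && $5 != key { print $5, key }
    '
}

# Print the participants other than $1 that do NOT appear in $2, a
# newline-separated list of key IDs. grep -x makes the match exact, so a
# short ID can never match inside a longer one.
complement() {
    for p in $PARTICIPANTS; do
        [ "$p" = "$1" ] && continue
        printf '%s\n' "$2" | grep -qx "$p" || echo "$p"
    done
}

# Usage: gpg --with-colons --list-sigs $PARTICIPANTS | missing_signers MY_KEYID
# Participants whose signature is not (yet) on my key.
missing_signers() {
    complement "$1" "$(sig_pairs | awk -v k="$1" '$2 == k { print $1 }')"
}

# Usage: gpg --with-colons --list-sigs $PARTICIPANTS | missing_uploads MY_KEYID
# Participants whose key does not (yet) carry a signature by my key.
missing_uploads() {
    complement "$1" "$(sig_pairs | awk -v k="$1" '$1 == k { print $2 }')"
}

# Demonstration on the constructed listing, from Alice's point of view.
echo 'who has not signed A1A1A1A1A1A1A1A1:'
printf '%s\n' "$SAMPLE_LISTING" | missing_signers A1A1A1A1A1A1A1A1
echo 'who does not yet carry a signature by A1A1A1A1A1A1A1A1:'
printf '%s\n' "$SAMPLE_LISTING" | missing_uploads A1A1A1A1A1A1A1A1
```

The awk in sig_pairs keys every sig record to the most recent pub record, so the listing can cover all participants in one gpg invocation; the parser relies only on the documented field positions of the colon format, which are stable across gpg versions, whereas the column layout of the human-readable output is not.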