qemu-devel.nongnu.org archive mirror
From: Eric Blake <eblake@redhat.com>
To: Peter Maydell <peter.maydell@linaro.org>,
	QEMU Developers <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] Key signing party at KVM Forum 2017
Date: Fri, 27 Oct 2017 21:36:48 +0200
Message-ID: <c890a67d-2481-e946-72d5-fe5c22acd837@redhat.com>
In-Reply-To: <CAFEAcA_0S6T768-60MVkXP1Y0MpmOzTQr8p-N_W1PhbG_n2d-Q@mail.gmail.com>


[-- Attachment #1.1: Type: text/plain, Size: 1843 bytes --]

On 10/16/2017 07:19 PM, Peter Maydell wrote:
> It looks like at least five people whose keys I'd like to sign
> are going to be at KVM Forum this year, so it seems worth having
> a proper key signing party rather than just me ad-hoc finding
> people and checking their ID. I am particularly interested
> in signing keys for people who are or expect they might be
> sending me pull requests.

Thanks again to Peter for hosting this key signing party.

Now that the 14 participants (presumably) have the paper with 2
checkmarks per entry (one that the person claiming the key(s) read their
personal notation and it matched what your master sheet says, the other
that you were happy with the id provided by that person), the next step
is to sign those 16 keys and either upload your signature, or to send an
encrypted mail to the key owner and have them upload your signature.
The latter is arguably a better assurance that the system worked; the
pius application can help with that, although it is not mandatory and
you can use direct gpg commands instead. (For those following along that
were not in the party, yes, we had 2 more keys than participants, as a
couple of participants had 2 keys that they wanted signed)

I'm attaching a bash script that I used to see which signatures I still
need to follow up on (both where someone has not yet signed my key, and
where I need to send my signature to someone); as usual, please
double-check it before blindly running it.

If you want more help running pius for signing and sending the signed
key to a particular recipient, see a previous mail of mine on the topic:

https://lists.gnu.org/archive/html/qemu-devel/2013-11/msg01477.html

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

[-- Attachment #1.2: cross-sign --]
[-- Type: text/plain, Size: 1764 bytes --]

#!/bin/bash
# Cross-check for key-signing party followup
# Currently tuned for KVM Forum 2017

ME=${0##*/}

case $# in
  1) my_id=$1 ;;
  *) echo "Usage: $ME YOUR_GPG_KEY_ID" 1>&2; exit 1;;
esac

: ${use_temp_keyring=y}
: ${refresh=y}

# Key IDs of the people who participated in the kvm gpg key-signing.
keys='
be86ebb415104fdf
a7a16b4a2527436a
b90bc7abe7c41e65
0d8721d82838c7d8
0516331ebc5bfde7
ad1270cc4dd0279b
64df38e8af7e215f
9ca4abb381ab73c8
71d4d5e5822f73d6
dae8e10975969ce5
5bca8ae0f14191d4
3c2525ed14360cde
df32e7c0f0fff9a2
f407db0061d5cf40
7f09b272c88f2fd6
ca35624c6a9171c6
'

# Given gpg --list-sig ... output, print only those lines that start
# with "uid" and contain an "@"; print each unique name only once.
uid_name_filter() { grep '^uid.*@' | sort -t'<' -u -k1,1 |
			sed 's/^uid[[:space:]]*/  /'; }

if test "$use_temp_keyring" = y; then
  # Create a temporary directory in which to download keys.
  export GNUPGHOME=$(mktemp -d)

  # Remove it upon interrupt and upon normal termination.
  for sig in 1 2 3 13 15; do
    eval "trap 'exit $(expr $sig + 128)' $sig"
  done
  trap 'rm -fr "$GNUPGHOME"' 0

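  # Use a server that's better than the default.
  # (The SKS keyserver pool was retired in 2021; substitute a keyserver
  # you can reach before running this today.)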
  echo keyserver hkp://pool.sks-keyservers.net > "$GNUPGHOME/gpg.conf"

  # Get latest keys/signatures from key servers.
  gpg --recv-keys $(echo $keys)
else
  test "$refresh" = y \
    && gpg --refresh-keys $(echo $keys)
fi

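echo
echo "who appears not to have signed $my_id:"
s=$(gpg --list-sigs "$my_id")
# Collect the party keys that show no signature on $my_id.
missing=$(for i in $(echo $keys); do
            echo "$s" | grep -qi "$i" || echo "$i"
          done)
# With no key IDs at all, gpg --list-keys prints the whole keyring, so
# only call it when at least one signature is actually missing.
if test -n "$missing"; then
  gpg --list-keys $missing | uid_name_filter
fi
echo

echo "who has not yet uploaded a signature by $my_id on their key:"
for i in $(echo $keys); do
  gpg --list-sigs "$i" | grep -qi "$my_id" || gpg --list-keys "$i"
done | uid_name_filter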

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 619 bytes --]
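
Added example, not part of the original mail or its attachment: the same "who has not signed this key" check, run against gpg's machine-readable --with-colons listing instead of grepping the human-readable output. Unlike the attached script, it does not count local-only or later-revoked signatures as done. The function names, key IDs and listing are constructed for illustration.

```bash
#!/bin/bash
# Added example: list expected signers that have no exportable, unrevoked
# certification in `gpg --with-colons --list-sigs KEY` output.

# Constructed sample listing (placeholder key IDs, not real keys).
# Fields used: $1 record type, $5 signer key ID, $6 creation time,
# $11 signature class followed by x (exportable) or l (local-only).
sample_listing() {
cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC::::::23::0:
uid:u::::1400000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1400000000::::Alice Example <alice@example.org>:13x:::::8:
sig:::1:BBBBBBBBBBBBBBBB:1509000000::::Bob Example <bob@example.org>:10x:::::8:
sig:::1:CCCCCCCCCCCCCCCC:1509000001::::Carol Example <carol@example.org>:10l:::::8:
sig:::1:DDDDDDDDDDDDDDDD:1509000002::::Dave Example <dave@example.org>:13x:::::8:
rev:::1:DDDDDDDDDDDDDDDD:1509000100::::Dave Example <dave@example.org>:30x:::::8:
EOF
}

# usage: missing_signers KEYID... < colon-format listing
# Prints each expected KEYID that lacks a usable certification.
# Simplification: a signature on any one user ID counts.
missing_signers() {
  awk -F: -v want="$*" '
    BEGIN { n = split(toupper(want), ids, " ") }
    # Certification classes are 10-13; only "x" ones can be uploaded.
    $1 == "sig" && $11 ~ /^1[0-3]x$/ {
      k = toupper($5); if ($6 + 0 > cert[k] + 0) cert[k] = $6 + 0
    }
    # Class 30 revokes an earlier certification by the same signer.
    $1 == "rev" && $11 ~ /^30/ {
      k = toupper($5); if ($6 + 0 > gone[k] + 0) gone[k] = $6 + 0
    }
    END {
      # Missing: never certified, or newest certification was revoked.
      for (i = 1; i <= n; i++)
        if (cert[ids[i]] + 0 <= gone[ids[i]] + 0) print ids[i]
    }'
}

# Demo on the constructed listing: Bob signed; Carol only signed locally,
# Dave revoked his signature, and the EEEE... key never signed.
sample_listing | missing_signers bbbbbbbbbbbbbbbb cccccccccccccccc \
  dddddddddddddddd eeeeeeeeeeeeeeee
```

With a real keyring, feed it `gpg --with-colons --list-sigs YOUR_KEY_ID` on standard input and pass the party key IDs as arguments.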
