[Chat] Key signing notes

michael at cassaniti.id.au michael at cassaniti.id.au
Mon Jan 23 18:00:50 AEDT 2017


Unfortunately I had an issue with Daniel's key ending in 00D4 08C4 FA9E
C035 when using gcaff. There are some attributes of that key that are
not recognised by gcaff and it throws an exception. A little bit of
hacking to make it ignore those attributes and it all worked like a charm.

Also, if anyone wants a keybase invite then please contact me.

On 23/01/17 15:56, Daniel Sobey via Chat wrote:
> Hello Everyone,
>
> Sorry for not getting this email out earlier.
> Below are some notes for what to do after attending a key signing.
>
> At the event we did two things:
> Verified that the claims that each person made match the details on
> the key.
> That the gpg fingerprint belongs to that person.
>
> Please check the identity carefully, if someone has included a middle
> name or claims to be from the USA check that they have a passport from
> that country.
>
> You sign the uid in the key and not the key itself.
> This can be the person's name, comment and email address string.
> Gpg can also include an image so look at this and see if this matches
> your expectation.
> You can add and remove these identities at any time so there is the
> potential to claim to be someone else. If you remove a uid any
> signatures for that uid are gone. If you add a new entry there will
> not be any signatures on it and you will need to ask people to sign it
> again.
>
> If you are planning on changing email address or move to a new gpg key
> you may be able to email people and ask them to sign your new
> identities. You would want to verify that this email really did come
> from them, hopefully they have signed the message with the previous
> key so you can verify that it really came from them.
>
>
> SIGNING KEYS:
> =============
>
> Simple method:
> --------------
> Download the key list from https://keysigning.xyz/?keylist=1
> gpg --import keylist
> Verify that the fingerprints match the print out: gpg --fingerprint
> --list-key 4111E1E2
> Sign the key:   gpg --sign-key   4111E1E2
> If you have multiple keys you should sign the key with each of these:
> gpg --fingerprint --local-user FA9EC035 --sign-key 4111E1E2
> Export their key (this contains your new signature): gpg -a --export
> 4111E1E2 > 4111E1E2
> (optional) Encrypt this exported file with their gpg key. If they are
> able to decrypt it they must have the key.
> (optional) send this key to the key server: gpg --send-keys 4111E1E2
> Some people do not want their gpg key on a key server so it may be a
> good idea to ask them before doing this.
>
> Loading signatures.
> Decrypt the message to a temporary file: gpg --decrypt file > newfile
> View the encrypted message
> Import any signatures found in the message:   gpg --import newfile
> (optional) send your key to a key server: gpg --send-key FA9EC035
> (optional) refresh keys from server: gpg --refresh-keys
>
>
>
> CAFF:
> -----
> This stands for CA - Fire and Forget and is in the signing-party package.
> See https://wiki.debian.org/caff for notes.
> For a GUI tool see https://github.com/frasertweedale/gcaff developed by
> Fraser Tweedale.
>
> These tools need sendmail to be working correctly for them to work.
> I use SSMTP to send to gmail as it is easy to set up.
> You should login to gmail and create an app specific password for this.
> See the below for an example configuration file.
> https://wiki.archlinux.org/index.php/SSMTP
> You can then use the ‘sendmail’ command provided by the ssmtp package
> to send email.
>
> Run caff to generate a configuration file.
> Edit the configuration file and change the following:
> $CONFIG{'owner'} = 'Daniel Sobey';
> $CONFIG{'email'} = 'dns at dns.id.au <mailto:dns at dns.id.au>';
> $CONFIG{'keyid'} = [ qw{82D4793D50871827ADA3069C69EB32C8E31A9CB2
> 28F82EA326A37748EC41CD2800D408C4FA9EC035 } ];
>
> Uncomment the message template and change it if you wish.
>
> Download the key list from https://keysigning.xyz/?keylist=1 so you do
> not need to fetch this every time.
>
> You should now be able to sign your key.
> caff --key-file linux.conf.au.2017.txt -R 4111E1E2
>
> You can use the full gpg fingerprint or the 8 digit short key.
> If you use the 8 digit key it will show the full fingerprint when you
> sign the key, verify the fingerprint with the print out.
> Enter the passphrase on your key.
> You will be in a gpg prompt, type save
> It will then prompt if you would like to send the email.
>
> This message is signed by me with ascii armor and it can be verified
> that it came from my gpg key.
> Copy the message from the starting dashes to the end pgp signature to
> a file.
> Run gpg --verify email.txt and it should confirm that it came from me.
>
> Regards,
>
> Daniel
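The simple method from Daniel's notes as a script, an added example that is not part of the thread or of any signing tool: the fingerprint gpg reports is compared against the printout by string comparison rather than by eye, each of your local keys signs in turn, and the export is encrypted to the owner so only they can load it. It assumes a GnuPG 2 `gpg` on PATH for `sign_key`; the key ids 4111E1E2 and FA9EC035 are the ones used in the notes, and the sample `--with-colons` output and printout fingerprint in the comments are constructed placeholders.

```shell
# Added example, not the thread's own commands. Assumes GnuPG 2 is installed.
set -u

# Canonical form of a fingerprint: hex digits only, upper case, no spaces,
# so "00d4 08c4 fa9e c035" and "00D408C4FA9EC035" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint KEYID` output on stdin and print the
# primary key fingerprint: field 10 of the first "fpr" record, e.g.
#   fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:   (constructed)
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return 0 only when the printout holds a full 40-digit fingerprint and it
# equals what gpg reports; a short id on the printout is rejected.
fpr_matches() {
    local reported printed
    reported=$(normalize_fpr "$1")
    printed=$(normalize_fpr "$2")
    [ "${#printed}" -eq 40 ] && [ "$reported" = "$printed" ]
}

# sign_key KEYID PRINTOUT_FPR OUTFILE [LOCAL_KEY ...]
#   KEYID        the key to sign, already imported from the key list
#   PRINTOUT_FPR the fingerprint as read from the paper list (spaces ok)
#   OUTFILE      where the ASCII-armoured export with your signature goes
#   LOCAL_KEY    your own key ids; one signature is made per key
sign_key() {
    local keyid=$1 printout=$2 outfile=$3
    shift 3
    local reported
    reported=$(gpg --with-colons --fingerprint "$keyid" | primary_fpr_from_colons)
    if ! fpr_matches "$reported" "$printout"; then
        echo "fingerprint mismatch for $keyid: gpg reports '$reported'" >&2
        return 1
    fi
    if [ "$#" -eq 0 ]; then
        gpg --sign-key "$keyid" || return 1          # default key
    else
        for lk in "$@"; do                            # one pass per local key
            gpg --local-user "$lk" --sign-key "$keyid" || return 1
        done
    fi
    gpg -a --export "$keyid" > "$outfile" || return 1
    # Encrypt the export to the owner: decrypting it proves they hold the key.
    gpg -a -r "$keyid" --encrypt "$outfile"
}

# Usage (not run here; needs gpg and the imported key):
#   sign_key 4111E1E2 "<fingerprint from the printout>" 4111E1E2.asc FA9EC035
```

Sending the result to a key server is left out on purpose: as the notes say, ask the owner first, and mail them the encrypted `.asc` instead.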


