[Chat] Key signing notes

Fraser Tweedale ftweedal at redhat.com
Mon Jan 23 18:19:45 AEDT 2017


On Mon, Jan 23, 2017 at 03:26:49PM +1030, Daniel Sobey via Chat wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Hello Everyone,
> 
> Sorry for not getting this email out earlier.
> Below are some notes for what to do after attending a key signing.
> 
> At the event we did two things:
> Verified that the claims that each person made match the details on the key.
> That the gpg fingerprint belongs to that person.
> 
> Please check the identity carefully: if someone has included a middle name
> or claims to be from the USA, check that they have a passport from that
> country.
> 
> You sign the uid in the key and not the key itself.
> This can be the person's name, comment and email address string.
> Gpg can also include an image so look at this and see if this matches your
> expectation.
> You can add and remove these identities at any time so there is the
> potential to claim to be someone else. If you remove a uid any signatures
> for that uid are gone. If you add a new entry there will not be any
> signatures on it and you will need to ask people to sign it again.
> 
> If you are planning on changing email address or move to a new gpg key you
> may be able to email people and ask them to sign your new identities. You
> would want to verify that this email really did come from them, hopefully
> they have signed the message with the previous key so you can verify that
> it really came from them.
> 
> 
> SIGNING KEYS:
> =============
> 
> Simple method:
> --------------
> Download the key list from https://keysigning.xyz/?keylist=1
> gpg --import keylist
> Verify that the fingerprints match the printout:
>   gpg --fingerprint --list-key 4111E1E2
> Sign the key:
>   gpg --sign-key 4111E1E2
> If you have multiple keys you should sign the key with each of these:
>   gpg --local-user FA9EC035 --sign-key 4111E1E2
> Export their key (this contains your new signature):
>   gpg -a --export 4111E1E2 > 4111E1E2
> (optional) Encrypt this exported file with their gpg key. If they are able
> to decrypt it they must have the key.
> (optional) send this key to the key server: gpg --send-keys 4111E1E2
> Some people do not want their gpg key on a key server so it may be a good
> idea to ask them before doing this.
> 
> Loading signatures.
> Decrypt the message to a temporary file: gpg --decrypt file > newfile
> View the encrypted message
> Import any signatures found in the message:   gpg --import newfile
> (optional) send your key to a key server: gpg --send-key FA9EC035
> (optional) refresh keys from server: gpg --refresh-keys
> 
> 
> 
> CAFF:
> -----
> This stands for CA - Fire and Forget and is in the signing-party package.
> See https://wiki.debian.org/caff for notes.
> For a GUI tool see https://github.com/frasertweedale/gcaff developed by
> Fraser Tweedale.
> 
> These tools need sendmail to be working correctly for them to work.
> I use SSMTP to send to gmail as it is easy to set up.
> You should login to gmail and create an app specific password for this.
> See the below for an example configuration file.
> https://wiki.archlinux.org/index.php/SSMTP
> You can then use the ‘sendmail’ command provided by the ssmtp package to
> send email.
> 
> Run caff to generate a configuration file.
> Edit the configuration file and change the following:
> $CONFIG{'owner'} = 'Daniel Sobey';
> $CONFIG{'email'} = 'dns at dns.id.au';
> $CONFIG{'keyid'} = [ qw{
>     82D4793D50871827ADA3069C69EB32C8E31A9CB2
>     28F82EA326A37748EC41CD2800D408C4FA9EC035
> } ];
> 
> Uncomment the message template and change it if you wish.
> 
> Download the key list from https://keysigning.xyz/?keylist=1 so you do not
> need to fetch this every time.
> 
> You should now be able to sign the key:
> caff --key-file linux.conf.au.2017.txt -R 4111E1E2
> 
> You can use the full gpg fingerprint or the 8-digit short key ID.
> If you use the 8-digit key ID it will show the full fingerprint when you sign
> the key; verify the fingerprint against the printout.
> Enter the passphrase on your key.
> You will be in a gpg prompt; type save.
> It will then prompt if you would like to send the email.
> 
> This message is signed by me with ASCII armor and it can be verified that it
> came from my gpg key.
> Copy the message from the starting dashes to the end of the PGP signature to a
> file.
> Run gpg --verify email.txt and it should confirm that it came from me.
> 
> Regards,
> 
> Daniel
>
Thanks for putting this info to the list, Daniel, and for running
the keysigning.  And to everyone who participated!

Cheers,
Fraser
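Daniel's "simple method" above as a bash script, added here as an example (not code from the original post, nor from caff or gcaff): it refuses to sign a key unless the full fingerprint gpg reports matches the one read from the printout, then signs once per local key and exports the result encrypted to the key's owner, as the optional step in the notes suggests. The key IDs in the usage comment are the ones from the notes; the fingerprint argument is whatever is on the printout.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from caff/gcaff:
# the "simple method" from the notes as a script that refuses to sign a
# key whose full fingerprint does not match the one read from the printout.
set -euo pipefail

# Print the primary key's fingerprint from `gpg --with-colons` output on
# stdin (the first "fpr" record; field 10 holds the fingerprint).
primary_fpr() {
  awk -F: '$1 == "fpr" && !seen { print $10; seen = 1 }'
}

# fpr_matches EXPECTED ACTUAL: compare the fingerprint typed from the
# printout with the one gpg reports. Spaces are ignored and hex is
# upper-cased; a short key ID (8 or 16 digits) is never accepted, because
# only the full fingerprint identifies a key unambiguously.
fpr_matches() {
  local expected actual
  expected=$(printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]')
  actual=$(printf '%s' "$2" | tr -d ' \t' | tr '[:lower:]' '[:upper:]')
  [ "${#expected}" -ge 40 ] && [ "$expected" = "$actual" ]
}

# sign_key KEYID EXPECTED_FPR SIGNER...: verify, then sign once per local
# signing key, export the signed key and encrypt it to its owner so that
# only the holder of the matching private key can read and import it.
sign_key() {
  local keyid=$1 expected=$2 actual signer
  shift 2
  actual=$(gpg --batch --with-colons --fingerprint "$keyid" | primary_fpr)
  if ! fpr_matches "$expected" "$actual"; then
    echo "refusing to sign $keyid: fingerprint $actual does not match printout" >&2
    return 1
  fi
  for signer in "$@"; do
    gpg --local-user "$signer" --sign-key "$keyid"
  done
  gpg --armor --export "$keyid" > "$keyid.signed.asc"
  gpg --armor --recipient "$keyid" --encrypt "$keyid.signed.asc"
}

# usage (key IDs from the notes above; the fingerprint comes from the printout):
#   sign_key 4111E1E2 '<40 hex digits from the printout>' FA9EC035
```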

