I wrote a small tool for automatically retrieving and checking trust paths between two PGP keys.
This was motivated by me experiencing difficulty when verifying signed Linux distribution images or downloads for web software using GnuPG. The PGP Pathfinder Service provided by Henk P. Penning allows one to do that manually. However, to strongly verify a key, one needs to download and locally check each key in the resulting trust path, which is somewhat time-consuming, and probably too much of a hassle for normal people.

What I wanted was a utility to do that check in an automated way. Therefore, I wrote a little Python program which does that, and documentation on how to use it; it is here: https://github.com/jnxx/check-trustpaths I'd be happy to hear whether it is working for you and where it can be improved.

The utility tries to cover a number of edge cases and security aspects: querying several key servers at once, requiring 64-bit key IDs by default, sanitizing responses from the PGP pathfinder service, handling potential 32-bit collisions of key IDs (such as for Peter Palfrader's key, which is a signing key for the Debian image key) and warning about them.

Also, I have a question. The tool assumes by default that key ID collisions are possible, for 32-bit key IDs as well as for 64-bit key IDs. Therefore, the documentation suggests using the fingerprint of the target key to identify this key. If more than one key is found for an ID, it tries to resolve the ambiguity by matching the signature with the ID of the preceding key in the chain. The long IDs of the signing keys are retrieved using gpg --check-sigs --with-colons. However, this command only returns a 64-bit key ID for the signing key, not its fingerprint. My questions are: is the above reasonably secure? Assuming that it is better to use the fingerprint of the signing key, how can I retrieve it?

Johannes

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
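The resolution step the post describes, parsing the output of gpg --check-sigs --with-colons and mapping each 64-bit signer ID to the fingerprints of the matching primary keys in a local key listing, as an added example in Python. This is not code from check-trustpaths or from GnuPG. The field positions follow GnuPG's colon-format documentation (the DETAILS file); the two listings embedded below are constructed sample data with made-up fingerprints, built so that they contain both a 32-bit collision and a 64-bit collision, and the flag names in the report are this example's own:

```python
"""Resolve signer key IDs from `gpg --check-sigs --with-colons` to full
fingerprints and flag 32-bit and 64-bit key ID collisions.

Added example, not code from check-trustpaths.  Field positions follow
GnuPG's DETAILS documentation; the two listings are constructed sample data
(made-up fingerprints) standing in for `gpg --with-colons --check-sigs <fpr>`
and `gpg --with-colons --fingerprint --list-keys`.
"""
import re

HEX16 = re.compile(r"^[0-9A-F]{16}$")
HEX40 = re.compile(r"^[0-9A-F]{40}$")
CERT_CLASSES = ("10", "11", "12", "13")  # certification signature classes

TARGET_FPR = "0000111122223333444455556666777788889999"

# Constructed --check-sigs output for the target key.  In a sig record field 2
# is the check status ('!' good, '?' key not found), field 5 the signer's
# 64-bit key ID and field 11 the signature class.
CHECK_SIGS = """\
pub:f:4096:1:6666777788889999:1500000000::::::scESC::::::
fpr:::::::::0000111122223333444455556666777788889999:
sig:!::1:6666777788889999:1500000000::::Target Key <target@example.org>:13x:::::2:
sig:!::1:66667777DEADBEEF:1500000100::::Signer A <a@example.org>:10x:::::2:
sig:!::1:88889999DEADBEEF:1500000200::::Signer B <b@example.org>:13x:::::2:
sig:?::1:0123456789ABCDEF:1500000300::::[User ID not found]:10x:::::2:
"""

# Constructed --list-keys output (uid records omitted).  Signer A and the
# unrelated third key share the 64-bit ID 66667777DEADBEEF; Signer B shares
# only the 32-bit ID DEADBEEF with them.
KEY_LISTING = """\
pub:f:4096:1:66667777DEADBEEF:1400000000::::::scESC::::::
fpr:::::::::AAAA1111222233334444555566667777DEADBEEF:
sub:f:4096:1:77778888AAAAAAAA:1400000000::::::e::::::
fpr:::::::::AAAA2222333344445555666677778888AAAAAAAA:
pub:f:4096:1:88889999DEADBEEF:1400000000::::::scESC::::::
fpr:::::::::BBBB1111222233334444555588889999DEADBEEF:
pub:f:4096:1:66667777DEADBEEF:1400000000::::::scESC::::::
fpr:::::::::CCCC1111222233334444555566667777DEADBEEF:
"""


def parse_colon_records(text):
    """One list of fields per non-empty line of colon-format output."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def index_primary_fingerprints(listing):
    """Map each 64-bit key ID to the primary-key fingerprints ending in it.

    Only the fpr record right after a pub record counts: certifications are
    issued by primary keys, so a subkey must never satisfy a signer lookup.
    """
    by_long_id, want_fpr = {}, False
    for rec in parse_colon_records(listing):
        if rec[0] == "pub":
            want_fpr = True
        elif rec[0] == "fpr" and want_fpr:
            want_fpr, fpr = False, rec[9].upper()
            if not HEX40.match(fpr):
                raise ValueError("unexpected fingerprint field: %r" % rec[9])
            by_long_id.setdefault(fpr[-16:], set()).add(fpr)
        elif rec[0] in ("sub", "ssb", "sec"):
            want_fpr = False
    return by_long_id


def certifiers(check_sigs, target_fpr):
    """64-bit IDs of keys with a good certification on the target key.

    Refuses the listing unless its fpr record equals the requested fingerprint,
    so a collision on the target's own key ID cannot slip through.
    """
    own_id, verified, signers = None, False, []
    for rec in parse_colon_records(check_sigs):
        if rec[0] == "pub":
            own_id = rec[4].upper()
        elif rec[0] == "fpr" and own_id and not verified:
            if rec[9].upper() != target_fpr.upper():
                raise ValueError("listed key %s is not the requested key" % rec[9])
            verified = True
        elif rec[0] == "sig" and len(rec) > 10:
            status, signer, sigclass = rec[1], rec[4].upper(), rec[10]
            if status != "!" or sigclass[:2] not in CERT_CLASSES:
                continue  # bad, unverifiable or non-certification signature
            if not HEX16.match(signer):
                raise ValueError("refusing non-64-bit key ID %r" % rec[4])
            if signer != own_id and signer not in signers:  # skip self-sig
                signers.append(signer)
    if not verified:
        raise ValueError("no fingerprint record for the target key")
    return signers


def resolve_signers(check_sigs, listing, target_fpr):
    """Per certifier: candidate fingerprints plus 64-bit and 32-bit collision flags."""
    by_long_id = index_primary_fingerprints(listing)
    by_short_id = {}
    for long_id, fprs in by_long_id.items():
        by_short_id.setdefault(long_id[-8:], set()).update(fprs)
    report = {}
    for signer in certifiers(check_sigs, target_fpr):
        fprs = sorted(by_long_id.get(signer, ()))
        report[signer] = {
            "fingerprints": fprs,
            # more than one primary key ends in this ID: only a fingerprint identifies it
            "ambiguous": len(fprs) > 1,
            # other keys share the 32-bit ID: short IDs are unusable here
            "short_id_collision": len(by_short_id.get(signer[-8:], ())) > len(fprs),
        }
    return report
```

Calling resolve_signers(CHECK_SIGS, KEY_LISTING, TARGET_FPR) reports two certifiers. 66667777DEADBEEF resolves to two primary-key fingerprints and is flagged ambiguous, which is exactly the case where matching on the 64-bit ID of the preceding key in the chain is not enough and the fingerprint has to be used; 88889999DEADBEEF resolves uniquely but still carries the 32-bit collision flag, and the unverifiable '?' signature and the self-signature are not reported as trust-path edges at all. On the question itself: GnuPG's DETAILS documentation describes field 13 of sig records as the issuer's fingerprint in newer releases (check the file shipped with your version); where that field is populated it gives the signer fingerprint directly, without the round trip through --list-keys.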
