Re: Convenient access to Debian keyrings

2017-04-09 Thread gregor herrmann
On Sun, 09 Apr 2017 16:30:56 +0800, gustavo panizzo wrote:

> > % grep debian-keyring ~/.gnupg/gpg.conf
> > keyring /home/gregoa/.gnupg/debian-keyring/debian-keyring.gpg
> > keyring /home/gregoa/.gnupg/debian-keyring/debian-maintainers.gpg
> > keyring /home/gregoa/.gnupg/debian-keyring/debian-nonupload.gpg
> > keyring /home/gregoa/.gnupg/debian-keyring/debian-role-keys.gpg
> > keyring /home/gregoa/.gnupg/debian-keyring/emeritus-keyring.gpg
> 
> I can see you are using mutt as well, when you try to sign an email,
> doesn't mutt complain?

I'm using kuvert(1) between mutt and exim, so signing/encrypting
happens there.
 

Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Bettina Wegner: Kinder




Re: Convenient access to Debian keyrings

2017-04-09 Thread gustavo panizzo

On Sun, Apr 02, 2017 at 01:06:29AM +0200, gregor herrmann wrote:
> On Sat, 01 Apr 2017 15:40:17 -0700, Sean Whitton wrote:
> 
> > Currently, I have mutt pass `--keyring /usr/share/keyrings/...` for each
> > of the keyrings, so that I can verify signatures on e-mails.  It would
> > be more natural to just add `keyring /usr/share/keyrings/...` to
> > ~/.gnupg/gpg.conf, but when I tried this I often got errors from gpg
> > trying to write to the keyrings in /usr/share/keyrings.  Is there some
> > way to mark a keyring as read-only?
> 
> I'm using the keyrings from keyring.debian.org instead of the
> packaged ones. That way they are up to date and I don't have the
> write errors:
> 
> % crontab -l | grep debian-keyring
> 30 17 * * * /usr/bin/rsync -rlptDq 
> "keyring.debian.org::keyrings/keyrings/*.gpg" /home/gregoa/.gnupg/debian-keyring
> 
> (copied from someone/somewhere)
> 
> % grep debian-keyring ~/.gnupg/gpg.conf
> keyring /home/gregoa/.gnupg/debian-keyring/debian-keyring.gpg
> keyring /home/gregoa/.gnupg/debian-keyring/debian-maintainers.gpg
> keyring /home/gregoa/.gnupg/debian-keyring/debian-nonupload.gpg
> keyring /home/gregoa/.gnupg/debian-keyring/debian-role-keys.gpg
> keyring /home/gregoa/.gnupg/debian-keyring/emeritus-keyring.gpg


I can see you are using mutt as well, when you try to sign an email,
doesn't mutt complain?

"ambiguous specification of secret key $KEYID" is what I got, then I
cannot sign any email.

thanks!


--
1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333

keybase: https://keybase.io/gfa



Re: Convenient access to Debian keyrings

2017-04-02 Thread Sean Whitton
Hello,

On Sun, Apr 02, 2017 at 07:52:00AM +0300, Teemu Likonen wrote:
> Perhaps --primary-keyring will help because it marks one keyring for use
> with key-importing commands. I haven't tried it but it would seem that
> all other keyrings are then read-only.

Thanks for this reply.  I tried

keyring /usr/share/keyrings/debian-archive-keyring.gpg
keyring /usr/share/keyrings/debian-keyring.gpg
keyring /usr/share/keyrings/debian-maintainers.gpg
keyring /usr/share/keyrings/debian-nonupload.gpg
keyring /usr/share/keyrings/debian-role-keys.gpg
primary-keyring ~/.gnupg/pubring.kbx

But then I get errors like this:

gpg: keyblock resource '/home/spwhitton/.gnupg/pubring.kbx': File exists

which I don't understand.

On Sun, Apr 02, 2017 at 01:06:29AM +0200, gregor herrmann wrote:
> I'm using the keyrings from keyring.debian.org instead of the
> packaged ones. That way they are up to date and I don't have the
> write errors:

Good point that this avoids the write errors.  The problem is that
you're going to need to keep the keys of all keyring-maint members
updated out-of-band, in order to verify sha256sums.txt, but effortlessly
keeping track of DD keys was the whole point of all this.

-- 
Sean Whitton




Re: Convenient access to Debian keyrings

2017-04-02 Thread gregor herrmann
On Sun, 02 Apr 2017 05:43:58 +0100, Jonathan McDowell wrote:

> > > % crontab -l | grep debian-keyring
> > > 30 17 * * * /usr/bin/rsync -rlptDq 
> > > "keyring.debian.org::keyrings/keyrings/*.gpg" 
> > > /home/gregoa/.gnupg/debian-keyring
> > The rsync protocol is unencrypted, I'd suggest switching this to SSH
> > (one colon instead of two). [..]
> If you do an rsync of keyring.debian.org::keyrings (no second keyrings/)
> you get a sha512sums.txt file as well which will be signed by one of
> keyring-maint.

Thanks, I also found a sync-keyring there which checks the sha512sums.txt
file.


Cheers,
gregor
-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Queen: Somebody To Love




Re: Convenient access to Debian keyrings

2017-04-01 Thread Teemu Likonen
Sean Whitton [2017-04-01 15:40:17-07] wrote:

> Currently, I have mutt pass `--keyring /usr/share/keyrings/...` for each
> of the keyrings, so that I can verify signatures on e-mails.  It would
> be more natural to just add `keyring /usr/share/keyrings/...` to
> ~/.gnupg/gpg.conf, but when I tried this I often got errors from gpg
> trying to write to the keyrings in /usr/share/keyrings.  Is there some
> way to mark a keyring as read-only?

Perhaps --primary-keyring will help because it marks one keyring for use
with key-importing commands. I haven't tried it but it would seem that
all other keyrings are then read-only.

~/.gnupg/gpg.conf:

primary-keyring ~/.gnupg/pubring.kbx
keyring /usr/share/...
keyring /usr/share/...
keyring /usr/share/...


-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///




Re: Convenient access to Debian keyrings

2017-04-01 Thread Jonathan McDowell
On Sun, Apr 02, 2017 at 11:29:22AM +0800, Paul Wise wrote:
> On Sun, Apr 2, 2017 at 7:06 AM, gregor herrmann wrote:
> 
> > % crontab -l | grep debian-keyring
> > 30 17 * * * /usr/bin/rsync -rlptDq 
> > "keyring.debian.org::keyrings/keyrings/*.gpg" 
> > /home/gregoa/.gnupg/debian-keyring
> 
> The rsync protocol is unencrypted, I'd suggest switching this to SSH
> (one colon instead of two). You could also use rsync over TLS on port
> 1873 (uses the same cert as via http). I couldn't easily work out how
> to do it with stunnel but the following works with socat. I thought
> there was also a way to verify the keyring when it was at rest but
> can't find where I saw that.

If you do an rsync of keyring.debian.org::keyrings (no second keyrings/)
you get a sha512sums.txt file as well which will be signed by one of
keyring-maint.

J.

-- 
   Give me liberty or I will cut   |  .''`.  Debian GNU/Linux Developer
   you.                            | : :' :  Happy to accept PGP signed
                                   | `. `'   or encrypted mail - RSA
                                   |   `-    key on the keyservers.




Re: Convenient access to Debian keyrings

2017-04-01 Thread Paul Wise
On Sun, Apr 2, 2017 at 7:06 AM, gregor herrmann wrote:

> % crontab -l | grep debian-keyring
> 30 17 * * * /usr/bin/rsync -rlptDq 
> "keyring.debian.org::keyrings/keyrings/*.gpg" 
> /home/gregoa/.gnupg/debian-keyring

The rsync protocol is unencrypted, I'd suggest switching this to SSH
(one colon instead of two). You could also use rsync over TLS on port
1873 (uses the same cert as via http). I couldn't easily work out how
to do it with stunnel but the following works with socat. I thought
there was also a way to verify the keyring when it was at rest but
can't find where I saw that.

rsync --rsh 'sh -c "socat OPENSSL:keyring.debian.org:1873 STDIO"'
keyring.debian.org::keyrings .

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

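Putting the two suggestions above together (rsync over SSH rather than the unencrypted rsync protocol, and checking the signed sha512sums.txt before the mirrored keyrings are used), here is an added example script that is not from the thread and not Debian's own sync-keyring. It assumes sha512sums.txt is clearsigned, that the signed list names the .gpg files relative to the mirror root, and uses hypothetical paths for the staging directory and for a local keyring holding the keyring-maint keys you trust.

```shell
#!/bin/sh
# Added example (not from the thread): mirror over SSH into a staging dir,
# verify sha512sums.txt with gpgv, check each .gpg against the verified
# sums, and only then copy the keyrings where gpg.conf expects them.
# TRUSTED/STAGE/DEST are hypothetical paths; set them for your setup.
set -eu

MIRROR="${MIRROR:-keyring.debian.org:keyrings}"      # one colon = SSH
STAGE="${STAGE:-$HOME/.gnupg/debian-keyring.new}"     # unverified download
DEST="${DEST:-$HOME/.gnupg/debian-keyring}"           # what gpg.conf reads
TRUSTED="${TRUSTED:-$HOME/.gnupg/keyring-maint.gpg}"  # keyring-maint keys

# check_sums SUMSFILE DIR: compare every "<sha512>  <name>.gpg" line in
# SUMSFILE with DIR/<name>.gpg. Returns 1 on the first missing or altered
# file, and also when no .gpg line was found (an empty list proves nothing).
check_sums() {
  sums="$1"; dir="$2"; checked=0
  while read -r want name; do
    name="${name#\*}"                         # sha512sum "binary" marker
    case "$name" in *.gpg) ;; *) continue ;; esac
    f="$dir/$name"
    [ -f "$f" ] || { echo "missing: $name" >&2; return 1; }
    got="$(sha512sum "$f" | cut -d' ' -f1)"
    [ "$got" = "$want" ] || { echo "mismatch: $name" >&2; return 1; }
    checked=$((checked + 1))
  done < "$sums"
  [ "$checked" -gt 0 ]
}

# update_keyrings: the whole procedure; nothing reaches DEST unless both
# the signature and the checksums verify (set -e aborts on either failure).
update_keyrings() {
  mkdir -p "$STAGE" "$DEST"
  rsync -rlptDq --delete "$MIRROR/" "$STAGE/"
  # gpgv writes the signed payload only if a key in TRUSTED made the
  # signature, so the sums we check are exactly the ones that were signed.
  gpgv --keyring "$TRUSTED" --output "$STAGE/sha512sums.verified" \
       "$STAGE/sha512sums.txt"
  check_sums "$STAGE/sha512sums.verified" "$STAGE"
  find "$STAGE" -name '*.gpg' -exec cp {} "$DEST"/ \;   # flat or keyrings/
}

# Run the update only when invoked as "sh sync-keyrings.sh update", so the
# file can also be sourced for its functions.
if [ "${1:-}" = update ]; then update_keyrings; fi
```

Point the `keyring` lines in gpg.conf at DEST, not at STAGE, so a failed verification never changes what gpg reads.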


Re: Convenient access to Debian keyrings

2017-04-01 Thread gregor herrmann
On Sat, 01 Apr 2017 15:40:17 -0700, Sean Whitton wrote:

> Currently, I have mutt pass `--keyring /usr/share/keyrings/...` for each
> of the keyrings, so that I can verify signatures on e-mails.  It would
> be more natural to just add `keyring /usr/share/keyrings/...` to
> ~/.gnupg/gpg.conf, but when I tried this I often got errors from gpg
> trying to write to the keyrings in /usr/share/keyrings.  Is there some
> way to mark a keyring as read-only?

I'm using the keyrings from keyring.debian.org instead of the
packaged ones. That way they are up to date and I don't have the
write errors:

% crontab -l | grep debian-keyring
30 17 * * * /usr/bin/rsync -rlptDq 
"keyring.debian.org::keyrings/keyrings/*.gpg" /home/gregoa/.gnupg/debian-keyring

(copied from someone/somewhere)

% grep debian-keyring ~/.gnupg/gpg.conf 
keyring /home/gregoa/.gnupg/debian-keyring/debian-keyring.gpg
keyring /home/gregoa/.gnupg/debian-keyring/debian-maintainers.gpg
keyring /home/gregoa/.gnupg/debian-keyring/debian-nonupload.gpg
keyring /home/gregoa/.gnupg/debian-keyring/debian-role-keys.gpg
keyring /home/gregoa/.gnupg/debian-keyring/emeritus-keyring.gpg


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Status Quo: Caroline




Convenient access to Debian keyrings

2017-04-01 Thread Sean Whitton
Hello,

I'd like to ask for tips and ideas to make more convenient use of the
keyrings installed by the debian-keyring package.

Currently, I have mutt pass `--keyring /usr/share/keyrings/...` for each
of the keyrings, so that I can verify signatures on e-mails.  It would
be more natural to just add `keyring /usr/share/keyrings/...` to
~/.gnupg/gpg.conf, but when I tried this I often got errors from gpg
trying to write to the keyrings in /usr/share/keyrings.  Is there some
way to mark a keyring as read-only?

Another issue is that I'd like to mark the keys in the Debian keyrings
as trusted.  The default way of using PGP requires quite short trust
paths in order to consider a key trusted, but since our keyring is
curated, it is much less important for there to exist a short trust path
between my key and a DD's key -- if it's in the keyring, I have very
good reason to believe it really belongs to the person named in the
UID.  Is there some way to mark a whole keyring as trusted?

Thanks!

--
Sean Whitton

