Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013

2013-11-12 Thread Peter Maydell
On 24 July 2013 13:50, Anthony Liguori anth...@codemonkey.ws wrote:

 I will be hosting a key signing party at this year's KVM Forum.

 http://wiki.qemu.org/KeySigningParty2013

Can somebody provide known-good instructions for how to
sign and return keys? I looked on the web and found four
different possible ways to do this (most notably, there
seems to be a split between just send keys back to
the keyserver and email something to the keyowner),
and as usual gpg's UI is hopelessly opaque and confusing :-(

thanks
-- PMM



Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013

2013-11-12 Thread Gabriel L. Somlo
Peter,

On Tue, Nov 12, 2013 at 02:57:36PM +, Peter Maydell wrote:
 Can somebody provide known-good instructions for how to
 sign and return keys? I looked on the web and found four
 different possible ways to do this (most notably, there
 seems to be a split between just send keys back to
 the keyserver and email something to the keyowner),
 and as usual gpg's UI is hopelessly opaque and confusing :-(

I've pasted my key-signing bash script below. At the (few) key signing
parties I've been to, the idea was upload to keyserver as a personal
favor to those you already know and like, email signatures encrypted
with the recipient's key to those you've only just met at the party.

Assuming a text file with one key signature per line, the bits that
are commented out were used to import keys and display fingerprints
for comparison with the stuff we had printed on paper and verified at
the party. The uncommented bits will do the signature export,
encryption with the recipient's key, and emailing.

HTH,
--Gabriel

#!/bin/bash

for F in $(cat fingerprints.txt); do
  # receive keys matching ID $F:
  #gpg --recv-keys $F
  # list fingerprint for key matching ID $F:
  #gpg --fingerprint $F
  # sign key matching ID $F:
  #gpg --sign-key $F
  # send signature to recipient matching first uid, encrypted with recipient key
  # (the address is the part of the first uid line between < and >)
  E=$(gpg --list-key $F | grep ^uid | head -1 | sed 's/.*<\(.*\)>.*/\1/')
  gpg --armor --export $F | gpg --armor --encrypt -r $F | \
    mailx -r gso...@gmail.com -s "the signature you requested (by $F)" $E
  echo "sent signature $F $E"
done



Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013

2013-11-12 Thread Eric Blake
On 11/12/2013 08:18 AM, Gabriel L. Somlo wrote:
 Peter,
 
 On Tue, Nov 12, 2013 at 02:57:36PM +, Peter Maydell wrote:
 Can somebody provide known-good instructions for how to
 sign and return keys? I looked on the web and found four
 different possible ways to do this (most notably, there
 seems to be a split between just send keys back to
 the keyserver and email something to the keyowner),
 and as usual gpg's UI is hopelessly opaque and confusing :-(
 
 I've pasted my key-signing bash script below. At the (few) key signing
 parties I've been to, the idea was upload to keyserver as a personal
 favor to those you already know and like, email signatures encrypted
 with the recipient's key to those you've only just met at the party.
 
 Assuming a text file with one key signature per line, the bits that
 are commented out were used to import keys and display fingerprints
 for comparison with the stuff we had printed on paper and verified at
 the party. The uncommented bits will do the signature export,
 encryption with the recipient's key, and emailing.

Similarly, here's some advice I've used after previous key-signing
parties; I personally like how 'pius' automates the sending of
signatures to other recipients.

On 10/19/2011 09:56 AM, Jim Meyering wrote:
 You may want to know which of our colleagues have found time
 to handle their side of the key-signing deal.

 There are two interesting sets:
  - who has signed your key (either they uploaded it themselves,
  or they sent it to you and you processed it: import and upload)
  - who has uploaded your signature of their key (assuming you signed
  and mailed it to them)

 We want the complement of each set to be empty.
 I.e., each participant should do both things.
 Run the following script to list those who have not yet found the time.

 If you get stuck, reply here or ping me on IRC and I'll try to help.
 As a reminder, the recommended signing procedure was described here,
 in the Signing GPG keys section:

[replacing private URL with its contents:]

 I have a slight preference for pius over caff:
 http://www.phildev.net/pius/
 so I use it in the example below: (download sources)
 http://sourceforge.net/projects/pgpius/files/pius/2.0.9/

 Once Markus and I verified fingerprints, I did the following:

 # Download Markus' public key.
 gpg --recv EB918653

 # Create and email per-ID-signatures to each of his email addresses:
 # I specified a well-configured MTA, so that pius didn't try to send
 # directly from my desktop.  It asks for a level; I choose 3.[*]
 ./pius --mail-host=GOOD_MTA --encrypt --no-pgp-mime \
   --mail=j...@meyering.net --signer=7FD9FCCB000B EB918653
 #   (--mail = my email, --signer = my key, EB918653 = Markus' key)

 To try it first, sending mail only to myself, I could do this,
 adding the --debug and --override-email=... options on the 2nd line:

 ./pius --mail-host=GOOD_MTA --encrypt --no-pgp-mime \
 --debug --override-email=j...@meyering.net \
   --mail=j...@meyering.net --signer=7FD9FCCB000B EB918653

 The former sent two messages to Markus, who has to follow the instructions
 included in each message: decrypt the attached signature, use gpg to
 import it, and then send his just-modified (new signature) key
 out to the key servers.  It sent two messages because Markus has two
 IDs (name/email pairs) on his key, and I opted to sign both of them:

 $ gpg --fingerprint EB918653
 pub   4096R/EB918653 2011-10-07
 Key fingerprint = 354B C8B3 D7EB 2A6B 6867  4E5F 3870 B400 EB91 8653
 uid  Markus Armbruster arm...@redhat.com
 uid  Markus Armbruster arm...@pond.sub.org
 sub   4096R/26B7449C 2011-10-07

 So once Markus receives those two messages and does the decrypt/import/send
 dance, only *then* do my signatures of his key appear on the public key
 servers.  Since they were encrypted and sent individually, they can appear
 in public only if Markus really does control both of those addresses at
 the time of signing.  IMHO, it's better to sign all IDs, as long as they
 look reasonable.

 Jim

 [*] pius asks Have you verified this user/key, and if so, what level do
 you want to sign at? (0/1/2/3/N/q) [default: N].  IMHO, it doesn't
 matter if you use 2 or 3.  Some tools don't even ask.

[resuming first email]


 -
 Save the script below as cross-sign and make it executable.
 Then you can run it with a single argument, your gpg key ID,
 to see the gaps in the WoT, just considering the participants
 in the recent kvm/virt-devel key signing:

 ./cross-sign YOUR_GPG_KEY_ID

 To see how things look using your own key-ring, run it like this:

 env use_temp_keyring=n ./cross-sign YOUR_GPG_KEY_ID

 The only reason it'd look different with your key-ring is if you had
 signed locally and forgotten to run gpg --send-key ID for 

Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013

2013-11-12 Thread Peter Maydell
On 12 November 2013 15:42, Eric Blake ebl...@redhat.com wrote:
 I personally like how 'pius' automates the sending of
 signatures to other recipients.

I had a look at 'pius' since some of the signed-key
emails I've received used it; however I couldn't find
any way to make it write the emails to a file for
sending elsewhere (my machine with the gpg key has
no external SMTP access). Similarly, 'caff' claims
to support that but doesn't actually seem to in
practice.

-- PMM



Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013

2013-10-17 Thread Scott Wood
On Wed, 2013-07-24 at 07:50 -0500, Anthony Liguori wrote:
 I will be hosting a key signing party at this year's KVM Forum.
 
 http://wiki.qemu.org/KeySigningParty2013
 
 Starting for the 1.7 release (begins in December), I will only accepted
 signed pull requests so please try to attend this event or make
 alternative arrangements to have someone sign your key who will attend
 the event.
 
 I will also be attending LinuxCon/CloudOpen/Plumbers North America if
 anyone wants to have another key signing party at that event and cannot
 attend KVM Forum.

The wiki still says Day/Room TBD and I don't see it on the published
KVM Forum schedule.  Has this been determined yet?

-Scott






Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013

2013-10-16 Thread Stefan Hajnoczi
On Wed, Oct 16, 2013 at 10:07:30AM +0800, Asias He wrote:
 On Mon, Oct 14, 2013 at 7:14 PM, Stefan Hajnoczi stefa...@gmail.com wrote:
 
  On Wed, Jul 24, 2013 at 2:50 PM, Anthony Liguori anth...@codemonkey.ws 
  wrote:
  
   I will be hosting a key signing party at this year's KVM Forum.
  
   http://wiki.qemu.org/KeySigningParty2013
 
  keyserver.cryptnet.net seems broken.  I get connection refused when
  syncing to it.  On port 80 it serves up a default Fedora apache page.
  Is there an alternative key server you'd like to use?
 
 Same here. Do we have alternative key server now?

I synced to hkp://pgp.mit.edu.

Key ID: 81AB73C8
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9CA4ABB381AB73C8

Stefan



Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013

2013-10-16 Thread Gerd Hoffmann
  Hi,

 I synced to hkp://pgp.mit.edu.
 
 Key ID: 81AB73C8
 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9CA4ABB381AB73C8

I think the key servers sync to each other anyway,
so it doesn't matter much which one you pick.

cheers,
  Gerd





Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013

2013-10-16 Thread Asias He
On Mon, Oct 14, 2013 at 7:14 PM, Stefan Hajnoczi stefa...@gmail.com wrote:

 On Wed, Jul 24, 2013 at 2:50 PM, Anthony Liguori anth...@codemonkey.ws 
 wrote:
 
  I will be hosting a key signing party at this year's KVM Forum.
 
  http://wiki.qemu.org/KeySigningParty2013

 keyserver.cryptnet.net seems broken.  I get connection refused when
 syncing to it.  On port 80 it serves up a default Fedora apache page.
 Is there an alternative key server you'd like to use?

Same here. Do we have alternative key server now?

 Stefan




-- 
Asias



Re: [Qemu-devel] [ANNOUNCE] Key Signing Party at KVM Forum 2013

2013-10-14 Thread Stefan Hajnoczi
On Wed, Jul 24, 2013 at 2:50 PM, Anthony Liguori anth...@codemonkey.ws wrote:

 I will be hosting a key signing party at this year's KVM Forum.

 http://wiki.qemu.org/KeySigningParty2013

keyserver.cryptnet.net seems broken.  I get connection refused when
syncing to it.  On port 80 it serves up a default Fedora apache page.

Is there an alternative key server you'd like to use?

Stefan