2009-09-30 21:52Uploading signatures from a keysigning partySigning people’s keys is one problem, but when people sign your key that requires its own procedure with its own set of potential issues. You will likely receive several emails, one from each person with whom you exchanged keyslips, and these emails will each include an attachment or message body that contains encrypted data for you to decrypt. The plaintext you get from decrypting should be a copy of your public key that has been signed by someone’s private key. It is this signature that you’re looking for, and GPG can extract it and add it to your key. Once you have collected the signatures, you can upload your key to a keyserver where the information about who has signed your key can be publicly stored. That’s the principle, but the steps to do all this can be quite cumbersome, so I used some console one-liners to speed some of the steps up, and I include them below with an explanation of what they do. Firstly, this method assumes that your emails all exist as separate files in a certain directory on your harddrive. If your emails don’t exist on your harddrive at all, then I hope you realise the danger as well as the inconvenience of trusting the “Cloud” to store the record of your personal communication. Assuming you do have at least a copy of your emails on your harddrive, I hope they are stored such that each email is a separate file, so that a single bit error cannot make the whole collection unreadable and so that the format plays well with tools like rsync and incremental backups. The first step then is to get all the relevant emails (the ones containing your signed key) in a directory of their own. In fact the emails could be stored in a directory full of other sensitive files, but it’s best to work on a copy of them in a directory specifically set aside for this process. To find out which are the relevant files, you could run a command like: grep -rl "Subject: Your signed PGP key" . | xargs ls -l
while in the directory with all your emails. This does require that the people who sent the signed key to you used the caff program, or a script which is compatible with it this way, but every signature I have received was done like this. The output of that command, then, should show you a list of all emails which contain a signature on your key, but if you look at the dates you might see that some of them refer to signatures you have already uploaded. To avoid processing the same signature twice, you should try restricting the list of files based on the date string. If you have only been to one key signing party this year, you could try a Once you have a list of email files that you want to copy into a separate directory for processing, you will need to strip off all parts of the line other than the file name itself, and then use xargs to run cp on each line / file. The code for doing that is: grep -rl "Subject: Your signed PGP key" . | xargs ls -l | grep 2009 | sed ’s/.* //’ | xargs cp -t /some/directory/emails/
which uses the -t argument of cp to specify the destination directory of the multiple files being copied. If you then want to check who sent these emails, you can run: for i in `ls emails/`; do grep "From" emails/$i; done
while in the directory above them. Still in the directory above emails, you can now run a one-liner to decrypt the contents of the emails into a set of new files in a new directory called keys: for i in `ls emails/`; do gpg —decrypt emails/$i > keys/$i.decrypt ; done
The problem with this step is that it requires you to provide your passphrase to GPG for each decryption, but you will quickly build up your muscle memory from typing it ten times in a row. I managed to complete the process in well under 4 hours, and I’m sure I’m not the fastest typist out there. I’m also sure that I’m kidding about it taking hours. After creating all these .decrypt files, it’s time to import the keys into your keyring. The command for that is: for i in `ls keys/`; do gpg —import keys/$i; done
Your key should now have lots more signatures on it, but unless you have already downloaded the keys for these people you’ve exchanged keyslips with, you will find that GPG marks them as “User ID not found”. You can see to what extent this is true by running: gpg —list-sigs youremailaddress | grep "User ID not found"
If you just want the key IDs for these keys, you can run: gpg —list-sigs youremailaddress | grep "User ID not found" | cut -c 14-21
but what you probably want to do is download the minimal keys for these users from a keyserver thus: gpg —list-sigs youremailaddress | grep "User ID not found" | cut -c 14-21 | xargs gpg —keyserver some.key.server —keyserver-options import-minimal —recv-keys
Now if you list the signatures on your key, you should find that the user IDs are not missing. The only remaining task is to send this impressive key up to a keyserver using: gpg —send-key yourkeyid
where yourkeyid is an 8 hex digit number (the last 8 hex digits of your key fingerprint, in fact). That command also assumes that you have set your default keyserver before, so that you don’t need to specify it on the command line. All these steps could probably be turned into a script, trading off manual supervision for convenience. When I have tested this code more and have ruled out any obvious problems that might be introduced by automating the process, I will probably try scripting it, but a process so important and so rarely used may not be best suited to automation. I would at least make sure I comment the script heavily and re-read it before I run it each time. Isn’t there an expression which goes something like “Don’t try to create your own crypto algorithm, software license, programming language, operating system, data interchange format, or TCP/IP stack, in decreasing order of impermissibility.”? Where do key signing and signature uploading scripts come in that list? Trackbacks
Trackback specific URI for this entry
No Trackbacks
|
QuicksearchCategoriesSyndicate This BlogBlog Administration |
