{"id":651,"date":"2017-02-10T15:35:29","date_gmt":"2017-02-10T14:35:29","guid":{"rendered":"https:\/\/www.dereckson.be\/blog\/?p=651"},"modified":"2017-02-10T17:10:50","modified_gmt":"2017-02-10T16:10:50","slug":"fosdem-pgp-key-signing-party-faq","status":"publish","type":"post","link":"https:\/\/www.dereckson.be\/blog\/2017\/02\/10\/fosdem-pgp-key-signing-party-faq\/","title":{"rendered":"FOSDEM PGP Key signing party FAQ"},"content":{"rendered":"

FOSDEM organizes each year one of the largest \u00a0keysigning event for PGP keys. When we come back from a key signing party, what to do?<\/p>\n

Here a FAQ with some useful notes about how I sign the keys.<\/p>\n

Sign other keys<\/h2>\n

Bad practice: don’t upload keys you’ve just signed to the PGP server<\/h3>\n

At the event, you checked the key fingerprints and you checked an ID document. But you also want to verify the email\u00a0address to be sure the mail belongs to the user and not to a namesake.<\/p>\n

So don’t upload keys to a PGP server, send the signature for ONE mail to THAT mail\u00a0address. Luckily, some softwares automate the process and does that.<\/p>\n

Caff<\/h3>\n

Caff will automate signing and sending process.<\/p>\n

You can follow instructions published on the Debian wiki<\/a>.<\/p>\n

Basically,\u00a0it works in three steps:<\/p>\n

    \n
  1. create a ~\/.caffrc file with at least <code>$CONFIG{‘owner’}<\/code> and <code>$CONFIG{’email’}<\/code><\/li>\n
  2. caff <fingerprints of each keys you verified><\/li>\n
  3. check your mail for issues like rejected as spam, not existing mailbox, etc.<\/li>\n
  4. take a highlighter and let a mark when a key has been sent<\/li>\n<\/ol>\n

    What if some keys aren’t fetchable on\u00a0the public servers?<\/h3>\n

    You can ask caff to fetch the keys from the local GnuPG keyring. For that, download the FOSDEM event keyring, then import the keys you want:<\/p>\n

    wget https:\/\/ksp.fosdem.org\/files\/non-authoritative\/keyring.gpg\r\ngpg --import keyring.gpg 6CA63522\r\n<\/pre>\n
    You can then ask caff<\/code> to fetch them locally. For me, it was the following keys:<\/p>\n
    \r\ncaff --keys-from-gnupg 6CA63522 202CE599 5BCF7D95 A85DB372 E1F3FC1C\r\n<\/pre>\n
    Other software<\/h3>\n
    Some key signing participants use another piece of software: PIUS<\/a>.<\/p>\n
    The software claims to be able to detect signed keys in a mailbox, useful for the next step.<\/p>\n
    Don’t expect your nice message will be read<\/h3>\n
    As you encrypt the message with the recipient PGP key, it will have to make an effort to decrypt it. \u00a0Contributors using PGP to sign releases or VCS\u00a0tags or commits don’t use always PGP to read and write mail. So, guess what they\u00a0could with your message if their mail client doesn’t have access to the key? gpg -d | gpg --import<\/code>. Your message will so never be read in clear text.<\/p>\n
    Publish your signed keys<\/h2>\n
    Now you’ve signed the keys from other participants, you want to publish the signed keys you’ve received.<\/p>\n
    When your client mail supports\u00a0GPG<\/h3>\n
    If your mail client handles this, or if you use PIUS, they will allow you to import in GPG the keys.<\/p>\n
    gpg --keyserver pgp.mit.edu --send-key\u00a0<your key fingerprint>\r\n<\/pre>\n
    Manually import the signed keys<\/h3>\n
    #!\/bin\/sh\r\n\r\nwhile true; do\r\n        echo \"Next key?\"\r\n        cat > \/tmp\/key-to-import\r\n        gpg -d \/tmp\/key-to-import | gpg --import\r\n        gpg --keyserver keyserver.siccegge.de --send-key <your key fingerprint>\r\ndone\r\n<\/pre>\n
    This script will ask you Next key?<\/p>\n
    You copy\/paste the PGP block (between -----BEGIN PGP MESSAGE-----<\/code>\u00a0and -----END PGP MESSAGE-----)<\/code>. Then you save with CTRL + D.<\/p>\n
    It doesn’t matter if you’ve added a line after the END line, gpg stops to parse there.<\/p>\n
    GPG will import the key and publish it. Publish on a responsive server, not pgp.mit.edu, that will ease checks.<\/p>\n
    You have two ways to know each signature have been successfully sent.<\/p>\n
    First, check the output of gpg --import<\/code> :<\/p>\n
    gpg: Total number processed: 1\r\ngpg: new signatures: 1\r\ngpg: marginals needed: 3 completes needed: 1 trust model: pgp\r\n<\/pre>\n
    If instead you read this, you’ve already published this key:<\/p>\n
    gpg: Total number processed: 1\r\ngpg:              unchanged: 1\r\n<\/pre>\n
    The second way to check is on the web view of the server.<\/p>\n
    For example if you use the server noted above, search your fingerprint here<\/a>.<\/p>\n
    Stay on the page with your signatures,\u00a0and when you’ve a doubt, you can refresh.<\/p>\n
    Tag the mails as done<\/h3>\n
    There are a lot of mails as there are a lot of participants. So, to\u00a0tag mails as processed\u00a0is useful to know what is processed and what’s not.<\/p>\n
    An IMAP dedicated folder is nice, or any label\/color your client allows.<\/p>\n
    Alternatively, take an highlighter, your paper list and annotate.<\/p>\n","protected":false},"excerpt":{"rendered":"
    FOSDEM organizes each year one of the largest \u00a0keysigning event for PGP keys. When we come back from a key signing party, what to do? Here a FAQ with some useful notes about how I sign the keys. Sign other keys Bad practice: don’t upload keys you’ve just signed to the PGP server At the […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[49,50],"tags":[316,314,318,312],"class_list":["post-651","post","type-post","status-publish","format-standard","hentry","category-dev","category-sysadmin","tag-caff","tag-fosdem","tag-key-signing","tag-pgp"],"_links":{"self":[{"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/posts\/651","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/comments?post=651"}],"version-history":[{"count":5,"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/posts\/651\/revisions"}],"predecessor-version":[{"id":656,"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/posts\/651\/revisions\/656"}],"wp:attachment":[{"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/media?parent=651"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/categories?post=651"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dereckson.be\/blog\/wp-json\/wp\/v2\/tags?post=651"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}