Yesterday I attended a PGP key signing BoF session at linux.conf.au. Being a novice at PGP, and never having done this before, it took me a couple of tries to get the actual signing process right after the party. Here's what I learned, and how you should do it. Probably.
I used a fresh installation of Debian, and a similar setup will be assumed for the remainder of this post. This leads naturally into a disclaimer: as I'm using a VM solely for party signing, and this is a quick dump of what I've done, please don't follow this blindly in a home directory with your complete keyrings, etc.
Start by installing caff:

# apt-get install signing-party
exim4 will be automatically installed for email support, but it won't work until configured. Assuming you're using Gmail or Google Apps:

# dpkg-reconfigure exim4-config

- General type of mail configuration: mail sent by smarthost; received via SMTP or fetchmail
- System mail name: localhost
- IP addresses to listen on: 127.0.0.1
- Other destinations: empty
- Machines to relay mail for: empty
- Outgoing smarthost: smtp.gmail.com::587
- Hide local mail name: NO
- Minimise DNS queries: NO
- Delivery method: mbox format in /var/mail/
- Split configuration: YES
If you use two-factor authentication, generate an application-specific password and use it in the next step; your primary password will not work.

# LOCALUSER='delan'
# EMAILADDR='delan@azabani.com'
# EMAILPW='...'
# echo "*.google.com:$EMAILADDR:$EMAILPW" >> /etc/exim4/passwd.client
# echo "$LOCALUSER: $EMAILADDR" >> /etc/email-addresses
# echo "$LOCALUSER@localhost: $EMAILADDR" >> /etc/email-addresses
# echo "$LOCALUSER@$HOSTNAME: $EMAILADDR" >> /etc/email-addresses
# echo "$LOCALUSER@$HOSTNAME.localdomain: $EMAILADDR" >> /etc/email-addresses
# update-exim4.conf
# invoke-rc.d exim4 restart
Send a testing email to yourself to make sure the mail server actually works, ending your message entered on stdin by pressing ^D:

$ mail -s 'Testing exim4 configuration' delan@azabani.com
Hello, world!
^D
Now that the mail server is configured, set up caff and gnupg. The former is pretty simple, just add something like this to ~/.caffrc:

$CONFIG{'owner'} = 'Delan Azabani';
$CONFIG{'email'} = 'delan@azabani.com';
$CONFIG{'keyid'} = [ qw{0548747618416AA7} ];
Now you'll need to add ask-cert-level to gpg.conf if you want to be able to create sig3 trusted signatures (which you should only do if your party carefully checked photo identification). The keyserver declaration is simply because I prefer MIT's PGP keyserver.

$ echo 'expert' >> ~/.gnupg/gpg.conf
$ echo 'ask-cert-level' >> ~/.gnupg/gpg.conf
$ echo 'keyserver hkp://pgp.mit.edu' >> ~/.gnupg/gpg.conf
I turn on expert mode permanently because it allows you to sign keys that you have already previously signed, which isn't allowed by default. This was required for a few keys which I had previously signed, but now wanted to sig3 upon more stringent identity verification.
It's probably a bad idea, but if you want to temporarily remove your private key's passphrase to make signing easier, do this:

$ gpg --edit-key Delan
gpg> passwd
gpg> save
If you do, remember to secure it again afterwards, of course. Now import the public keys you want with gpg, and set up caff to read from ~/.gnupg/:

$ caff
$ for i in ~/.gnupg/*; do ln -sv "$i" ~/.caff/gnupghome/; done
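One step the post skips over is checking, before caff ever sees a key ID, that the fingerprint of the key you imported from the keyserver is the same one you compared against photo ID at the party; a keyserver can hand you any key with a matching short ID. The script below is an added example, not part of the original post or of caff. It parses the machine-readable output of `gpg --with-colons --fingerprint` (here a constructed sample with made-up key IDs and fingerprints, not real keys) and compares the primary-key fingerprint with the one written on the party sheet, taking care not to mistake a subkey's fingerprint for the primary key's.

```shell
#!/bin/sh
# Added example (not from the original post): before handing key IDs to caff,
# confirm that each imported key's fingerprint matches the fingerprint you
# verified against photo ID at the party. The listing format parsed here is
# that of "gpg --with-colons --fingerprint"; the keys and fingerprints below
# are constructed sample data, not real keys.

# Constructed sample of "gpg --with-colons --fingerprint" output: one key with
# a subkey, plus a second key. Only the fpr record directly after a pub record
# is the identity fingerprint; the subkey's fpr record must not be confused
# with it.
SAMPLE_LISTING='tru::1:1389000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1389000000:::u:::scESC::::::23::0:
fpr:::::::::1111222233334444555566660123456789ABCDEF:
uid:u::::1389000000::0000000000000000000000000000000000000000::Example Party Guest <guest@example.invalid>::::::::::0:
sub:u:4096:1:3333222211110000:1389000000::::::e::::::23:
fpr:::::::::9999888877776666555544443333222211110000:
pub:u:2048:1:FEDCBA9876543210:1389000000:::u:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFFFEDCBA9876543210:
uid:u::::1389000000::0000000000000000000000000000000000000000::Second Guest <second@example.invalid>::::::::::0:'

# Normalise a fingerprint or key ID as written on a party sheet: drop all
# whitespace and upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read --with-colons output on stdin and print "<long key ID> <fingerprint>"
# for each primary key. The fingerprint is field 10 of the fpr record that
# directly follows a pub (or sec) record; fpr records after sub/ssb are skipped.
keyring_fingerprints() {
    awk -F: '
        $1 == "pub" || $1 == "sec" { want = 1; next }
        $1 == "sub" || $1 == "ssb" { want = 0; next }
        $1 == "fpr" && want {
            print substr($10, length($10) - 15) " " $10
            want = 0
        }
    '
}

# check_key LISTING KEYID EXPECTED_FPR
# LISTING is the output of keyring_fingerprints. KEYID may be a short (8) or
# long (16) key ID, or the full fingerprint. Returns 0 if the keyring
# fingerprint equals EXPECTED_FPR, 1 on mismatch, 2 if no primary key matches.
check_key() {
    listing="$1"
    keyid="$(normalize_fpr "$2")"
    expected="$(normalize_fpr "$3")"
    [ -n "$keyid" ] || return 2
    actual="$(printf '%s\n' "$listing" | awk -v k="$keyid" '
        $2 == k || substr($1, length($1) - length(k) + 1) == k { print $2 }
    ')"
    [ -n "$actual" ] || return 2
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Usage on the constructed sample. In a real run, replace SAMPLE_LISTING with
# the output of "gpg --with-colons --fingerprint" and take the expected
# fingerprint from the party sheet.
LISTING="$(printf '%s\n' "$SAMPLE_LISTING" | keyring_fingerprints)"
if check_key "$LISTING" 0123456789ABCDEF '1111 2222 3333 4444 5555 6666 0123 4567 89AB CDEF'; then
    echo "0123456789ABCDEF: fingerprint matches the party sheet, OK to sign"
fi
```

Only keys for which check_key returns 0 should be passed to caff; a return of 2 for an ID you expected to find usually means the keyserver gave you a different key (or only a subkey matched), and a return of 1 means the key in your keyring is not the one whose owner you met.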
Finally, run caff on the key IDs you want to sign:

$ caff --no-download $KEYID1 $KEYID2 ... $KEYIDn
If you want to push your signatures to a public keyserver immediately, you'll first need to copy caff's pubring.gpg back to ~/.gnupg/ because it replaces the symlink with a separate file.

$ cp -v ~/.caff/gnupghome/pubring.gpg ~/.gnupg/
$ gpg --send-keys $KEYID1 $KEYID2 ... $KEYIDn
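Because the copy back is only needed once caff has actually replaced the symlink, the plain cp above fails on a run where caff touched nothing (cp refuses to copy a file onto itself through the symlink). Here is a small added helper, not part of the original post or of caff, that checks for that case first; the directory paths are parameters so it can be tried on a scratch directory before being pointed at ~/.caff/gnupghome and ~/.gnupg.

```shell
#!/bin/sh
# Added example (not from the original post): copy caff's pubring.gpg back to
# the real GnuPG home only once caff has replaced the symlink with a real file.
# While it is still a symlink, both paths name the same file and there is
# nothing to copy.

# sync_pubring CAFF_GNUPGHOME GNUPGHOME
# Returns 0 after copying, 1 if pubring.gpg is still a symlink (nothing to do),
# 2 if caff's pubring.gpg does not exist at all.
sync_pubring() {
    src="$1/pubring.gpg"
    dst="$2/pubring.gpg"
    if [ ! -e "$src" ] && [ ! -L "$src" ]; then
        echo "no $src; has caff been run?" >&2
        return 2
    fi
    if [ -L "$src" ]; then
        echo "$src is still a symlink; nothing to copy back" >&2
        return 1
    fi
    cp -v "$src" "$dst"
}

# Real usage, matching the post's layout (run after caff, before --send-keys):
# sync_pubring ~/.caff/gnupghome ~/.gnupg
```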