Delan Azabani

After PGP key signing parties

Yesterday I attended a PGP key signing BoF session at linux.conf.au. Being a novice at PGP, and never having done this before, it took me a couple of tries to get the actual signing process right after the party. Here's what I learned, and how you should do it. Probably.

I used a fresh installation of Debian, and a similar setup will be assumed for the remainder of this post. This leads naturally into a disclaimer: as I'm using a VM solely for party signing, and this is a quick dump of what I've done, please don't follow this blindly in a home directory with your complete keyrings, etc.

Start by installing caff:

# apt-get install signing-party

exim4 will be automatically installed for email support, but it won't work until configured. Assuming you're using Gmail or Google Apps:

# dpkg-reconfigure exim4-config

If you use two-factor authentication, generate and use an application-specific password here now; your primary password will not work.

# LOCALUSER='delan'
# EMAILADDR='delan@azabani.com'
# EMAILPW='...'
# echo "*.google.com:$EMAILADDR:$EMAILPW" >> /etc/exim4/passwd.client
# echo "$LOCALUSER: $EMAILADDR' >> /etc/email-addresses
# echo "$LOCALUSER@localhost: $EMAILADDR' >> /etc/email-addresses
# echo "$LOCALUSER@$HOSTNAME: $EMAILADDR' >> /etc/email-addresses
# echo "$LOCALUSER@$HOSTNAME.localdomain: $EMAILADDR' >> /etc/email-addresses
# update-exim4.conf
# invoke-rc.d exim4 restart

Send a testing email to yourself to make sure the mail server actually works, ending your message entered on stdin by pressing ^D:

$ mail -s 'Testing exim4 configuration' delan@azabani.com
Hello, world!

Now that the mail server is configured, set up caff and gnupg. The former is pretty simple, just add something like this to ~/.caffrc:

$CONFIG{'owner'} = 'Delan Azabani';
$CONFIG{'email'} = 'delan@azabani.com';
$CONFIG{'keyid'} = [ qw{0548747618416AA7} ];

Now you'll need to add ask-cert-level to gpg.conf if you want to be able to create sig3 trusted signatures (which you should only do if your party carefully checked photo identification). The keyserver declaration is simply because I prefer MIT's PGP keyserver.

$ echo 'expert' >> ~/.gnupg/gpg.conf
$ echo 'ask-cert-level' >> ~/.gnupg/gpg.conf
$ echo 'keyserver hkp://pgp.mit.edu' >> ~/.gnupg/gpg.conf

I turn on expert mode permanently because it allows you to sign keys that you have already previously signed, which isn't allowed by default. This was required for a few keys which I had previously sig'd, but now wanted to sig3 upon more stringent identity verification.

It's probably a bad idea, but if you want to temporarily remove your private key's passphrase to make signing easier, do this:

$ gpg --edit-key Delan
gpg> passwd
gpg> save

If you do, remember to secure it again afterwards, of course. Now import the public keys you want with gpg, and set up caff to read from ~/.gnupg/:

$ caff
$ for i in `ls .gnupg`; do ln -sv ~/.gnupg/$i ~/.caff/gnupghome/$i; done

Finally, run caff on the key IDs you want to sign:

$ caff --no-download $KEYID1 $KEYID2 ... $KEYIDn

If you want to push your signatures to a public keyserver immediately, you'll first need to copy caff's pubring.gpg back to ~/.gnupg/ because it replaces the symlink with a separate file.

$ cp -v ~/.caff/gnupghome/pubring.gpg ~/.gnupg/
$ gpg --send-keys $KEYID1 $KEYID2 ... $KEYIDn