CBlog

(... more or less ;-)

Auf der openSUSE conference gab es neben vielen interessanten Vorträgen und noch mehr netter Leute aus der openSUSE community eine Keysigning-Party. Damit nicht jeder von ganz vorn anfangen muss, hier mein HowTo zum schnellen Signieren der Keys mit caff. Da die "Amtssprache" auf der conference englisch war, gibt es dieses HowTo auch nur in englisch ;-)

At the openSUSE conference I heard many interesting talks and met lots of nice people from the openSUSE community. I also took part at the keysigning party. To avoid that everybody has to start from scratch, here is a HowTo sign keys efficiently with caff.

Preparation

Install caff. It's included in the package "signing-party" in the home:worldcitizen repo and requires perl-GnuPG-Interface and several other packages from devel:languages:perl.

zypper ar -f http://download.opensuse.org/repositories/devel:/languages:/perl/openSUSE_11.3/ devel:languages:perl
zypper ar -f http://download.opensuse.org/repositories/home:/worldcitizen/openSUSE_11.3 home:worldcitizen
zypper in signing-party

caff uses postfix to send out the signed keys (or whatever listens on localhost:25), therefore you have to make sure to have  a working config. Many mailservers reject mails from dialup hosts nowadays. You have to setup postfix to send mails using your provider's mail relay (usually needs SMTP Auth), and you have to make sure it converts your local "geeko@localhost" sender with a working mail address. You can do this with YaST or (as I did) edit /etc/postfix/main.cf directly:

relayhost = mailserver.example.com
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
sender_canonical_maps = hash:/etc/postfix/sender_canonical

Restart postfix after this changes ("rcpostfix restart").

sasl_passwd must contain a line like this:

# servername           SMTP Auth username:password
mailserver.example.com user@example.com:topsecret

sender_canonical looks like this: (host.name is the output of "hostname -f", geeko is your username)

geeko@host.name user@example.com

Then run postmap - postfix always reads the binary form (*.db) of the files, not the plain text version.

postmap sasl_passwd
postmap sender_canonical

[Update 2013-07-17: fixed sasl_passwd syntax and typos in sender_canonical filename]

If unsure, send a test mail to yourself ("echo foo | mail -s testmail you@example.com") and check if the sender address is correct.

Now you have to configure caff. Run "caff" once to generate the configuration file ~/.caffrc, then edit at least the following settings:

$CONFIG{'owner'}
$CONFIG{'email'}
$CONFIG{'keyid'}

Signing the keys

I always sign the fingerprints instead of the key ids. This has the advantage that I don't have to compare the fingerprints manually.

cp ksp-opensuse-conf-10.txt keys-to-sign.txt
vi keys-to-sign.txt

Remove all keys you do not want to sign (those from people that missed the keysigning party or with invalid ID cards) from keys-to-sign.txt. Also remove your own key from the list, it's pointless to sign it.

If people gave you additional keys on a paper strip, create a list of their key ids and save it as additional-keys.txt. Then run

gpg --recv-keys `cat additional-keys`
echo "--- additional keys ---" >> keys-to-sign.txt
LANG=C gpg --fingerprint `cat additional-keys ` >> keys-to-sign.txt

After that, open keys-to-sign.txt and check the fingerprint of the newly added keys. This is important because they were not included in the original checksum of the ksp*.txt file.

Then create a list of fingerprints to sign:

grep "Key fingerprint" keys-to-sign.txt  | sed 's/.*= // ; s/ //g' > fingerprints-to-sign.txt

For some reason, caff failed to download the keys for me. Therefore I did it myself. (Replace /home/cb/.caff/ with the tempdir you use for caff in the following command)

gpg --homedir=/home/cb/.caff/gnupghome --secret-keyring /home/cb/.gnupg/secring.gpg \
    --recv-keys `cat fingerprints-to-sign.txt`

After that, you can finally sign the keys and mail them to their owners:

caff `cat fingerprints-to-sign.txt`

To be sure nothing goes wrong, check against your printed list from the keysigning party that you really want to sign the key. To save the signature, type "save" at the gpg> prompt.

That's it. You should now have produced a mail flood ;-) to the owners of all the keys you signed.