Skip to content
Submit all the keys on a keylist to keys.openpgp.org, and request email verification for all UIDs
Python
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore
LICENSE
Pipfile
Pipfile.lock
README.md
hv.py

README.md

hagrid-verifier

This script submits all the keys on a keylist to keys.openpgp.org, and requests email verification for all UIDs.

Why?

The SKS keyserver network is vulnerable to certificate flooding attacks, making it trivial for anyone to prevent anyone else's public key from getting fetched from these servers. And the software that powers SKS keyservers is unmaintained, so there's little chance that this and other critical vulnerabilities will ever get fixed.

If you run a keylist for your organization, it's prudent to migrate all keys on it over to keys.openpgp.org, a new abuse-resistent keyserver that's powered by software called Hagrid. Hagrid has important differences from SKS keyservers that are necessary to understand for those who manage a keylist:

  • Anyone can upload public keys, but by default Hagrid strips all user IDs, signatures, and everything else. Only the cryptographic key material is freely distributed.
  • If a user wants their user ID to be available, this UID needs to contain an email address, and the user needs to opt-in to including their email address by verifying it. Hagrid will send a verification email, and the user must click a link in the email.
  • Because signatures are stripped, Hagrid cannot be used to facilitate the web of trust.

This means that if you subscribe to a keylist and refresh keys from keys.openpgp.org for the first time, you'll download all of the public keys, but only the ones who have opted in will contain UIDs with email addresses, so you'll only be able to send encrypted email to those people.

If you're migrating an existing keylist to using keys.openpgp.org, this script helps you automate opting everyone in. You run it and pass in a JSON keylist filename. For each key in the keylist, it exports the public key from your local gnupg keyring (you must already have these keys imported), uploads it to keys.openpgp.org, and asks if you'd like to request verification emails for all of them. If you choose yes, it requests verification emails in bulk, and all members of the keylist will receive an email from the keyserver with a link they must click.

You can re-run this script at any point to check the status of your keylist, to see which members haven't opted in yet, without re-requesting verification emails.

How?

You need python 3 and pipenv. Install the dependencies:

pipenv install

Run the program:

pipenv run ./hv.py [KEYLIST_FILENAME]
You can’t perform that action at this time.