I suggest a feature to sign a public key : gpg2 --sign-key name #29

Open
harobed opened this issue Oct 26, 2013 · 6 comments

Comments

@harobed

harobed commented Oct 26, 2013

Hi,

I suggest a feature to sign a public key :

gpg2 --sign-key name

http://www.gnupg.org/documentation/manuals/gnupg/OpenPGP-Key-Management.html#OpenPGP-Key-Management

Best regards,
Stephane

@isislovecruft
Owner

I might consider adding this, though I can't think of any threat model where allowing automated, likely passwordless, certification of other keys increases security in some substantial manner. Actually, the only "useful" thing (from some peoples' views) that I could foresee being done with this feature would be to use it to spam/poison the Web of Trust with a bunch of fake keys which cross-certify each other.

How were you thinking of using it?

@muelli

muelli commented Sep 17, 2014

May I just ask for clarity: Is it possible, right now, to sign a key with python-gnupg?

@meskio
Collaborator

meskio commented Sep 23, 2014

@isislovecruft we'll need that in @leapcode to roll new keys: when you generate a new key you want to sign it with the previous one. I'm having a look at the code to propose an implementation of key signing for python-gnupg.

@muelli as far as I can dig into the code, it's not implemented anywhere.

@isislovecruft
Owner

@meskio I'll take patches for this. It's going to be pretty hard to do. By default, --sign-key drops you into an interactive prompt asking Really sign all user IDs? (y/N) and afterwards, regardless of your answer, drops you off in the gpg> interactive prompt (where you have to type save and quit and so forth). By default (because it's meant to be automatable) python-gnupg uses --no-tty to disable all interactivity, and trying to use --sign-key with --no-tty will produce an error message saying gpg: Sorry, no terminal at all requested - can't get input. Further, gpg won't listen to you if you try to use anything like --no-tty --passphrase-fd 0 --sign-key or any of the other passphrase input options. Not to deter anyone, because I'll take all the help I can get, but this is not going to be a fun set of patches, I'm afraid. :/

@meskio
Collaborator

meskio commented Oct 13, 2014

After some tests I see you are right, this is not going to be easy. Right now I have other priorities and I put that on the backlog. I'll come back at some point to try to implement it again.

Thanks for the info.

isislovecruft removed their assignment Nov 19, 2014
@muelli

muelli commented Nov 20, 2014

On gnupg-users, Werner mentions that with GnuPG 2.1 it should be easier to implement.

http://www.gossamer-threads.com/lists/gnupg/users/68547
https://gnupg.org/faq/whats-new-in-2.1.html#quickgen
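The following is an added example, not code from python-gnupg or from anyone in this thread. It covers both points raised above: isislovecruft's description of --sign-key falling into interactive prompts under --no-tty (and refusing --passphrase-fd 0), and the GnuPG 2.1 route muelli's links point at. Instead of --no-tty alone, it keeps --no-tty but reads the prompts' answers from fd 0 with --command-fd and watches --status-fd to know which question gpg is asking; on GnuPG 2.1 and later it can use --quick-sign-key, which asks nothing. Assumptions: a gpg binary on PATH, a keyring under homedir that already holds both keys, two constructed placeholder fingerprints, and that the prompt keywords (keyedit.sign_all.okay, sign_uid.okay, keyedit.prompt, passphrase.enter) match the GnuPG version in use; --pinentry-mode loopback exists only from 2.1 on.

```python
"""Non-interactive `gpg --sign-key`, driven over --command-fd / --status-fd.

Added example for this thread; not python-gnupg code.  Assumes gpg on PATH,
a keyring under `homedir` holding both keys, and the constructed placeholder
fingerprints below.  Status keywords follow GnuPG's doc/DETAILS; the answers
are what a user at the terminal would type.
"""
import os
import subprocess
from typing import List, Optional, Tuple

SIGNER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"   # constructed placeholder
TARGET_FPR = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"   # constructed placeholder

# Constructed status-fd transcript of a successful --sign-key run (GnuPG 2.x).
SAMPLE_TRANSCRIPT = [
    "[GNUPG:] GET_BOOL keyedit.sign_all.okay",
    "[GNUPG:] GOT_IT",
    "[GNUPG:] GET_LINE keyedit.prompt",
    "[GNUPG:] GOT_IT",
]


def build_sign_key_argv(homedir: str, signer: str, target: str,
                        quick: bool = False,
                        passphrase_fd: Optional[int] = None) -> List[str]:
    """Build the gpg command line.

    quick=True uses --quick-sign-key (GnuPG >= 2.1), which never prompts.
    Otherwise --sign-key is kept, but its prompts are read from fd 0 via
    --command-fd, so --no-tty no longer ends in "can't get input".
    """
    argv = ["gpg", "--homedir", homedir, "--no-tty", "--status-fd", "1",
            "--local-user", signer]
    if passphrase_fd is not None:
        # GnuPG >= 2.1 only: the agent reads the passphrase from this fd
        # instead of popping up pinentry.  fd 0 is taken by --command-fd,
        # which is why --passphrase-fd 0 cannot work here.
        argv += ["--pinentry-mode", "loopback", "--passphrase-fd", str(passphrase_fd)]
    if quick:
        argv += ["--batch", "--quick-sign-key", target]
    else:
        argv += ["--command-fd", "0", "--sign-key", target]
    return argv


def answer_for(status_line: str, passphrase: Optional[str] = None) -> Optional[str]:
    """Return what to write to --command-fd for one status line, or None when
    gpg is not waiting for input.  Unknown questions get the safe answer
    (decline / quit) rather than a blanket "yes"."""
    if not status_line.startswith("[GNUPG:] "):
        return None
    fields = status_line.split()
    kind = fields[1]
    keyword = fields[2] if len(fields) > 2 else ""
    if kind == "GET_BOOL":
        # "Really sign all user IDs?" / "Really sign?"; anything else (for
        # example an expired-key override) is declined.
        return "y" if keyword in ("keyedit.sign_all.okay", "sign_uid.okay") else "n"
    if kind == "GET_LINE":
        # The gpg> prompt after signing: commit the new certification.
        return "save" if keyword == "keyedit.prompt" else "quit"
    if kind == "GET_HIDDEN":
        # GnuPG 1.4 / 2.0 without loopback pinentry ask for the passphrase
        # here; an empty line makes gpg fail fast instead of hanging.
        return passphrase or ""
    return None


def answers_for_transcript(lines: List[str], passphrase: Optional[str] = None) -> List[str]:
    """Dry run: the exact answers the driver would send for a status transcript."""
    return [a for a in (answer_for(l, passphrase) for l in lines) if a is not None]


def sign_key(homedir: str, signer: str, target: str,
             passphrase: Optional[str] = None, quick: bool = False) -> Tuple[int, List[str]]:
    """Run gpg and answer its prompts.  Returns (exit status, output lines)."""
    pfd, pass_fds = None, ()
    if passphrase is not None:
        pfd, wfd = os.pipe()
        os.write(wfd, (passphrase + "\n").encode())
        os.close(wfd)
        pass_fds = (pfd,)
    argv = build_sign_key_argv(homedir, signer, target, quick, pfd)
    # stderr is merged into stdout so diagnostics are kept and cannot stall gpg;
    # answer_for() ignores any line that is not a status line.
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, text=True, pass_fds=pass_fds)
    log: List[str] = []
    for line in iter(proc.stdout.readline, ""):
        line = line.rstrip("\n")
        log.append(line)
        answer = answer_for(line, passphrase)
        if answer is not None:
            proc.stdin.write(answer + "\n")
            proc.stdin.flush()
    proc.stdin.close()
    rc = proc.wait()
    if pfd is not None:
        os.close(pfd)
    return rc, log


if __name__ == "__main__":
    print(" ".join(build_sign_key_argv("~/.gnupg", SIGNER_FPR, TARGET_FPR)))
    print(answers_for_transcript(SAMPLE_TRANSCRIPT))
    # Against a real keyring:
    # rc, log = sign_key("/path/to/gnupghome", SIGNER_FPR, TARGET_FPR, passphrase="...")
```

The design choice worth noting is that answer_for() says "y" only to the two certification questions and declines everything else. A driver that blindly answers "y" to every GET_BOOL would also wave through prompts such as signing an expired key, which is exactly the kind of unattended certification the maintainer was wary of above.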
