Key Signing Party signature verification tool
Switch branches/tags
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
examples
.gitignore
AUTHORS
LICENSE
README
kspsig

README

kspsig
------

Key Signing Party signature verification tool

If  you  are  concerned  about  the  hash algorithm strength used
in key signing this tool seeks to answer questions you may have
following a key signing party...
- How strongly did others sign my key?
- How strongly did I sign other's keys?
- How strong are the signatures for my key?

This tool only reads keyrings: it does not do any key modifications.

The most common use case is to verify signature strength
of SHA256 (or greater) prior to importing keys (e.g. here Carla
verifies Joe's signature strength, and then imports the sig):

$ kspsig 0x40BFEE868B055D9B.1.signed-by-0x542AA88AAD5896AD.asc
        pub:u:4096:1:40BFEE868B055D9B:2010-07-26:::u:Carla Coder <carla@coder.net>:
        SHA256    AD5896AD  Joe Hacker <joe@hacker.net>
$ gpg --import 0x40BFEE868B055D9B.1.signed-by-0x542AA88AAD5896AD.asc


News
----

As of version 0.9.0
- Switch from python 2 to python 3
- Remove dependency on any python gpg library (just use gpg directly)
- The old debian packaging has been removed (and needs to be updated)
- Added examples/ directory (for future PR's which demonstrate bugs)

NOTE:

Never use 32 bit hex id's to identify keys: see http://evil32.com
(use 0x40BFEE868B055D9A not just 0x8B055D9A)

An ITP has been filed for this program #594907
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594907

However it has been suggested that it be combined with signing-party
and thus the following bug has been opened #595060
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595060


License
-------

Copyright (c) 2010-2017 Tom Marble

Licensed under GPLv3 or later http://www.gnu.org/licenses/gpl-3.0.txt
The full text of the license is available in LICENSE and
on Debian (and derived) systems you may find the full text of the
license in /usr/share/common-licenses/GPL-3


Download
--------

You can find the latest version of kspsig at:
http://github.com/tmarble/kspsig


Configuring caff
----------------

Configuring caff to use a strong hash algorithm for signatures
is a little tricky... If you haven't already please consider
adding "cert-digest-algo  SHA512" to ~/.gnupg/gpg.conf and then
insure caff uses your default GnuPG config file as follows:
$ mv ~/.caff/gnupghome/gpg.conf ~/.caff/gnupghome/gpg.conf.old
$ ln -s ~/.gnupg/gpg.conf ~/.caff/gnupghome/gpg.conf

You can verify the caff signature preference with:
$ grep cert-digest-algo ~/.gnupg/gpg.conf ~/.caff/gnupghome/gpg.conf
/home/USER/.gnupg/gpg.conf:cert-digest-algo SHA512
/home/USER/.caff/gnupghome/gpg.conf:cert-digest-algo SHA512
$

Note: SHA512 isn't strictly necessary.  In the future
the GPG default will be SHA256 (see last URL below).

Apparently the default caff(1) behavior is a _feature_
(see link to bug #527944 below).

It may be wise to review photo UID's before signing
with caff(1) by using this little wrapper function (you can
define it in your ~/.bashrc and don't forget to install xloadimage
or some other gpg --photo-viewer):

function tcaff() {
  echo "=== show photo UIDs ==="
  if ! gpg --list-options show-photos --list-keys $1 ; then
    gpg --recv-key $1
    gpg --list-options show-photos --list-keys $1
  fi
  echo "=== sign key $1 ==="
  caff $1
}


Fixing weak signatures
----------------------

Once you have caff configured for a strong signature algorithm
you may be asked to re-sign some keys.  Here is an approach:

1. Delete the weak signature(s) on your signature (caff) keyring
   (e.g. you signed 0xDEADCAFF with SHA1):

  $ gpg --homedir=~/.caff/gnupghome --secret-keyring ~/.gnupg/secring.gpg --no-auto-check-trustdb --trust-model=always --edit-key 0xDEADCAFF
  gpg> uid 1
  gpg> delsig
  gpg> save

  NOTE: if you signed multiple uid's for that key will need to
  select and delete the signature for each.

2. Re-sign with caff

   $ caff --no-download 0xDEADCAFF

3. Verify the new signature

   $ kspsig --outgoing 0xDEADCAFF

4. If the new signature doesn't use the algorithm you intended
   then try to reconfigure caff and goto step 1.


Sample Letter
-------------

To: Joe Hacker <joe@hacker.net>
Subject: Re-sign with stronger signature? [was Re: Your signed PGP key ...]

Thank you for signing my key at KEY SIGNING PARTY.

I noticed that you signed it with the weaker SHA1 algorithm [0].
I used kspsig to verify this [1]:

$ kspsig 0x40BFEE868B055D9B.1.signed-by-0x542AA88AAD5896AD.asc
        pub:u:4096:1:40BFEE868B055D9B:2010-07-26:::u:Carla Coder <carla@coder.net>:
        SHA1      AD5896AD  Joe Hacker <joe@hacker.net>
$

I have not imported nor uploaded this signature yet.  Would
you please consider reconfiguring gpg [2] and caff and signing it again?

Just add "cert-digest-algo  SHA512" to ~/.gnupg/gpg.conf and then
insure caff uses your default GnuPG config file as follows:
% mv ~/.caff/gnupghome/gpg.conf ~/.caff/gnupghome/gpg.conf.old
% ln -s ~/.gnupg/gpg.conf ~/.caff/gnupghome/gpg.conf

Please let me know if you have any questions,

--Carla Coder

[0] http://www.gnupg.org/faq/weak-digest-algos.en.html
[1] http://github.com/tmarble/kspsig
[2] http://www.debian-administration.org/users/dkg/weblog/48


Usage Examples
--------------

# Verify incoming signatures
$ ./kspsig examples/0x40BFEE868B055D9A.1.signed-by-0xDB221A6900000011.asc
file:     0x40BFEE868B055D9A.1.signed-by-0xDB221A6900000011.asc
  SIGNED  0x40BFEE868B055D9A UID 1 = "Tom Marble <tmarble@info9.net>"
    BY 0xDB221A6900000011 = Keith Packard <keithp@keithp.com> WITH SHA256

# How did I sign someone's key?
$ kspsig --caffhome ~/.gnupg -o tmancill@debian.org
          pub RSA 4096 0x21D20589974B3E96 2010-07-19 [SC]
          uid #1  [full] tony mancill <tmancill@debian.org>
SHA512    sig    40BFEE868B055D9A 2010-09-02  Tom Marble <tmarble@info9.net>
          uid #2  [full] tony mancill <tony@mancill.com>
SHA512    sig    40BFEE868B055D9A 2010-09-02  Tom Marble <tmarble@info9.net>

# How did someone sign my key?
$ kspsig --key 0x21D20589974B3E96 --caffhome ~/.gnupg --outgoing 0x40BFEE868B055D9A
          pub RSA 4096 0x40BFEE868B055D9A 2010-07-26 [SC]
          uid #1  [ultimate] Tom Marble <tmarble@info9.net>
SHA1      sig    21D20589974B3E96 2010-08-06  tony mancill <tmancill@debian.org>

# How did a third person sign someone's key
$ kspsig --key miguel@miguel.cc --caffhome ~/.gnupg --outgoing tmancill@debian.org
          pub RSA 4096 0x21D20589974B3E96 2010-07-19 [SC]
          uid #1  [full] tony mancill <tmancill@debian.org>
SHA512    sig    6E608B637D8967E9 2014-09-09  Miguel Landaeta <miguel@miguel.cc>
          uid #2  [full] tony mancill <tony@mancill.com>
SHA512    sig    6E608B637D8967E9 2014-09-09  Miguel Landaeta <miguel@miguel.cc>
SHA512    sig    6E608B637D8967E9 2014-09-09  Miguel Landaeta <miguel@miguel.cc>
SHA512    sig    6E608B637D8967E9 2014-09-09  Miguel Landaeta <miguel@miguel.cc>

# show the strengh of all signatures on my key
./kspsig --signatures

# show the strengh of all signatures on someone's key
$ kspsig -s 0xDB221A6900000011
          pub RSA 4096 0xDB221A6900000011 2012-03-15 [ESCA]
          uid #1  [full] Keith Packard <keithp@keithp.com>
SHA1      sig    E74D29B82BE16D01 2013-08-13  Moray Allan <moray@sermisy.org>
SHA256    sig    E106481EEDF008C5 2013-08-25  [uid#1 E106481EEDF008C5]
SHA1      sig    79BE3E4300411886 2013-10-02  Linus Torvalds <torvalds@linux-foundation.org>


Bugs
----

There are certainly bugs in kspsig related to multiple UID's
and non-standard UID's (e.g. JPEG images). Please file issues
and / or make pull requests to add example files in the
examples/ directory (in order to reproduce the bug).


See Also
--------

gpg(1)
caff(1)
http://www.debian-administration.org/users/dkg/weblog/48
http://www.gnupg.org/faq/weak-digest-algos.en.html
http://keyring.debian.org/creating-key.html
http://lists.debian.org/debian-devel-announce/2009/05/msg00005.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=527944
http://www.gag.com/bdale/blog/posts/Strong_Keys.html
https://evil32.com/