Key Signing Party signature verification tool
Python Shell
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
debian
.gitignore
AUTHORS
LICENSE
README
info9.net.list
kspsig
kspsig.h2m

README

kspsig
------

Key Signing Party signature verification tool

If  you  are  concerned  about  the  hash algorithm strength used
in key signing this tool seeks to answer questions you may have
following a key signing party...
- How strongly did others sign my key?
- How strongly did I sign other's keys?
- How strong are the signatures for my key?

This tool only reads keyrings: it does not do any key modifications.

The most common use case is to verify signature strength
of SHA256 (or greater) prior to importing keys (e.g. here Carla
verifies Joe's signature strength, and then imports the sig):

$ kspsig 0x40BFEE868B055D9B.1.signed-by-0x542AA88AAD5896AD.asc
        pub:u:4096:1:40BFEE868B055D9B:2010-07-26:::u:Carla Coder <carla@coder.net>:
        SHA256    AD5896AD  Joe Hacker <joe@hacker.net>
$ gpg --import 0x40BFEE868B055D9B.1.signed-by-0x542AA88AAD5896AD.asc

See the man page for additional documentation and examples


News
----

An ITP has been filed for this program #594907
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594907

However it has been suggested that it be combined with signing-party
and thus the following bug has been opened #595060
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595060

In the meantime you may add this package to a Debian unstable
system by adding the info9 repository as a source.  The easiest
way to do this is simply:
# cp /usr/share/doc/kspsig/info9.net.list /etc/apt/sources.list.d/

The /etc/apt/sources.list.d/info9.net.list should contain:
deb http://info9.net/debian/ unstable/
deb-src http://info9.net/debian/ unstable/

To avoid APT warnings about unverifyable packages or if you trust me
then you can add my key to your APT key ring:
% gpg --recv-key 0x40BFEE868B055D9A
% gpg --armor --export 0x40BFEE868B055D9A | sudo apt-key add -


Requirements
------------

Depends on python 2.6 and python-gnupginterface (and thus gpg).
Although not strictly required it is assumed that caff is also installed.
It may work on later versions of python 2.x, but it is not
tested with python 3.

The man page can be regenerated using help2man with:
$ help2man --output kspsig.1 --include=kspsig.h2m kspsig


License
-------

Copyright (c) 2010 Tom Marble

Licensed under GPLv3 or later http://www.gnu.org/licenses/gpl-3.0.txt
The full text of the license is available in LICENSE and
on Debian (and derived) systems you may find the full text of the
license in /usr/share/common-licenses/GPL-3


Download
--------

You can find the latest version of kspsig at:
http://github.com/tmarble/kspsig


Configuring caff
----------------

Configuring caff to use a strong hash algorithm for signatures
is a little tricky... If you haven't already please consider
adding "cert-digest-algo  SHA512" to ~/.gnupg/gpg.conf and then
insure caff uses your default GnuPG config file as follows:
$ mv ~/.caff/gnupghome/gpg.conf ~/.caff/gnupghome/gpg.conf.old
$ ln -s ~/.gnupg/gpg.conf ~/.caff/gnupghome/gpg.conf

You can verify the caff signature preference with:
$ grep cert-digest-algo ~/.gnupg/gpg.conf ~/.caff/gnupghome/gpg.conf
/home/USER/.gnupg/gpg.conf:cert-digest-algo SHA512
/home/USER/.caff/gnupghome/gpg.conf:cert-digest-algo SHA512
$

Note: SHA512 isn't strictly necessary.  In the future
the GPG default will be SHA256 (see last URL below).

Apparently the default caff(1) behavior is a _feature_
(see link to bug #527944 below).

It may be wise to review photo UID's before signing
with caff(1) by using this little wrapper function (you can
define it in your ~/.bashrc and don't forget to install xloadimage
or some other gpg --photo-viewer):

function tcaff() {
  echo "=== show photo UIDs ==="
  if ! gpg --list-options show-photos --list-keys $1 ; then
    gpg --recv-key $1
    gpg --list-options show-photos --list-keys $1
  fi
  echo "=== sign key $1 ==="
  caff $1
}


Fixing weak signatures
----------------------

Once you have caff configured for a strong signature algorithm
you may be asked to re-sign some keys.  Here is an approach:

1. Delete the weak signature(s) on your signature (caff) keyring
   (e.g. you signed DEADCAFF with SHA1):

  $ gpg --homedir=~/.caff/gnupghome --secret-keyring ~/.gnupg/secring.gpg --no-auto-check-trustdb --trust-model=always --edit-key DEADCAFF
  gpg> uid 1
  gpg> delsig
  gpg> save

  NOTE: if you signed multiple uid's for that key will need to
  select and delete the signature for each.

2. Re-sign with caff

   $ caff --no-download DEADCAFF

3. Verify the new signature

   $ kspsig --outgoing=DEADCAFF

4. If the new signature doesn't use the algorithm you intended
   then try to reconfigure caff and goto step 1.

Sample Letter
-------------

To: Joe Hacker <joe@hacker.net>
Subject: Resign with stronger signature? [was Re: Your signed PGP key ...]

Thank you for signing my key at KEY SIGNING PARTY.

I noticed that you signed it with the weaker SHA1 algorithm [0].
I used kspsig to verify this [1]:

$ kspsig 0x40BFEE868B055D9B.1.signed-by-0x542AA88AAD5896AD.asc
        pub:u:4096:1:40BFEE868B055D9B:2010-07-26:::u:Carla Coder <carla@coder.net>:
        SHA1      AD5896AD  Joe Hacker <joe@hacker.net>
$

I have not imported nor uploaded this signature yet.  Would
you please consider reconfiguring gpg [2] and caff and signing it again?

Just add "cert-digest-algo  SHA512" to ~/.gnupg/gpg.conf and then
insure caff uses your default GnuPG config file as follows:
% mv ~/.caff/gnupghome/gpg.conf ~/.caff/gnupghome/gpg.conf.old
% ln -s ~/.gnupg/gpg.conf ~/.caff/gnupghome/gpg.conf

Please let me know if you have any questions,

--Carla Coder

[0] http://www.gnupg.org/faq/weak-digest-algos.en.html
[1] http://github.com/tmarble/kspsig
[2] http://www.debian-administration.org/users/dkg/weblog/48


See Also
--------

gpg(1)
caff(1)
http://www.debian-administration.org/users/dkg/weblog/48
http://www.gnupg.org/faq/weak-digest-algos.en.html
http://keyring.debian.org/creating-key.html
http://lists.debian.org/debian-devel-announce/2009/05/msg00005.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=527944
http://www.gag.com/bdale/blog/posts/Strong_Keys.html

To Do
-----

- Peer review of the approach of using gpg --export and
  gpg --list-packets
- Consider rewriting with direct access to the keyrings