Back home, keys signed and all

Submitted by gwolf on Mon, 08/03/2009 - 13:02

After leaving DebConf on the much uncomfortable 06:45 train last Friday (uncomfortable not because of the seats but because of the timing — It basically meant not sleeping at all in order to spend a last full night of socialization+Mao), I stopped by two dear friends' houses near Madrid (Adriano+Nuria at Alcobendas, María+Borja at Alovera) and came back to Mexico. I must say I was... Really, really, really tired most of the time. On Friday, I met my friends slightly past 5PM, and all the time in between was spent walking to get some things done in Madrid. I would not call this sight-seeing as I was mostly in places I had already been before, but crossing out to-do items from my checklist (i.e. getting a much needed second suitcase, getting some music for Nadezhda's brother, finding good cheap food and so on). Every now and then, when I was not walking (i.e. while on the Cercanías trains), I would doze out - And it was common, for this couple-of-seconds dozing-out, that I would hear or even see any random person of DebConf speaking about any random topic. Quite close to a hallucinative thing! Anyway, my brain has finally understood it does not have to carry you guys around at all times, and I'm just back to (jetlagged and tired) normality.

I got home at ~21:30, unpacked a couple of things, and fell asleep right away. Woke up at around 6AM. That is great, if I can sustain the trend, I will have defeated jetlag!

Today, I got to work, only to find an unresponsive computer — During some update I did from .es, dbus was left on a semi-installed state. No dbus means no HAL, and no HAL means X won't know which input devices to use. Of course, easy to fix, but as I didn't have any other computer handy, instead of ssh'ing my way in, I had to do a couple of reboot cycles until I found the culprit (bah…)

First thing I did upon getting my machine in a workable state is to sign the keys I had left, and to fix those that were probably not signed with SHA256. Some people asked me what was BDale's post about, so I'll summarize, hoping that more explanations might not be better, but contain the same information worded differently, and gets best in everybody's brain. One of the instructions at Ana's great post regarding what to do to get a SHA256 key mentions setting up the following lines in your .gnupg/gpg.conf file:

  1. personal-digest-preferences SHA256
  2. cert-digest-algo SHA256
  3. default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

Thing is, those lines are not added to .caff/gnupghome/gpg.conf, which is an independent copy. I was missing such file, and I don't really know the defaults, so I am not sure this was really needed, but followed BDale's instructions: Delete my signatures on all the affected keys, and run them again through caff (in signing-party). Of course, hand-processing a handful of keys is not exactly fun — But given that signatures are stored in .caff/keys/ ordered by date, it was quite easy to get them all. Yes, some manual shuffling was required, but quite minor all in all. First of all, edit each of the keys, removing your signature from each of the UIDs. This is the user-interaction-heavy part, as gnupg does not like to be driven by piping commands to it (understandably). I wanted to do this on all the keys I had signed during July 2009, so:
  1. $ for i in $(find .caff/keys/2009-07* -type f|cut -f 2 -d .|cut -f 4 -d / |sort|uniq)
  2. do
  3. gpg --homedir=~/.caff/gnupghome/ --secret-keyring=~/.gnupg/secring.gpg \
  4. --no-auto-check-trustdb --trust-model=always --edit-key $i
  5. done

So, for each key, I would do:

  • uid 1
  • delsig
  • Delete all of my signatures (not that it matters deleting others', but it is easy to set your brain to grep for yourself ;-) ) It is very important to note if any of the keys does not have your signature on — That would mean that, for whatever reason it happened, you would need to remember that key to be skipped in the caff step.
  • If the key has more than one UID, repeat for all others

After this, go through each of those keys again, re-signing them. I could have included this step in the previous block, but I... didn't ;-)

  1. $ for i in $(find .caff/keys/2009-07* -type f|cut -f 2 -d .|cut -f 4 -d / |sort|uniq)
  2. do
  3. caff --no-download $i
  4. done

Note that by specifying --no-download, I am not getting it from the keyserver but using the copy I already had on my directory, without the weak signature. And, as I checked I had already signed each of them, it was no longer necessary to triple-check the signature (as I had discarded several of the paper snippets people had given me). I trust well enough this computer, where I had done the initial signatures (and which is not accessible from teh intarwebs without compromising an intermediate server).

As a last bit of caff goodness: Many people will remember only the last eight bytes of their signature. As an example, my new and shiny key information reads:

  1. pub 4096R/C1DB921F 2009-07-09
  2. Key fingerprint = AB41 C1C6 8AFD 668C A045 EBF8 673A 03E4 C1DB 921F
  3. uid Gunnar Eyal Wolf Iszaevich <>
  4. uid Gunnar Eyal Wolf Iszaevich <>
  5. uid Gunnar Eyal Wolf Iszaevich (Instituto de Investigaciones Económicas UNAM) <>

Speaking informally, I will tell you my key ID is C1DB921F — A short-enough string to be memorized. However, many people do not note this string is just the final part of the fingerprint. And caff allows for keys for it to work on to be specified in several different formats, being C1DB921F only the shortest one. However, you will find way more comfortable (but only after triple-checking the SHA256sum matches!) to ask caff to do the process based on the whole fingerprint. In this case, if I gave caff as its argument AB41C1C68AFD668CA045EBF8673A03E4C1DB921F, I would not have to hand-check the fingerprint matches what I have on the listing, isn't it great? So I did so both for those that were handed out to me as paper snippets (I typed the whole fingerprint as an argument to caff, as I'd have to check it anyway) and for those in Anibal's list. Good thing on Anibal's list is that it is already electronic, and after comparing the SHA256sum to the string I had hand-written in the paper, and weeding out all the people I had not cross-signed with, I just did:

caff $(cat ksp-dc9.txt |grep Key\ fing|cut -f 2 -d =|sed s/\ //g )
And, ta-da, just answer some prompts (I prefer to always answer to them, checking one more time against my list, just to be sure), produce your passphrase a couple dozen times, and off the mails are sent.

As a final note: I felt much, much more in control and at ease with this edition's key signing process. No more horribly long queues, no more stupid and pointless document checking. Many people just agreed to cross-sign based on the fact that we have known each other's face-to-name relation for long enough to trust it more than any government-issued IDs; other people did request an ID, so I always kept my passport handy. There are several people I engaged in interesting conversations as a result of keysigning request. This year, I did not sign any keys of people whose face I cannot remember (of course, that recalling bound to decrease with time, but it is a much stronger policy than previous years... And I might end up following a stricter one, as several other friends do). And, strangely… Well, there are many people I felt strange of not signing. People I spent long amounts of time working or talkin with, and I ultimately trust their identity. However, seems we didn't ask each other for signatures, or I didn't have a pen handy, or something like that… Anyway, that only leaves me with one more excuse to see you all guys next year in New York!

( categories: )
nion's picture

oergs, thanks for the blog

oergs, thanks for the blog post! same happened to me, I had this in my settings but didn't have a symlink to my gpg.conf in the caff directory. I hopefully have the time to redo the keysigning soon. Thanks again for the heads up!

vicm3's picture

Now that you say...

For one or other reason never have signed keys :D

gwolf's picture

…And you are among the very few people

I would even consider exchanging fingerprints with via phone! Anyway, we have one more reason to meet :-}

Simon's picture

gnupg automation

It *is* possible to automate GnuPg, see :

Miriam Ruiz's picture

minimize instead of delsig

I found it quicker to use minimize inside --edit-key than having to do all that delsig stuff:

minimize -> compact unusable user IDs and remove all signatures from key