Identifying Non-MDC keys

Robert J. Hansen rjh at sixdemonbag.org
Fri May 25 20:01:27 CEST 2018


> I am searching a way of detecting non-MDC keys in my keyring.

The following PowerShell script may be of interest to you.

=====
# find_missing_mdc.ps1
#
# Copyright 2018, Rob Hansen
#
# Permission to use, copy, modify, and/or distribute this
# software for any purpose with or without fee is hereby
# granted, provided that the above copyright notice and
# this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS
# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
# WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
# TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
# USE OR PERFORMANCE OF THIS SOFTWARE.

# Locate the gpg binary: registry on Windows, PATH search elsewhere.
function Find-GnuPG {
    # [Environment]::OSVersion.Platform is populated in both Windows
    # PowerShell 5.1 and PowerShell Core; $PSVersionTable["Platform"]
    # does not exist in Windows PowerShell, so the old check never
    # matched there.
    $platform = [System.Environment]::OSVersion.Platform
    If ($platform -eq "Win32NT") {
        If (Test-Path "HKLM:\Software\WOW6432Node\GnuPG") {
            $gpgdir = Join-Path `
                -Path (Get-ItemPropertyValue `
                    -Path "HKLM:\Software\WOW6432Node\GnuPG" `
                    -Name "Install Directory") `
                -ChildPath "bin"
            return Join-Path -Path $gpgdir -ChildPath "gpg.exe"
        }
        ElseIf (Test-Path "HKLM:\Software\WOW6432Node\GNU\GnuPG") {
            $gpgdir = Get-ItemPropertyValue `
                -Path "HKLM:\Software\WOW6432Node\GNU\GnuPG" `
                -Name "Install Directory"
            return Join-Path -Path $gpgdir -ChildPath "gpg2.exe"
        }
    }
    ElseIf ($platform -eq "Unix") {
        ForEach ($path in $env:PATH.Split(':')) {
            # PATH may contain directories that do not exist; skip them
            ForEach ($item in Get-ChildItem -File -Name -Path $path `
                -Filter gpg* -ErrorAction SilentlyContinue) {
                If ($item -eq "gpg" -Or $item -eq "gpg2") {
                    return Join-Path $path $item
                }
            }
        }
    }
    # throw rather than Exit: Exit in a dot-sourced script closes the shell
    throw "Error: couldn't find GnuPG"
}

# Build an ordered map keyid -> (user ID -> preference string) from
# gpg's machine-readable (--with-colons) output.
function Find-Cert-Preferences {
    $keyids = [ordered]@{}
    $gpg = Find-GnuPG
    # "pub:" records: field 5 is the long key ID
    (&$gpg --keyid-format long --fixed-list-mode --with-colons `
        --list-key | Select-String -Pattern "^pub:").ForEach({
        $keyids[$_.Line.Split(':')[4]] = [ordered]@{}
    })
    ForEach ($keyid in $keyids.Keys) {
        # In --edit-key mode the uid records carry the preference list
        # in field 13, e.g. "S9 S8 S7 S2 H10 H9 H8 Z2 Z1,mdc,ks-modify"
        ForEach ($uidrow in (&$gpg --keyid-format long `
            --fixed-list-mode --with-colons --no-tty --edit-key `
            $keyid showpref quit | Select-String -Pattern "^uid:")) {
            If ($uidrow.Line -match "^uid:r") {
                Continue    # revoked user ID
            }
            $elements = $uidrow.Line.Split(':')
            $username = $elements[9]
            $prefs = $elements[12]
            If (-Not $keyids[$keyid].Contains($username)) {
                $keyids[$keyid][$username] = ""
            }
            $keyids[$keyid][$username] += $prefs
        }
    }
    return $keyids
}

# Report user IDs that neither carry the "mdc" flag nor prefer a
# 128-bit block cipher (S7 AES-128, S8 AES-192, S9 AES-256,
# S10 Twofish, S11-S13 Camellia); GnuPG infers MDC support from
# a preference for any of those ciphers.
function Find-Missing-MDC {
    $certs = Find-Cert-Preferences
    ForEach ($keyid in $certs.Keys) {
        ForEach ($user in $certs[$keyid].Keys) {
            $prefs = $certs[$keyid][$user]
            If ((-Not ($prefs -match "mdc")) -And
                (-Not ($prefs -match "\bS(7|8|9|10|11|12|13)\b"))) {
                Write-Output "$user (0x$keyid)"
                Break    # one report per key is enough
            }
        }
    }
}

Find-Missing-MDC

=====

Save that as "find_missing_mdc.ps1".  Then open a PowerShell session and
type:

PS /Users/rjh> . /path/to/find_missing_mdc.ps1

The initial dot is important.  Period, space, path to find_missing_mdc.ps1.

If it finds any UIDs which are:

	* not revoked
	* don't explicitly list MDC in their prefs
	* only use pre-MDC algorithms

... it'll give you a warning and a list of affected key IDs.

Wrote it on OS X; it should also work on Windows 7+.
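As an added example (not part of Rob's script), the same decision rule applied in Python to a constructed sample of the colon-format uid records the script reads from "--edit-key ... showpref": field 10 is the user ID, field 13 the preference list, and a validity of "r" marks a revoked user ID. The sample records, names and hashes are made up, and cipher tokens are matched whole rather than as substrings.

```python
# Constructed sample of `gpg --with-colons --edit-key <id> showpref quit`
# uid records (names and hashes are made up; the layout follows the
# field positions the PowerShell script relies on: [9] = user ID,
# [12] = preferences, [1] == "r" for a revoked user ID).
SAMPLE_UID_RECORDS = """\
uid:u::::1526000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice <alice@example.org>:::S9 S8 S7 S2 H10 H9 H8 H2 Z2 Z3 Z1,mdc,ks-modify:
uid:u::::1526000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Bob (old PGP 2 key):::S1 S2 S3 H1 Z1:
uid:r::::1526000000::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Carol (revoked) <carol@example.org>:::S2 H2 Z1:
uid:u::::1526000000::0011223344556677889900AABBCCDDEEFF001122::Dave <dave@example.org>:::S7 S2 H8 Z2:
"""

# 128-bit block ciphers (AES, Twofish, Camellia): GnuPG infers MDC
# support from a preference for any of these even without the "mdc" flag.
MDC_IMPLYING_CIPHERS = {"S7", "S8", "S9", "S10", "S11", "S12", "S13"}


def uid_supports_mdc(prefs):
    """True if the preference string signals MDC support.

    The string looks like "S9 S8 S7 H10 H9 Z2 Z1,mdc,ks-modify": algorithm
    tokens separated by spaces, then comma-separated feature flags.
    """
    algos, _, flags = prefs.partition(",")
    if "mdc" in flags.split(","):
        return True
    return any(token in MDC_IMPLYING_CIPHERS for token in algos.split())


def find_missing_mdc(colon_output):
    """Return the non-revoked user IDs whose preferences imply no MDC."""
    missing = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] != "uid" or len(fields) < 13:
            continue
        if fields[1] == "r":        # revoked user ID, ignore
            continue
        username, prefs = fields[9], fields[12]
        if not uid_supports_mdc(prefs):
            missing.append(username)
    return missing


if __name__ == "__main__":
    for user in find_missing_mdc(SAMPLE_UID_RECORDS):
        print(user)   # prints only Bob's user ID for the sample above
```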
