Identifying Non-MDC keys
Robert J. Hansen
rjh at sixdemonbag.org
Fri May 25 20:01:27 CEST 2018
> I am searching for a way of detecting non-MDC keys in my keyring.
The following PowerShell script may be of interest to you.
=====
# find_missing_mdc.ps1
#
# Copyright 2018, Rob Hansen
#
# Permission to use, copy, modify, and/or distribute this
# software for any purpose with or without fee is hereby
# granted, provided that the above copyright notice and
# this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS
# ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
# WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
# TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
# USE OR PERFORMANCE OF THIS SOFTWARE.
function Find-GnuPG {
    # Windows PowerShell 5.1 has no "Platform" entry in $PSVersionTable
    # (it was added in PowerShell Core 6), so treat its absence as Windows.
    $platform = $PSVersionTable["Platform"]
    If (-Not $platform) { $platform = "Win32NT" }

    If ($platform -eq "Win32NT") {
        # Look up the install directory the GnuPG installer recorded
        # in the registry.
        If (Test-Path "HKLM:\Software\WOW6432Node\GnuPG") {
            $gpgdir = Join-Path `
                -Path (Get-ItemPropertyValue `
                    -Path "HKLM:\Software\WOW6432Node\GnuPG" `
                    -Name "Install Directory") `
                -ChildPath "bin"
            return Join-Path -Path $gpgdir -ChildPath "gpg.exe"
        }
        ElseIf (Test-Path "HKLM:\Software\WOW6432Node\GNU\GnuPG") {
            $gpgdir = Get-ItemPropertyValue `
                -Path "HKLM:\Software\WOW6432Node\GNU\GnuPG" `
                -Name "Install Directory"
            return Join-Path -Path $gpgdir -ChildPath "gpg2.exe"
        }
    }
    ElseIf ($platform -eq "Unix") {
        # Walk PATH and take the first gpg or gpg2 binary found.
        ForEach ($path in $env:PATH.Split(':')) {
            ForEach ($item in Get-ChildItem -File -Name -Path $path `
                    -Filter gpg* -ErrorAction SilentlyContinue) {
                If ($item -eq "gpg" -Or $item -eq "gpg2") {
                    return Join-Path -Path $path -ChildPath $item
                }
            }
        }
    }
    # "Exit" would close the whole session when this script is
    # dot-sourced, so raise a terminating error instead.
    throw "Error: couldn't find GnuPG"
}

function Find-Cert-Preferences {
    $keyids = [ordered]@{}
    $gpg = Find-GnuPG

    # One entry per primary key: field 5 of each "pub:" record is the
    # 16-hex-digit long key ID.
    ForEach ($pubrow in (&$gpg --keyid-format long --fixed-list-mode `
            --with-colons --list-keys | Select-String -Pattern "^pub:")) {
        $keyid = $pubrow.Line.Split(':')[4]
        $keyids[$keyid] = [ordered]@{}
    }

    # For each key, read the per-UID preferences from "showpref" in
    # machine-readable form. In --with-colons mode the user ID is field 10
    # and the preference string (e.g. "S9 S8 S7 S2 H10 ... Z1,mdc") is
    # field 13.
    ForEach ($keyid in $keyids.Keys) {
        ForEach ($uidrow in (&$gpg --keyid-format long --fixed-list-mode `
                --with-colons --no-tty --edit-key $keyid showpref quit |
                Select-String -Pattern "^uid:")) {
            If ($uidrow.Line -match "^uid:r") {
                Continue    # revoked user ID, skip it
            }
            $elements = $uidrow.Line.Split(':')
            $username = $elements[9]
            $prefs = $elements[12]
            If (-Not $keyids[$keyid].Contains($username)) {
                $keyids[$keyid][$username] = ""
            }
            $keyids[$keyid][$username] += $prefs
        }
    }
    return $keyids
}

function Find-Missing-MDC {
    $certs = Find-Cert-Preferences
    ForEach ($keyid in $certs.Keys) {
        ForEach ($user in $certs[$keyid].Keys) {
            $prefs = $certs[$keyid][$user]
            # A UID is fine if it sets the mdc feature flag or prefers any
            # cipher newer than MDC: AES (S7-S9), Twofish (S10) or
            # Camellia (S11-S13). Otherwise it only lists pre-MDC
            # algorithms and gets reported.
            If ((-Not ($prefs -match "mdc")) -And
                (-Not ($prefs -match "\bS(7|8|9|1[0-3])\b"))) {
                Write-Output "$user (0x$keyid)"
                Break    # one report per key is enough
            }
        }
    }
}

Find-Missing-MDC
=====
Save that as "find_missing_mdc.ps1". Then open a PowerShell session and
type:
PS /Users/rjh> . /path/to/find_missing_mdc.ps1
The initial dot is important: period, space, path to find_missing_mdc.ps1.
If it finds any UIDs which:
* are not revoked
* don't explicitly list MDC in their prefs
* only use pre-MDC algorithms
... it'll give you a warning and a list of affected key IDs.
Wrote it on OS X, should also work on Windows 7+.
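As an added, stand-alone example that is not part of Hansen's script, here is the same per-UID decision written in Python against constructed "uid:" records in the shape gpg's colon-mode showpref listing uses (user ID in field 10, preferences in field 13); the sample names, addresses and preference strings are made up.

```python
import re

# Cipher ids the script above treats as post-MDC evidence:
# AES-128/192/256 (7-9), Twofish (10), Camellia-128/192/256 (11-13).
POST_MDC_CIPHERS = {7, 8, 9, 10, 11, 12, 13}


def unescape_colon_field(field):
    """Undo gpg's \\xNN escaping (e.g. ':' -> '\\x3a') in --with-colons output."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)


def uid_lacks_mdc(line):
    """Return the user ID if this 'uid:' record is not revoked and has neither
    the mdc flag nor a post-MDC cipher preference; otherwise return None."""
    fields = line.rstrip("\n").split(":")
    if fields[0] != "uid" or len(fields) < 13:
        return None  # not a uid record from --edit-key showpref
    if fields[1] == "r":
        return None  # revoked user ID, skip it
    userid = unescape_colon_field(fields[9])
    # Field 13 looks like "S9 S8 S7 S2 H10 H2 Z2 Z1,mdc,no-ks-modify":
    # space-separated algorithm prefs, then comma-separated feature flags.
    segments = fields[12].split(",")
    flags = {s.strip() for s in segments[1:]}
    sym = {int(a[1:]) for a in segments[0].split() if a[0] == "S" and a[1:].isdigit()}
    if "mdc" in flags or sym & POST_MDC_CIPHERS:
        return None
    return userid


def find_missing_mdc(showpref_output):
    """User IDs on one key that still advertise only pre-MDC ciphers."""
    return [u for u in map(uid_lacks_mdc, showpref_output.splitlines()) if u]


# Constructed sample in the shape of gpg's colon-mode showpref listing:
# one revoked, one legacy (IDEA/3DES/CAST5 only) and one modern user ID.
SAMPLE = (
    "uid:r::::::::Old Name <old@example.com>:::S2 S3 S1 H2 Z1:1,r:\n"
    "uid:u::::::::Legacy User <legacy@example.com>:::S3 S2 S1 H2 Z2 Z1:2,p:\n"
    "uid:u::::::::Modern User\\x3a <modern@example.com>:::"
    "S9 S8 S7 S2 H10 H2 Z2 Z3 Z1,mdc,no-ks-modify:3,s:\n"
)

if __name__ == "__main__":
    for uid in find_missing_mdc(SAMPLE):
        print("no MDC:", uid)  # prints the legacy user ID only
```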