Improve/verify my GnuPG-sign-script

Karl Voit vk_news@gmx.at
Fri Mar 21 11:45:02 2003


Hi!

Though I have been using gpg for a couple of years, I did not attend a
signing party until last month.

After that party, I had a big problem: how to sign keys
a) properly
b) with a minimum of effort and
c) not too much paranoia?

To help me with those roughly 60 other keys, I came up with the idea of
writing a bash script that automates as much as possible, adds help
text and avoids losing the thread.

Besides that, "normal gpg users" like me get help to sign keys
properly too, without heavy research at http://www.gnupg.org/gph/ (or
so), which I do not want to replace. But I think that it is not written
very clearly when it comes to practical work.


The (beta) result is lgh (little GnuPG helper) which can be downloaded
from http://home.pages.at/voit/scripts/lgh/lgh

NOTES:
* The only implemented feature yet is "sign"
* I did NOT test it with real keys and so on (so far I have only skipped
  the steps) because I want to get the handling correct before testing
  the details.

Please feel free to post comments here before I announce a wrong script
to a wider range of people.



To save you time, I copy&paste the output of the script here:


==8<=================================================================
                 ( The script starts here )
==8<=================================================================


vk@lisa:~/work/2del$ lgh s SOMEONE@THIS.SERVER.COM TESTKEYID

=== notification ==============================================
                                                 lgh
Step 1/13:
Check the authentity of the key-fingerprint

===============================================================

Please check now, if the key you want to sign is related to
the person.
This can be done in several ways:
*) check the fingerprint of the key with the fingerprint which
   the person has published
*) download the whole key from the homepage of the other person
*) ...

Either way, you have to check the person too: let's have a look
at the person's ID-card.

(press ENTER when finished with each point)


=== notification ==============================================
                                                 lgh
Step 2/13:
Make sure, you  really  checked the identity.

===============================================================

The quality of the "web of trust" is inherently related to the
fact, that noone signs other keys without having checked the
person or the connection between the emailaddress and the person.

You would not sign any official document blindly and GnuPG-signed
EMails can be seen as "official documents" from you.

So please do NOT blindly sign other keys without a REAL check!
Thank you!



=== notification ==============================================
                                                 lgh
Step 3/13:
Getting the public key

===============================================================

There are several ways to get the public key of someone into
your local keyring:

1) get it from a keyserver
   executing "gpg --recv-keys TESTKEYID"

2) import the public key which is already on your harddisk
   executing "gpg --import TESTKEYID.gpg.asc" (from current directory)

3) execute nothing, I'll probably skip it or do it by hand


=== question ==================================================
                                                 lgh
What do you want?

===============================================================

3

  (you skipped that step)


=== notification ==============================================
                                                 lgh
Step 4/13:
What EMailaddress do I have to use?

===============================================================

Be sure, that you use only the confirmed emailaddress of
the other person even when there are several UIDs (user IDs)
with different emailaddresses in the public key.

Note that anybody can send you EMails from let's say
              Bill.Gates@microsoft.com
No problem for someone, who want's to do something like this.



=== notification ==============================================
                                                 lgh
Step 5-9/13:
Now, for the GnuPG-part...

===============================================================

You will have to use GnuPG (gpg) to sign the public key.

1) start it now
    executing "gpg --edit-key TESTKEYID"

2) execute nothing, I'll probably skip it or do it by hand


=== question ==================================================
                                                 lgh
What do you want?

===============================================================

2

=== notification ==============================================
                                                 lgh
What is to be done in GnuPG?

===============================================================

Step 5/13:
Command> fpr
   Just to make sure, you have to check the fingerprint of
   the key you're about to sign.

Step 6/13:
Command> uid <uid-number>
   Select the UID of SOMEONE@THIS.SERVER.COM

Step 7/13:
Command> sign
   Sign the public key of the other person with the correct
   identity of yours.

Step 8/13:
Command> trust
   Define your local/private trust in the other key.

Step 9/13:
Command> save
   Save your modifications to your local keyring.
   (This also quits gpg)


  For the case, you want to do it manually, I pause here...



=== notification ==============================================
                                                 lgh
And now export to the keyserver?

===============================================================

NO!
You did not check, if the user id (UID) matches to the
emailaddress, the person pretended to own.



=== notification ==============================================
                                                 lgh
Step 10/13:
Export the key into an ascii-file

===============================================================

Step 10/13
Now, you export the signed public key into a human readable
textfile on your local harddisk.

1) executing "gpg --armor --export TESTKEYID > "TESTKEYID.gpg.asc""

2) execute nothing, I'll probably skip it or do it by hand.


=== question ==================================================
                                                 lgh
What do you want?

===============================================================

2

  (you skipped that step)


=== notification ==============================================
                                                 lgh
Step 11/13:
Delete the key from local keyring

===============================================================

Until now, you don't have the guarantee, that the key belongs
to the guy, who owns the emailaddress. Therefore, you'll delete
this key from the local keyring, until you get your signed and
encrypted key from that emailaddress.

NOTE: This step may be skipped, if you already got this email.

1) executing "gpg --delete-key SOMEONE@THIS.SERVER.COM"

2) execute nothing, I'll probably skip it or do it by hand.


=== question ==================================================
                                                 lgh
What do you want?

===============================================================

2

  (you skipped that step)


=== notification ==============================================
                                                 lgh
Step 12/13:
Send the signed key to the owner of SOMEONE@THIS.SERVER.COM

===============================================================

At this point, you can send the signed key to the owner of the
emailaddress.

NOTE: You have to send this email signed and encrypted!

1) executing "mutt -a "TESTKEYID.gpg.asc" SOMEONE@THIS.SERVER.COM"

2) execute nothing, I'll probably skip it or do it by hand.


=== question ==================================================
                                                 lgh
What do you want?

===============================================================


2

  (you skipped that step)


=== notification ==============================================
                                                 lgh
Step 13/13:
Finished. What's next?

===============================================================

You're done so far.

When a returnmail arrives _exactly from , you can
re-import the stored key from "TESTKEYID.gpg.asc" into your local
keyring by executing command below.

Since then, you cannot be irritated by a "false" verification of a bad
person which claimed, that this emailaddress belongs to that bad
person.

1) executing "gpg --import "TESTKEYID.gpg.asc""

2) execute nothing, I'll probably skip it or do it by hand.


=== question ==================================================
                                                 lgh
What do you want?

===============================================================

2

  (you skipped that step)

lgh: Thank you for using lgh! Have a nice day.
lgh done.
vk@lisa:~/work/2del$



-- 
Karl VOIT, Graz University of Technology (Austria/Europe)
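The 13-step flow printed above, written out as a non-interactive POSIX shell script. This is an added example, not Karl Voit's lgh (whose source is not in this mail); it adds the one check lgh leaves to the reader, namely refusing to sign unless the fingerprint gpg holds matches the one read off the paper slip, it signs only the UID carrying the confirmed address, and it mails the signature encrypted to the key so that only someone who controls both the mailbox and the private key can use it. It assumes GnuPG 2.1 or later (for --quick-sign-key and --with-colons output), a running gpg-agent for the passphrase, and mutt as in the paste; the names normalize_fpr, fpr_matches, local_fpr and the lgh-ex prefix are my own.

```shell
#!/bin/sh
# Added example, not Karl Voit's lgh: a non-interactive version of the
# check -> fetch -> sign -> export -> mail -> delete flow from the paste.
# Assumptions (hypothetical): GnuPG >= 2.1 with a running gpg-agent for the
# passphrase, mutt for mailing, and a fingerprint copied from the paper slip
# the key holder handed over in person.
set -eu

# Strip the spacing/colons of a printed fingerprint and upper-case it, so the
# value read from paper can be compared with what gpg reports.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n-' | tr 'a-f' 'A-F'
}

# Exit 0 only if both are full fingerprints (40 hex digits for v4 keys,
# 64 for v5) and identical. Short key IDs are rejected on purpose: several
# keys can share one 8- or 16-digit ID; the fingerprint is what was checked.
fpr_matches() {
    a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
    case "$a" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#a}" -eq 40 ] || [ "${#a}" -eq 64 ] || return 1
    [ "$a" = "$b" ]
}

# Step 3: fetch by fingerprint, never by the ambiguous short key ID.
fetch_key() { gpg --batch --recv-keys "$1"; }

# Fingerprint gpg actually stored (machine-readable "fpr" record, field 10).
local_fpr() {
    gpg --batch --with-colons --fingerprint "$1" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Steps 6+7: certify only the UID carrying the confirmed address.
# (Same effect as "gpg --edit-key": uid <n>, sign, save in the paste.)
sign_uid() { gpg --batch --quick-sign-key "$1" "$2"; }

# Step 10: armored export kept on disk for the re-import in step 13.
export_signed() { gpg --batch --yes --armor --export "$1" > "$2"; }

# Step 12: sign+encrypt the file to the key itself. Only someone holding both
# the mailbox and the private key can read the certification, which is why it
# is mailed instead of pushed to a keyserver. --trust-model always is
# acceptable here only because the fingerprint was checked against paper.
encrypt_for_owner() {
    gpg --batch --yes --armor --trust-model always \
        --sign --encrypt --recipient "$1" --output "$3" "$2"
}

# Step 11: batch deletion requires the full fingerprint, one more reason to
# work with it throughout.
delete_key() { gpg --batch --yes --delete-key "$1"; }

main() {
    paper_fpr=$(normalize_fpr "$1")   # from the slip, checked against the ID card
    email=$2                          # the one address confirmed in person
    fpr_matches "$paper_fpr" "$paper_fpr" ||
        { echo "lgh-ex: '$1' is not a full fingerprint" >&2; exit 2; }
    fetch_key "$paper_fpr"
    fpr_matches "$paper_fpr" "$(local_fpr "$paper_fpr")" ||
        { echo "lgh-ex: fetched key does not match the paper fingerprint" >&2; exit 3; }
    sign_uid "$paper_fpr" "$email"
    export_signed "$paper_fpr" "$paper_fpr.gpg.asc"
    encrypt_for_owner "$paper_fpr" "$paper_fpr.gpg.asc" "$paper_fpr.gpg.asc.enc"
    mutt -s "Your signed key $paper_fpr" -a "$paper_fpr.gpg.asc.enc" -- "$email"
    delete_key "$paper_fpr"
    echo "lgh-ex: done; re-import $paper_fpr.gpg.asc once the owner answers from $email"
}

# Run the flow only when called as: lgh-ex.sh '<fingerprint>' <email>;
# sourcing the file merely defines the helpers.
if [ "$#" -eq 2 ]; then main "$@"; fi
```

Step 8 (trust) is deliberately left out: ownertrust is a local judgement about how much you rely on the other person's signatures and has nothing to do with the certification itself, so it should not be set by a script on the way through. Everything after the fingerprint check runs against the full fingerprint rather than TESTKEYID, which also avoids the nested-quote problem visible in the export command of the paste.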