gpg-keycheck && tlscert-get

kardan kardan at riseup.net
Wed Jul 17 13:44:15 CEST 2013


Dear gpg users,

I think top priority is to make OpenPGP / GnuPG more user friendly and
especially user understandable. So I took Daniel's howto and wrapped
a key tester around it. It contains links to some gpg documentation
for interested users. If you find important howtos are missing, please
let me know. 
Also if there are testcases which should be included (like key relation
checks for advanced usage).

So far this is a bash script. If it turns out that there are
higher demands, I will consider a rewrite in perl, unless somebody
comes up with something fancy like python or ruby :)

I also had in mind to create an output that is easily transportable via
email to inform other users if their keys do not comply with current
standards.

For example my own key shows I should create a new one (however it
does not tell me about the mess I created on the keyservers with my
unrevocable lost keys):

----- BEGIN PGP KEY CHECK -----
PUBLIC KEY ID           9D6108AE58C06558
ALGORITHM               RSA 
SHA1 SIGNATURES         yes (INSECURE) [2]
ALGORITHM PRIORITY      8 2 9 10 11 (DISORDER) [3]

[WARNING] Better generate a new key [1]. (Show detailed reasons with
'gpg-keycheck -v 9D6108AE58C06558')
  [1] steps to create a key
<http://ekaia.org/blog/2009/05/10/creating-new-gpgkey>
  [2] SHA1 broken
<https://www.schneier.com/blog/archives/2005/02/sha1_broken.html>
  [3]
https://we.riseup.net/riseuplabs+paow/openpgp-best-practices#stated-digest-algorithm-preferences-must-include-a
  [4] update your web of trust (WoT)
<https://www.debian-administration.org/users/dkg/weblog/48>

pub   2048R/9D6108AE58C06558 2013-04-23 [expires: 2014-06-30]
----- END PGP KEY CHECK -----

This is the condensed version with the basic info (-p). If you are
curious what 'gpg-keycheck -v 9D6108AE58C06558' says, have a try :)

Unlike for 'gpg --list-key' it is possible to dump a fingerprint like
the one below without changes. If you have an idea, how to catch the
'key not found error' and automatically download them, please share. But
maybe this is overkill.

I also attached the script for retrieving tls certificates which
I forgot in my last mail.

Happy hacking!
Kardan

-- 
Kardan <kardan at riseup.net>
Encrypt your email: http://gnupg.org/documentation
Public GPG key 9D6108AE58C06558 at hkp://pool.sks-keyservers.net
fpr: F72F C4D9 6A52 16A1 E7C9  AE94 9D61 08AE 58C0 6558
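Two of the checks shown in the key check output above (SHA-1 self-signatures and the order of the stated digest preferences), as an added bash example that is not kardan's gpg-keycheck script. It runs over a constructed sample of `gpg --list-packets` output instead of calling gpg, and it flags a preference list as DISORDER when SHA-1 (algo 2) is listed before any SHA-2 algorithm (8 to 11), which is my reading of the riseup recommendation linked as [3], not necessarily the rule the script uses.

```shell
#!/usr/bin/env bash
# Added example, not the gpg-keycheck script. Checks a self-signature for
# a SHA-1 digest and checks the order of pref-hash-algos, both read from
# the text that `gpg --list-packets` prints.

# Constructed sample of a self-signature as printed by `gpg --list-packets`
# (key id taken from the mail above; digest and timestamp are made up).
SAMPLE_PACKETS=':signature packet: algo 1, keyid 9D6108AE58C06558
    version 4, created 1366675200, md5len 0, sigclass 0x13
    digest algo 2, begin of digest ab cd
    hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)'

# Print "yes" if any signature in the dump was made with SHA-1 (digest algo 2).
sha1_sigs() {
    if printf '%s\n' "$1" | grep -q 'digest algo 2,'; then
        echo yes
    else
        echo no
    fi
}

# Print the stated digest preferences, e.g. "8 2 9 10 11" (first list only).
hash_prefs() {
    printf '%s\n' "$1" | sed -n 's/.*pref-hash-algos: \([0-9 ]*\)).*/\1/p' | head -n 1
}

# Print DISORDER if SHA-1 (2) precedes any SHA-2 algorithm (8, 9, 10, 11),
# otherwise OK. This ordering rule is an assumption made for this example.
prefs_order() {
    seen_sha1=0
    for a in $1; do
        case "$a" in
            2) seen_sha1=1 ;;
            8|9|10|11)
                if [ "$seen_sha1" -eq 1 ]; then
                    echo DISORDER
                    return
                fi ;;
        esac
    done
    echo OK
}

# Stand-alone run over the constructed sample.
printf 'SHA1 SIGNATURES    %s\n' "$(sha1_sigs "$SAMPLE_PACKETS")"
printf 'ALGORITHM PRIORITY %s (%s)\n' "$(hash_prefs "$SAMPLE_PACKETS")" \
    "$(prefs_order "$(hash_prefs "$SAMPLE_PACKETS")")"
```

To run it on a real key, replace the sample with `gpg --export KEYID | gpg --list-packets`.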