[tool / utility] check-trustpaths, a command-line tool for retrieving and checking chains of signatures in the web of trust

Johannes Nix jnxx at posteo.net
Wed May 4 10:18:04 CEST 2016


I wrote a small tool for automatically retrieving
and checking trust paths between two PGP keys.


This was motivated by me experiencing difficulty when verifying
signed Linux distribution images or downloads for web software
using GnuPG. The PGP Pathfinder Service provided by Henk P.
Penning allows one to do that manually. However, to strongly verify
a key, one needs to download and locally check each key in the
resulting trust path, which is somewhat time-consuming, and
probably too much of a hassle for normal people.

What I wanted was a utility to do that check in an automated
way. Therefore, I wrote a little Python program which does that,
and documentation on how to use it; it is here:

https://github.com/jnxx/check-trustpaths

I'd be happy to hear whether it is working for you
and where it can be improved.

The utility tries to cover a number of edge cases and security
aspects - querying several key servers at once, requiring
64-bit key IDs by default, sanitizing responses
from the pgp pathfinder service, handling potential 32-bit
collisions of key IDs (such as for Peter Palfrader's key, which
is a signing key for the Debian image key) and warning about
them.


Also, I have a question. The tool assumes by default that
key ID collisions are possible, for 32-bit key IDs as
well as for 64-bit key IDs. Therefore, the documentation
suggests using the fingerprint of the target key to
identify this key. If more than one key is found for an
ID, it tries to resolve the ambiguity by matching the signature
with the ID of the preceding key in the chain.

The long IDs of the signing keys are retrieved using
gpg --check-sigs --with-colons. However, this command
only returns a 64-bit key ID for the signing key, not
its fingerprint. 

My questions are: is the above reasonably secure?
Assuming that it is better to use the fingerprint
of the signing key, how can I retrieve it?

Johannes
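
Added example, not part of the original post and not code from check-trustpaths: one way to pin a good signature reported by `gpg --check-sigs --with-colons` to a full fingerprint when only the signer's 64-bit key ID is available. It assumes v4 keys and that the fingerprints of all keys in the keyring gpg ran against are known; the sample records, fingerprints and function names are constructed for illustration.

```python
# Constructed `gpg --check-sigs --with-colons` records for one target key.
SAMPLE = (
    "pub:-:4096:1:AAAAAAAA11111111:1400000000:::-:::scESC:\n"
    "fpr:::::::::0123456789ABCDEF01234567AAAAAAAA11111111:\n"
    "uid:-::::1400000000::::Target <target@example.org>:\n"
    "sig:!::1:AAAAAAAA11111111:1400000000::::Target <target@example.org>:13x:\n"
    "sig:!::1:BBBBBBBB22222222:1400000001::::Signer <signer@example.org>:10x:\n"
    "sig:?::1:CCCCCCCC33333333:1400000002::::[User ID not found]:10x:\n"
)
# Constructed fingerprints: SIGNER and COLLIDER share the same 64-bit key ID.
TARGET = "0123456789ABCDEF01234567AAAAAAAA11111111"
SIGNER = "111122223333444455556666BBBBBBBB22222222"
COLLIDER = "999988887777666655554444BBBBBBBB22222222"
UNKNOWN = "0000000000000000000000000CCCCCCCC33333333"[1:]


def good_signer_ids(colon_output):
    """Long key IDs (field 5) of sig records gpg marked good ('!' in field 2)."""
    ids = set()
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "sig" and len(fields) > 4 and fields[1].startswith("!"):
            ids.add(fields[4].upper())
    return ids


def check_link(colon_output, expected_fpr, keyring_fprs):
    """Decide whether the key with fingerprint expected_fpr signed the listed key.

    keyring_fprs: fingerprints of every key in the keyring gpg was run against.
    Returns "verified", "ambiguous" (several keys share the long ID, so the
    good signature cannot be pinned to one fingerprint) or "unverified".
    """
    expected_fpr = expected_fpr.upper()
    long_id = expected_fpr[-16:]  # v4 key ID = low 64 bits of the fingerprint
    if long_id not in good_signer_ids(colon_output):
        return "unverified"
    sharing = {f.upper() for f in keyring_fprs if f.upper().endswith(long_id)}
    if sharing == {expected_fpr}:
        return "verified"
    return "ambiguous" if len(sharing) > 1 else "unverified"


if __name__ == "__main__":
    print(check_link(SAMPLE, SIGNER, [TARGET, SIGNER]))
    print(check_link(SAMPLE, SIGNER, [TARGET, SIGNER, COLLIDER]))
```

A link is accepted only when exactly one key in the keyring carries the reported 64-bit ID and that key's fingerprint is the expected one; a collision is surfaced as "ambiguous" instead of being resolved silently.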







