usertags 622560 + pca.it-communication
block 622560 by 659990
thanks

Hi there!
Cc:ing people who organized the latest keysigning parties I participated
in, I actually want to fix this bug once and for all (sorry for the long
email). Given that we are at a point where caff is the de facto
"standard" for sending signatures, I would like a similar situation for
the previous steps as well.

The history is at: <http://bugs.debian.org/622560>

On Mon, 19 Sep 2011 01:44:33 +0200, Luca Capello wrote:
> On Wed, 27 Jul 2011 04:01:55 +0200, Stefano Zacchiroli wrote:
>> On Wed, Apr 13, 2011 at 01:39:30AM +0200, Luca Capello wrote:
>>> 4) I parse the digital list and feed the result to caff
>>>
>>> Point 4) is the most critical one: AFAIK there is no automatic tool to
>>> do it, so I still use a pipeline Zack (X-Debbugs-Cc:ed) suggested me
>>> back at DebConf6:
> [...]
>> You can find attached a simple perl script which parses a participantlist
>> file, and returns all the fingerprints marked with X/X. It will return
>> all fingerprints belonging to the marked person. Since, as observed in
>> this bug log, caff groks fingerprints, this relieves from the need of
>> checking fingerprints when piped to caff (as long as the used
>> participantlist file has been verified, of course).
>
> Thank you very much for the script, here is how I tested it:

Zack's script does not work for the FOSDEM 2012 Keysigning Party.
It does seem that we have (at least) four different KSP files:

1) DebConf9, DebConf10 and DebConf11

--8<---------------cut here---------------start------------->8---
SHA256 Checksum: _________________________________________________________ [ ]

#N NAME SURNAME (rank: N N)
[ ] Fingerprint(s) OK        [ ] ID OK
pub   NNNNR/HHHHHHHH YYYY-MM-DD
      Key fingerprint = HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH
uid                  NAME SURNAME <EMAIL>
uid                  NAME SURNAME <EMAIL>
pub   NNNNR/HHHHHHHH YYYY-MM-DD
      Key fingerprint = HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH
uid                  NAME SURNAME <EMAIL>
uid                  NAME SURNAME <EMAIL>
--8<---------------cut here---------------end--------------->8---

2) FOSDEM2011 and FOSDEM2012

--8<---------------cut here---------------start------------->8---
RIPEMD160 Checksum: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____  [ ]

SHA256 Checksum: ________ ________ ________ ________ ________ ________ ________ ________  [ ]

NNN  [ ] Fingerprint OK        [ ] ID OK
pub   NNNNR/HHHHHHHH YYYY-MM-DD
      Key fingerprint = HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH
uid                  NAME SURNAME <EMAIL>
uid                  NAME SURNAME <EMAIL>
Signatures:[NNNNN]  Keys signed:[NNNNNN]  MSD:[N.NNNN]  Rank:[NNNNNN]
--------------------------------------------------------------------------------
--8<---------------cut here---------------end--------------->8---

3) Chemnitzer Linux-Tage 2011

--8<---------------cut here---------------start------------->8---
MD5 Checksum: __ __ __ __ __ __ __ __ __ __ __ __ __ __ __ __  [ ]

SHA1 Checksum: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____  [ ]

SHA256 Checksum: ________ ________ ________ ________ ________ ________ ________ ________  [ ]

NNN  [ ] Fingerprint OK        [ ] ID OK
pub   NNNNR/HHHHHHHH YYYY-MM-DD
      Schl.-Fingerabdruck = HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH
uid                  NAME SURNAME <EMAIL>
uid                  NAME SURNAME <EMAIL>
--8<---------------cut here---------------end--------------->8---

4) signing-party_1.1.4-1's

--8<---------------cut here---------------start------------->8---
MD5 Checksum: __ __ __ __ __ __ __ __ __ __ __ __ __ __ __ __  [ ]

SHA1 Checksum: ____ ____ ____ ____ ____ ____ ____ ____ ____ ____  [ ]

NNN  [ ] Fingerprint OK        [ ] ID OK
pub   NNNNR/HHHHHHHH YYYY-MM-DD
      Key fingerprint = HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH HHHH
uid                  NAME SURNAME <EMAIL>
uid                  NAME SURNAME <EMAIL>
--8<---------------cut here---------------end--------------->8---

First question: why so many different outputs?  AFAIK gpgparticipants has
been shipped starting with signing-party_1.0-1 and it has never been
modified since then (but we need to, see below).  I went through the gpg
manpage and there is no sign of a similar option.

Second question: how should Zack's script be modified to cope with all
these different outputs?  Actually, the problem is output 1, i.e. the one
used at DebConfs.  Where does it come from?

Anyway, I adapted Zack's script to output 2, with the following
modifications for version 0.2 (full script attached):

- add usage output if no argument is passed
- removed useless $block variable
- support most of the gpgparticipants outputs (e.g. FOSDEM 2012), which
  also means that DebConfs outputs before 2012 are no longer supported
  (see <http://bugs.debian.org/622560>)
- unset $verified_block once the fingerprint has been extracted

Two notes:

a. the problem with output 3 is that `gpg --fingerprint $KEY` outputs in
   German, should we force the output of gpgparticipants to be in
   C.UTF-8?

b. output 4, the one coming from signing-party's gpgparticipants, will
   work out of the box if we move from SHA1 to SHA256 (this is blocking
   this bug, at least in Debian): <http://bugs.debian.org/659990>

So here are the results with the new script on the FOSDEM 2012 KSP file:

=====
$ gpg --decrypt ksp-fosdem2012.txt.gpgsigs.utf8.to-be-signed.only-numbers.gpg | \
    gpg-verified-participants_0.2 - \
    >ksp-fosdem2012.txt.gpgsigs.utf8.only-numbers.gpg-verified-participants_0.2
$ cat ksp-fosdem2012.txt.gpgsigs.utf8.only-numbers.gpg-verified-participants_0.2 | \
    cut -c 33-40 >caff.only-numbers.gpg-verified-participants_0.2
$ cat ksp-fosdem2012.txt.gpgsigs.utf8.to-be-signed.manual | \
    cut -c 13-20 >caff.manual
$ diff -u caff.manual caff.only-numbers.gpg-verified-participants_0.2
$ caff $(cat ksp-fosdem2012.txt.gpgsigs.utf8.only-numbers.gpg-verified-participants)
=====

> The differences are due to the fact that during the keysigning both
> participants told me to sign only their strongest keys, something we
> should not take into account, since it is impossible to detect.

This is actually a problem *only* with the DebConfs KSP files, which are
participant- and not key-centered.

Now that I think about it, I dislike the DebConfs KSP files because it is
more difficult to use them to do statistics.  For the improvement of the
Web of Trust it is not important how many persons, but how many keys
participate in a KSP.

Thx, bye,
Gismo / Luca
#!/usr/bin/perl -w
#
# parse a gpgparticipants file and return fingerprints of verified keys
#
# Copyright: © 2011 Stefano Zacchiroli <z...@upsilon.cc>
# License: GNU General Public License (GPL), version 3 or above
#
# Copyright: © 2012 Luca Capello <l...@pca.it>
# Modifications for version 0.2:
# - add usage output if no argument is passed
# - removed useless $block variable
# - support most of the gpgparticipants outputs (e.g. FOSDEM 2012),
#   which also means that DebConfs outputs before 2012 are no more
#   supported (see <http://bugs.debian.org/622560>)
# - unset $verified_block once the fingerprint has been extracted

use strict;

my $version = 0.2;

if (! $ARGV[0]) {
    # usage output copied from gpgparticipants
    print "gpg-verified-participants $version

Usage: $0 input
   Or: $0 - to read from STDIN

Key verification is indicated by editing the gpgparticipants file and
marking with 'X' both the 'Fingerprint' and 'ID' check boxes in it.

Nota Bene: the gpgparticipants file must be in English!

Here is an example from the file for the FOSDEM 2012 Keysigning Party:

--8<---------------cut here---------------start------------->8---
066  [X] Fingerprint OK        [X] ID OK
pub   4096R/E397832F 2009-07-01
      Key fingerprint = C331 BA3F 75FB 723B 5873 785B 06EA A066 E397 832F
uid                  Luca Capello <luca\@pca.it>
uid                  Luca Capello <gismo\@debian.org>
Signatures:[00270]  Keys signed:[000214]  MSD:[3.9722]  Rank:[000219]
--8<---------------cut here---------------end--------------->8---\n";
    exit 0;
}

my $checksum_found = 0;   # nothing before the SHA256 checksum header is parsed
my $verified_block = 0;   # inside a block whose two check boxes are both marked
my @fingerprints = ();

while (my $line = <>) {
    chomp $line;
    if (! $checksum_found && $line =~ /^SHA256/) {
        $checksum_found = 1;
    } elsif ($checksum_found) {
        # "NNN [X] Fingerprint OK [X] ID OK" opens a verified block
        if ($line =~ /^(\d+)\s+\[X\].*OK\s+\[X\].*OK.*$/i) {
            $verified_block = 1;
        } elsif ($verified_block && $line =~ /^\s+Key\s+fingerprint\s+=\s+(.*)\s*$/) {
            my $fpr = $1;
            $fpr =~ s/ +//g;   # drop the spaces gpg puts between the hex groups
            push @fingerprints, $fpr;
            $verified_block = 0;
        }
    }
}

foreach my $fpr (@fingerprints) {
    print $fpr, "\n";
}
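Added example, not the script attached above nor anything shipped in signing-party: a Python equivalent that also carries out the precondition Zack's mail glosses over, namely that the participants list fed to the parser must be the one whose checksum was verified at the party. It hashes the pristine download and compares it with the digest the participant wrote down, then refuses to extract anything if the marked copy differs from the pristine list anywhere other than the check boxes and the hand-filled checksum lines, which is how an altered fingerprint would sneak past the paper verification. It generalises the extraction to the FOSDEM, Chemnitz and signing-party layouts (including the German "Schl.-Fingerabdruck =" line) and to DebConf-style blocks where one pair of boxes covers several keys. The sample list is constructed: block 066 is the one quoted in the usage text, the other two fingerprints are made up, and all function names are the example's own.

```python
"""Extract the fingerprints of verified keys from a marked gpgparticipants
list, but only once the list is known to be the one whose checksum was
verified at the party.  Added example, not the script attached to the bug
report; the sample at the bottom is modelled on the FOSDEM 2012 excerpt."""
import hashlib
import re

# Check-box line: "066  [X] Fingerprint OK  [X] ID OK" (key-centred lists:
# FOSDEM, Chemnitz, signing-party) or "[X] Fingerprint(s) OK  [X] ID OK"
# (DebConf participant-centred lists, where one line covers several keys).
CHECK_RE = re.compile(
    r"\[([ xX])\]\s*Fingerprint(?:\(s\))?\s+OK\s+\[([ xX])\]\s*ID\s+OK")
# gpg prints "Key fingerprint =" in the C locale, "Schl.-Fingerabdruck =" in German.
FPR_RE = re.compile(
    r"^\s*(?:Key fingerprint|Schl\.-Fingerabdruck)\s*=\s*([0-9A-Fa-f ]+)\s*$")
# Lines participants fill in by hand; ignored when comparing marked vs pristine.
CHECKSUM_RE = re.compile(r"^\s*(?:MD5|SHA1|SHA256|RIPEMD160) Checksum:")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(text: str) -> list:
    """Untick every box and drop the hand-filled checksum lines, so a copy
    that was only ticked canonicalises to the same lines as the pristine list."""
    return [re.sub(r"\[[xX]\]", "[ ]", line)
            for line in text.splitlines() if not CHECKSUM_RE.match(line)]


def verified_fingerprints(pristine: bytes, expected_sha256: str, marked: str) -> list:
    """Return the 40-hex fingerprints whose Fingerprint and ID boxes are both
    ticked in `marked`.  Raise ValueError if `pristine` does not hash to the
    digest verified at the party, or if `marked` differs from `pristine`
    anywhere except the boxes (a fingerprint could have been edited later)."""
    digest = sha256_hex(pristine)
    if digest != expected_sha256.replace(" ", "").lower():
        raise ValueError("participants list checksum mismatch: %s" % digest)
    if _canonical(pristine.decode("utf-8")) != _canonical(marked):
        raise ValueError("marked copy differs from the verified list outside the boxes")
    fprs, verified = [], False
    for line in marked.splitlines():
        box = CHECK_RE.search(line)
        if box:  # a new block starts: both boxes must be ticked
            verified = all(c in "xX" for c in box.groups())
            continue
        fpr = FPR_RE.match(line)
        if fpr and verified:
            hexstr = fpr.group(1).replace(" ", "").upper()
            if len(hexstr) == 40:
                fprs.append(hexstr)
    return fprs


def reject_reason(pristine: bytes, expected_sha256: str, marked: str):
    """The ValueError message for inputs the extractor refuses, else None."""
    try:
        verified_fingerprints(pristine, expected_sha256, marked)
    except ValueError as err:
        return str(err)
    return None


# Constructed sample.  Block 066 is the one quoted in the bug report; the
# fingerprints in 067 and 068 are made up, and 068 imitates German-locale gpg.
SAMPLE_PRISTINE = b"""\
SHA256 Checksum: ________ ________ ________ ________ ________ ________ ________ ________  [ ]

066  [ ] Fingerprint OK        [ ] ID OK
pub   4096R/E397832F 2009-07-01
      Key fingerprint = C331 BA3F 75FB 723B 5873 785B 06EA A066 E397 832F
uid                  Luca Capello <luca@pca.it>
uid                  Luca Capello <gismo@debian.org>
Signatures:[00270]  Keys signed:[000214]  MSD:[3.9722]  Rank:[000219]
--------------------------------------------------------------------------------
067  [ ] Fingerprint OK        [ ] ID OK
pub   4096R/22222222 2011-01-01
      Key fingerprint = 1111 1111 1111 1111 1111 1111 1111 1111 2222 2222
uid                  Example Person <person@example.org>
--------------------------------------------------------------------------------
068  [ ] Fingerprint OK        [ ] ID OK
pub   2048R/44444444 2010-05-05
      Schl.-Fingerabdruck = 3333 3333 3333 3333 3333 3333 3333 3333 4444 4444
uid                  Beispiel Mensch <mensch@example.org>
--------------------------------------------------------------------------------
"""
# The participant ticked 066 and 068 fully, 067 only for the fingerprint
# (ID not checked), and wrote the verified digest into the header line.
SAMPLE_MARKED = (SAMPLE_PRISTINE.decode("utf-8")
    .replace("066  [ ] Fingerprint OK        [ ] ID OK", "066  [X] Fingerprint OK        [X] ID OK")
    .replace("067  [ ] Fingerprint OK        [ ] ID OK", "067  [X] Fingerprint OK        [ ] ID OK")
    .replace("068  [ ] Fingerprint OK        [ ] ID OK", "068  [x] Fingerprint OK        [x] ID OK")
    .replace("________ " * 7 + "________  [ ]", sha256_hex(SAMPLE_PRISTINE) + "  [X]"))

if __name__ == "__main__":
    # Demo only: with a real list, pass the digest you checked at the party.
    for fpr in verified_fingerprints(SAMPLE_PRISTINE, sha256_hex(SAMPLE_PRISTINE), SAMPLE_MARKED):
        print(fpr)  # full fingerprints, ready for: caff $(...)
```

The output is the full 40-hex fingerprint, which is what caff accepts; the `cut -c 33-40` step in the pipeline above only derives the 8-hex short key ID for diffing against a hand-made list, and short IDs should not be what gets signed, since they are not collision-resistant. Blocks where only one of the two boxes is ticked (067 here) are skipped, matching the X/X rule of the original scripts.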