On 10/16/2017 07:19 PM, Peter Maydell wrote:
> It looks like at least five people whose keys I'd like to sign
> are going to be at KVM Forum this year, so it seems worth having
> a proper key signing party rather than just me ad-hoc finding
> people and checking their ID. I am particularly interested
> in signing keys for people who are or expect they might be
> sending me pull requests.
Thanks again to Peter for hosting this key signing party. Now that the 14 participants (presumably) have the paper with 2 checkmarks per entry (one that the person claiming the key(s) read their personal notation and it matched what your master sheet says, the other that you were happy with the ID provided by that person), the next step is to sign those 16 keys and either upload your signature, or to send an encrypted mail to the key owner and have them upload your signature. The latter is arguably a better assurance that the system worked; the pius application can help with that, although it is not mandatory and you can use direct gpg commands instead.

(For those following along that were not in the party, yes, we had 2 more keys than participants, as a couple of participants had 2 keys that they wanted signed.)

I'm attaching a bash script that I used to see which signatures I still need to follow up on (both where someone has not yet signed my key, and where I need to send my signature to someone); as usual, please double-check it before blindly running it.

If you want more help running pius for signing and sending the signed key to a particular recipient, see a previous mail of mine on the topic:
https://lists.gnu.org/archive/html/qemu-devel/2013-11/msg01477.html

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org
#!/bin/bash
# Cross-check for key-signing party followup
# Currently tuned for KVM Forum 2017
ME=${0##*/}
case $# in
  1) my_id=$1 ;;
  *) echo "Usage: $ME YOUR_GPG_KEY_ID" 1>&2; exit 1;;
esac
: ${use_temp_keyring=y}
: ${refresh=y}
# Key IDs of the people who participated in the kvm gpg key-signing.
keys='
be86ebb415104fdf
a7a16b4a2527436a
b90bc7abe7c41e65
0d8721d82838c7d8
0516331ebc5bfde7
ad1270cc4dd0279b
64df38e8af7e215f
9ca4abb381ab73c8
71d4d5e5822f73d6
dae8e10975969ce5
5bca8ae0f14191d4
3c2525ed14360cde
df32e7c0f0fff9a2
f407db0061d5cf40
7f09b272c88f2fd6
ca35624c6a9171c6
'
# Given gpg --list-sig ... output, print only those lines that start
# with "uid" and contain an "@"; print each unique name only once.
uid_name_filter() { grep '^uid.*@' | sort -t'<' -u -k1,1 |
  sed 's/^uid[[:space:]]*/ /'; }
if test "$use_temp_keyring" = y; then
  # Create a temporary directory in which to download keys.
  export GNUPGHOME=$(mktemp -d)
  # Remove it upon interrupt and upon normal termination.
  for sig in 1 2 3 13 15; do eval "trap 'exit $(expr $sig + 128)' $sig"; done
  trap 'rm -fr "$GNUPGHOME"' 0
  # Use a server that's better than the default.
  echo keyserver hkp://pool.sks-keyservers.net > "$GNUPGHOME/gpg.conf"
  # Get latest keys/signatures from key servers.
  gpg --recv-keys $(echo $keys)
else
  test "$refresh" = y \
    && gpg --refresh-keys $(echo $keys)
fi
echo
echo who appears not to have signed $my_id:
s=$(gpg --list-sig $my_id)
# Collect the missing IDs first: with an empty argument list,
# "gpg --list-keys" would print the whole keyring instead of nothing.
missing=$(for i in $(echo $keys); do echo "$s" | grep -qi $i || echo $i; done)
test -n "$missing" && gpg --list-keys $missing | uid_name_filter
echo
echo who has not yet uploaded a signature by $my_id on their key:
for i in $(echo $keys); do
  gpg --list-sig $i | grep -qi $my_id || gpg --list-key $i
done | uid_name_filter
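As an added example (not Eric's script and not part of the thread), here are the same two follow-up checks driven from gpg's machine-readable --with-colons listing instead of grepping the human-readable output. The colon format is stable regardless of the user's keyid-format setting, and looping per key avoids ever calling gpg --list-keys with an empty argument list. The key IDs, names and listings in sample_listing are constructed placeholders, not the party's keys; LIST_SIGS is an assumed hook so the checks can run offline against that constructed data, and defaults to a real gpg call.

```bash
#!/bin/bash
# Added example: key-signing followup over `gpg --with-colons --list-sigs`.
# Record layout (GnuPG doc/DETAILS): field 1 is the record type; for
# "pub" and "sig" records field 5 is the long key ID of the key (for
# "sig", of the signing key); for "uid" records field 10 is the user ID.

# How to obtain one key's signature listing.  Defaults to real gpg;
# LIST_SIGS=sample_listing swaps in the constructed data below (assumed hook).
LIST_SIGS=${LIST_SIGS:-gpg_list_sigs}
gpg_list_sigs() { gpg --with-colons --list-sigs "$1"; }

# stdin: colon listing of one key; stdout: long key IDs that have signed it
# (self-signatures included), upper-cased and de-duplicated.
signers_of() {
  awk -F: '$1 == "sig" { print toupper($5) }' | sort -u
}

# stdin: colon listing of one key; stdout: its first uid containing an "@".
primary_uid() {
  awk -F: '$1 == "uid" && index($10, "@") { print $10; exit }'
}

# Participants (remaining args) who have not yet signed key $1.
not_signed_me() {
  local my_id=$1 signers k K; shift
  signers=$("$LIST_SIGS" "$my_id" | signers_of)
  for k in "$@"; do
    K=$(printf '%s' "$k" | tr a-f A-F)
    printf '%s\n' "$signers" | grep -qx "$K" ||
      echo "$K $("$LIST_SIGS" "$K" | primary_uid)"
  done
}

# Participants (remaining args) whose key does not yet carry a signature by $1.
not_uploaded_mine() {
  local my_id k K listing
  my_id=$(printf '%s' "$1" | tr a-f A-F); shift
  for k in "$@"; do
    K=$(printf '%s' "$k" | tr a-f A-F)
    listing=$("$LIST_SIGS" "$K")
    printf '%s\n' "$listing" | signers_of | grep -qx "$my_id" ||
      echo "$K $(printf '%s\n' "$listing" | primary_uid)"
  done
}

# Constructed --with-colons output for three placeholder keys (not real keys).
# ...01 is "mine"; ...02 has signed it and carries my signature; ...03 has
# done neither, so both checks should report Carol and nobody else.
sample_listing() {
  case $(printf '%s' "$1" | tr a-f A-F) in
  0000000000000001) cat <<'EOF'
pub:u:4096:1:0000000000000001:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::HASH1::Alice Example <alice@example.org>::::::::::0:
sig:::1:0000000000000001:1500000000::::Alice Example <alice@example.org>:13x:::::::::8:
sig:::1:0000000000000002:1508100000::::Bob Example <bob@example.org>:10x:::::::::8:
EOF
    ;;
  0000000000000002) cat <<'EOF'
pub:u:4096:1:0000000000000002:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::HASH2::Bob Example <bob@example.org>::::::::::0:
sig:::1:0000000000000002:1500000000::::Bob Example <bob@example.org>:13x:::::::::8:
sig:::1:0000000000000001:1508100000::::Alice Example <alice@example.org>:10x:::::::::8:
EOF
    ;;
  0000000000000003) cat <<'EOF'
pub:u:4096:1:0000000000000003:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::HASH3::Carol Example <carol@example.org>::::::::::0:
sig:::1:0000000000000003:1500000000::::Carol Example <carol@example.org>:13x:::::::::8:
EOF
    ;;
  esac
}

# Usage: ./followup.sh MY_KEY_ID PARTICIPANT_KEY_ID...
#   (LIST_SIGS=sample_listing ./followup.sh 0000000000000001 0000000000000002 0000000000000003)
if [ -n "${1-}" ]; then
  my_id=$1; shift
  echo "who appears not to have signed $my_id:"
  not_signed_me "$my_id" "$@"
  echo "who has not yet uploaded a signature by $my_id on their key:"
  not_uploaded_mine "$my_id" "$@"
fi
```

Each report line pairs the long key ID with the uid, which is what you need both to pick the right recipient for the encrypted mail carrying your signature and to see, after they upload, that the signature has actually reached the keyservers.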
