GPG keysigning made easy with Pius

Posted: February 10th, 2012 | Filed under: Fedora, Security, Virt Tools

A few months back the Red Hat KVM team held a mass keysigning party to set up a web of trust between each other's keys. IIRC, there were approximately 20 people participating in this, which potentially meant a lot of tedious typing of GPG commands, with the potential for error that such tedium implies. Fortunately we had Jim Meyering on hand to give us some tips for facilitating/optimizing the process, the most important of which was to introduce us to the 'Pius' tool. To quote from its website:

pius (PGP Individual UID Signer) helps attendees of PGP keysigning parties. It is the main utility and allows you to quickly and easily sign each UID on a set of PGP keys. It is designed to take the pain out of the sign-all-the-keys part of PGP Keysigning Party while adding security to the process.

That can already be time consuming, but preferably, you want to verify the identity in each UID, which means verifying the email addresses. There are a few ways to do this, but one of them is to sign each UID on the key individually (which requires import-sign-export-delete for each UID), encrypt-emailing that key to the email address in the UID. This can be incredibly time consuming.

That’s where pius comes in. Pius will do all the work for you – all you have to do is confirm the fingerprint for each key. It will then take care of signing each UID cleanly, minimizing the key, and using PGP/Mime email to send it, encrypted, to the email address in the UID.

The steps Jim defined for us to follow using Pius were as follows:

  1. Collate a list of everyone's key IDs. Our list looked like this (cut down to save space):
     # cat > keyids.txt <<EOF
     4096R/000BEEEE 2010-06-14 Jim Meyering
     4096R/E1B768A0 2011-10-11 Richard W.M. Jones
     4096R/15104FDF 2011-10-11 Daniel P. Berrange
     ...
     EOF
  2. Download all the keys from a key server (it is assumed everyone has already uploaded their own key to a server):
     # id_list=$(perl -nle 'm!^\d{4}R/(\S{8}) ! and print $1' keyids.txt)
     # gpg --recv-keys $(echo $id_list)
  3. Generate a list of fingerprints for all keys that are to be signed:
     # gpg --fingerprint $(echo $id_list)
  4. Verify all the fingerprints and their owners' identities.
     This is the security critical part. You generally want to meet the person face-to-face and verify their identity via some trusted means (passport, driving license, etc). They should read their key fingerprint out to you, and you should verify that it matches the fingerprint of the key downloaded from the key server.
  5. Use Pius to sign all the keys whose fingerprints were verified:
     # MAIL_HOST=smtp.your.mail.server.com
     # me=your@email.address.com      # eg dan@berrange.com
     # my_id=XXXXXXXX                  # your GPG key ID, eg 15104FDF
     # pius --mail-host=$MAIL_HOST --no-pgp-mime --mail=$me --signer=$my_id $(echo $id_list)
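
As an added example (not code from the post or from Pius itself), here is the key ID extraction of step 2 and a helper for the fingerprint check of step 4 as plain /bin/sh functions, using constructed sample data so it runs offline without gpg or a key server. It also cross-checks that the short ID listed in keyids.txt is the tail of the fetched fingerprint, which the post's steps do not do explicitly.

```shell
#!/bin/sh
# Added example, not code from the original post or from Pius: parse the
# keyids.txt format of step 2 and compare fingerprints for step 4, using
# constructed sample data so it runs offline without gpg or a keyserver.

# Constructed keyids.txt content in the post's format.
KEYIDS_TXT='4096R/000BEEEE 2010-06-14 Jim Meyering
4096R/E1B768A0 2011-10-11 Richard W.M. Jones
4096R/15104FDF 2011-10-11 Daniel P. Berrange'

# Step 2: pull the 8-hex-digit short key IDs out of keyids.txt (the same
# idea as the post's perl one-liner, done in sed so only /bin/sh is needed;
# [RD] also accepts DSA keys, which the perl regex did not).
extract_key_ids() {
    printf '%s\n' "$1" | sed -n 's!^[0-9]\{4\}[RD]/\([0-9A-Fa-f]\{8\}\) .*!\1!p'
}

# Normalise a fingerprint for comparison: drop whitespace, an optional 0x
# prefix and lower case, so a value read from a paper slip compares with
# the one "gpg --fingerprint" printed for the downloaded key.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# For V4 keys the short key ID is the last 8 hex digits of the fingerprint,
# so the ID listed in keyids.txt can be cross-checked against the fetched key.
key_id_from_fpr() {
    normalize_fpr "$1" | sed 's/.*\(........\)$/\1/'
}

# Step 4: succeed only when the fetched fingerprint is a full 40-hex-digit
# fingerprint (a short key ID alone does not identify a key), equals what
# the owner read out in person, and agrees with the key ID from keyids.txt.
# Arguments: fetched fingerprint, fingerprint read out by owner, listed ID.
fingerprint_verified() {
    fetched=$(normalize_fpr "$1")
    claimed=$(normalize_fpr "$2")
    listed_id=$(printf '%s' "$3" | tr 'a-f' 'A-F')
    case "$fetched" in *[!0-9A-F]*) return 1 ;; esac
    [ "${#fetched}" -eq 40 ] || return 1
    [ "$fetched" = "$claimed" ] || return 1
    [ "$(key_id_from_fpr "$fetched")" = "$listed_id" ]
}
```

Only the key IDs for which fingerprint_verified succeeds should be passed on to pius in step 5.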

What Pius does here is that for each key ID it is given, it signs each individual identity (email address). The signature is ASCII-armoured and then sent to the email address associated with that identity. If a user has multiple email addresses on their key, they will receive one signature email per address. The email contains instructions for what the recipient should do. The email will look something like this:

From: eblake@redhat.com
To: berrange@redhat.com
Subject: Your signed PGP key

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.7K --]

Hello,

Attached is a copy of your PGP key (0x15104fdf) signed by my key
(0xa7a16b4a2527436a).

If your key has more than one UID, than this key only has the UID associated
with this email address (berrange@redhat.com) signed and you will receive
additional emails containing signatures of the other UIDs at the respective
email addresses.

Please take the attached message and decrypt it and then import it.
Something like this should work:

   gpg -d  | gpg --import

Then, don't forget to send it to a keyserver:

   gpg --keyserver pool.sks-keyservers.net --send-key 15104fdf

If you have any questions, let me know.

Generated by PIUS (http://www.phildev.net/pius/).

[-- Attachment #2: 15104fdf__berrange_at_redhat.com_ENCRYPTED.asc --]
[-- Type: application/octet-stream, Encoding: 7bit, Size: 4.6K --]

The final thing, once everyone has dealt with the emails they received, is to refresh your local key database to pull down all the new signatures:

# gpg --recv-keys  $(echo $id_list)

I should point out that Pius isn't just for mass key signing parties. Even if you only have 1 single key you want to sign, it is still a very convenient tool to use. The simplified set of steps to go through would be:

# gpg --recv-key XXXXXXXX
# gpg --fingerprint XXXXXXXX
# ...verify person's identity & fingerprint
# pius --mail-host=$MAIL_HOST --no-pgp-mime --mail=$me --signer=$my_id XXXXXXXX
# ....some time later...
# gpg --recv-key XXXXXXXX

Thanks again to Jim Meyering for pointing out Pius and doing the organization for our key signing party & defining the steps I describe above. BTW, Pius is available in Fedora from F16 onwards.