[ale] ALE Keysigning ... [How To]

Bob Toxen bob at verysecurelinux.com
Mon Feb 17 23:50:00 EST 2003


I created the following procedure to do the mass signing of PGP/GPG keys
we traded at the Keysigning party on Thursday if you use GPG on *nix.


Copyright 2003 Fly-By-Day Consulting, Inc.  All rights reserved.

Text in [square brackets] is textual notes; other lines are commands.
Be VERY sure nobody can sniff your password.  I.e., don't be connected
via telnet or rlogin over an untrusted network.

      [Ensure your GPG $HOME/.gnupg/options file has a line like:
        keyserver wwwkeys.pgp.net
      in it or do the equivalent for PGP and non-*nix GPG.]
        gpg --refresh-keys
      [Load the following URL into your browser:
        http://www.wittsend.com/mhw/alekeysign/pubring.gpg]
      [Save URL contents as pubring.gpg]
        script gpg.log
        gpg --import pubring.gpg
      [Type "exit" to exit the shell started with the script program]
      [Edit gpg.log to list only the 8-hex digit key numbers, one per line]

        tcsh
        foreach i ( `cat gpg.log` )
        echo $i ==========
        gpg --edit-key $i
        end

      [For each key, respond to GPG's prompts thusly:]
        sign
      [Answer "yes" to "Really sign all user IDs?", if asked]
      [Answer "3" to "How carefully have you verified the key..."
          if you confirmed the fingerprint and viewed gov't-issued
          picture ID (general standard) and you are satisfied as to identity]
      [Answer "yes" to "Are you really sure that you want to sign this key"]
      [Enter your secret key passphrase when prompted]
        save
      [Iterate for each gpg invocation]
      [Type "exit" to leave the tcsh started above]

      [Upload the public keys that you have signed; it is VERY important to
      list the keys you are sending and to NOT send all of your public keys
      as that would give away too much information about you and what you do:
        gpg --send-keys `cat gpg.log`
      ]

      [Wait a few days and do the following to get party participants' keys
      subsequently signed by others:
        gpg --refresh-keys
      ]
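The same procedure as a POSIX sh script, added here as an example rather than taken from the post above: it pulls the key IDs out of the log that `script` captured during `gpg --import` (so you need not hand-edit gpg.log), shows each key's fingerprint so you can compare it with the one you checked at the party before signing, and sends only the keys you signed. The sample log lines in the test are constructed; the script assumes `gpg --import` prints lines of the form `gpg: key XXXXXXXX: public key ... imported`, accepting both the 8-digit short IDs the post refers to and the 16-digit long IDs newer GnuPG versions print.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the usual
# "gpg: key <ID>: public key ... imported" line format from gpg --import.

# Print one key ID per line (uppercased, duplicates removed) from the
# captured import log. Other lines, including the noise that `script`
# adds, are ignored because only matching lines are printed.
extract_key_ids() {
    sed -En 's/^gpg: key ([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}):.*/\1/p' "$1" \
        | tr 'a-f' 'A-F' | sort -u
}

# True only if the argument is exactly an 8- or 16-hex-digit key ID, so a
# stray editing mistake in the list never reaches the gpg command line.
is_key_id() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16})$'
}

# One interactive gpg --edit-key per listed key, like the tcsh loop in the
# post; answer sign / 3 / yes / passphrase / save at the prompts.
sign_keys() {
    while read -r id; do
        is_key_id "$id" || { echo "skipping malformed id: $id" >&2; continue; }
        echo "$id =========="
        gpg --fingerprint "$id"   # compare with the fingerprint you verified
        gpg --edit-key "$id"
    done < "$1"
}

# Upload only the keys in the list, never the whole public keyring.
send_signed_keys() {
    while read -r id; do
        is_key_id "$id" && gpg --send-keys "$id"
    done < "$1"
}

# Usage (run only when a log file is given, so sourcing the file is harmless):
#   sh sign_party_keys.sh gpg.log
if [ "$#" -eq 1 ]; then
    extract_key_ids "$1" > keyids.txt
    sign_keys keyids.txt
    send_signed_keys keyids.txt
fi
```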

Best regards,

Bob Toxen, CTO
Fly-By-Day Consulting, Inc.
"Your expert in Firewalls, Virus and Spam Filters, VPNs,
Network Monitoring, and Network Security consulting"
bob at verysecurelinux.com (e-mail)
+1 770-662-8321  (Office)

Author,
"Real World Linux Security: Intrusion Detection, Prevention, and Recovery"
2nd Ed., Prentice Hall, October 2002, 848 pages, ISBN: 0130464562

Public key available at http://www.verysecurelinux.com/pubkey.txt, keyservers,
  and on the CD-ROM that comes sealed and attached to Real World Linux Security
pub  1024D/E3A1C540 2000-06-21 Bob Toxen <book at verysecurelinux.com>
     Key fingerprint = 30BA AA0A 31DD B68B 47C9  601E 96D3 533D E3A1 C540
sub  2048g/03FFCCB9 2000-06-21
