February 11th 2019 @ 7:49 am Uncategorized

This year I attended the infamous PGP Keysigning Party at FOSDEM. One of the biggest in the world, the KSP is well known for often being outside where participants’ hands got numb verifying ID and marking little checkboxes.

I was pretty impressed by the setup of this party. Instead of submitting keys in usual ways, a custom keyserver had been set up for you to submit keys to. A worksheet was then made which was hashed with two different hash algorithms (RIPEMD160 and SHA256). Participants needed to print their own copy of the worksheet and write the checksums they got on the worksheets. The “official” checksums were provided at the beginning of the party for everyone to verify. This way at the party only 2 fingerprints needed to be verified instead of 100. And thankfully, this year it was indoors.
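The checksum comparison described above, sketched as an added example (not code from this post or from the FOSDEM KSP organizers): it hashes the worksheet with gpg --print-md under both algorithms and refuses to pass unless both match the announced values. The function names and the three-argument calling convention are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are
# hypothetical; the worksheet file name (ksp-fosdem2019.txt) is the
# one used in the post.

# Reduce a digest to bare lowercase hex, so gpg's grouped uppercase
# output and a value copied by hand compare equal.
normalize_digest() {
  printf '%s' "$1" | tr -d ' :\t\r\n' | tr 'A-F' 'a-f'
}

# Succeed only if the announced value is non-empty hex and both
# values are identical after normalization.
digests_match() {
  want=$(normalize_digest "$1")
  got=$(normalize_digest "$2")
  case $want in ''|*[!0-9a-f]*) return 1 ;; esac
  [ "$want" = "$got" ]
}

# Hash FILE ($2) with ALGO ($1); reading stdin keeps the file name
# out of gpg's output.
worksheet_digest() {
  gpg --print-md "$1" < "$2"
}

# verify_worksheet FILE ANNOUNCED_RIPEMD160 ANNOUNCED_SHA256
# Both algorithms must agree before the worksheet is trusted. A failed
# or missing gpg yields an empty digest, which counts as a mismatch.
verify_worksheet() {
  digests_match "$2" "$(worksheet_digest RIPEMD160 "$1")" || {
    echo "RIPEMD160 mismatch: do not sign from $1" >&2; return 1; }
  digests_match "$3" "$(worksheet_digest SHA256 "$1")" || {
    echo "SHA256 mismatch: do not sign from $1" >&2; return 1; }
  echo "Worksheet $1 matches both announced checksums"
}

# Run only when called as: script FILE RIPEMD160 SHA256
if [ "$#" -eq 3 ]; then
  verify_worksheet "$@"
fi
```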

However, the FOSDEM KSP does not officially provide a keyring. Technically a keyring is provided, but it is not signed, does not guarantee it has all keys, and they call it “unofficial.” Since I – of course – intended to use PIUS to sign keys, I was going to need a keyring. As you may have seen in my Twitter thread, I made a quick-n-dirty shell script to build my keyring:


grep -A 1 pub ksp-fosdem2019.txt | grep -v pub | while read -r line; do
   # Skip the "--" separators that grep -A prints between matches
   [[ "$line" =~ -- ]] && continue
   # Skip fingerprints already present in the keyring
   if gpg --keyring ./fosdem-ksp-keyring.gpg --fingerprint "$line" &>/dev/null; then
     echo "Skipping $line, already have"
     continue
   fi
   echo "Grabbing: $line"
   # Try each keyserver in turn
   for ks in hkps://; do
     echo "  .. from $ks"
     pius-keyring-mgr raw -r ./fosdem-ksp-keyring.gpg -- \
         --keyserver "$ks" --recv-key "$line"
   done
   echo "Sleeping 1"
   sleep 1
done

Except I didn’t end up with a keyring. That’s weird. Turns out there was a bug in pius-keyring-mgr raw if you use it to create a keyring (instead of modify one). So I wrote PR 118 to fix that. Trying again, this worked well, though unfortunately, has been down for days, so there were a handful of keys I could not get. From there I was able to use pius-keyring-mgr to strip the keyring:

pius-keyring-mgr prune -r ./fosdem-ksp-keyring.gpg

Unfortunately, prune sorts the keyring, but the worksheet for FOSDEM is intentionally in the order people submitted their keys. So then I wrote PR 119 to add an option to not sort to prune. Now I tried again with:

pius-keyring-mgr prune --no-sort-keyring -r ./fosdem-ksp-keyring.gpg

That worked out much better. Now I could sign with (again specifying not to sort the keyring):

pius -A -r ./fosdem-ksp-keyring.gpg --no-sort-keyring

But of course, I can’t leave people running janky bash scripts, PIUS should handle this case natively, so PR 120 adds the ability to build a keyring from a flat file with pius-keyring-mgr build -r ./fosdem-ksp-keyring.gpg -f ksp-fosdem2019.txt. And then I released PIUS 2.2.7 with these new features/fixes.

So, if you were at FOSDEM and want a simple way to sign the keys, here’s all you need:

# Build the keyring
pius-keyring-mgr build -r ./fosdem-ksp-keyring.gpg -f ksp-fosdem2019.txt
# Prune the keyring
pius-keyring-mgr prune --no-sort-keyring -r ./fosdem-ksp-keyring.gpg
# Sign the keyring
pius -A -r ./fosdem-ksp-keyring.gpg --no-sort-keyring -m <your_email> -s <your_keyid>

PIUS 2.2.7 has a slew of other fixes in it as well, so make sure you upgrade before your next KSP!
