gpgmailsign v0.7a
-----------------

(c) 2003, 2004 Christoph Berg

This program is free software covered by the GPL.

This is the script I use to sign PGP/GnuPG keys. The script works for me but
as the GnuPG user interface is extremely braindamaged, it is very hard to make
sure it really does the right thing. I've tried to catch every possible error,
but you will certainly find bugs.

0. Prerequisites

You need the following programs:

* gpg
* q-agent and agpg from quintuple-agent
* expect (to interact with gpg/agpg)

Debian users can simply run 'apt-get install gnupg quintuple-agent expect'

1. How it works

The idea is as follows: As I like to verify mail addresses, I sign each uid
separately and mail the key with that signature to the mail address in the
uid. The mail is encrypted. The receiver is responsible for importing the
signature into his keyring and uploading it to a keyserver. I don't do that
myself, so the mail address is implicitly verified.

A nice side-effect is that the receiver can choose which uids he wants to
have signed: they just do not import the other signatures -- some people
don't want to blow up their keyring with lots of signatures on uids they
don't use (any more/often).

2. Running gpgmailsign

Set $PGPKEY to your own keyid (alternatively you can use gpgmailsign -u).
You can give multiple, comma-separated keyids.

  $ export PGPKEY=0x12345678

Start q-agent:

  $ eval `q-agent &`

Start agpg, enter your passphrase, and close agpg with ^D:

  $ agpg
  ^D

Call gpgmailsign with the keyid you want to sign:

  $ gpgmailsign [-rsv] [-u local_user{,...}] 87654321 ...

Alternatively you can write the uids to a file, one per line, and call
gpgmailsign -F keys.txt. After each signing, the keyid will be commented out
in the file to keep track of which uids have been signed.

gpgmailsign now calls gpg --list-key to get all uids of the key. After
creating a work directory (./work/) gpgmailsign prints the fingerprint of the
key and asks the user whether he wants to continue.
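As an added illustration (not part of gpgmailsign itself) of the uid selection the script performs, here is a small Python parser for gpg's machine-readable listing (`gpg --with-colons --list-keys`) that applies the per-uid skip rules described in this README: uids without a mail address and revoked uids are left out. The sample listing, keyid and addresses are constructed for the example.

```python
import re

# Mail address inside a uid such as "Alice Example <alice@example.org>"
EMAIL_RE = re.compile(r"<([^<>\s@]+@[^<>\s@]+)>")

# Constructed sample of `gpg --with-colons --list-keys` output for one key.
# Colon-separated fields: record type, validity (r = revoked), ..., user id
# in field 10 (index 9). The keyid, hashes and addresses are made up.
SAMPLE_LISTING = """\
tru::1:1089310000:0:3:1:5
pub:u:1024:17:1234567887654321:2003-01-01:::u:::scESC:
uid:u::::2003-01-01::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>:
uid:r::::2003-01-01::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Alice Example <alice@old.example.org>:
uid:u::::2003-01-01::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Alice Example (no mail address):
sub:u:2048:16:8765432112345678:2003-01-01::::::e:
"""


def parse_listing(listing):
    """Return (long_keyid, uids); each uid is a dict with 'uid', 'validity'
    and 'email' (None when the uid carries no mail address)."""
    keyid = None
    uids = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keyid = fields[4]  # long (16 char) keyid
        elif fields[0] == "uid":
            # gpg escapes a literal ':' inside the user id as \x3a
            text = fields[9].replace("\\x3a", ":")
            m = EMAIL_RE.search(text)
            uids.append({"uid": text, "validity": fields[1],
                         "email": m.group(1) if m else None})
    return keyid, uids


def uids_to_sign(listing):
    """Apply the README's rules: skip revoked uids ('r') and uids without a
    mail address, since the signature is mailed to that address."""
    keyid, uids = parse_listing(listing)
    chosen = [u for u in uids if u["validity"] != "r" and u["email"]]
    return keyid, chosen


def short_keyid(long_keyid):
    """The short (4 byte, 8 char) keyid is the second half of the long one."""
    return long_keyid[-8:]
```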
In the following, '' is the long (8 byte, 16 chars) keyid. (NB: the short
(4 byte, 8 chars) keyid is the second half of the long id.)

The following steps are taken for each uid:

* If the uid does not contain a mail address, it is skipped.
* Your own key and the key to be signed are exported to work/-.gpg.
* The key is stripped down to this uid and all unknown signatures are removed
  using 'purgesigs' and the expect script 'purgesigs.expect'.
* If the uid is already signed, it is skipped.
* The uid is signed in work/-.gpg with all local keys using the expect
  script 'sign.expect'.
* The template file 'key_instructions.txt' is translated to work/-.txt,
  containing the signed key and some instructions.
* This file is encrypted and copied into work/.mail, using the template
  file 'mail_template.txt'.

work/.mail is a shell script that uses the 'mail' command to send the
(encrypted) signature to the recipient. You can use 'sh' to execute it:

  $ sh work/1234567887654321.mail

Options:

  -f       force output even without email address
  -F file  file to read keys from, one keyid per line (will be modified)
  -g       name of gpg-agent wrapper (default: agpg)
  -q       do not ask for confirmation on startup
  -r       call gpg --recv-key before proceeding
  -s       send out mail immediately (default: write shell script)
  -v       be verbose
  -u       key to sign with (comma-separated for multiple keys,
           default: use $PGPKEY)

3. Known Bugs, Wishlist

* purgesigs randomly fails if gpg screws up the order of uids. Fix: re-run
  gpgmailsign until it works.
* agpg (q-agent) does not work with multiple keys if they have different
  passphrases. Fix: make the passphrases equal.
* Send out proper MIME messages.
* Use gpg --status-fd etc.

4. Availability

The gpgmailsign homepage is http://www.df7cb.de/projects/gpgmailsign/.
Instructions for CVS access can be found at
http://www.df7cb.de/projects/anoncvs/, the module name is gpgmailsign.

5. Thanks

Thanks go to Andreas Steinel who helped to find several bugs in the gpg
output parsing.
Tollef Fog Heen added code to skip revoked uids.

Christoph Berg

$Id: README,v 1.12 2004/07/08 18:01:27 cb Exp $