Planeta Joves Ubuntaires
http://joves.ubuntu.cat/planet
Planeta Joves Ubuntaires - http://joves.ubuntu.cat/planet
-
RainCT: GPG key signing with CAFF
http://bloc.eurion.net/archives/2010/gpg-key-signing-with-caff/
<img class="face" src="http://joves.ubuntu.cat/planeta/images/faces/rainct.png" alt="Cara a Ubuntu.cat" /><p>I’ve finally got around to doing my homework from <a href="http://fosdem.org/2010/">FOSDEM</a> and since I’m sure before long I’ll have forgotten again how all this works, let me write it down here.</p>
<p><strong>1. Installing CAFF</strong> (CA – Fire and Forget)</p>
<p>Easy.</p>
<pre>sudo aptitude install signing-party</pre>
<p><strong>2. Configuring CAFF</strong></p>
<p>For this we open up ~/.caffrc and write in something like this:</p>
<pre>$CONFIG{'owner'} = 'Siegfried Gevatter';
$CONFIG{'email'} = 'name@example.com';
$CONFIG{'keyid'} = [ qw{1CFC22F3363DEAE3} ];
$CONFIG{'gpg-sign-args'} = 'save';
</pre>
<p>The last line avoids the default behavior of dropping you into an interactive <strong>gpg</strong> session for each key, and just signs all IDs automatically after asked for confirmation. I’ve also set the trust level to 2 (“<em>I have checked this key casually.</em>“) by creating a <em>~/.caff/gnupghome/gpg.conf</em> file with:</p>
<pre>personal-digest-preferences SHA256
cert-digest-algo SHA256
default-cert-level 2</pre>
<p>To further streamline the process, I’ve defined an alias in my <em>~./.bashrc</em> so that CAFF won’t ask for confirmation for every single e-mail it sends:</p>
<pre>alias caff="caff -m yes"</pre>
<p><strong>3. Installing and configuring sSMTP</strong></p>
<p>Now so that CAFF can send out the mails, we need a mail agent. If you don’t have one already, you’ll need to install one and configure it to work with your e-mail setup (in my case, Gmail). I decided to go with sSMTP, but you can use any other MTA of your choice.</p>
<p>I followed those instructions to configure it: <a href="http://www.nixtutor.com/linux/send-mail-with-gmail-and-ssmtp/">Send Mail with Gmail and sSMTP</a>. Additionally, I changed the permissions of the <em>/etc/ssmtp/ssmtp.conf</em> file to 640 (<em>-rw-r—–</em>) and the owner to <em>root.rainct</em> (where <em>rainct</em> is my username) so that the plain-text password in it is protected.</p>
<p><strong>4. Using CAFF</strong></p>
<p>That’s it. Well, at least for the setup part, now the real work begins, verifying and signing all the keys. In my case I had them printed out on paper and just typed “<em>caff <id1> <id2> <…>” </em> (eg. “<em>caff 363DEAE3</em>“). CAFF then downloads the keys, asks for confirmation for each of them so you can double-check, and finally e-mails the signatures to everyone.</p>
<p>By the way, in case you accidentally sign the wrong key (eg. one you had on your list but whose owner you didn’t met), you can still revoke your signature (see this “<a href="http://http://lists.gnupg.org/pipermail/gnupg-users/2005-August/026543.html">Help revoking a signature</a>” mailing list post).</p>
<hr />
<p><small>
<a href="http://bloc.eurion.net/archives/2010/gpg-key-signing-with-caff/#comments">No comments</a><br />
© Siegfried-Angel Gevatter Pujals, 2010. |
<a href="http://bloc.eurion.net/archives/2010/gpg-key-signing-with-caff/">Permalink</a> |
<a rel="license" href="http://creativecommons.org/licenses/by-nc-sa/3.0/">License</a> |
Post tags: <a href="http://bloc.eurion.net/archives/tag/debian/" rel="tag">Debian</a>, <a href="http://bloc.eurion.net/archives/tag/events/" rel="tag">events</a>, <a href="http://bloc.eurion.net/archives/tag/ubuntu/" rel="tag">Ubuntu</a><br />
</small></p>
2010-06-12T14:06:41+00:00
RainCT