On 1st & 2nd February I was fortunate to attend FOSDEM 2020 at Université Libre de Bruxelles, Brussels. While I was there I took part in the event’s keysigning party and now need to sign the keys I verified (only 8 days before the deadline of 30th April!).

Setup

Using a Debian system, the signing-party package provides caff, which is supposed to automate much of the process.

apt-get install signing-party

Per the caff wiki page:

caff usually requires a properly configured MTA (mail transfer agent).

This usually means the command “mail -s "test_email" user@mailprovider.com” should work.

The machine I was running this on is not routinely used for email going outside my own mail systems, and it is useful to me that mail originates from ‘host.subdomain.domain.name.tld’ and not ‘domain.name.tld’ directly. For the messages after keysigning, though, I do want them to come from a proper email address.

I therefore temporarily enabled outgoing (via SMTP transport) email address rewriting by adding ‘smtp_generic_maps’ to main.cf and adding a rewrite from my local user to my public email address:

smtp_generic_maps = hash:/etc/postfix/smtp_generic_map
# echo "user@host.subdomain.domain.name.tld rewritten_user@domain.name.tld" > /etc/postfix/smtp_generic_map
# postmap /etc/postfix/smtp_generic_map
# systemctl reload postfix

Configuring

Run caff to generate a template configuration:

$ caff
[NOTICE] No configfile /home/someuser/.caffrc present, I will use this template:
# .caffrc -- vim:ft=perl:
# ...
[NOTICE] Please edit /home/someuser/.caffrc and run caff again.

So I did as instructed and edited the file.

Signing keys

Fetch the key list and verify it (checksum must match printed list from the party):

$ wget https://ksp.fosdem.org/files/ksp-fosdem2020.txt
--2020-04-22 16:00:12--  https://ksp.fosdem.org/files/ksp-fosdem2020.txt
Resolving ksp.fosdem.org (ksp.fosdem.org)... 31.22.22.144, 2001:67c:1808::144
Connecting to ksp.fosdem.org (ksp.fosdem.org)|31.22.22.144|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 42552 (42K) [text/plain]
Saving to: ‘ksp-fosdem2020.txt’

ksp-fosdem2020.txt            100%[=================================================>]  41.55K   150KB/s    in 0.3s

2020-04-22 16:00:15 (150 KB/s) - ‘ksp-fosdem2020.txt’ saved [42552/42552]
$ sha256sum ksp-fosdem2020.txt
d926f4824e653cce3fac38c2d14c405399b8deab25cabbc34d61b79406ae762d  ksp-fosdem2020.txt
$ openssl dgst -ripemd160 ksp-fosdem2020.txt
RIPEMD160(ksp-fosdem2020.txt)= 7963ffc28e87f28008a0d74d993f51faa66f1d49
$ openssl dgst -sha256 ksp-fosdem2020.txt
$ gpg --print-md RIPEMD160 ksp-fosdem2020.txt
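
The checksum comparison above is the step that decides whether the downloaded list can be trusted, and the digest on the paper list (like gpg --print-md output) is printed in uppercase four-character groups while sha256sum prints lowercase hex with no spaces. The helper below is an added example, written for this post rather than taken from it or from caff: it normalises a digest transcribed from paper (or pasted from gpg --print-md or openssl dgst output) and compares it with the file’s SHA256; the file names and digests in it are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or the caff project.
# Checks that the downloaded participant list matches the checksum printed
# on the paper list, accepting the digest as bare hex, as "gpg --print-md"
# style uppercase groups ("file: D926 F482 ..."), or as the openssl
# "SHA256(file)= d926..." line. All file names and digests are constructed.

# Drop a leading "file:" or "SHA256(file)=" label, all whitespace, and
# fold hex to lower case so every notation compares equal.
normalise_digest() {
    printf '%s' "$1" | sed 's/^.*[:=] *//' | tr -d ' \t\n' | tr 'A-F' 'a-f'
}

# Hash a file with coreutils sha256sum, or shasum where that is missing.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the file's SHA256 equals the expected digest, 1 otherwise.
# A digest that is not 64 hex characters after normalising (a truncated or
# mistyped transcription from paper) is rejected rather than compared.
verify_list_sha256() {
    file=$1
    expected=$(normalise_digest "$2")
    if [ "${#expected}" -ne 64 ]; then
        echo "expected digest is ${#expected} characters, not 64" >&2
        return 1
    fi
    case $expected in
        *[!0-9a-f]*) echo "expected digest contains non-hex characters" >&2; return 1 ;;
    esac
    actual=$(file_sha256 "$file")
    [ "$actual" = "$expected" ]
}

# Usage: sh verify-ksp-list.sh ksp-fosdem2020.txt "<digest from the paper list>"
if [ $# -eq 2 ]; then
    if verify_list_sha256 "$1" "$2"; then
        echo "SHA256 matches the paper list; safe to mark up $1"
    else
        echo "SHA256 MISMATCH: do not sign from $1" >&2
        exit 1
    fi
fi
```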

Modify the file, checking (with an ‘X’) all the boxes physically checked at the party. (I also have an extra ‘write-in’ key that was verified that I will sign manually after the bulk.)

Conveniently, FOSDEM provides a keyring containing the keys from the party, which we can give to caff:

$ wget https://ksp.fosdem.org/files/non-authoritative/keyring.gpg
--2020-04-22 16:35:15--  https://ksp.fosdem.org/files/non-authoritative/keyring.gpg
Resolving ksp.fosdem.org (ksp.fosdem.org)... 31.22.22.144, 2001:67c:1808::144
Connecting to ksp.fosdem.org (ksp.fosdem.org)|31.22.22.144|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 649161 (634K) [application/octet-stream]
Saving to: ‘keyring.gpg’

keyring.gpg                   100%[=================================================>] 633.95K   388KB/s    in 1.6s

2020-04-22 16:35:18 (388 KB/s) - ‘keyring.gpg’ saved [649161/649161]

I initially ran caff with the ‘no mail, no sign’ options to verify everything and it failed to import some of the keys.

$ caff -m no -S --key-file keyring.gpg < ksp-fosdem2020.txt
[NOTICE] Reading gpgparticipants formatted input on STDIN
[NOTICE] Found RIPEMD160 checksum (marked as verified, assumed good)
[NOTICE] Found SHA256 checksum (marked as verified, assumed good)
...

And finally ran it for real, at which point it prompted, twice, to make sure I wanted to sign the key and then fell over:

$ caff -m yes --key-file keyring.gpg < ksp-fosdem2020.txt
...
Really sign? (y/N) y
gpg: signing failed: No such device or address
gpg: signing failed: No such device or address

Turns out I needed to do this (from the gpg-agent man page, which says it should be done in .bashrc):

$ GPG_TTY=$(tty)
$ export GPG_TTY

Then it worked:

$ caff -m yes --key-file keyring.gpg < ksp-fosdem2020.txt

I needed to unlock my secret key for the first one; don’t forget to type save at the gpg> prompt after confirming the signature on each key (I double-checked each against the paper list as I went).

Unfortunately quite a few emails bounced, as the system I did this on (did I mention it doesn’t routinely send email?!) isn’t permitted to send by my main domain’s SPF policy. I bounced them to a mail server internally and re-sent them to their final recipients. Note to self: next time do this on a mail router, or tell postfix to relay via one of them.

“Please upload your keys to a reliable keyserver on a regular basis so we can make nice statistics!”

Finally, I uploaded the updated key to a key server as suggested by caff:

gpg --keyserver hkp://pool.sks-keyservers.net --send-key FC4070E73C3CBE2F