On 1st & 2nd February I was fortunate to attend FOSDEM 2020 in at Université Libre de Bruxelles, Brussels. While I was there I took part in the event’s keysigning party and now need to sign the keys I verified (only 8 days before the deadline of 30th April!).
apt-get install signing-party
Per the caff wiki page:
caff usually requires a properly configured MTA (mail transfer agent).
This usually means the command “mail -s “test_email” firstname.lastname@example.org” should work.
The machine I was running this on is not routinely used for email going outside my own mail systems and it is useful to me that mail originates from ‘host.subdomain.domain.name.tld’ and not ‘domain.name.tld’ directly. For the messages after keysighing, though, I do want them to come from a proper email address.
I therefore temporarily enabled outgoing (via SMTP transport) email rewriting by add ‘smtp_generic_maps’ to main.cf and addinga rewrite to my local user to my public email address:
smtp_generic_maps = hash:/etc/postfix/smtp_generic_map
# echo "email@example.com firstname.lastname@example.org" > /etc/postfix/smtp_generic_map # postmap /etc/postfix/smtp_generic_map # systemctl reload postfix
Run caff to generate a template configuration:
$ caff [NOTICE] No configfile /home/someuser/.caffrc present, I will use this template: # .caffrc -- vim:ft=perl: # ... [NOTICE] Please edit /home/someuser/.caffrc and run caff again.
So I did as instructed and edited the file.
Fetch the key list and verify it (checksum must match printed list from the party):
$ $ wget https://ksp.fosdem.org/files/ksp-fosdem2020.txt --2020-04-22 16:00:12-- https://ksp.fosdem.org/files/ksp-fosdem2020.txt Resolving ksp.fosdem.org (ksp.fosdem.org)... 188.8.131.52, 2001:67c:1808::144 Connecting to ksp.fosdem.org (ksp.fosdem.org)|184.108.40.206|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 42552 (42K) [text/plain] Saving to: ‘ksp-fosdem2020.txt’ ksp-fosdem2020.txt 100%[=================================================>] 41.55K 150KB/s in 0.3s 2020-04-22 16:00:15 (150 KB/s) - ‘ksp-fosdem2020.txt’ saved [42552/42552] $ sha256sum ksp-fosdem2020.txt d926f4824e653cce3fac38c2d14c405399b8deab25cabbc34d61b79406ae762d ksp-fosdem2020.txt $ openssl dgst -ripemd160 ksp-fosdem2020.txt RIPEMD160(ksp-fosdem2020.txt)= 7963ffc28e87f28008a0d74d993f51faa66f1d49 $ openssl dgst -sha256 ksp-fosdem2020.txt $ gpg --print-md RIPEMD160 ksp-fosdem2020.txt $ gpg --print-md RIPEMD160 ksp-fosdem2020.txt
Modify the file, checking (with an ‘X’) all the boxes physically checked at the party. (I also have an extra ‘write-in’ key that was verified that I will sign manually after the bulk.)
Conveniently FOSDEM provide a keyring with the keys from the party in it. Using this we can give it to caff:
$ wget https://ksp.fosdem.org/files/non-authoritative/keyring.gpg --2020-04-22 16:35:15-- https://ksp.fosdem.org/files/non-authoritative/keyring.gpg Resolving ksp.fosdem.org (ksp.fosdem.org)... 220.127.116.11, 2001:67c:1808::144 Connecting to ksp.fosdem.org (ksp.fosdem.org)|18.104.22.168|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 649161 (634K) [application/octet-stream] Saving to: ‘keyring.gpg’ keyring.gpg 100%[=================================================>] 633.95K 388KB/s in 1.6s 2020-04-22 16:35:18 (388 KB/s) - ‘keyring.gpg’ saved [649161/649161]
I initially ran caff with the ‘no mail, no sign’ options to verify everything and it failed to import some of the keys.
$ caff -m no -S --key-file keyring.gpg < ksp-fosdem2020.txt [NOTICE] Reading gpgparticipants formatted input on STDIN [NOTICE] Found RIPEMD160 checksum (marked as verified, assumed good) [NOTICE] Found SHA256 checksum (marked as verified, assumed good) ...
And finally ran it for real, at which point it prompted, twice, to make sure I wanted to sign the key and then fell-over:
$ caff -m yes --key-file keyring.gpg < ksp-fosdem2020.txt ... Really sign? (y/N) y gpg: signing failed: No such device or address gpg: signing failed: No such device or address
Turns out I needed to do this (from the gpg-agent man page, which says it should be done in .bashrc):
$ GPG_TTY=$(tty) $ export GPG_TTY
Then it worked:
$ caff -m yes --key-file keyring.gpg < ksp-fosdem2020.txt
I needed to unlock my secret key with the first one, and don’t forget to type save at the
gpg> prompt after confirming to sign each one (double checking against the paper list as I went).
Unfortunately quite a few emails bounced as the system I did this on (did I mention it doesn’t routinely send email?!) isn’t permitted to send by my main domain’s SPF policy. I bounced them to a mail-sever internally and re-sent them to their final recipients. Note to self: next time do this on a mail router or tell postfix to relay via one of them.
“Please upload your keys to a reliable keyserver on a regular basis so we can make nice statistics!”
Finally, I uploaded the updated key to a key server as suggested by caff:
gpg --keyserver hkp://pool.sks-keyservers.net --send-key FC4070E73C3CBE2F