Using caff

I often receive e-mails from people who have signed my GPG key; they look roughly like this:

> Hi,

> please find attached the user id
> Yu-Chin Tsai ....
> of your key A.... signed by me.

> If you have multiple user ids, I sent the signature for each user id
> separately to that user id's associated email address. You can import
> the signatures by running each through `gpg --import`.

> Note that I did not upload your key to any keyservers. If you want this
> new signature to be available to others, please upload it yourself.
> With GnuPG this can be done using
>     gpg --keyserver pool.sks-keyservers.net --send-key A....

> If you have any questions, don't hesitate to ask.

The attachment is the signed key.

Usually I just follow the instructions, i.e.:

gpg --import [attached_file]
gpg --keyserver pool.sks-keyservers.net --send-key [ID]

But how do you sign other people's keys? I used to do it straight from the key server, but that apparently isn't very good, because you can't confirm that the e-mail address is valid, which does sound reasonable. So in practice everyone uses the caff command, which does it all in one go. Usage:

# Install signing-party
apt-get install signing-party

# Prepare caff; the first run generates a config template
caff

# Edit ~/.caffrc
# change the name
$CONFIG{'owner'} = 'Thomas Tsai';
# change the email address
$CONFIG{'email'} = 'bg@aaa..com';
# your keyid
$CONFIG{'keyid'} = [ qw{1234567890ABCDEF} ];

# For stronger security, also edit ~/.caff/gnupghome/gpg.conf
personal-digest-preferences SHA512
cert-digest-algo SHA512

# Now caff it
caff 01234567

# After signing, type save; it then asks whether to send the mail. Send it and you're done.

My first run failed because exim4 was not set up to send mail. See my earlier post on sending mail with exim4 through Google's SMTP, then run caff 01234567 again.

Along the way I saw sig2dot on the Debian wiki, which is quite fun, except that xdot apparently can't read from a pipe.

sudo apt-get install graphviz xdot
gpg --list-sigs | sig2dot >sig_file.xdot
xdot sig_file.xdot

That gives you an interesting graph of the signing relationships!
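As an added example (not from the original post, and not the sig2dot tool itself), here is a small Python script that does what sig2dot does in spirit: it reads the machine-readable output of `gpg --list-sigs --with-colons` and emits a Graphviz DOT graph of who signed whom. The sample input is constructed; the key IDs, names and addresses are made up. Self-signatures are skipped, and the signature class is kept on each edge, so you can tell a positive certification (class 13, made after careful checking) from a generic one (class 10), and a local-only signature (trailing `l`) from an exportable one (trailing `x`).

```python
"""Turn `gpg --list-sigs --with-colons` output into a DOT graph of key signatures."""
import sys

# Constructed sample of `gpg --list-sigs --with-colons` output (not a real keyring).
# Field layout used here: 'pub' field 5 = key id; 'uid' field 10 = user id;
# 'sig' field 5 = signer key id, field 10 = signer user id, field 11 = signature
# class ("10x" generic, "13x" positive; trailing "x" = exportable, "l" = local-only).
SAMPLE = """\
pub:u:4096:1:1234567890ABCDEF:1400000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000001234567890ABCDEF:
uid:u::::1400000000::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Thomas Tsai <bg@example.invalid>::::::::::0:
sig:::1:1234567890ABCDEF:1400000000::::Thomas Tsai <bg@example.invalid>:13x:::::2:
sig:::1:FEDCBA0987654321:1400000100::::Alice Example <alice@example.invalid>:10x:::::2:
sig:::1:0123456789ABCDEF:1400000200::::[User ID not found]:13x:::::2:
sig:::1:1111222233334444:1400000300::::Local Signer <local@example.invalid>:13l:::::2:
pub:u:4096:1:FEDCBA0987654321:1400000000:::u:::scESC::::::23::0:
fpr:::::::::000000000000000000000000FEDCBA0987654321:
uid:u::::1400000000::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB::Alice Example <alice@example.invalid>::::::::::0:
sig:::1:FEDCBA0987654321:1400000000::::Alice Example <alice@example.invalid>:13x:::::2:
sig:::1:1234567890ABCDEF:1400000300::::Thomas Tsai <bg@example.invalid>:13x:::::2:
"""


def parse_sigs(text):
    """Return (labels, edges).

    labels maps key id -> primary user id (or the key id itself if none is known);
    edges is a set of (signer_keyid, signed_keyid, sig_class), self-signatures excluded.
    """
    labels = {}
    edges = set()
    current = None      # key id of the 'pub' block we are inside
    seen_uid = False    # whether that block's primary uid has been recorded
    for line in text.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            current = f[4]
            labels.setdefault(current, current)
            seen_uid = False
        elif rec == "uid" and current is not None and not seen_uid:
            labels[current] = f[9]   # first uid listed is the primary one
            seen_uid = True
        elif rec == "sig" and current is not None:
            signer = f[4]
            if signer == current:
                continue             # self-signature: not a web-of-trust edge
            # Label the signer from the sig record; a later 'pub' block for that
            # key (if it is in the keyring) overwrites this with its real uid.
            labels.setdefault(signer, f[9])
            edges.add((signer, current, f[10]))
    return labels, edges


def to_dot(labels, edges):
    """Render the graph in Graphviz DOT; local-only signatures are drawn dashed."""
    def q(s):
        return s.replace("\\", "\\\\").replace('"', '\\"')

    lines = ["digraph sigs {", "  node [shape=box];"]
    for keyid in sorted(labels):
        lines.append(f'  "{keyid}" [label="{q(labels[keyid])}\\n{keyid}"];')
    for signer, signed, cls in sorted(edges):
        style = "dashed" if cls.endswith("l") else "solid"
        lines.append(f'  "{signer}" -> "{signed}" [label="{cls}", style={style}];')
    lines.append("}")
    return "\n".join(lines)


def signers_of(edges, keyid):
    """Key ids that have certified the given key, sorted."""
    return sorted(s for s, t, _ in edges if t == keyid)


if __name__ == "__main__":
    # Read real gpg output from a pipe, or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(to_dot(*parse_sigs(text)))
```

Because xdot does not read from a pipe, write the output to a file first: `gpg --list-sigs --with-colons | python3 sig2dot.py > sigs.dot` and then `xdot sigs.dot`. The `--with-colons` form is the one GnuPG documents as stable for scripts; the human-readable `--list-sigs` layout that sig2dot scrapes can change between versions.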

[Image: sig2dot signature graph]

References:

  • https://pgp-tools.alioth.debian.org/
  • http://kalug.linux.org.tw/planet/user/18/tag/gpg/
  • http://pre.tir.tw/008/blog/output/gnupg-zui-jia-shi-jian-gpg-subkeys.html
  • http://www.codemud.net/~thinker/GinGin_CGI.py/show_id_doc/478
  • https://www.azabani.com/2014/01/07/after-pgp-key-signing-parties.html
