There is a tool called caff, which is the de-facto standard when dealing with keysigning (on a large scale, e.g. after a key signing party). This tool hasn't been touch in years, is written and configured in Perl (hence cannot be read and/or maintained :smile:) and is not easy to package, because of a lot of dependencies, etc. It is not even available in our default repositories (at least for Tumbleweed). In general there seems to be a certain kind of frustration with this software, but there is no real alternative available yet.

Ideally the new toolset should allow to organize a complete keysigning party, e.g. it should assist the organizer with:

  • Collecting all the keys before the keysigning party (e.g. automatically via mail and/or a dedicated OpenPGP keyserver) or by adding them manually (e.g. import the key itself or the key ID)
  • Prepare a keyring/printout containing all of the keys previously collected and make it available to all participants (via mail, via keyserver, by copying it to a HTTP server, or possibly by hosting it over HTTP for ourselves, etc.)

For the actual participants of a keysigning party there should be a set of tools to allow for the following:

  • Optional: Import the keyring published by the organizer
  • Iterate through all of the keys (either from previously imported keyring or specified by the user):
    • Retrieve the key information from a keyserver, if necessary
    • Display the required information (fingerprint, name, UIDs, etc.)
    • Ask the user for confirmation
    • Actually sign the key
  • For each UID that contains a mail address, the following should be done:
    • Strip the UID from the rest of the key
    • Send the receiver his signed key via mail, which makes sure he is (and/or at least was at some point in time) in control over the specified mail address
    • Optional: Upload the key to a keyserver (when the mail loop is not wanted, etc.)

Another set of scripts/tools that might be useful for the organizer of a keysigning party, might allow for visualization of the web of trust before and after the event takes place. For instance the tool could generate a graph on the keyring published before the keysigning party. The resulting image file can be published. After the event has taken place and all of the participants had enough time to sign their keys (e.g. two weeks after the event), you could re-issue the command and publish the new graph. Ideally, the web of trust should be way better than beforehand.

All of this should be configurable via configuration files and command line options. It should be something easy to understand and flexible to use (e.g. YAML). You should not require any knowledge about the programming language that is used (which is the case with caff, since it uses Perl for its configuration file).

While I'm open to discussion about the programming language and tools being used, I'm planning to work on this in Go. I don't have a lot of experience with it yet, and hope to improve my skills with this project. Support for most of the requirements is already available, in particular:

  • OpenPGP for actual cryptographic operations: https://godoc.org/golang.org/x/crypto/openpgp
  • SMTP for sending mail(s): https://golang.org/pkg/net/smtp/
  • Hosting and retrieving content via HTTP: https://golang.org/pkg/net/http/

Looking for hackers with the skills:

keysigning go programming coding cryptography party

This project is part of:

Hack Week 17

Activity

  • about 2 years ago: xgonzo liked Tools to make keysigning fun again (replacement for caff)
  • about 2 years ago: ancorgs liked Tools to make keysigning fun again (replacement for caff)
  • about 2 years ago: pdostal liked Tools to make keysigning fun again (replacement for caff)
  • about 2 years ago: iulhaq liked Tools to make keysigning fun again (replacement for caff)
  • about 2 years ago: pluskalm liked Tools to make keysigning fun again (replacement for caff)
  • about 2 years ago: mkoutny liked Tools to make keysigning fun again (replacement for caff)
  • about 2 years ago: aspiers liked Tools to make keysigning fun again (replacement for caff)
  • about 2 years ago: kbabioch liked Tools to make keysigning fun again (replacement for caff)
  • about 2 years ago: kbabioch added keyword "keysigning" to Tools to make keysigning fun again (replacement for caff)
  • about 2 years ago: kbabioch added keyword "go" to Tools to make keysigning fun again (replacement for caff)
  • All Activity

    Comments

    • ArchLinux
      about 2 years ago by ArchLinux | Reply

      I wrote a tool called easy-signing-party (https://github.com/mytbk/easy-signing-party) before. add-emoji

    Similar Projects

    Polish filtra and move data collection to Postresql by jochenbreuer

    Last [hackweek](https://hackweek.suse.com/proje...


    SUSE Manager Cluster Extension (PoC) by bmaryniuk

    Since SUSE Manager doesn't scale out and stacki...