This page is a mirror of http://www.netsplit.com/software/signkey/.
This script takes a list of key IDs, or the name of a file containing such a list, on the command line. For each key it signs each UID individually and mails that single signature, encrypted, to the e-mail address in the UID.
The recipient then receives one e-mail per UID on their key and needs to decrypt and import each one to obtain the complete set of signatures. It is up to the recipient to upload these signatures to a key server.
With a few hours to kill on a bus from Oslo Torp airport to the city itself, and with the anticipation of a large key signing event at the Debian Conference I was there to visit, I wrote this script to do the hard work for me. Many people have since asked for a copy, so I make it publicly available here.
The current version consists of a single Perl source file and is distributed under an MIT licence.
You will need the DEBFULLNAME and DEBEMAIL environment variables set to your full name and e-mail address respectively. You will also need a working GPG set-up for the user you run as.
With any tool such as this, it is important to be aware of the security concerns surrounding it.
You should carefully read the script to ensure it does indeed do what I claim.
The script holds your key's passphrase in ordinary, unprotected process memory, so it should never be run on a machine with other users logged in or with any way for other users to gain access (such as a network connection).
The script was only ever a “quick hack”, so it does not run in Perl's ‘strict’ or ‘taint’ modes; make your own decisions based on this.
In its default configuration the script will not place your signatures on your own keyring; to obtain them you need to refresh the key from the key servers once the key owner has decrypted, imported and uploaded them.
It is trivial to modify the script to import these signatures into your own keyring (the code is simply commented out); however, you must make sure never to upload them to a key server by accident, since that would publish a signature on a UID whose e-mail address you have not verified.
The verification method rests on the assumption that the holder of the signing key also holds the encryption subkey, and that no additional decryption key (ADK) exists. This remains true for the most part, so the script remains useful; other methods, such as a challenge and signed response, have equivalent “flaws”.
The method notably fails for signature-only keys.
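The per-UID procedure described at the top of the page, together with the signature-only failure mode just mentioned, as an added example that is not the original Perl script: it parses the machine-readable `gpg --with-colons --list-keys` listing (the sample listing, key IDs, fingerprints and addresses below are constructed), plans one signing job per UID that carries an e-mail address, and refuses keys with no encryption-capable (sub)key, because there is then nothing to encrypt the signature to. The `gpg` command lines it renders are illustrative of the steps (sign one UID, export, encrypt to the key) and are an assumption, not the script's own calls; isolating a single signature in a scratch keyring before export is left out.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `gpg --with-colons --list-keys` output (made-up keys).
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESCA::::::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:u::::1500000000::0F1E2D3C::Alice Example <alice@example.org>::::::::::0:
uid:u::::1500000000::4B5A6978::Alice Example (work) <alice@example.com>::::::::::0:
uid:u::::1500000000::9A8B7C6D::Alice Example (no address)::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1500000000::::::e::::::23:
pub:u:4096:1:1122334455667788:1500000000:::u:::sc::::::23::0:
fpr:::::::::FFFF6666AAAA7777BBBB8888CCCC9999DDDD0000:
uid:u::::1500000000::5C6D7E8F::Bob Signonly <bob@example.net>::::::::::0:
sub:u:4096:1:8877665544332211:1500000000::::::s::::::23:
"""

EMAIL_RE = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>")


@dataclass
class Key:
    keyid: str
    fingerprint: str = ""
    caps: str = ""                               # field 12 of the pub record
    uids: list = field(default_factory=list)     # UID strings, in gpg order
    sub_caps: list = field(default_factory=list) # field 12 of each sub record

    def can_encrypt(self) -> bool:
        # On the pub record gpg writes the key's usable capabilities in upper
        # case ('E' = some encryption-capable key exists); also check subkeys.
        return "E" in self.caps or any("e" in c for c in self.sub_caps)


def parse_listing(text: str) -> list:
    """Parse --with-colons records (fields are 0-based here) into Key objects."""
    keys, current = [], None
    for line in text.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            current = Key(keyid=f[4], caps=f[11])
            keys.append(current)
        elif current is None:
            continue
        elif rec == "fpr" and not current.fingerprint:
            current.fingerprint = f[9]   # first fpr after pub is the primary's
        elif rec == "uid":
            current.uids.append(f[9])
        elif rec == "sub":
            current.sub_caps.append(f[11])
    return keys


@dataclass
class SignJob:
    keyid: str
    fingerprint: str
    uid_index: int   # 1-based, as the edit-key 'uid N' command expects
    uid: str
    email: str

    def commands(self, signer: str) -> list:
        """Illustrative gpg invocations for this one UID (an assumption, not
        the script's exact calls): sign only this UID, export the key, then
        encrypt the result so that only the holder of the key can read it."""
        out = f"sig-{self.keyid}-{self.uid_index}.asc"
        return [
            f"gpg --local-user {signer} --edit-key {self.fingerprint} "
            f"uid {self.uid_index} sign save",
            f"gpg --armor --export {self.fingerprint} > {out}",
            f"gpg --armor --encrypt --recipient {self.fingerprint} {out}",
        ]


def plan_signing(listing: str) -> tuple:
    """Return (jobs, skipped): one SignJob per UID with an address on every
    key that can receive encrypted mail, plus a reason for each key or UID
    the method cannot handle."""
    jobs, skipped = [], []
    for key in parse_listing(listing):
        if not key.can_encrypt():
            # Signature-only key: nothing to encrypt to, so receipt of the
            # mail cannot prove control of the key. This is the page's caveat.
            skipped.append((key.keyid, "signature-only key: no encryption subkey"))
            continue
        for index, uid in enumerate(key.uids, start=1):
            m = EMAIL_RE.search(uid)
            if not m:
                skipped.append((f"{key.keyid}/uid {index}", "no e-mail address in UID"))
                continue
            jobs.append(SignJob(key.keyid, key.fingerprint, index, uid, m.group(1)))
    return jobs, skipped


if __name__ == "__main__":
    jobs, skipped = plan_signing(SAMPLE_LISTING)
    for job in jobs:
        print(f"{job.keyid} uid {job.uid_index} -> {job.email}")
        for cmd in job.commands("SIGNER_KEYID"):
            print("   ", cmd)
    for what, why in skipped:
        print(f"skip {what}: {why}")
```

Run against a real listing (`gpg --with-colons --list-keys KEYID | python3 plan.py` with a small wrapper) the planner tells you before any signing starts which UIDs would get mail and which keys the encrypted-mail check cannot cover.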