Matt's Musings

June 26, 2009

GPG Keysigning Update

Filed under: Debian,WLUG / LinuxNZ — @ 12:56 pm NZST

From the better late than never category… I finally got around to signing keys from the LCA2006 key signing party, the verification sheet from which has travelled with me from NZ to Dublin and then sat on my desk for a few years. I inevitably lost a few of my notes and verifications along the way, so if you were still expecting a signature from me and didn’t get one let me know!

The main hold up for me has been that my previous key signing system, a home grown script, was overly complex and involved me sending an encrypted token to each UID that I waited to receive back before issuing the signature. Lots of work for me, and much hassle for those whose keys I am signing. I’ve reverted back to the more standard method of signing and encrypting the signature to each UID and then throwing my copy of the signature away. Unless the recipient controls the UID and can decrypt the message, the signature will never be released to the world.

I’ve adopted pius as my new signing tool of choice, with a few extra patches to help me maintain my database of signature details and the corresponding verification pages at which are linked from the Policy URL packet of each signature I make. I guess I’ll tidy up the patches over the next few days and see if there is any interest in getting them merged.


  1. pius isn’t in Debian, could you package it? Also, why not just use caff from signing-party?

    Comment by foo — June 26, 2009 @ 4:58 pm

  2. I can certainly investigate packaging pius for Debian.

    Caff is perl, and I don’t really do perl, pius is Python, and I enjoy Python, so it was an easy choice for me.

    Comment by matt — June 26, 2009 @ 8:27 pm

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress