I have been at FrOSCon and participated in the keysigning party. About 60 people evaluating each others IDs was … interesting.
My prior exposure to this whole PGP/GPG key business had been just the minimum required for a Launchpad/BZR account and signing the Code of Conduct.
Now the task at hand is signing all the keys where I’m reasonably sure about the ID of the owner and mailing the signatures to them. While there’s no way around going through not just every key, but every uid (a name and email address associated with the key) interactively, everything else about this calls for automation.
The command line tool caff has been recommended and it seems to be the only game in town. It’s in the signing-party Debian/Ubuntu package. No GUI and no out-of-the-box solution in Ubuntu. One could conclude that building a web of trust is not essential 
The easiest way to allow caff to send out emails seems to be to set up ssmtp. Installing it caused the removal of the exim packages. Well, there was no way I would deal with the more than 1000 lines long configuration file for exim. Getting ssmtp to work with my account did cost me a few attempts, but wasn’t too hard. It’s a little sad to have a configured account in Evolution and having to use something entirely separated for sending mails from the command line or via scripts, though.
No matter what I do, caff always tells me it can’t import the keys I want to process. It asks if i want to continue anyway and defaults to aborting. Only after trying a lot of things, I decided to choose continue and it looks like the script can do its job nonetheless!?
Meanwhile, I imported and signed the keys via gpg directly, instead. Signing on a per-uid level is really cumbersome and could be much faster with a GUI.
caff assumes the keys are not signed, unless run with a flag to not sign keys. Using that, I did a test run with a single key. Since I couldn’t think of another way to check if the email had the right content and got through, I did send another one via Evolution to ask the recipient.
No answer, yet. This morning, I decided to pick another single key. I’m not aware of any relevant changes on my system, but now caff claims that it can’t find a signed uid for any of the keys. The gpgsigs tool tells me there are signed uids for all keys in my list, so the signatures most definitively did not disappear. Any idea what might be going on?
My inbox shows that several participants got caff to work.
I could help with the interaction/interface design, if somebody decides to write a graphical tool or to extend one of the existing key managers. I wonder if and how this should be integrated with whatever is the default email application of a distribution, though.
Filed under: Planet Ubuntu, Thoughts, Ubuntu
