[opensuse] oSC16 keysigning party
Hi,

at oSC16 we would like to offer the opportunity to get your key signed by other openSUSE contributors. Some of our SUSE employees have very well connected GPG keys, don't miss this opportunity.

To make this procedure as efficient as possible I would like to use the procedure used by FOSDEM:

- All attendees send their public keys to me:
    # gpg --armor --export --output $KEY_ID.gpg $KEY_ID
  Send $KEY_ID.gpg via email to me (jsegitz@suse.com)
- I'll compose a file with all the signatures, further instructions and send a signed version around three days before the event
- You need to print out that list, compute two hashes and fill them in on the printed copy (it's described in the file you'll receive). Bring this list, a pen and some form of photo ID to the keysigning party.

With that procedure everyone can check their own key and the hashes. If there are no discrepancies only the photo ID needs to be checked, which speeds up the event considerably.

Johannes
--
GPG Key E7C81FA0 EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)

On Wed, May 25, 2016 at 04:11:36PM +0200, Johannes Segitz wrote:
at oSC16 we would like to offer the opportunity to get your key signed by other openSUSE contributors. Some of our SUSE employees have very well connected GPG keys, don't miss this opportunity.
To make this procedure as efficient as possible I would like to use the procedure used by FOSDEM:

- All attendees send their public keys to me:
    # gpg --armor --export --output $KEY_ID.gpg $KEY_ID
  Send $KEY_ID.gpg via email to me (jsegitz@suse.com)
- I'll compose a file with all the signatures, further instructions and send a signed version around three days before the event
- You need to print out that list, compute two hashes and fill them in on the printed copy (it's described in the file you'll receive). Bring this list, a pen and some form of photo ID to the keysigning party.

With that procedure everyone can check their own key and the hashes. If there are no discrepancies only the photo ID needs to be checked, which speeds up the event considerably.
If you plan on attending and didn't send me your key, please do so now/soon.

Johannes

On Wed, May 25, 2016 at 04:11:36PM +0200, Johannes Segitz wrote:
- I'll compose a file with all the signatures, further instructions and send a signed version around three days before the event
Please find attached the file you'll need to participate. You can check it by running:

    # gpg --verify keylist.txt.asc keylist.txt

Here's what you have to do with this file:

(0) Verify that the key-id and the fingerprint of your key(s) on this list match with your expectation.
(1) Print this UTF-8 encoded file to paper. Use e.g. paps(1) from http://paps.sf.net/.
(2) Compute this file's RIPEMD160 and SHA256 checksums.
        gpg --print-md RIPEMD160 keylist.txt
        gpg --print-md SHA256 keylist.txt
(3) Fill in the hash values on the printout.
(4) Bring the printout, a pen, and proof of identity to the keysigning event.

You may find it useful to make a badge stating the number(s) of your key(s) on this list and the fact that you verified the fingerprints of your own key(s). Also provide a place to mark that your hashes match. e.g.

    +----------------------------+
    | I am number 001            |
    | My key-id & fingerprint: ☑ |
    | The hashes: ☐              |
    +----------------------------+

Be on time (2016-06-24 14:00 in the Hacker Room) to actually verify the hashes as they are announced!

Usually I shouldn't publish the hash values before the event to prevent people from just taking them from this mail and not computing them themselves. But we had some problems last year with mail clients mangling the attachments, which led to non-matching hash values. So I'll publish the beginning of the RIPEMD160 hash:

    keylist.txt: A0AC F9EF DD99 97BC 484D (...)

If you don't have that for keylist.txt, then your mail client screwed up.

Regarding proof of identity: During our last keysigning party we had some ID documents that were quite old (so you used to be quite the heavy metal guy 20 years ago, but now broken by life and without hair it's hard to recognize you), hard to read etc. In such a case it doesn't hurt to bring additional documents, otherwise more security conscious people might not sign your key.

Looking forward to seeing you there,
Johannes

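The checks from the mail above (signature, both checksums, and the published beginning of the RIPEMD160 hash), collected into one script as an added example that is not part of the original thread. The function names and the CR check for attachments altered in transit are assumptions of this example; the gpg invocations and the hash prefix are the ones quoted in the mail.

```sh
#!/bin/sh
# Added example: sanity-check a received keylist.txt before printing it.
# Beginning of the RIPEMD160 hash as published in the mail above.
PUBLISHED_PREFIX="A0AC F9EF DD99 97BC 484D"

# Reduce `gpg --print-md` output ("file: XXXX XXXX ...", possibly wrapped over
# several lines) to one uppercase hex string without file name or spaces.
normalize_md() {
    tr -d '\r\n' | sed 's/^[^:]*: *//' | tr -d ' ' | tr 'a-f' 'A-F'
}

# Succeed if digest $1 starts with the published beginning $2 (spaces allowed).
md_has_prefix() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 1
    case "$1" in
        "$want"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if file $1 contains carriage returns, a common trace of a mail
# client rewriting line endings in the attachment (assumption of this example).
has_crlf() {
    LC_ALL=C grep -q "$(printf '\r')" "$1"
}

# $1 = keylist.txt, $2 = detached signature (keylist.txt.asc)
check_keylist() {
    gpg --verify "$2" "$1" || { echo "signature check failed" >&2; return 1; }
    rmd=$(gpg --print-md RIPEMD160 "$1" | normalize_md)
    sha=$(gpg --print-md SHA256 "$1" | normalize_md)
    if ! md_has_prefix "$rmd" "$PUBLISHED_PREFIX"; then
        echo "RIPEMD160 does not start with the published value" >&2
        if has_crlf "$1"; then
            echo "file contains CR characters; re-fetch the attachment" >&2
        fi
        return 1
    fi
    echo "RIPEMD160: $rmd"
    echo "SHA256:    $sha"
}

# Run only when called as: sh check-keylist.sh keylist.txt keylist.txt.asc
if [ "$#" -eq 2 ]; then
    check_keylist "$1" "$2"
fi
```
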
On Tue, Jun 21, 2016 at 03:38:21PM +0200, Johannes Segitz wrote:
Be on time (2016-06-24 14:00 in the Hacker Room) to actually verify the hashes as they are announced!
The hacker room is too small to accommodate us and it's way too nice to spend the day inside. We'll do it in the beer garden area in the shady spots.

See you there,
Johannes

On Tue, Jun 21, 2016 at 03:38:20PM +0200, jsegitz@suse.com wrote:
Be on time (2016-06-24 14:00 in the Hacker Room) to actually verify the hashes as they are announced!
Thank you all for participating. So it was a bit hot and we found some steps that could be improved for the next event, but to me it looked like everyone was having fun while trying to evade the horrible yellow monster above.

Please find attached the keyring with the keys of all participants. To make signing easier you can check out caff, it helps you with that.

See you next openSUSE con,
Johannes

On Sun, Jun 26, jsegitz@suse.com wrote:
To make signing easier you can check out caff, it helps you with that.
Done. caff from signing-party.rpm as shipped with 13.1/13.2/Leap fails. Looks like the Leap variant does not handle a missing trustdb.gpg. I received some mails already, apparently sent using caff. So it seems to work for a few config variants.

Olaf
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

On Tue, Jun 28, 2016 at 10:45:21AM +0200, Olaf Hering wrote:
On Sun, Jun 26, jsegitz@suse.com wrote:
To make signing easier you can check out caff, it helps you with that.
Done. caff from signing-party.rpm as shipped with 13.1/13.2/Leap fails. Looks like the Leap variant does not handle a missing trustdb.gpg. I received some mails already, apparently sent using caff. So it seems to work for a few config variants.
That is likely boo#986783. For Leap I have a gpg2 that should fix that: https://build.opensuse.org/package/show/home:jsegitz:branches:openSUSE:Leap:...

Johannes

On Tue, Jun 28, Johannes Segitz wrote:
That is likely boo#986783.
Thanks, ...
For Leap I have a gpg2 that should fix that: https://build.opensuse.org/package/show/home:jsegitz:branches:openSUSE:Leap:...
... and just for Tumbleweed I have a signing-party.rpm including required runtime dependencies as well: https://build.opensuse.org/package/show/home:olh/signing-party

Olaf