Sign each UID on a set of PGP keys
Version: 2.0.3
PGP Individual UID Signer (or PIUS) allows users to sign individual UIDs on a set of PGP keys. It is designed to take the pain out of the sign-all-the-keys part of a PGP keysigning party while adding security to the process.
Operating System: Linux
Post party you need to, at a minimum, sign the keys of everyone who was present at the party and had sufficient ID. You then need to get those signed keys back to their owner.
That is already time consuming, but preferably you also want to verify the identity in each UID, which means verifying the email addresses. There are a few ways to do this; one is to sign each UID on the key individually (which requires an import-sign-export-delete cycle for each UID) and email that signed copy of the key, encrypted, to the email address in the UID. Doing this by hand is incredibly time consuming.
That's where pius comes in. Pius will do all the work for you - all you have to do is confirm the fingerprint for each key. It will then take care of signing each UID cleanly, minimizing the key, and using PGP/Mime email to send it, encrypted, to the email address in the UID.
The simplest (but least useful) form of use is
pius -s <your_keyid> <keyid>
This will sign all UIDs on <keyid>, and export one copy of <keyid> for each UID with only that UID signed. Each copy is written to a file in /tmp named <keyid>__<id>.asc, where <id> is the email address when one can be extracted from the UID, and some other piece of the UID otherwise. The -s flag denotes the "signing" keyid (your own key).
Note that this default mode prompts for your passphrase and caches it for the life of the execution so that it can pass it to GnuPG. There are other options; see the SECURITY IMPLICATIONS section below.
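The per-UID signing and export that pius automates, as an added Python example that is not pius's own code: it parses gpg's --with-colons listing, derives the <keyid>__<id>.asc name described above, and builds the gpg commands that sign one UID, export the key with only that UID (using gpg's keep-uid export filter instead of a separate import/delete cycle) and encrypt that file to the key itself, so only the key's holder can read the signature. It assumes GnuPG 2.1 or later, that --quick-sign-key accepts the UID string exactly as listed, and the embedded listing is constructed, not a real key.

```python
import re
import subprocess
from pathlib import Path

EMAIL_RE = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>")   # address part of "Name <addr>"

# Constructed sample of `gpg --with-colons --list-keys KEYID` output (not a real key)
SAMPLE_LISTING = """\
pub:u:4096:1:1111222233334444:1600000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::0000::Alice Example <alice@example.org>::::::::::0:
uid:r::::1600000000::0001::Alice Example <alice@old.example>::::::::::0:
uid:u::::1600000000::0002::Alice Example::::::::::0:
"""

def parse_colons(listing):
    """Return (primary fingerprint, [usable UIDs]); revoked/expired UIDs are skipped."""
    fpr, uids = None, []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "fpr" and fpr is None:
            fpr = f[9]                      # first fpr record belongs to the primary key
        elif f[0] == "uid" and f[1] not in ("r", "e"):
            uids.append(f[9])
    return fpr, uids

def uid_to_id(uid):
    """The <id> in <keyid>__<id>.asc: the email if present, else the name part."""
    if m := EMAIL_RE.search(uid):
        return m.group(1)
    name = re.sub(r"\(.*?\)", "", uid).strip()   # drop a "(comment)"
    return re.sub(r"[^\w.+-]+", "_", name)

def per_uid_commands(signer, keyid, fpr, uid, outdir):
    """gpg argv lists: sign one UID, export the key with only that UID, encrypt it to the key."""
    out = Path(outdir) / f"{keyid}__{uid_to_id(uid)}.asc"
    enc = out.with_name(out.stem + "_ENCRYPTED.asc")
    g = ["gpg", "--batch", "--yes"]
    return [
        g + ["--local-user", signer, "--quick-sign-key", fpr, uid],
        g + ["--armor", "--export-filter", f"keep-uid=uid={uid}", "--output", str(out), "--export", fpr],
        g + ["--armor", "--trust-model", "always", "--recipient", fpr, "--output", str(enc), "--encrypt", str(out)],
    ]

def sign_all_uids(signer, keyid, listing, outdir="/tmp"):
    """Run the steps for every usable UID; gpg-agent prompts for the signing passphrase."""
    fpr, uids = parse_colons(listing)
    for uid in uids:
        for cmd in per_uid_commands(signer, keyid, fpr, uid, outdir):
            subprocess.run(cmd, check=True)
```

Feed sign_all_uids the real output of `gpg --with-colons --list-keys <keyid>` together with your own keyid to produce one encrypted file per usable UID in /tmp.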
After a keysigning party you will probably have a party keyring provided by the organizer and want to sign most of the keys on it. In that case, don't specify all the keyids to sign; instead you probably want something more like:
$ pius -A -r </path/to/keyring.gpg> -m <your_email> -s <your_keyid>
The -r flag specifies the keyring to use, and the -A flag says to sign all keyids on that keyring. Since you are prompted to verify each fingerprint, you can say no to anyone on the ring whose identity you were unable to verify. The -p flag, as previously mentioned, will cache your passphrase. -m will cause pius to email the keys to their respective email addresses from <your_email>.
There are a variety of other options that you may want:
- customize the tmpdir and outdir directories (-t and -o respectively)
- encrypt the outfiles to <filename>_ENCRYPTED.asc (-e)
- select the signing level (-l)
- import the unsigned keys to the default keyring (-I)
- verbose mode (-v)
- customize mail hostname and port (-H and -P respectively)
- customize the email message (-M)
- don't use PGP/Mime in the email (-O, implies -e)
- use SMTP AUTH or STARTTLS for SMTP (-u and -S respectively)
And more! See the -h option for the full list.