oSC16 keysigning party

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

oSC16 keysigning party

Johannes Segitz
Hi,

at oSC16 we would like to offer the opportunity to get your key signed by
other openSUSE contributors. Some of our SUSE employees have very well
connected GPG keys, don't miss this opportunity.

To make this procedure as efficient as possible I would like to use the
procedure used by FOSDEM:
- All attendees send their public keys to me:
  # gpg --armor --export --output $KEY_ID.gpg $KEY_ID
  Send $KEY_ID.gpg via email to me ([hidden email])
- I'll compose a file with all the signatures, further instructions and send
  a signed version around three days before the event
- You need to print out that list, compute two hashes and fill them in on the
  printed copy (it's described in the file you'll receive). Bring this list, a
  pen and some form of photo ID to the keysigning party.

With that procedure everyone can check their own key and the hashes. If there
are no discrepancies only the photo ID needs to be checked, which speeds up the
event considerably.

Johannes
--
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)

signature.asc (817 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: oSC16 keysigning party

Johannes Segitz
On Wed, May 25, 2016 at 04:11:36PM +0200, Johannes Segitz wrote:

> at oSC16 we would like to offer the opportunity to get your key signed by
> other openSUSE contributors. Some of our SUSE employees have very well
> connected GPG keys, don't miss this opportunity.
>
> To make this procedure as efficient as possible I would like to use the
> procedure used by FOSDEM:
> - All attendees send their public keys to me:
>   # gpg --armor --export --output $KEY_ID.gpg $KEY_ID
>   Send $KEY_ID.gpg via email to me ([hidden email])
> - I'll compose a file with all the signatures, further instructions and send
>   a signed version around three days before the event
> - You need to print out that list, compute two hashes and fill them in on the
>   printed copy (it's described in the file you'll receive). Bring this list, a
>   pen and some form of photo ID to the keysigning party.
>
> With that procedure everyone can check their own key and the hashes. If there
> are no discrepancies only the photo ID needs to be checked, which speeds up the
> event considerably.
If you plan on attending and didn't send me your key, please do so
now/soon.

Johannes
--
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)

signature.asc (817 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: oSC16 keysigning party

Johannes Segitz
On Tue, Jun 14, 2016 at 09:47:42AM +0200, Johannes Segitz wrote:
> If you plan on attending and didn't send me your key, please do so
> now/soon.

Last chance, I'll send the final list in four hours, after that you can only
participate by bringing your own fingerprint snippets and after we finished
the official event.

Johannes
--
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)

signature.asc (817 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: oSC16 keysigning party

Johannes Segitz
On Mon, Jun 20, 2016 at 12:08:27PM +0200, Johannes Segitz wrote:
> On Tue, Jun 14, 2016 at 09:47:42AM +0200, Johannes Segitz wrote:
> > If you plan on attending and didn't send me your key, please do so
> > now/soon.
>
> Last chance, I'll send the final list in four hours, after that you can only
> participate by bringing your own fingerprint snippets and after we finished
> the official event.

We decided to move the deadline to tomorrow, 2016-06-21 15:00 CEST because
an additional announcement was sent to an external announce list. Please
find attached the current list, containing all the keys that were sent to
me. Please check if you're on there. Once I sent the signed version no
corrections are possible anymore.

Johannes
--
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)

keylist.txt (19K) Download Attachment
signature.asc (817 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: oSC16 keysigning party

Johannes Segitz
In reply to this post by Johannes Segitz
On Wed, May 25, 2016 at 04:11:36PM +0200, Johannes Segitz wrote:
> - I'll compose a file with all the signatures, further instructions and send
>   a signed version around three days before the event

Please find attached the file you'll need to participate. You can check it
by running:
# gpg --verify keylist.txt.asc keylist.txt

Here's what you have to do with this file:

(0) Verify that the key-id and the fingerprint of your key(s) on this list
    match with your expectation.

(1) Print this UTF-8 encoded file to paper.
    Use e.g. paps(1) from http://paps.sf.net/.

(2) Compute this file's RIPEMD160 and SHA256 checksums.

      gpg --print-md RIPEMD160 keylist.txt
      gpg --print-md SHA256 keylist.txt

(3) Fill in the hash values on the printout.

(4) Bring the printout, a pen, and proof of identity to the keysigning event.
    You may find it useful to make a badge stating the number(s) of your key(s)
    on this list and the fact that you verified the fingerprints of your own
    key(s).  Also provide a place to mark that your hashes match.
    e.g.
       +----------------------------+
       | I am number 001            |
       | My key-id & fingerprint: ☑ |
       | The hashes:              ☐ |
       +----------------------------+

Be on time (2016-06-24 14:00 in the Hacker Room) to actually verify the
hashes as they are announced!

Usually I shouldn't publish the hash values before the event to prevent
people from just taking them from this mail and not computing them
themselves. But we had some problems last year with mail clients mangling
the attachments, which lead to non-matching hash values. So I'll publish
the beginning of the RIPEMD160 hash:
keylist.txt: A0AC F9EF DD99 97BC 484D (...)
If you don't have that for keylist.txt, then your mail client screwed up.

Regarding proof of identity: During our last keysigning party we had some
ID documents that were quite old (so you used to be quite the heavy metal
guy 20 years ago, but now broken by life and without hair it's hard to
recognize you), hard to read etc. In such a case it doesn't hurt to bring
additional documents, otherwise more security conscious people might not
sign you key.

Looking forward to seeing you there,
Johannes
--
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)

keylist.txt (28K) Download Attachment
keylist.txt.asc (868 bytes) Download Attachment
signature.asc (817 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: oSC16 keysigning party

Johannes Segitz
On Tue, Jun 21, 2016 at 03:38:21PM +0200, Johannes Segitz wrote:
> Be on time (2016-06-24 14:00 in the Hacker Room) to actually verify the
> hashes as they are announced!

The hacker room is too small to accommodate us and it's way too nice to spent
the day inside. We'll do it in the beer garden area in the shady spots.

See you there,
Johannes
--
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)

signature.asc (817 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: oSC16 keysigning party

Johannes Segitz
In reply to this post by Johannes Segitz
On Tue, Jun 21, 2016 at 03:38:20PM +0200, [hidden email] wrote:
> Be on time (2016-06-24 14:00 in the Hacker Room) to actually verify the
> hashes as they are announced!

Thank you all for participating. So it was a bit hot and we found some
steps that could be improved for the next event, but to me it looked like
everyone was having fun while trying to evade the horrible yellow monster
above.

Please find attached the keyring with the keys of all participants. To make
signing easier you can check out caff, it helps you with that.

See you next openSUSE con,
Johannes
--
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)

keyring.asc.bz2 (470K) Download Attachment
signature.asc (817 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: oSC16 keysigning party

Olaf Hering-2
On Sun, Jun 26, [hidden email] wrote:

> To make signing easier you can check out caff, it helps you with that.

Done. caff from signing-party.rpm as shipped with 13.1/13.2/Leap fails.
Looks like the Leap variant does not handle a missing trustdb.gpg.
I received some mails already, appearently sent using caff. So it seems
to work for a few config variants.

Olaf
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: oSC16 keysigning party

Johannes Segitz
On Tue, Jun 28, 2016 at 10:45:21AM +0200, Olaf Hering wrote:
> On Sun, Jun 26, [hidden email] wrote:
>
> > To make signing easier you can check out caff, it helps you with that.
>
> Done. caff from signing-party.rpm as shipped with 13.1/13.2/Leap fails.
> Looks like the Leap variant does not handle a missing trustdb.gpg.
> I received some mails already, appearently sent using caff. So it seems
> to work for a few config variants.

That is likely boo#986783.

For Leap I have a gpg2 that should fix that:
https://build.opensuse.org/package/show/home:jsegitz:branches:openSUSE:Leap:42.1:Update/gpg2

Johannes
--
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)

signature.asc (817 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: oSC16 keysigning party

Olaf Hering-2
On Tue, Jun 28, Johannes Segitz wrote:

> That is likely boo#986783.

Thanks, ...

> For Leap I have a gpg2 that should fix that:
> https://build.opensuse.org/package/show/home:jsegitz:branches:openSUSE:Leap:42.1:Update/gpg2

... and just for Tumbleweed I have a signing-party.rpm including
required runtime dependencies as well:

https://build.opensuse.org/package/show/home:olh/signing-party

Olaf
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]